Current Compliance Priorities in Bank Regulatory Exams

Updated examination practices, published guidance and public statements from federal banking agencies can provide insights for banks into where regulators are likely to focus their efforts in coming months. Of particular focus are safety and soundness concerns and consumer protection compliance priorities.

Safety and Soundness Concerns
Although they are familiar topics to most bank leaders, several safety and soundness matters merit particular attention.

  • Bank Secrecy Act/anti-money laundering (BSA/AML) laws. After the Federal Financial Institutions Examination Council updated its BSA/AML examination manual in 2021, recent subsequent enforcement actions issued by regulators clearly indicate that BSA/AML compliance remains a high supervisory priority. Banks should expect continued pressure to modernize their compliance programs to counteract increasingly sophisticated financial crime and money laundering schemes.
  • Cybersecurity. In November 2021, banking agencies issued new rules requiring prompt reporting of cyberattacks; compliance was required by May 2022. Regulators also continue to press for multifactor authentication for online account access, increased vigilance against ransomware payments and greater attention to risk management in cloud environments.
  • Third-party risk management. The industry recently completed its first cycle of exams after regulators issued new interagency guidance last fall on how banks should conduct due diligence for fintech relationships. This remains a high supervisory priority, given the widespread use of fintechs as technology providers. Final interagency guidance on third-party risk, expected before the end of 2022, likely will ramp up regulatory activities in this area even further.
  • Commercial real estate loan concentrations. In summer 2022, the Federal Deposit Insurance Corp. observed in its “Supervisory Insights” that CRE asset quality remains high, but it cautioned that shifts in demand and the end of pandemic-related assistance could affect the segment’s performance. Executives should anticipate a continued focus on CRE concentrations in coming exams.

In addition to those perennial concerns, several other current priorities are attracting regulatory scrutiny.

  • Crypto and digital assets. The Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC have each issued requirements that banks notify their primary regulator prior to engaging in any crypto and digital asset-related activities. The agencies have also indicated they plan to issue further coordinated guidance on the rapidly emerging crypto and digital asset sector.
  • Climate-related risk. After the Financial Stability Oversight Council identified climate change as an emerging threat to financial stability in October 2021, banking agencies began developing climate-related risk management standards. The OCC and FDIC have issued draft principles for public comment that would initially apply to banks over $100 billion in assets. All agencies have indicated climate financial risk will remain a supervisory priority.
  • Merger review. In response to congressional pressure and a July 2021 presidential executive order, banking agencies are expected to begin reviewing the regulatory framework governing bank mergers soon.

Consumer Protection Compliance Priorities
Banks can expect the Consumer Financial Protection Bureau (CFPB) to sharpen its focus in several high-profile consumer protection areas.

  • Fair lending and unfair, deceptive, or abusive acts and practices (UDAAP). In March 2022, the CFPB updated its UDAAP exam manual and announced supervisory changes that focus on banks’ decision-making in advertising, pricing, and other activities. Expect further scrutiny — and possible complications if fintech partners resist sharing information that might reveal proprietary underwriting and pricing models.
  • Overdraft fees. Recent public statements suggest the CFPB is intensifying its scrutiny of overdraft and other fees, with an eye toward evaluating whether they might be unlawful. Banks should be prepared for additional CFPB statements, initiatives and monitoring in this area.
  • Community Reinvestment Act (CRA) reform. In May 2022, the Fed, FDIC, and OCC announced a proposed update of CRA regulations, with the goal of expanding access to banking services in underserved communities while updating the 1970s-era rules to reflect today’s mobile and online banking models. For its part, the CFPB has proposed new Section 1071 data collection rules for lenders, with the intention of tracking and improving small businesses’ access to credit.
  • Regulation E issues. A recurring issue in recent examinations involves noncompliance with notification and provisional credit requirements when customers dispute credit or debit card transactions. The Electronic Fund Transfer Act and Regulation E rules are detailed and explicit, so banks would be wise to review their disputed transaction practices carefully to avoid inadvertently falling short.

As regulator priorities continue to evolve, boards and executive teams should monitor developments closely in order to stay informed and respond effectively as new issues arise.

Regulators Focus on Sales Practices: Responding to Heightened Scrutiny

Federal and state regulatory enforcement actions and unprecedented fines for alleged fraud—fraud that apparently originated with sales incentive compensation plans—have left bank executive management teams and boards wondering if the same thing could be happening at their institutions. These concerns are shared by banking regulators, as evidenced by the flurry of activity, including testimonies, speeches and information requests, in the fourth quarter of 2016.


Excessive risk-taking, without proper risk management and controls, often has been cited as one of the root causes of the recession that began in late 2007. Progress certainly has been made since the financial crisis, particularly in fostering a healthy compliance culture, committing to effective risk management and governance, and improving how customers are treated. However, the issues associated with sales and incentive plans have thrust these concerns back into the open to be scrutinized by the public, policymakers, law enforcement and regulatory agencies.

The 2010 Guidance on Sound Incentive Compensation Policies
In June 2010, the Office of the Comptroller of the Currency (OCC), the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision published their final Guidance on Sound Incentive Compensation Policies in the Federal Register. The guidance applies to all banking organizations supervised by the OCC, the FDIC and the Federal Reserve, regardless of the size of the banking organization.

The guidance is based upon three key principles about incentive compensation arrangements, namely that they should:

  1. Provide employees with incentives that appropriately balance risk and financial results in a manner that does not encourage employees to expose their organizations to imprudent risks.
  2. Be compatible with effective controls and risk management.
  3. Be supported by strong corporate governance, including active and effective oversight by the banking organization’s board of directors.

The guidance, as well as other similarly focused rulemaking activities, clearly indicates that incentive-based compensation arrangements now are under the microscope. Every bank should review its incentive-based compensation arrangements to make sure they are in compliance with the applicable regulations.

What’s My Exposure?
Bank executives and directors who are trying to determine their entity’s exposure related to sales incentive programs need their bank to undergo a risk assessment focused on common activities that are aligned to their bank’s sales incentive practices. If the assessment reveals problems with improper behavior, the bank then must determine its level of exposure.

A comprehensive approach to assessing exposure should encompass the following high-level areas and analyze associated data at a level sufficient to identify whether improper behaviors are occurring:

  • Review accounts, products and services offered to consumers or small businesses through all channels (including branches, phone, internet and private banking).
  • Analyze incentive program payments by product or service provided.
  • Consider noncash incentive programs.
  • Ensure reports are issued by internal audit, front-line self-assessments or an external party that cover sales practices or account opening or closing procedures.
  • Establish policies, procedures and reports of concerns with sales practices or account opening or closing procedures resulting from employee terminations or exit interviews, whistleblower or ethics hotlines or consumer complaints.
  • Develop training program materials for employees who sell products and services.
  • Institute policies, procedures and detection controls specific to account opening and closing metrics.

It is important that assessment and data analysis activities include third-party risk management programs to identify and effectively manage risks related to third parties that are involved in opening and maintaining customer accounts.

In addition, banks should consider performing culture assessments to determine if there are conflicting elements or subcultures that are misaligned. Many banks change their cultures by sequentially aligning strategies, structures, processes, rewards and people practices.

Actionable Information
With assessment information in hand, executives and boards are better able to make informed decisions and take appropriate actions necessary to help protect the bank and its customers. Depending on the assessment results, the bank then might need to take the following steps to mitigate the risk:

  • Further investigate the areas for which the exposure assessment identifies improper behavior or potential fraud.
  • Test the design and operating effectiveness of existing controls to prevent and detect account origination, servicing and termination fraud as well as unfair, deceptive, or abusive acts and practices (UDAAP) within the sales process.
  • Develop and implement new controls within the sales, account origination, servicing and termination processes.
  • Review incentive compensation plans and their governance processes.
  • If necessary, reshape overall compensation plans to eliminate incentives that could lead to a higher likelihood of fraud and undue risk-taking.
  • Design and implement systems or functions to identify, measure, monitor and control risk-taking and standards of behavior.

The New FFIEC Information Security Examination Procedures: What Boards Should Be Doing Now

How effective is your bank’s approach to information security, including cybersecurity? On September 9, the Federal Financial Institutions Examination Council (FFIEC) published new information security examination procedures. It is critical that boards and management teams quickly get up to speed on the new exam procedures so there are no surprises in the bank’s next exam that adversely impact earnings, capital or value creation.

The new exam procedures focus on assessing the quality and effectiveness of the bank’s information security program, including its culture, governance, security operations (with emphasis on cybersecurity) and assurance processes, such as self-assessments, penetration tests, vulnerability assessments and independent audits. The procedures contain eleven objectives for the examiners to attain.

The objective relating to security operations and cybersecurity is especially noteworthy, because it raises expectations. Both in the preamble and in the specific exam procedures, there is recognition that it is not a question of if, but when an attacker will break into the network, so banks need to strengthen threat identification, monitoring, detection and response. Examiners will evaluate whether the bank has monitoring in place to identify malicious activity, a process to identify possible compromises of the bank’s systems, and whether it uses tools that reveal and trace an attacker’s actions, such as attack or event trees, to size up exposures and respond effectively.

While speaking on cybersecurity on the main stage at Bank Director’s 2016 Bank Audit and Risk Committees Conference in June, I electronically polled the bank directors and senior executives in attendance. The results from the 206 respondents indicate a need for banks to beef up cybersecurity to meet these enhanced regulatory expectations. While cybersecurity is a top concern for bank boards, seventy-seven percent indicated that they do not review cybersecurity at every board meeting. Fifty-nine percent of attendees said that detecting anomalous activity or threats from malicious insiders are the cybersecurity risks for which their bank is least prepared.

Source: 206 respondents, Bank Director Audit and Risk Committees Conference June 2016

When I asked how many had implemented ongoing reviews of the network visibility map for risk oversight, only 31 percent had done so. This map visually shows all assets inside the network and helps identify threats. Without this visual map, the bank will be managing its cyber risks in the blind.

What the Board Should Do
Here are five steps that boards should take to remain proactive regarding information security.

  1. Review cybersecurity at every board meeting. Cybersecurity must be handled as a strategic boardroom issue, not as a back-office IT issue.
  2. Use the new information security exam procedures to perform a self-assessment. Identify and eliminate any deficiencies well in advance of the next exam.
  3. Review the network visibility map at every board meeting to visually identify all assets and the risk mitigation in place to protect them.
  4. Task a “hunt” team to identify anomalies within the bank’s network, as described in the new exam procedures. On average, attackers roam inside the network undetected for more than 200 days. Use advanced analytics that can mine millions of records to reveal the attacker and the full extent of the exposure, then eliminate it. Response must be prompt.
  5. Conduct ongoing but randomly scheduled social engineering and phishing simulation training to keep employee awareness heightened. Education can prevent employees from falling victim to real attacks and becoming the weakest link in the chain.

In March, the Consumer Financial Protection Bureau fined an online payment processor for engaging in unfair, deceptive or abusive acts and practices (UDAAP), due to its failure to implement an adequate information security program and protect consumer data. Other regulators have taken notice, and will not hesitate to assess enforcement actions for information or cybersecurity deficiencies using UDAAP or other enforcement tools available against banks and its technology providers. Information or cybersecurity lapses can cause irreparable harm to the bank, and tarnish its reputation instantly. The stakes are very high. Banks must stay one step ahead.

2015 Risk Practices Survey: Cyberanxiety for Bank Boards

In the wake of high-profile cyberattacks and data breaches last year at JPMorgan Chase & Co., Sony Pictures Entertainment Inc., Home Depot Inc., Kmart and eBay Inc., bank leaders say that cybersecurity is the risk category that concerns them most, according to Bank Director’s 2015 Risk Practices Survey, sponsored by FIS. Eighty-two percent of respondents, which include bank chief executives, chief risk officers and directors, cite this as a top concern for the second year in a row, and anxiety about the issue is even more heightened: When asked the same question in last year’s survey, 51 percent of respondents cited cybersecurity.

Half say that preparing for a potential cyberattack is one of the biggest risk management challenges facing their bank. But while high profile attacks may be raising the blood pressure of bank CEOs, other senior executives and individual directors, this hasn’t yet translated into more focus by bank boards. Less than 20 percent say cybersecurity is reviewed at every board meeting, and 51 percent of risk committees do not review the bank’s cybersecurity plan. Most banks allocated less than 1 percent of revenues to cybersecurity in 2014.

In addition to cybersecurity, the 2015 Risk Practices Survey explores how bank leaders govern risk and address the related challenges they face. A total of 149 directors and senior executives of U.S. banks with more than $500 million in assets participated in the survey, which was conducted online in January.

Key Findings:

  • Risk expertise matters: respondents from institutions with a chief risk officer (90 percent of respondents) and at least one risk expert on the board (two-thirds) report a higher return on equity and return on assets.
  • Eighty-two percent believe there is room for improvement in the bank’s enterprise risk management (ERM) program.
  • Fifty-eight percent report their bank has a risk appetite statement, and an additional 27 percent plan to implement one within the next 12 months. Of those who have one, 84 percent say the board reviews the risk appetite statement just once a year.
  • Creating a culture that supports bank-wide risk communication and assessment is a key challenge, according to 43 percent, up 18 percentage points from last year’s survey. Sixty-two percent provide regular board training on risk issues, and a little more than half train all employees on risk. Just 21 percent communicate the risk appetite statement to all employees.
  • Seventy-three percent believe their board needs more training and education on emerging risks, such as cybersecurity or Unfair, Deceptive or Abusive Acts or Practices (UDAAP) risks.
  • Almost two-thirds report that their bank employs a full-time chief information security officer. For those banks that don’t, the role often falls on the chief information officer.
  • A significant percentage of banks rely on their vendors to keep themselves—and their customers—safe: 44 percent of respondents reveal a heavy dependence, and half a moderate dependence, on vendors for cybersecurity.
  • Seventy-nine percent say their bank increased its cybersecurity budget for fiscal year 2015, most by less than 10 percent. The majority of banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in FY 2014.


Bank Boards Making Progress on Risk Governance: Results of the 2014 Risk Practices Survey

The banking industry has made great strides over the last few years in the management of risk, and a number of important best practices have begun to emerge, according to Bank Director’s 2014 Risk Practices Survey, sponsored by FIS. While the Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers, smaller banks are proactively following suit. By taking a more comprehensive approach to risk management, these institutions are reaping the benefits with improved financial performance.

The 2014 Risk Practices Survey reveals how these banks govern risk, and that a best-practice approach can positively impact financial performance. Creating and properly using a comprehensive risk appetite statement challenges many boards. Many see room for improvement in the quality and comprehensiveness of the bank’s enterprise risk management program. Tying risk management to the strategic plan and measuring its impact on the organization is difficult for many institutions, although those that have tried to measure the risk management program’s impact report a positive effect on financial performance.

Conducted in January, the survey is based on 107 online responses from independent directors and senior bank executives, primarily chief risk officers, of banks with more than $1 billion in assets.

Findings include:

  • Ninety-seven percent of respondents report that the bank has a chief risk officer or equivalent on staff, and 63 percent oversee risk within a separate risk committee of the board. Moreover, respondents whose banks have a separate board-level risk committee report a higher median return on assets (ROA), at 1.00, and higher median return on equity (ROE), at 9.50, compared to banks that govern risk within a combined audit/risk committee or within the audit committee.
  • Of those that oversee risk within a separate risk committee, 64 percent of respondents review the bank’s strategic plan and risk mitigation strategies, while the remaining 36 percent do not yet do so.
  • Tools like the risk appetite statement, the enterprise risk assessment and risk dashboard aren’t fully used. Only one-third of respondents feel that the bank’s risk appetite statement covers all the risks faced by the institution, and less than half use it to provide limits to board and management. Just 13 percent analyze the risk appetite statement’s impact on financial performance.
  • Just 17 percent of respondents review the bank’s risk profile and related metrics at the board and executive level monthly. Almost half review these metrics quarterly, while 23 percent review twice a year or annually.
  • Fifty-seven percent of directors feel that the board could benefit from more training in understanding how new regulations impact and pose risk to the bank, and 53 percent want a deeper understanding of emerging risks, such as risks associated with cyber security or Unfair, Deceptive or Abusive Acts or Practices (UDAAP). Conversely, senior executives feel that the board needs more training in overseeing the bank’s risk appetite, and understanding risk oversight best practices and how other banks govern risk.
  • The regulatory environment continues to challenge bank boards. Fifty-five percent cite the volume and pace of regulatory change as the environmental factor most likely to cause risk evaluation failures at the bank.
  • More than half of bank officers, and 40 percent of respondents overall, say that maintaining the technology and data infrastructure to support risk decision-making is a top risk management challenge.


Regulatory Punch List of Top Priorities for Bank Directors

In today’s banking world, exams are tougher, the supervisory focus is on fairness to consumers, data is heavily scrutinized and consequences for failing to mitigate risks are more severe than ever. It is incumbent upon bank directors to stay in front of high risk areas and make sure their institutions can survive and thrive in this challenging environment. I put together my punch list of some of the top challenges I see facing the industry to provide guidance on where you will want to focus.

Get Serious about Complaint Management
The Consumer Financial Protection Bureau (CFPB) continues to amass an unprecedented public database of complaints against specific financial institutions. The CFPB’s complaint system is informing many of its decisions about whom to examine and how to regulate. In the face of this, banks should strive to improve their own internal complaint systems. You don’t want those complaints going to the bureau. You want them coming to the bank so you can solve them.

Be Extra Vigilant When Choosing and Managing Vendors
Regulators are looking more closely at the way banks choose and manage their vendors and are holding banks responsible for the faults of their vendors. In fact, recent enforcement actions from the CFPB resulted in a combined $101.5 million in fines plus $435 million in restitution for the financial firms based on flaws in the way the banks monitored their vendors. Additionally, the CFPB issued a bulletin in April 2012, with the message that banks are responsible for any faults of the vendors they work with.

Don’t Let the Ease of Social Media Make Things Difficult
In the social channel, which demands quick responses, an outsider may see what he perceives to be a run-of-the-mill consumer complaint and hastily respond in a way that causes more trouble. Be sure to monitor social media activity continually in real time.

Don’t Wait for Clarity from Regulators—Monitor, Test and Correct Fair Lending Issues Now
The recent OCC order that hit a bank for discriminating against white males may have taken some bankers off guard, and moved several to demand more clarity from regulators. But in this enforcement-heavy environment, the best option is for banks to heavily monitor, test and correct, when necessary, all of their credit products now.

Solidify a Regulatory Reform Process
In our Regulatory & Risk Management Indicator survey in June, we asked bankers which regulatory concerns keep them up at night, and 46 percent said regulatory reform—referring to new rules stemming from the Dodd-Frank Act and the CFPB. Make sure your bank can address three primary questions relating to compliance programs:

  1. What are the laws and regulations you are subject to across all the jurisdictions in which you operate?
  2. Are you confident you are complying with all of these laws and regulations?
  3. Can you prove it to third parties (e.g., board members, investors, regulators and other stakeholders)?

Leverage Technology to Adjust to Onslaught of New Rules
Once upon a time, when a bank had an enforcement action of a significant deficiency, the first thing senior management used to say was: Where is our chief compliance officer? How did this happen? Now the question is going to be: Where is our chief technology officer? Why didn’t technology come up with the means to implement these changes in a more effective, efficient and compliant way? If technology and compliance aren’t talking to each other, they need to get together.

When it Comes to Auto Lending, Be in the Driver’s Seat
The CFPB is cracking down on interest rate markups that automobile dealers add to the cost of car loans. If they’re done in a discriminatory manner, then the bank is responsible. The CFPB recently released a bulletin that said lenders must enhance their oversight of auto dealers with which they do business after a recent investigation revealed disparities in interest rates charged to minority borrowers versus non-minorities. The bigger-picture problem for banks is that the regulatory scrutiny requires them to monitor the loans being made by all of the auto dealers they work with. That’s sometimes more than 1,000 dealers. The CFPB is hoping that lenders will voluntarily place compensation restrictions on dealers.

Watch out for UDAAP
The Dodd-Frank Act adds an “A” (which stands for abusive) to UDAP—turning the Federal Trade Commission’s provisions into “unfair, deceptive or abusive acts or practices.” A lot of it depends on the consumer’s ability to understand what is being presented to them. The danger appears to lie in the gap between what is presented to customers and how they perceive what they get and its value. From the moment that a deposit or mortgage product or service is developed and the process begins, compliance folks have to have a seat at the table. I recommend that banks perform some testing to be sure the information being conveyed is perceived by the consumer the way it was meant to be. If there is a complaint, and that complaint goes to the bureau, the lender is going to have to be prepared to defend his ability to provide a product that was not unfair, that was not deceptive and certainly was not abusive.

Gear up for New Mortgage Rules
Several new mortgage rules are on their way from the CFPB. Among the new rules is the QM, or qualified mortgage (ability-to-pay) rule, a provision related to high-cost mortgages, a rule impacting loan officer compensation, new servicing standards, an escrow rule about impounding accounts and tax insurance, an appraisal disclosure rule and another appraisal guideline related to high-cost mortgage. Even now that the QM rule is final and going into effect in January, the industry still has to focus on the qualified residential mortgage (risk-retention rule) and its impact on mortgage lending and the secondary market. For much of the industry, setting up systems to comply with QM is a big concern. Also, we still must find out how all these different rules conflict with each other. It will certainly be a challenge.

Regulator Panel: Would You Sell These Products to Your Mom or Dad?

The shifting focus of regulators is indeed a concern for bankers and bank boards these days. The creation of the Consumer Financial Protection Bureau (CFPB) has impacted almost all banks and thrifts, not just the $10-billion-plus financial institutions that are subject to CFPB exams. The CFPB is publishing new rules monthly about topics such as fair lending, mortgage disclosures and even the interest rate banks can charge for residential loans. Plus, regulatory exams that end badly can have serious negative consequences for banks, so it’s a good idea to keep tabs on what regulators are thinking about your bank.

At Bank Director’s Bank Audit Committee Conference in Chicago last month, Deputy Comptroller Bert Otto in the central district in the Office of the Comptroller of the Currency (OCC) joined David Van Vickle, assistant regional director at the Federal Deposit Insurance Corp. (FDIC) and Molly Curl, bank regulatory national advisory partner at Grant Thornton LLP, in a discussion of what regulators are looking for in exams. John Geiringer, a partner at law firm Barack Ferrazzano Kirschbaum & Nagelberg LLP, moderated the discussion.

Otto said strategic risk is one of the things his office is most worried about right now. Banks are focused on improving earnings, but he would like bank boards to look at the risk involved in their strategic plan and any new products or services offered by the bank.

He said regulators are focused on risk: What are the bank’s risks and is the bank leadership identifying them? “The focus of all the regulators going forward, at least at the OCC, is really risk on a forward-looking basis,” he said.

Van Vickle agreed that this is a focus for his agency as well. Examiners are asking: What is the bank’s tolerance for risk? What are the key indicators of risk? In terms of mitigating risk, Curl said banks should have a full risk profile with risks rated from highest to lowest, and a plan for how to mitigate those risks. The risk line of defense then involves the compliance department, as well as internal audit, which will review at least annually the internal controls to see if policies and procedures are being followed. A bank can opt for yet another line of defense: an outside firm to review the bank’s risk profile and procedures for mitigating risk.

Banks frequently use outside vendors of various sorts, but they can actually be a source of risk as well. Note recent news about the CFPB crackdown on Minneapolis-based U.S. Bancorp over subprime auto loans to military service members, which were provided to U.S. Bancorp through a vendor. Van Vickle, speaking in general and not about U.S. Bancorp, said: “We will hold the bank responsible for a lot of what those service providers are saying, if they are approaching customers and making promises and not making appropriate disclosures.”

Compliance risk can also hinder acquisition plans, as it did in M&T Bank Corp.’s purchase of Hudson City Bancorp this year, when regulators delayed the closing date of the sale amid questions about M&T’s compliance with anti-money laundering rules. The Bank Secrecy Act (BSA) and anti-money laundering laws are now more significant in regulatory exams than in years past because a bank’s compliance track record now impacts its safety and soundness rating, Curl said.

“BSA should be a critical element to any products you roll out,” Geiringer said. “It used to be the compliance officer came in at the end, and was Dr. No.” Nowadays, the compliance officer should be involved in the beginning of the process of rolling out new services and products, he said. Consumer compliance is a new focus of regulation, Geiringer said. The Dodd-Frank Act expanded consumer law in the form of UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) to include the term “abusive.” Ask yourself: Would you sell the bank’s products to your mom or dad? Does your bank board set the right tone in reacting to compliance issues? If new regulations are mentioned at a board meeting, do you roll your eyes? How does that impact management if they see board members doing that?

There has been a shift in banking regulation and it’s worth paying attention to. The regulatory panel at the audit conference made that clear. 

Boards Must Address New Standards for Consumer Products

The unfair, deceptive or abusive acts or practices standard (UDAAP) is one of the most talked about compliance issues today. The Dodd-Frank Act added the word “abusive” to what was forbidden under the law previously, expanding the scope of what constitutes a UDAAP violation. All banking regulators are now charged with enforcing a new standard in consumer protection. This renewed focus on UDAAP has created an especially heightened regulatory concern for banks and other financial institutions governed by the Consumer Financial Protection Bureau (CFPB), particularly due to the lack of certainty about how the term “abusive” will be interpreted. Given the heavy fines issued by the CFPB in 2012 and high profile settlements, directors will want to take inventory of their UDAAP compliance program and evaluate how each product and service is impacting the consumer. Here are a few recommendations.

Promote a Culture Shift to Focus on Risk to the Consumer
In this new consumer-centric supervisory context, in addition to evaluating the traditional risk to the institution if a compliance violation occurs, banks must also focus on the inherent risk to the consumer for any given process or product. This is a major shift in how institutions are being asked to examine risk and essentially creates a new risk discipline. Board members can lead the charge by making sure that any adverse impact on the consumer is evaluated right alongside traditional risk disciplines.

Set the Tone
Like all things related to regulatory risk and compliance, the best practice for creating a UDAAP-conscious organization is to establish the tone for compliance at the top. Financial institutions are well advised to review what is being communicated downward through various means, particularly in the form of policies, procedures and training materials. The key to establishing an effective UDAAP compliance program within the framework of your compliance management program is having strong controls. The CFPB prescribes the following four interdependent control components:

  • Board and Management Oversight
  • Formal Compliance Program (i.e., policies and procedures; training; and monitoring corrective action)
  • Response to Consumer Complaints
  • Compliance Audit

Ask the Questions
In applying practical thinking to managing UDAAP compliance risk and considering the high-risk areas, ask your senior management, does our compliance management system:

  • Establish compliance responsibility and accountability for UDAAP compliance at all levels of the organization?
  • Communicate to all employees their responsibility for compliance with UDAAP through training and regular compliance updates?
  • Ensure that UDAAP requirements are incorporated into the everyday business processes, as well as the procedures followed by contractors and third-party service providers?
  • Review operations for compliance with UDAAP requirements?
  • Require corrective action when non-compliance or a potential weakness is identified?

Evaluate Fairness and Transparency throughout the Product Lifecycle
Banks should always strive for fairness and transparency when communicating product features, terms and costs to customers, and apply the same standard in the delivery, support and servicing of all products. Consider the full extent of the product lifecycle when assessing your UDAAP compliance risks. High risk areas to focus on are:

  • Advertising and Solicitations
  • Loan and Account Disclosures
  • Servicing and Collections
  • Third-Party Service Provider Oversight

In all aspects of the product lifecycle, stress absolute transparency and hold each business line and product group accountable for continuously reviewing technical accuracy, alignment to actual practices, and clarity and ease of understanding from the consumer’s point of view.

Manage Consumer Complaints
With the CFPB actively soliciting complaints from consumers and using that data to support their supervisory activities, you need to take a close look at your complaint data management and response processes. Particular attention should be paid to:

  • Your definition of a complaint
  • How complaints are categorized and classified internally
  • How they are routed for analysis of root cause, formal response, and ultimate resolution  

An effective complaint management system must be able to receive and process complaints from all sources, ranging from complaints issued directly to the bank to complaints from external sources such as regulators, attorneys, the Better Business Bureau, consumer protection groups, web-based sources and social networking media. Complaints, while often troubling, are an opportunity to detect and address UDAAP issues such as false or misleading statements, inaccuracies in disclosures, and excessive and/or previously undisclosed fees. Keep in mind that third-party service providers performing services on behalf of your organization should have conforming processes in place to receive complaints that mirror your own complaint handling processes.

If you have not already taken a hard look at where your organization stands with respect to UDAAP, the time for action is now.