
CFPB COMPLIANCE: Interaction Between Compliance Assessments and Systems Issues


Academic year: 2021


(1)

CFPB COMPLIANCE: Interaction Between

Compliance Assessments and Systems Issues

Presented by:

Stefanie H. Jackman

Consumer Financial Services Group

678.420.9490 | jackmans@ballardspahr.com

Trevor Salter

Consumer Financial Services Group

(2)

• Compliance and Ethics Training
• GRC Software Applications
• Hotline and Ethics Reporting
• Code of Conduct Services and Training
• Assessments
• Certifications and Attestations
• Advisory Services

(3)

About Compliance 360® GRC Solutions

• 250,000+ Active Users

• 900,000+ Regulations

• 400,000+ Policies

• 100,000+ Audits & Assessments

• 150,000+ Contracts

Travelers

(4)

Compliance 360 Platform

[Diagram: Compliance 360 GRC Platform. Labels shown: Assessments, Policies, Third Party Risk Mgt., ERM, Internal Audits, Surveys, Content Library, Dashboards & Reports, Tasks, Documents, Meetings, Forums, Workflow, Projects, Email Integration, Search, Virtual Evidence Room, Laws, regulations and requirements]

(5)

Interaction Between Compliance

Assessments and Systems Issues

August 22, 2013

Stefanie Jackman

Consumer Financial Services Group 678.420.9490

jackmans@ballardspahr.com

Trevor Salter

Consumer Financial Services Group 202.661.2224

saltert@ballardspahr.com

(6)

Agenda

Developing A Compliance Management System

- Considerations for assessing compliance
- Reporting exceptions and document fixes
- Importance of written policies and procedures and centralized access
- Importance of documenting employee training and discipline

Potential Risk Areas

- UDAAP
- Marketing and sales
- Employee training and discipline
- Complaint tracking and reporting
- Third party supervision

(7)

Developing a Comprehensive

Compliance Management

System

(8)

Who Is The CFPB Examining First?

• Companies identified by CFPB as presenting a heightened risk to consumers based on:
- Information received from other regulators
- Complaints
- Litigation
- Media

W b i d i l di

(9)

Purpose of Exam Process

• CFPB exams always have two objectives: (1) to determine the adequacy of internal procedures and controls; and (2) to assess substantive compliance.

• Comprehensive analysis of substantive compliance – likely to touch every area of law impacting your company.

• The CFPB’s approach is to request electronic copies of documents and other records, including recorded calls, which its examiners review in order to assess compliance with every potentially applicable statutory or regulatory provision – and some issues may come as a bit of a surprise.

(10)

The need for a compliance management system

• CFPB has made it clear that lenders must have a written compliance management system.

• CFPB’s 900+ page Exam Manual describes the policies and procedures comprising such a system in great detail.

• CFPB has instructed its examiners to request and review the exam target’s policies and procedures. And the CFPB’s “First Day Letters” confirm that they do so.

(11)

System should be risk based

“CFPB examiners should seek to determine whether the board…ha[s]: Allocated resources to the compliance function commensurate with the size and complexity of the entity’s operations and practices, the Federal consumer financial laws and regulations to which the entity is subject, and necessary to avoid the potential consumer harm associated with violations of such laws and regulations” --CFPB Exam Manual

(12)

What should system cover?

• Consumer complaint response
• Training
• Monitoring and corrective action
• Compliance audits
• Third party service provider oversight
• Board oversight
• Policies and procedures addressing applicable consumer protection laws (e.g., TILA, ECOA, EFTA, UDAAP)

(13)

[Diagram: Compliance Management System, with boxes labeled Oversight, Compliance Program, Consumer Complaint Response, Compliance Audit, Training, Monitoring & Corrective Action, and Policies & Procedures. Bullet text from the boxes, in extraction order:]

• Performed by disinterested staff or third parties
• Includes audits and due diligence of third-party service providers
• Define responsibilities of Board and compliance officer
• Assess training deficiencies
• Assess compliance program deficiencies
• Categorizing
• Tracking
• Resolving
• Reporting
• (Includes complaints lodged with or against third-parties)
• New employee
• Refresher
• Ad hoc (new laws/regs)
• Testing
• Review audit reports
• Monitor new laws/regs
• Monitor complaint trends
• Revise compliance program
• Test consumer loan files
• Listen to calls
• Monitor third parties
• Discipline employees
• Include monitoring rights in third party agreements
• UDAAP
• ECOA
• Military issues (SCRA, Talent)
• EFTA
• Privacy
• Red flags

(14)

Consumer complaint response

• Documenting
• Tracking
• Responding
• Observing trends

• Reporting trends to management

• Using complaint data to improve procedures, disclosures,

t i i t

(15)

Monitoring and Corrective Action

• Listening to calls to consumers (marketing/servicing/collection, etc.)
• Auditing loan files
• Mystery shopping by phone or in branch/store
• Background checks on employees

• Corrective action

T i ti

(16)

Audience Polling Question

How is your organization currently tracking consumer complaints?

(17)

Employee Training and Discipline

• Compliance management system can be used to train employees throughout organization:

- Branch/store employees (TILA, ECOA, UDAAP)
- Collectors (FDCPA, UDAAP)
- Marketing staff (TILA, UDAAP)
- Operations (EFTA, TILA)
- All employees (data security, privacy)

• Need to demonstrate that employees are required to perform according to policies and procedures

(18)

Third Party Service Provider Oversight

• Under the CFPB’s service provider bulletin, potential exists that an entity may be held liable for UDAAP violations by a service provider

• Bulletin 2012-03 identifies several specific things that supervised entities must do with respect to service providers:

- Initial due diligence
- Review of policies, procedures and training (remote and on-site)
- Include compliance-related provisions in contract
- Monitoring and controls to prevent/detect compliance violations
- Taking remedial action as appropriate

(19)

Board Oversight

• Appoint chief compliance officer
• Review compliance reports
• Review audits
• Analyze complaints
• Monitor for new laws and regulations

(20)

Compliance audits

• Conduct regular self assessments from consumer satisfaction/confusion perspective

• Performed by third parties/outside counsel or disinterested staff from another area of operations

• Report results to Board

• Using audit data to improve procedures, disclosures, training, etc.

• Pay attention to customer complaints and encourage customers to submit them to you, not the CFPB

(21)
(22)

UDAAP Compliance

- A practice does not need to be illegal/improper under applicable law or cause actual harm to be deemed a UDAAP violation

- To evaluate for UDAAP, need to adopt consumer’s perspective:

• How does the consumer encounter your products or process

(23)

Identifying UDAAP Risks

• Consumer complaints
• CFPB/regulatory consent orders
• Consumer blogs
• Consumer groups
• Attorneys General

• Private class action litigation

(24)

Marketing & Advertising

• Bank regulators want to know that all marketing has been reviewed for accuracy, truthfulness and that all claims have been substantiated

• When disclosures are necessary, then the disclosures must be at least clear and conspicuous – the “4 Ps”

- PROMINENCE: Is the disclosure big and clear enough for consumers to notice and read?

- PRESENTATION: Is the wording and format easy for consumers to understand?

- PLACEMENT: Is the disclosure where consumers would expect it?

- PROXIMITY: Is the disclosure within or close to the claim it

(25)

Hot Issues in Marketing of Financial Products

• Introductory or teaser rates

• “Up to” claims

• Failing to put claims into proper context (i.e., UDAAP is determined by looking at the totality of the ad)

- Particular problem with social media

• Telemarketing

- The demise of outbound

- Scripting, scripting, scripting

• Ensuring disclosure standard is met across platforms (i.e., li bil t bl t t )

(26)

Add-on Products

• Add-on products have perennially been an area of regulatory focus

• The underlying themes in this area have been relatively constant across product lines (closed-end loans, credit card accounts, auto RISCs), and these areas form the basis for UDAAP compliance with respect to add-on products:

• Consumer not informed that product is voluntary

• Inadequate disclosure of cost of product

• Inadequate disclosure of cancellation rights (or resistance to cancellation through retention efforts)

(27)

Debt Collection

• Quality of account documentation used to collect on debt (AMEX, Asset Acceptance, FTC Debt Buying Report, subject of many CIDS)

• Failing to investigate accuracy of debts/verify debts

• Contract provisions speaking to representations or warranties as to accuracy of account information purchased

• Internal handling of data to ensure accuracy and integrity (dual systems)

• Misleading statements of impact of payment on credit score/creditworthiness

(28)

Debt Collection

• Authentication of debts and account records under the business records rule

• Consumer complaints alleging inaccurate information, and responses to those complaints (including FCRA disputes)

• Threatening actions do not intend/do not take in regular course

• Failing to report debts as disputed to credit bureaus

• Failing to disclose convenience fees

• Recent bulletins re: FDCPA applies to first party collectors and service providers

(29)

Privacy

• UDAAP and Privacy

- Practices that are inconsistent with privacy policy are “deceptive”

- Practices that are consistent with privacy policy, but nevertheless cause substantial consumer harm that consumers cannot avoid, may be considered “unfair.”

• Website and mobile privacy policy

- Due diligence is critical: Understand how site or app actually works and what information is collected

- Be transparent about what information is being used

• Engagement in social media sites

- Customer information posted on company social media pages/sites will be used/collected

(30)

Data Security

• UDAAP and Data Security

- Not protecting information in a reasonable manner could be considered deceptive or unfair.

- Avoid absolutes (e.g. “100% secure,” “always,” etc.)

• Employee and management training

- 3 Categories of Controls: administrative, physical, technical

• Special considerations when selecting and overseeing service providers and affiliates

(31)

Fair Lending Risks and Monitoring

Advertising/marketing

Product steering

Discretion in underwriting/servicing/collection

Employee/dealer/service provider incentive

compensation

Employee training on access options for disabled

persons

Service providers, especially in collections

(32)

Role of Outside Counsel

When should you consider retaining outside counsel?

• Reactive

- Internal: when internal audit or fact-finding reveals policy or performance gaps

- External: when customer complaints or regulator inquiry (e.g. exam) reveals policy or performance gaps

• Proactive

- When creating a new or innovative financial product, channel, or marketing method

(33)

Audience Polling Question

Would you like to learn how Ballard Spahr LLP or SAI Global can assist with your compliance initiatives? (select all that apply)

(34)

Resources

CFPB Monitor

Subscribe to our ABA award-winning blog at www.CFPBMonitor.com.

E-Alerts

Subscribe at www.ballardspahr.com (click “subscribe” and choose Consumer Financial Services or Labor & Employment as your area of interest).

Mortgage Banking Update

Subscribe at www.ballardspahr.com (click “subscribe” and choose Mortgage Banking as your area of interest).

(35)

Additional Resources

Educational Webinars: www.compliance360.com/webinars

Banking Demo Series:

• Part 1: CFPB / UDAAP Compliance Self-Assessments Automated in Compliance 360

• Part 2: CFPB / UDAAP Risk Assessments Automated in Compliance 360

• Part 3: Complaint Management Automated in Compliance 360

Enterprise Risk Management for Banks - Automated in Compliance 360

li 360 / bd

(36)

CFPB COMPLIANCE: Interaction Between

Compliance Assessments and Systems Issues

Presented by:

Stefanie H. Jackman

Consumer Financial Services Group

678.420.9490 | jackmans@ballardspahr.com

Trevor Salter
