Tuesday, November 6, 2012

CFPB: Compliance Management System

On October 31, 2012, the CFPB published the first issue of its Supervisory Highlights: Fall 2012, a newsletter to the public and the financial services industry about its examination program, including the concerns that it finds during the course of its completed work and the remedies that it has obtained for consumers who have suffered financial or other harm.
It is written as an Executive Summary, and it will not refer to any specific institution. But it will "signal to all institutions the kinds of activities that should be carefully scrutinized for compliance with the law."
According to the CFPB, it has already taken non-public supervisory actions against financial institutions participating in the credit card, credit reporting, and mortgage markets, confirming "remedial relief" to 1.4 million consumers, and causing the affected financial institutions to correct illegal practices. Importantly, and as a consequence of the CFPB's examinations and actions, financial institutions were required to adopt effective policies and procedures to ensure that violations do not recur and, especially, to implement a robust Compliance Management System (CMS).
The CFPB maintains that an effective CMS is a "critical component of a well-run financial institution."
After a brief discussion about the CMS concept, I should like to outline these three significant findings derived from the CFPB's examinations:
- Comprehensive CMS Deficiencies Found Through CFPB Supervisory Activities
- Deficiencies Related to Failure to Oversee Affiliate and Third-party Service Providers
- Deficient Fair Lending Compliance Programs
Compliance Management Systems
I consider the term Compliance Management System to be a proxy for the term mortgage risk management. Our firm was founded on the premise that such risk management was the best way to ensure a financial institution's safety and soundness with respect to mortgage banking. At the time, there was only the term "risk management", a catch-all term that was overly broad. So I coined the term "mortgage risk management" to bring mortgage compliance into greater focus, expertise, and application.
Over the years, the prudential regulators and state banking departments have included much guidance in preparedness for their mortgage banking examinations. And now the CFPB has further elaborated the crucial and central importance of managing risk and examination readiness. As recently as July 2012, I published a magazine article about The Rules of Operational Risk, in order to bring into strong relief the practical matters and unique circumstances of mortgage risk management.
The CFPB's conception of a well-conceived CMS is certainly consistent with the foundational features of mortgage risk management.
Both the CFPB and mortgage risk management require effective internal controls and oversight, training, internal monitoring, consumer complaint response, independent testing and audit, third-party service provider oversight, recordkeeping, product development and business acquisition, and marketing practices.
Mortgage risk management and the CMS both expect the development, maintenance, and integration of mortgage compliance practices across a financial institution's framework and applied to its entire loan product and service lifecycle.
As the CFPB states:
"Without such a system, serious and systemic violations of Federal consumer financial law are likely to occur. Further, a financial institution with a deficient CMS may be unable to detect its own violations. As a result, it will be unaware of resulting harm to consumers, and will be unable to adequately address consumer complaints."
Comprehensive CMS Deficiencies
The CFPB has issued findings for financial institutions lacking an effective CMS across the entire consumer financial portfolio, or in which the company failed to adopt and follow comprehensive internal policies and procedures. In these instances, the finding held that this condition resulted in "a significant breakdown in compliance and numerous violations of Federal consumer financial law."
The corrective action required adopting appropriate policies and procedures and establishing an effective CMS to ensure legal compliance, which had to include the "enhancement" of the financial institution's regulatory knowledge and expertise to help ensure proper monitoring of business activities and prompt identification of potential risks to consumers.
In this regard, educating and training employees in a company's policies and procedures should be fully implemented and routinely followed. I suggest a schedule of on-going education and training modules, given to both new hires and all active, affected personnel.
Keep in mind that the CFPB will examine not only the policies and procedures and their communication to employees but also management's inclination to be proactive or passive, preemptive or complacent, knowledgeable or disinterested. According to the CFPB, a financial institution’s CMS is “inadequate” where appropriate policies have been adopted, but management fails to take measures to ensure compliance with those policies.
In a typical CMS examination, the CFPB evaluates both the understanding and application of the financial institution’s compliance management program by its managers and employees. The CFPB has stated that it has found "one or more situations in which the financial institution had articulated many elements of an appropriate compliance policy, but the policy was not followed."

I find such absence of follow-through simply inexcusable. What good are policies and procedures if they are not followed? Policies that lack enforcement are no more than the pabulum of confirmation bias and denial. In the CFPB's view, it is axiomatic that a failed CMS will occur "where the necessity of an effective CMS is not fully appreciated by management or employees of the financial institution, or where a compliance department is not given access to the information, resources, and personnel necessary to carry out its compliance duties."
Failure to Oversee Affiliate and Third-party Service Providers
The CFPB places oversight of service providers as a key component of an effective CMS, and expects companies to have an effective process for managing the risks of those relationships to ensure compliance with applicable Federal consumer financial law.
This means that the responsibility of the company reaches to the management of its service provider relationships. "The mere fact that a financial institution enters into a business relationship with a service provider does not absolve the financial institution of responsibility for complying with Federal consumer financial law and does not give it license to 'turn a blind eye' to violations of Federal consumer financial laws and regulations by the entity that is acting on its behalf," states the CFPB.
The CFPB has noted instances in which a financial institution has not established a "comprehensive service provider management program" or failed to effectively manage service providers acting on its behalf to ensure compliance with Federal consumer financial law. During a CFPB examination, we have found that the trail to this finding tracks through the lack of coordination between the company and its service provider in such intrinsic areas as how they handle their correspondence with consumers and contact with the public.
Instead of waiting for the CFPB to direct a company to develop and implement a comprehensive program that ensures the service providers’ compliance with Federal consumer financial law, such programs should be developed now, including risk-based procedures governing the retention and monitoring of service provider relationships, as well as policies and procedures to monitor and test for compliance with Federal consumer financial law by service providers acting on behalf of the financial institution.
Deficient Fair Lending Compliance Programs
In order to avoid potential fair lending compliance issues, the CFPB expects every financial institution to establish fair lending policies, procedures and internal controls to ensure that it is operating in compliance with the Equal Credit Opportunity Act (ECOA), and its implementing Regulation B, in all of the company’s relevant lines of business.
In conducting CFPB readiness and actual examinations, my firm has found that the appropriate fair lending program will vary from company to company, depending on the firm's size, complexity, and risk profile. We do know that the CFPB’s examiners have derived the common features of well-developed fair lending compliance programs. Here are a few, as also noted in the Supervisory Highlights.
- An up-to-date fair lending policy statement.
- Regular fair lending training for all employees involved with any aspect of the financial institution’s credit transactions, as well as all company officers, Board of Directors, and members of management.
- On-going monitoring for compliance with fair lending policies and procedures.
- On-going monitoring for compliance with other policies and procedures that are intended to reduce fair lending risk (such as controls on loan originator discretion).
- Review of lending policies for potential fair lending violations, including potential disparate impact.
- Depending on the size and complexity of the financial institution, regular statistical analysis of loan data for potential disparities on a prohibited class basis in pricing, underwriting, or other aspects of the credit transaction.
- Regular assessment of the marketing of loan products.
- Meaningful oversight of fair lending compliance by management and, where appropriate, the company’s Board of Directors.
The CFPB has found instances in which financial institutions lack any formal fair lending compliance system or in which they have implemented fair lending compliance systems that are sufficient with respect to some product lines, but exclude compliance oversight for other major lending products.
In such situations, the CFPB has directed the company to establish fair lending compliance programs commensurate with the size and complexity of the financial institution and its lines of business.
If fair lending violations have occurred, the CFPB has directed remediation that included (1) adoption of comprehensive policies and procedures, (2) allocation of sufficient resources to employee training and oversight, and (3) review of adverse action letters to ensure they provide applicants with the required information.
According to the CFPB, in some cases financial institutions have been directed to expand their internal fair lending regression analysis, monitor compliance through special reports and certifications, or take other steps to address the potential existence of discrimination against applicants on a prohibited basis and to verify full compliance with the ECOA.
Consumer Financial Protection Bureau
 Supervisory Highlights: Fall 2012 
Executive Summary
*Jonathan Foxx is the President & Managing Director of Lenders Compliance Group