Monday, January 30, 2017

Production Incentives: Protecting the Consumer, plus Compliance Checklist for Production Incentives

Jonathan Foxx
Managing Director

Production incentives have been around since the dawn of modern capitalism, and they are not going anywhere. They go by many names: sales incentives, sales bonuses, compensation bonuses, and any other additional remuneration that is tied to transactions. All of them share a structure: a business objective is tied to a benchmark, employees or service providers are measured against that benchmark, and achieving it earns an increase in wages or some other reward. For the sake of discussion, let’s refer to all such forms of economic inducement collectively as “incentives.”

Typical incentives include cross-selling, where sales or referrals of new products or services are pitched to existing consumers; sales of products or services to new customers; sales at higher prices where pricing discretion exists; quotas for customer calls completed; and collections benchmarks.

Some of these incentives are complex in how they are earned and applied, and in whether participation is optional or required. The challenge they pose is one of the usual conundrums that arise when money and capital formation meet: the opportunity for harm to the consumer. Obviously, incentives offer a way to increase revenue for the seller of products and services. Indeed, in a market economy an incentive can reveal the economic interest of market participants in a particular product or service, as read from consumers’ responses to the offerings. Like so much in finance, incentives are not inherently good or bad; how they are applied makes them so.

The Consumer Financial Protection Bureau (“Bureau”) has decided to weigh in with guidance on production incentives. I am going to provide my reading of the Bureau’s most recent bulletin on this topic, entitled “Detecting and Preventing Consumer Harm from Production Incentives” (Bulletin 2016-03, November 28, 2016, hereinafter “Bulletin”). It is an interesting read, because it endeavors not only to compile guidance that the Bureau has provided in other contexts but also to draw on the Bureau’s supervisory and enforcement experience with incentives that contributed to substantial consumer harm. Importantly, the Bulletin sets out actions that supervised entities should take to mitigate the risks posed by incentives.

This White Paper article is an adjunct to an earlier published web article (December 2016), with further elaboration herein, plus now including a "Compliance Checklist for Production Incentives," which provides some helpful guidelines to creating production incentive plans. The full White Paper, Article, and Compliance Checklist may be downloaded from our firm's website at


The most obvious risk that incentives pose to the consumer is a sales program that gives employees or service providers an enhanced economic motive to pursue overly aggressive marketing, sales, servicing, or collections tactics. Such incentives have always been a feature of sales practices that fail regulatory scrutiny. The Bureau has accordingly taken enforcement action against financial institutions that expected or required employees to open accounts or enroll consumers in services without consent, and against institutions whose employees or service providers misled consumers into purchasing products the consumers did not want, did not know would harm them financially, or did not realize carried an ongoing periodic fee.

Such incentives may trigger one or more regulatory violations. To name only the more salient frameworks, impermissible incentives can give rise to violations of the prohibition on unfair, deceptive, or abusive acts or practices (UDAAP) (Dodd-Frank Act §§ 1031 and 1036(a), codified at 12 USC §§ 5531 and 5536(a)); the Electronic Fund Transfer Act (EFTA), as implemented by Regulation E (15 USC § 1693 et seq.; 12 CFR Part 1005); the Fair Credit Reporting Act, as implemented by Regulation V (15 USC §§ 1681-1681x; 12 CFR Part 1022); the Truth in Lending Act (TILA), as implemented by Regulation Z (15 USC § 1601 et seq.; 12 CFR Part 1026); and the Fair Debt Collection Practices Act (15 USC §§ 1692-1692p). The Bureau itself notes that such violations can bring public enforcement, supervisory actions, private litigation, reputational harm, and the potential alienation of existing and future customers.

Although the list is not meant to be comprehensive, here are some incentive structures that the Bureau identifies as likely to lead to regulatory violations:
  • Opening Accounts: sales goals that encourage employees, either directly or indirectly, to open accounts or enroll consumers in services without their knowledge or consent, which may result in improperly incurred fees, improper collections activities, and/or negative effects on consumer credit scores;
  • Benchmarks: sales benchmarks that encourage employees or service providers to market a product deceptively to consumers who may not benefit from or even qualify for it;
  • Terms or Conditions: paying compensation based on the terms or conditions of transactions (such as interest rate) that encourages employees or service providers to overcharge consumers, to place them in less favorable products than they qualify for, or to sell them more credit or services than they had requested or needed;
  • Tiered Compensation: paying more compensation for some types of transactions than for others that were or could have been offered to meet consumer needs, which could lead employees or service providers to steer consumers to transactions not in their interests; and 
  • Quotas: unrealistic quotas to sign consumers up for financial services may incentivize employees to achieve this result without actual consent or by means of deception.

Thursday, January 12, 2017

Cybersecurity Guidelines – “First-in-the-Nation” Regulation

President & Managing Director


On December 28, 2016, the New York Department of Financial Services (DFS) announced that it had revised its proposed cybersecurity regulations in response to public comments that they would be too burdensome, particularly on smaller institutions. The proposed rules, which were initially announced on September 13, 2016, and set to take effect on January 1, 2017, were billed as a “first-in-the-nation regulation” to protect New York residents from cyberattacks.

The “Cybersecurity Requirements for Financial Services Companies” (the “Regulation”) is promulgated as Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York (23 NYCRR Part 500), and takes effect upon publication in the State Register.[i]

These guidelines would require banks, insurers and other financial services companies regulated by the DFS to set up a cybersecurity program aimed at protecting consumer information from cyberattacks. The revised regulation eases certain reporting and encryption requirements, and exempts small institutions from complying with certain sections of the rule.

The Regulation, as revised, takes effect on March 1, 2017. A 180-day transitional period runs from that effective date, and longer implementation periods of 12, 18, and 24 months are granted for certain requirements. Covered entities will be required to prepare and submit to the DFS an annual Certification of Compliance[ii] with the New York State Department of Financial Services Cybersecurity Regulations, commencing February 15, 2018.

In this article, I will provide a high-level overview of these guidelines. This outline is not meant to be comprehensive. However, I will hit on several salient areas of interest. Expect these requirements to become a model for examination and enforcement in most other states. Lenders Compliance Group has provided risk assessments for cybersecurity, information security, and information technology based on the Federal Financial Institutions Examination Council's (FFIEC) procedures. So, my firm has experience in cybersecurity risk assessments. Given that familiarity, we now are providing an overlay for the DFS cybersecurity requirements that are promulgated in the Regulation.

Cybersecurity Program

Each covered entity – that is, any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, the Insurance Law or the Financial Services Law – must maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s Information Systems.

The Regulation defines a “cybersecurity event” as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system. For purposes of this regulation, an information system is a “discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information,” as well as any specialized system such as industrial and process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

A risk assessment must be conducted by the covered entity and the cybersecurity program must be based on that risk assessment and also be designed to perform the following core cybersecurity functions:
  1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information (“NPI”) stored on the covered entity’s information systems (in shorthand, electronic information that is not publicly available; the Regulation’s actual definition is narrower, covering specified categories of business, personal, and health information);
  2. use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the NPI stored on those information systems, from unauthorized access, use or other malicious acts;
  3. detect cybersecurity events;
  4. respond to identified or detected cybersecurity events to mitigate any negative effects;
  5. recover from cybersecurity events and restore normal operations and services; and
  6. fulfill applicable regulatory reporting obligations. 
A covered entity that has affiliates may adopt a cybersecurity program maintained by an affiliate, provided that the affiliate’s program covers the covered entity’s information systems and NPI and meets the requirements of the Regulation. An affiliate is any Person that controls, is controlled by, or is under common control with another Person. For purposes of the Regulation, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.