RISK MANAGEMENT UPDATE Lessons [To Be] Learned from Recent Enforcement Actions




Presented by: Dixie K. Hieb and Robb Schlimgen
Davenport, Evans, Hurwitz & Smith, LLP
www.dehs.com
2014 Davenport, Evans, Hurwitz & Smith, LLP

Banking Risk Management
- Banking Risks
- Risk Management Systems
  - Objectives
  - Components
  - Role of Board and Management
- Recent Enforcement Actions

BANKING RISK
The potential that events, expected or unanticipated, may have a negative impact on a bank's earnings or capital.

Banking Risks
- Credit
- Interest rate
- Liquidity
- Foreign currency translation
- Price
- Transaction
- Compliance
- Strategic
- Reputation

Risk Management Systems
Community banks today offer a wide array of new and complex products and services. Therefore, risk management systems in community banks will vary in accordance with the complexity and volume of risk a bank assumes. (Comptroller's Handbook)

Risk Management System Objectives
- Identify risk
- Measure risk
- Monitor risk
- Control risk

Identify Risk (Risk Management Systems)
- Existing risks
- Risks from new business initiatives
- Risks from external market forces
- Risks due to regulatory or statutory changes
- Requires continuing process
- Transaction and portfolio levels

Measure Risk (Risk Management Systems)
- Accurate and timely measurement
- Sophisticated measurement tools based on complexity
- Testing as to accuracy of measurement tools
- Transaction and portfolio levels

Monitor Risk (Risk Management Systems)
- Review of risk positions and exceptions
- Timely, accurate, and informative
- Distributed to appropriate individuals
- Encompass all geographies, products, and related entities

Control Risk (Risk Management Systems)
- Establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority
- Risk limits should be subject to adjustment
- Authorize and document exceptions and changes to risk limits

Role of Board and Management Understand Risks Provide Appropriate Guidance Monitor Exposures Make Personnel Decisions/Delegate Senior Management Implement Policies Develop Risk Monitoring/Reporting Tools Report Risk Exposures to the Board Attract and Develop Personnel

Risk Management System Components
- Policies
  - Written statement regarding commitment to certain result
  - Set standards - risk tolerances
  - Recommend courses of action
- Processes
  - Procedures, programs, and practices
  - Imposes order on pursuit of objectives
  - Defines how daily activities are conducted
  - Governed by checks and balances - internal controls

Risk Management System Components
- Personnel
  - Staff and managers that execute or oversee processes
  - Qualified and competent
  - Understand bank's mission, values, policies, and processes
  - Appropriate compensation programs
- Control Systems
  - Tools and information systems
  - Measure performance
  - Make decisions about risk
  - Assess effectiveness of processes
  - Feedback timely, accurate, and pertinent
  - Appropriate to level and complexity of risk

ENFORCEMENT ACTIONS

Fair Lending Overview
- Fair lending: consistent, objective and unbiased treatment of all consumers without regard to any basis prohibited by law (e.g., race, gender, age, marital status)
- Fair lending laws and regulations apply to:
  - All credit products and services for both consumer and business purposes
  - Entire loan life cycle, including servicing and collections
- Two primary federal laws
  - ECOA/Regulation B
  - Fair Housing Act (FHA)

Legal Theories of Discrimination
- Overt Discrimination: Direct evidence that lender intentionally discriminated on prohibited basis or expressed discriminatory preference, even without acting on that preference.
- Disparate Treatment: Circumstantial evidence that lender intentionally treated similarly situated person differently on prohibited basis.
- Disparate Impact: Evidence that lender applied a neutral policy or practice uniformly to all credit applicants, but policy or practice has disproportionately adverse impact on members of protected class without sufficient business justification.

Fair Lending Areas
- Mortgage lending
- Indirect auto finance (dealer finance charge participation)
- Student lending (cohort default rates)
- Servicing, collections and loss mitigation (discretionary decisions)

United States of America v. Wells Fargo Bank, NA (DOJ 2012)
Taglines: Fair Lending; Discretionary Loan Pricing
DOJ alleged that Bank's policies allowed discretion to:
- Place African-American and Hispanic borrowers in nonprime loan products, even when borrower could have qualified for prime loan product.
  - Loan officer received higher compensation for nonprime loan.
- Charge African-American and Hispanic borrowers higher rates and fees on mortgages as compared to white borrowers with similar credit profiles.
  - Mortgage brokers submitting loans to Bank's wholesale channel could vary interest rates and fees, unrelated to borrower's credit risk.
DOJ charged that these policies resulted in African-American and Hispanic borrowers being placed in nonprime products with higher rates and paying higher interest rates and fees than similarly situated white borrowers.

United States of America v. Wells Fargo Bank, NA (DOJ 2012)
Taglines: Fair Lending; Discretionary Loan Pricing
- $234.3 million in restitution
  - $59.3 million to African-American and Hispanic retail subprime borrowers
  - $125 million to wholesale borrowers who were allegedly steered into subprime mortgages or who allegedly paid higher fees and rates than white borrowers because of their race or national origin
  - $50 million in direct down payment assistance to borrowers in 8 specified communities

United States of America v. Wells Fargo Bank, NA (DOJ 2012)
Lessons Learned: Eliminate Discretionary Pricing and Monitor Impact
- Prohibit lender compensation based on terms of loan
- Limit lender pricing discretion
- Permit lender-paid compensation to brokers only in set amount per loan
- Provide comprehensive fair lending training to management and employees

In the Matter of Ally Financial Inc. and Ally Bank (DOJ and CFPB December 2013)
Taglines: Fair Lending, Indirect Auto Lending
- Investigation focused on ECOA violations in connection with Ally's pricing of auto retail installment contracts.
- Ally used proprietary underwriting model to establish buy rate reflecting minimum interest rate at which Ally would finance contract.
- Dealers had discretion to mark up interest rate above buy rate.
- Dealer mark-up was shared by Ally with dealers.

In the Matter of Ally Financial Inc. and Ally Bank (DOJ and CFPB December 2013)
Taglines: Fair Lending, Indirect Auto Lending
- Ally violated ECOA by charging African-American, Hispanic, and Asian and Pacific Islander borrowers higher dealer markups than similarly situated non-Hispanic white borrowers.
- Damages of $80 million to harmed borrowers
- Civil money penalty of $1.8 million

In the Matter of Ally Financial Inc. and Ally Bank (DOJ and CFPB December 2013)
Lessons Learned: Loan Policy
If discretionary policy, must include:
1) Limits on maximum rate spread
2) Notices to dealers:
   - ECOA
   - Expectations regarding compliance
   - Obligations regarding non-discriminatory pricing
3) Analysis of pricing disparities on prohibited basis
OR
Adopt non-discretionary dealer compensation plan

In the Matter of First Trust & Savings Bank (FDIC 2013)
Taglines: Fair Lending, Individual Credit
- In connection with certain loans, First Trust & Savings Bank of Moville, Iowa, required executed Declaration of Partnership.
- Order does not provide details regarding content of Declaration, but it was apparently required to be executed by borrower's spouse.
- Order requires Bank to determine whether spouses intended to seek joint credit, release spouses who did not intend to seek joint credit, modify or re-execute loan documentation, and void and otherwise cease use of Declaration of Partnership.
- $12,500 civil money penalty

In the Matter of First Trust & Savings Bank (FDIC 2013)
Lessons Learned: Application for Individual Credit Cannot Require Information on Spouse
- Consider spouse only in joint credit application and loan documentation
- Do not require spouse's signature unless joint application or jointly owned property secures loan

United States of America v. Four Oaks Fincorp, Inc. and Four Oaks Bank and Trust Company (DOJ 2013)
Taglines: Know Your Customer, Third-Party Payment Processors
- Operation Choke Point is a joint effort by DOJ, FDIC, and CFPB at choking off short-term lenders from the financial system.
- DOJ is scrutinizing national, regional, and community banks to determine whether they, in exchange for fee revenue, partnered with online payday lenders who engage in illegal lending practices.
- DOJ has issued subpoenas to more than 50 banks and payment processors, with additional subpoenas and criminal or civil actions anticipated.

United States of America v. Four Oaks Fincorp, Inc. and Four Oaks Bank and Trust Company (DOJ 2013)
Taglines: Know Your Customer, Third-Party Payment Processors
- Four Oaks entered into 5-year agreement with third-party payment processor under which Four Oaks sponsored third-party payment processor so payment processor would have direct access to Federal Reserve to undertake ACH transactions.
- 97% of payment processor's merchants were Internet payday lenders.
- DOJ alleged that Bank was in a position to know that Internet payday lenders operated in manner inconsistent with federal consumer protection laws.

United States of America v. Four Oaks Fincorp, Inc. and Four Oaks Bank and Trust Company (DOJ 2013)
Taglines: Know Your Customer, Third-Party Payment Processors
- Four Oaks ordered to engage in extensive due diligence in regards to both third-party payment processors and their merchants.
- Due diligence required on certain high-risk merchants as if the merchant was a direct customer.
- Forfeiture of $200,000
- Civil money penalty of $1 million

United States of America v. Four Oaks Fincorp, Inc. and Four Oaks Bank and Trust Company (DOJ 2013)
Lessons Learned: Develop Strong Know Your Customer Policies and Procedures
- Must conduct meaningful know-your-customer analysis by collecting sufficient information to determine if client poses threat of criminal or improper conduct.
- Examples of information banks should be collecting:
  - Purpose of account
  - Actual and anticipated activity
  - Nature of client's business
  - Client's location
  - Types of products and services client intends to offer

United States of America v. Four Oaks Fincorp, Inc. and Four Oaks Bank and Trust Company (DOJ 2013)
Lessons Learned: Additional Due Diligence for Payment Processors
If customer is third-party payment processor, additional due diligence is required:
- Review promotional materials to determine target clientele
- Determine whether payment processor re-sells its services
- Review payment processor's policies and procedures to determine adequacy of merchant due diligence
- Review main lines of business and return volumes for payment processor's merchants
- Require that payment processor provide bank with information about its merchants so bank can confirm that merchants are operating legitimate businesses

United States of America v. Four Oaks Fincorp, Inc. and Four Oaks Bank and Trust Company (DOJ 2013)
Lessons Learned: ACH High Risk
- Payday lenders
- Lenders located in foreign countries or affiliated with Native American tribes
- Difficult to identify actual merchant due to corporate structure
- High chargeback rates
- Other high-risk ACH customers include mail order and telephone order companies, telemarketing companies, illegal online gambling operations, and adult entertainment businesses

In the Matter of Discover Bank (FDIC and CFPB September 2012)
Taglines: Board Oversight, Add-On Products, Telemarketing
- Regulators contended Discover contracted with telemarketers to conduct outbound sales calls for add-on credit card products, including Payment Protection, Identity Theft Protection, and Credit Score Tracker. Discover also used in-house telemarketers.
- Telemarketing scripts contained material misrepresentations and omissions.
- Telemarketers spoke more rapidly when giving mandatory disclosures and downplayed disclosures.

In the Matter of Discover Bank (FDIC and CFPB September 2012)
Taglines: Board Oversight, Add-On Products, Telemarketing
- Finding that Discover engaged in deceptive acts and practices in violation of Section 5 of FTC Act and Sections 1031 and 1036 of CFP Act
- Restitution of at least $200 million
- Civil money penalty of $14 million

In the Matter of Discover Bank (FDIC and CFPB September 2012)
Lessons Learned: Board Oversight Required
Board of Directors must:
- Participate fully in oversight of compliance management system
- Take full responsibility for policies and procedures
- Ensure adequate supervision of compliance-related activities

In the Matter of Discover Bank (FDIC and CFPB September 2012)
Lessons Learned: Telemarketing Program
When soliciting by telephone:
(1) Comply with Telemarketing Sales Rule
(2) Promptly state that purpose of call is to determine interest in product
(3) Prior to purchase disclose total cost of product and how fees will be calculated or assessed
(4) Prior to purchase disclose all material conditions, benefits, and restrictions relating to product
(5) Disclose that purchase is optional

In the Matter of Discover Bank (FDIC and CFPB September 2012)
Lessons Learned: Telemarketing Program
(6) Explain restrictions on eligibility (e.g., for Payment Protection Plan - unemployed, self-employed, pre-existing medical, etc.)
(7) Make all disclosures at reasonable speed
(8) Require consumer acknowledgement that purchase is voluntary and consumer wishes to purchase
(9) Provide detailed post-purchase disclosures (e.g., charges, cancellation policy, refund policy)
(10) Follow telephone purchase with detailed written disclosure and disclose on next 3 periodic statements

In the Matter of JP Morgan Chase Bank, N.A. and Chase Bank USA, N.A. (CFPB September 2013)
Taglines: Add-On Products, Vendor Management, UDAAP
- CFPB contended that Chase sold Identity Protection Products as add-on feature for credit cards and to Bank customers.
- Chase could not provide Identity Protection Service until it had customer's written authorization to obtain customer's credit report.
- Chase billed customers full monthly fees even if authorization was not obtained and Chase was unable to access customer's credit report to provide Identity Protection Service.

In the Matter of JP Morgan Chase Bank, N.A. and Chase Bank USA, N.A. (CFPB September 2013)
Taglines: Add-On Products, Vendor Management, UDAAP
- CFPB determined that Chase unfairly billed customers.
- Refund estimated $309 million to over 2.1 million Chase customers
- Civil money penalty of $20 million

In the Matter of JP Morgan Chase Bank, N.A. and Chase Bank USA, N.A. (CFPB September 2013)
Lessons Learned: Written UDAAP Policy for Add-On Products
1) Require annual written analysis of:
   - Any changes to existing add-on products that are at high risk for UDAAP
   - Any new add-on products considered to be at high risk for UDAAP
2) Analysis must cover:
   - Assessment of UDAAP risk for product at every stage
   - Evaluation of adequacy of bank's internal controls and policies and procedures to identify, measure, monitor, and control UDAAP risk

In the Matter of JP Morgan Chase Bank, N.A. and Chase Bank USA, N.A. (CFPB September 2013)
Lessons Learned: Written UDAAP Policy for Add-On Products
3) Ongoing policies and procedures:
   - Training of bank employees and vendor agents on federal law and bank's policies and procedures
   - Identifying and reporting violations to bank's specified executive risk manager
   - Ensure risk management, internal audit, and corporate compliance programs have requisite authority and status to conduct reviews to identify and remedy deficiencies

In the Matter of JP Morgan Chase Bank, N.A. and Chase Bank USA, N.A. (CFPB September 2013)
Lessons Learned: Vendor Management Policy
- Due diligence: analyze vendor's ability to perform in compliance with law and bank's policies and procedures
  - Marketing
  - Sales
  - Delivery
  - Servicing
  - Fulfillment
- Periodic onsite review
  - Controls
  - Performance
  - Information systems

In the Matter of JP Morgan Chase Bank, N.A. and Chase Bank USA, N.A. (CFPB September 2013)
Lessons Learned: Vendor Management Policy (cont.)
Written contract setting forth responsibilities of each party, especially:
- Vendor's specific performance responsibilities and duty to maintain adequate internal controls
- Vendor's responsibilities and duty to provide adequate training on applicable law and bank's policies and procedures
- Granting bank authority to conduct periodic onsite reviews of vendor's controls, performance, and information systems
- Bank's right to terminate contract if Vendor routinely fails to comply with contract terms

In the Matter of American Express Centurion Bank (FDIC, OCC, and CFPB December 2013)
Taglines: Add-On Products, Vendor Management, Spanish Marketing
- Regulators contended that three American Express subsidiaries and their vendors and telemarketers sold credit card add-on products, including payment protection product called Account Protector.
- American Express also marketed its Lost Wallet as being able to assist card members in Puerto Rico with cancelling and replacing lost or stolen cards.

In the Matter of American Express Centurion Bank (FDIC, OCC, and CFPB December 2013)
Taglines: Add-On Products, Vendor Management, Spanish Marketing
- Finding that (1) Bank's compliance monitoring and vendor management resulted in ineffective oversight that failed to prevent, identify, or correct improper practices, (2) Bank and its vendors and telemarketers engaged in misleading and deceptive tactics regarding payment protection products, and (3) Bank engaged in unfair billing practices for identity protection products.
- Restitution of approximately $59.5 million to more than 335,000 consumers
- Civil money penalties:
  - CFPB $9.6 million
  - FDIC $3.6 million
  - OCC $3 million

In the Matter of American Express Centurion Bank (FDIC, OCC, and CFPB December 2013)
Lessons Learned: Spanish Marketing
When marketing in language other than English:
- Provide uniform telemarketing scripts for those calls
- Provide written materials in same language

In the Matter of Bank of America, N.A. and FIA Card Services, N.A. (OCC and CFPB 2014)
Taglines: Add-On Products, Vendor Management
- Bank of America marketed credit card add-on products, including payment protection and identity theft products.
- Regulators contended that (1) telemarketing scripts contained misstatements and telemarketers often went off script, making misleading sales pitches and omitting pertinent information, and (2) due to inability to obtain consumers' credit reports, consumers were billed when they did not receive identity theft protection services.

In the Matter of Bank of America, N.A. and FIA Card Services, N.A. (OCC and CFPB 2014)
Taglines: Add-On Products, Vendor Management
- CFPB Consent Order
  - $268 million restitution to 1.4 million customers for deceptive marketing
  - $20 million civil money penalty
- OCC Consent Orders
  - $459 million restitution to 1.5 million consumers enrolled in credit monitoring products
  - $25 million civil money penalty

In the Matter of Bank of America, N.A. and FIA Card Services, N.A. (OCC and CFPB 2014)
Lessons Learned: YOU SHOULD KNOW THIS BY NOW!!!

For more information contact:
Dixie K. Hieb, (605) 357-1277, dhieb@dehs.com
Robb Schlimgen, (605) 357-1296, rschlimgen@dehs.com
2014 Davenport, Evans, Hurwitz & Smith, LLP