CFPB COMPLIANCE: Interaction Between Compliance Assessments and Systems Issues Presented by: Stefanie H. Jackman Consumer Financial Services Group 678.420.9490 jackmans@ballardspahr.com Trevor Salter Consumer Financial Services Group 202.661.2224 saltert@ballardspahr.com
GRC Software Applications Compliance and Ethics Training Hotline and Ethics Reporting Code of Conduct Services and Training Assessments Certifications and Attestations Advisory Services Compliance 360 GRC Software
About Compliance 360 GRC Solutions 250,000+ Active Users 900,000+ Regulations 400,000+ Policies 100,000+ Audits & Assessments 150,000+ Contracts ZERO Software Travelers
Compliance 360 Platform Surveys Assessments Policies Third Party Risk Mgt. ERM Internal Audits Dashboards & Reports Content Library Workflow Email Integration Search Tasks GRC PLATFORM Documents Projects Forums Meetings Virtual Evidence Room Laws, regulations and requirements Incidents Privacy Breaches Claims Audits Claims Denials SOX
Interaction Between Compliance Assessments and Systems Issues August 22, 2013 Stefanie Jackman Consumer Financial Services Group 678.420.9490 jackmans@ballardspahr.com Trevor Salter Consumer Financial Services Group 202.661.2224 saltert@ballardspahr.com Copyright 2013 by Ballard Spahr LLP
Agenda Developing A Compliance Management System - Considerations for assessing compliance - Reporting exceptions and document fixes - Importance of written policies and procedures and centralized access - Importance of documenting employee training and discipline Potential Risk Areas - UDAAP - Marketing and sales - Employee training and discipline - Complaint tracking and reporting - Third party supervision - Record retention and information security
Developing a Comprehensive Compliance Management System
Who Is The CFPB Examining First? Companies identified by CFPB as presenting a heightened risk to consumers based on: - Information received from other regulators - Complaints - Litigation - Media - Web postings and social media
Purpose of Exam Process CFPB exams always have two objectives: (1) to determine the adequacy of internal procedures and controls; and (2) to assess substantive compliance. Comprehensive analysis of substantive compliance likely to touch every area of law impacting your company. The CFPB's approach is to request electronic copies of documents and other records, including recorded calls, which its examiners review in order to assess compliance with every potentially applicable statutory or regulatory provision, and some issues may come as a bit of a surprise.
The need for a compliance management system CFPB has made it clear that lenders must have a written compliance management system. CFPB's 900+ page Exam Manual describes the policies and procedures comprising such a system in great detail. CFPB has instructed its examiners to request and review the exam target's policies and procedures. And the CFPB's First Day Letters confirm that they do so.
System should be risk based CFPB examiners should seek to determine whether the board ha[s]: Allocated resources to the compliance function commensurate with the size and complexity of the entity's operations and practices, the Federal consumer financial laws and regulations to which the entity is subject, and necessary to avoid the potential consumer harm associated with violations of such laws and regulations --CFPB Exam Manual
What should system cover? Consumer complaint response Training Monitoring and corrective action Compliance audits Third party service provider oversight Board oversight Policies and procedures addressing applicable consumer protection laws (e.g., TILA, ECOA, EFTA, UDAAP)
Compliance Management System: Oversight, Compliance Program, Consumer Complaint Response, Compliance Audit
Oversight: Define responsibilities of Board and compliance officer; Assess training deficiencies; Assess compliance program deficiencies; Review audit reports; Monitor new laws/regs; Monitor complaint trends; Revise compliance program
Training: New employee; Refresher; Ad hoc (new laws/regs); Testing
Monitoring & Corrective Action: Test consumer loan files; Listen to calls; Monitor third parties; Discipline employees; Include monitoring rights in third party agreements
Policies & Procedures: UDAAP; ECOA; Military issues (SCRA, Talent); TILA; Collections/FDCPA; Data security/document retention; Bankruptcy; EFTA; Privacy; Red flags; TCPA; ADA; FCRA
Consumer Complaint Response: Categorizing; Tracking; Resolving; Reporting (Includes complaints lodged with or against third-parties)
Compliance Audit: Performed by disinterested staff or third parties; Includes audits and due diligence of third-party service providers
Consumer complaint response Documenting Tracking Responding Observing trends Reporting trends to management Using complaint data to improve procedures, disclosures, training, etc.
Monitoring and Corrective Action Listening to calls to consumers (marketing/servicing/collection, etc.) Auditing loan files Mystery shopping by phone or in branch/store Background checks on employees Corrective action Termination
Audience Polling Question How is your organization currently tracking consumer complaints? (select all that apply)
Employee Training and Discipline Compliance management system can be used to train employees throughout organization: - Branch/store employees (TILA, ECOA, UDAAP) - Collectors (FDCPA, UDAAP) - Marketing staff (TILA, UDAAP) - Operations (EFTA, TILA) - All employees (data security, privacy) Need to demonstrate that employees are required to perform according to policies and procedures
Third Party Service Provider Oversight Under the CFPB's service provider bulletin, potential exists that an entity may be held liable for UDAAP violations by a service provider Bulletin 2012-03 identifies several specific things that supervised entities must do with respect to service providers: - Initial due diligence - Review of policies, procedures and training (remote and on-site) - Include compliance-related provisions in contract - Monitoring and controls to prevent/detect compliance violations - Taking remedial action as appropriate Special concerns for technology providers
Board Oversight Appoint chief compliance officer Review compliance reports Review audits Analyze complaints Monitor for new laws and regulations Revise compliance management system as needed
Compliance audits Conduct regular self assessments from consumer satisfaction/confusion perspective Performed by third parties/outside counsel or disinterested staff from another area of operations Report results to Board Using audit data to improve procedures, disclosures, training, etc. Pay attention to customer complaints and encourage customers to submit them to you, not the CFPB
Potential High Risk Areas
UDAAP Compliance - A practice does not need to be illegal/improper under applicable law or cause actual harm to be deemed a UDAAP violation - To evaluate for UDAAP, need to adopt consumer's perspective: How does the consumer encounter your products or process? Who is the reasonable consumer?
Identifying UDAAP Risks Consumer complaints CFPB/regulatory consent orders Consumer blogs Consumer groups Attorneys General Private class action litigation Approaching compliance from the consumer's perspective
Marketing & Advertising Bank regulators want to know that all marketing has been reviewed for accuracy, truthfulness and that all claims have been substantiated When disclosures are necessary, then the disclosures must be at least clear and conspicuous: the 4 Ps - PROMINENCE: Is the disclosure big and clear enough for consumers to notice and read? - PRESENTATION: Is the wording and format easy for consumers to understand? - PLACEMENT: Is the disclosure where consumers would expect it? - PROXIMITY: Is the disclosure within or close to the claim it qualifies?
Hot Issues in Marketing of Financial Products Introductory or teaser rates "Up to" claims Failing to put claims into proper context (i.e., UDAAP is determined by looking at the totality of the ad) - Particular problem with social media Telemarketing - The demise of outbound - Scripting, scripting, scripting Ensuring disclosure standard is met across platforms (i.e., online, mobile, tablet, etc.)
Add-on Products Add-on products have perennially been an area of regulatory focus The underlying themes in this area have been relatively constant across product lines (closed-end loans, credit card accounts, auto RISCs), and these areas form the basis for UDAAP compliance with respect to add-on products: Consumer not informed that product is voluntary Inadequate disclosure of cost of product Inadequate disclosure of cancellation rights (or resistance to cancellation through retention efforts) Statements made in connection with sales process Sale of products when consumers cannot realize benefits Price of products as compared to consumer utilization
Debt Collection Quality of account documentation used to collect on debt (AMEX, Asset Acceptance, FTC Debt Buying Report, subject of many CIDs) Failing to investigate accuracy of debts/verify debts Contract provisions speaking to representations or warranties as to accuracy of account information purchased Internal handling of data to ensure accuracy and integrity (dual systems) Misleading statements of impact of payment on credit score/creditworthiness
Debt Collection Authentication of debts and account records under the business records rule Consumer complaints alleging inaccurate information, and responses to those complaints (including FCRA disputes) Threatening actions not intended/not taken in the regular course Failing to report debts as disputed to credit bureaus Failing to disclose convenience fees Recent bulletins re: FDCPA applies to first party collectors and service providers
Privacy UDAAP and Privacy - Practices that are inconsistent with privacy policy are deceptive - Practices that are consistent with privacy policy, but nevertheless cause substantial consumer harm that consumers cannot avoid, may be considered unfair. Website and mobile privacy policy - Due diligence is critical: Understand how site or app actually works and what information is collected - Be transparent about what information is being used Engagement in social media sites - Customer information posted on company social media pages/sites will be used/collected
Data Security UDAAP and Data Security - Not protecting information in a reasonable manner could be considered deceptive or unfair. - Avoid absolutes (e.g. 100% secure, always, etc.) Employee and management training - 3 Categories of Controls: administrative, physical, technical Special considerations when selecting and overseeing service providers and affiliates Considerations for managing system failures and breaches
Fair Lending Risks and Monitoring Advertising/marketing Product steering Discretion in underwriting/servicing/collection Employee/dealer/service provider incentive compensation Employee training on access options for disabled persons Service providers, especially in collections Exception reporting and tracking/monitoring
Role of Outside Counsel When should you consider retaining outside counsel? Reactive - Internal: when internal audit or fact-finding reveals policy or performance gaps - External: when customer complaints or regulator inquiry (e.g. exam) reveals policy or performance gaps Proactive - When creating a new or innovative financial product, channel, or marketing method - When a regulator signals areas of high-risk, such as those discussed in this presentation
Audience Polling Question Would you like to learn how Ballard Spahr LLP or SAI Global can assist with your compliance initiatives? (select all that apply)
Resources CFPB Monitor Subscribe to our ABA award-winning blog at www.cfpbmonitor.com. E-Alerts Subscribe at www.ballardspahr.com (click subscribe and choose Consumer Financial Services or Labor & Employment as your area of interest). Mortgage Banking Update Subscribe at www.ballardspahr.com (click subscribe and choose Mortgage Banking as your area of interest). Questions? E-mail questions@ballardspahr.com.
Additional Resources Educational Webinars: www.compliance360.com/webinars Banking Demo Series: Part 1: CFPB / UDAAP Compliance Self-Assessments Automated in Compliance 360 Part 2: CFPB / UDAAP Risk Assessments Automated in Compliance 360 Part 3: Complaint Management Automated in Compliance 360 Enterprise Risk Management for Banks - Automated in Compliance 360 www.compliance360.com/webdemos