Amid all the hand-wringing and bloviating that accompanied the fifth anniversary of the Dodd-Frank Act earlier in July, one of its most controversial creations also has a birthday coming up: Nearly four years ago the Consumer Financial Protection Bureau first opened its doors for business, and firms are still struggling with their compliance approach to the watchdog.
What have we learned during the time this new agency has been on the beat? Not as much as the many businesses on its radar screen would like.
We do know the CFPB’s purview is sweeping. In the last four years, it has targeted debt collectors, credit card issuers, mortgage businesses, student loan issuers. Everyone from the largest banks to the smallest retailers is in scope.
We also know that despite political attacks, the agency hit the ground running. To date, it has returned $10 billion to consumers through enforcement actions. In one week this July, Citibank agreed to refund $700 million for deceptive card practices, Discover Bank was fined $18.5 million for allegedly deceptive practices related to servicing student loans, and Honda took a $24 million hit for discriminatory lending practices.
The overall mood among firms in the CFPB’s crosshairs is one of “frustration and despair,” according to Anthony DiResta, a partner with the law firm Holland & Knight. “They are surprised and challenged by its aggressiveness in terms of the way it conducts investigations, examinations, and audits. They are surprised by the broad way it is interpreting the scope of its jurisdiction and how it is defining deception, unfairness, and abuse.”
Compared with the Federal Trade Commission, the CFPB lacks defined guideposts about how it interprets, for example, deceptive advertising. “With the FTC we certainly have a clear understanding of expectations through guidance and enforcement actions,” DiResta says. “We have a body of precedent to interpret ‘deception,’ for example, that we don’t have yet with the CFPB. There still doesn’t seem to be clear procedural guidance about what the rules of the road are.”
“The most significant compliance challenge continues to be the ‘unfair, deceptive, or abusive acts and practices’ [UDAAP] standard because the Bureau has chosen to interpret it by enforcement rather than rulemaking,” says Jason McCarter, a partner at law firm Sutherland Asbill & Brennan. “Developing the standard case-by-case will take time, even while covered entities are trying to account for this uncertainty at every stage of their product lifecycles.”
With the expectation that covered parties ensure compliance by their service providers, the implications, and costs, of CFPB vagaries “extend well down the food chain,” McCarter adds. Among his clients are several in the automotive industry who, although not extending consumer credit, are investing large amounts of time and effort into developing compliance programs and responding to audits and inquiries from covered parties, “which vary dramatically in scope and detail, since no one really knows what the CFPB may emphasize in future enforcement or supervision of the industry.”
“With the FTC we certainly have a clear understanding of expectations through guidance and enforcement actions. We have a body of precedent to interpret ‘deception,’ for example, that we don’t have yet with the CFPB.”
Anthony DiResta, Partner, Holland & Knight
“Clarity may develop over time, but we’re still far from it,” he says.
Learning the Ropes
The newness of the agency presents a unique problem for firms looking to bolster their compliance staffing. Companies that regularly deal with the Securities and Exchange Commission’s regulatory regime, for example, often hire former officials and staffers (or turn to outside counsel that do the same) to tap into their in-house expertise. That is easier said than done with an agency as young as the CFPB is. “Financial firms are looking for people who had exposure and experience with this agency to add to their internal staff,” says John Zach, a former federal prosecutor, now a partner at law firm Boies Schiller. “But it’s a new agency, so there’s not a deep bench.”
While firms head hunt former CFPB staffers to elevate their general understanding of its workings, there is also an immediate, evolving risk. A controversial centerpiece of the CFPB’s efforts is its public complaint database. In June the agency made nearly 8,000 narratives submitted with complaints public.
Those complaints are not verified, which is causing considerable consternation among firms that find themselves in the online database. Even worse, the database allows users to top complaint trends and top complaint targets. Bank of America, for example, has amassed 31,123 mortgage complaints since 2011. Also in the top 10: Wells Fargo, JPMorgan Chase, Citibank, HSBC, U.S. Bancorp, and PNC Bank.
“It is hard to remember that these are just allegations when it is formalized like this,” Zach says. “Coming from a government agency it takes on an added gloss of credibility. Firms are going to struggle to calibrate their response.”
A DEMAND FOR COMPLIANCE MANAGEMENT SYSTEMS
The following, from the Consumer Financial Protection Bureau’s “Supervisory Highlights: Summer 2015” addresses weaknesses in compliance management systems among debt collection firms.
The CFPB expects a financial institution under its supervision to maintain an adequate compliance management system (CMS) tailored to its operations. A robust and well-administered CMS is vital to preventing violations of Federal consumer financial law and the resulting harm to consumers.
Examinations of one or more institutions engaging in consumer debt collection identified various CMS weaknesses that created a risk of consumer harm. One or more institutions’ boards of directors did not hold regularly scheduled meetings or receive information sufficient to adequately oversee compliance practices. Examiners found that the institutions lacked formal follow-up or escalation procedures for third-party debt collection personnel who were delinquent in completing their required training. These providers were allowed to continue collecting on debt and interacting with consumers, even when their training was overdue. And the institutions lacked comprehensive compliance audit programs. Supervision directed the institutions to remedy these compliance management weaknesses.
During an examination of one or more institutions, examiners also found weaknesses in inquiry and complaint management for collections operations. The institutions did not log or record consumer complaints that were resolved by agents or their managers – depriving compliance personnel of an important tool for detecting violations of Federal consumer financial law during collection activities. Examiners identified instances where complaints and inquiries forwarded from third-party debt collectors were not recorded, categorized, or processed by the financial institution receiving them. Instead, they remained un-reviewed in an electronic queue. Supervision directed the institutions to enhance their procedures and monitoring program to ensure that inquiries and complaints were timely identified, categorized, and resolved.
Those responses require a formalized approach that escalates matters, as needed, to upper management. “What the CFPB wants to see is a company taking note of what consumers are saying and making the changes that need to be made,” says Sabrina Atkins, an associate with the law firm Baker Donelson. “What they want to see is that you are very proactive in working with them and determining the steps that you can take to better protect consumers.”
The goal should be to keep consumer complaints from showing up in the database in the first place because when they do, they stay on public display. “Firms should build complaint-tracking and training into their compliance management systems, from properly recording complaints to resolution protocols to reporting emerging issues up to management and even the board in some cases,” McCarter says. Complaints can serve as a valuable early warning system on bigger issues, and “a thorough and real process for resolving complaints can be strong mitigating evidence for any investigations that do arise,” he added.
While firms can try to insulate themselves from the reputational, legal, and regulatory exposure the complaint database poses, they should take the opportunity to think big about CFPB compliance. Despite complaints about agency ambiguity, some clear expectations do exist.
The CFPB recently released its annual supervisory report. In addition to outlining key areas of focus—credit reporting, student loan servicing, mortgage origination and servicing, and debt collection—it emphasized the need to have a formalized compliance management system. A robust CMS, in its view, includes written and updated policies and procedures, formalized training for employees, effective consumer complaint management, regular managerial reviews, and periodic compliance audits.
A review of mortgage origination violations underlines this expectation, as many of them included a lack of written internal compliance procedures; disclosure requirements; and deceptive representations made to borrowers. The CFPB attributed many of these violations to weaknesses in training, monitoring and corrective action, and compliance audits.
“Firms need to develop a solid compliance management system that is overseen by a chief compliance officer,” DiResta says. “You need to have very effective policies and procedures on UDAAP, marketing and advertising, privacy, and consumer communications to ensure there is no deception or misleading information.”
“Management has to be involved because the CFPB, like other governmental agencies, believes that the C-suite must have a role in compliance management and you need a very effective chief compliance officer who has their ear,” he adds.