New Year’s is a good time for a Consumer Financial Protection Bureau (“CFPB”) compliance tune-up. Providers of consumer financial products and services (“providers”) operate in a dynamic environment influenced by challenges to profitability and survival, increased focus on the consumer experience, industry consolidation, advancing technology, and changes in laws and regulations.
The CFPB, created by the Consumer Financial Protection Act of 2010 (“CFPA”), has open investigations in virtually all of the market areas under its jurisdiction, including such areas as depository institutions (with assets over $10 billion), nonbanks involved in private student loans, mortgage servicing, small dollar lending, debt collection, consumer reporting, consumer credit and related activities, money transmitting, check cashing and related activities, prepaid cards, and debt relief services. On top of this, the CFPB has a growing supervisory and examination program to compel and assess compliance with federal consumer financial laws.
In the first year and a half of its existence, the CFPB has issued a number of guides, reports, and bulletins and has brought several public enforcement actions that set forth its expectations for how providers should comply with federal consumer financial laws. Below we provide six simple practical tips to help keep your company running at peak performance and meet the CFPB’s expectations.
- Review Compliance Management System: In order to help ensure legal compliance, many providers develop and maintain compliance management systems that are integrated into the overall framework of the company. These programs are designed to address all facets of the operation, including in the design, delivery, and administration of services – that is, the entire service lifecycle.
According to the CFPB Supervision and Examination Manual:
“An effective compliance management system commonly has four interdependent control components:
- Board and management oversight;
- Compliance program;
- Response to consumer complaints; and
- Compliance audit.”
The second component, a compliance program, includes the company’s policies and procedures (discussed below), employee training, and monitoring and corrective actions. Companies that are often able to avoid most challenges make compliance part of the day-to-day responsibilities of management and their employees, which allows them to self-identify issues (sometimes with the help of outside consultants) and take corrective action when necessary.
- Policies and Procedures Matter: When a government regulator (e.g., CFPB, Federal Trade Commission (“FTC”), banking regulator, state Attorney General, etc.) comes knocking, an examination or investigation often will go more smoothly if the company can demonstrate that it has established policies and procedures that cover all relevant legal and regulatory topics. To this end, consider whether key policies are in writing, and if procedures have been implemented to ensure that the policy is followed. Without written policies and procedures, it is difficult to document or put into context compliant behavior. Consider ways to get your board of directors and senior management involved so that they may exercise oversight and are able to monitor the implementation of the policies. Also, consider whether you have enough resources to get the job done.
- Actions Speak Louder than Words: While policies and procedures are important, in the final analysis, it will be more important to show that the organization and its staff actually are complying with applicable legal and regulatory requirements. A review of company practices can include: random samples from employees and from the consumer perspective; review of training programs to confirm they are current and consistent with policies and procedures (and the law); updating monitoring and disciplinary protocols; and a formal compliance audit. The CFPB has made clear its expectation that entities subject to its examination authority should incorporate a compliance audit designed to evaluate compliance with consumer financial laws and adherence to internal policies and procedures. And, from the CFPB’s perspective, to be effective, the audit program must be sufficiently independent from the company’s overall compliance program and business functions and should report to the board of directors (or a board committee).
- Communications with Consumers, Advertising, and Marketing: Television, radio, online content (including social media), telephone calls, and lead generation by third-party providers all can qualify as advertising under the law, meaning they need to comply with state and federal laws governing advertising, which generally require that any statements be truthful, not misleading, and substantiated.
- Third-Party Affiliates and Vendors: Federal and state regulators are increasingly sounding the alarm that they will hold providers responsible for the actions of their affiliates and service providers. Indeed, the CFPB published an entire bulletin on the topic. To minimize problems with an affiliate or vendor, providers should implement policies and procedures designed to ensure that their third-party affiliates/vendors comply with the providers’ legal obligations. In addition to conducting robust due diligence before engaging a vendor, providers must monitor the third party’s conduct for ongoing compliance. If the affiliate/vendor doesn’t appear to be compliant or refuses to answer important questions, then consider your options, including discontinuing the use of the third party. Bottom line, the CFPB expects providers to demonstrate compliance for each of their product lines, marketing practices, and third-party affiliates and/or vendors.
One-Size Does Not Fit All: The CFPB has jurisdiction over a wide-range of financial institutions and service providers. As a result, the relevant federal consumer financial laws that are applicable vary institution-by-institution. Nonetheless, the CFPB expects compliance management activities to be a priority and to be tailored to the nature, size, and complexity of the provider’s consumer-facing business. Substantive areas that the CFPB already has observed widespread deficiencies include:
- Furnishers to credit reporting agencies – Regulation V of the Fair Credit Reporting Act
- Credit cards – Equal Credit Opportunity Act and its implementing Regulation B, misrepresentations in advertising and marketing, failure to make appropriate disclosures under the Truth in Lending Act, violations of the Fair Credit Reporting Act, and deceptive debt collection practices
- Mortgage lending – Real Estate Settlement Procedures Act, the Truth in Lending Act’s Regulation Z and Home Mortgage Disclosure Act, as well as violations of the rule for mortgage acts and practices (Regulation N)
- Foreclosure assistance and mortgage assistance relief services – Regulation O
- Debt relief services – Section 5 of the FTC Act, the CFPA, and the Telemarketing Sales Rule
Finally, as mentioned above, the supervision and enforcement work of the CFPB focuses not only on providers, but also on their partners, including those who facilitate their conduct and who may run afoul of the federal consumer financial protection laws.
No compliance tune-up can preclude all liability that may arise for an institution. Staying current on the legal and regulatory requirements applicable to your organization is crucial.