As we all know it takes more than legislation to shift a mindset away from business as usual. And by no means is the once overlooked world of consumer finance excepted from this truth. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), which seeks to change the corporate culture within American financial institutions, was just the start, but it cannot do it alone. This is where the regulators fit in. But are they rising to the challenge?
Armed with four more years of President Obama’s administration, the Consumer Financial Protection Bureau (CFPB or Bureau), with the prudential regulators in tow, (e.g., Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve Board (FRB)) have been given the breathing room and the perceived electoral approval to address so called “deficient” compliance management systems (CMS)1 within the consumer finance space to ensure proper legal compliance, monitoring, and prompt identification of risks. How will they do this? Well, to borrow a phrase from Thomas Curry, Comptroller of the Currency, it will take “boots on the ground.”2
In the recent article, “Two is Stronger Than One: Joint Enforcement Actions, Trend Spotting in the CFPB’s Recent Enforcement Activity,”3 we explored the trend, impact, and staying power of the CFPB’s coordinated enforcement efforts with multiple prudential regulators. Specifically, we looked at the CFPB’s enforcement and supervisory authority in comparison to that of the prudential regulators, as well as points of convergence between them, especially in the area of compliance and the impact of coordination on supervisory responsibilities.
From a twelve thousand foot view, the result of the recent coordination appears to be a highly effective and stronger consumer financial stability oversight body. At a more granular level, the result is well coordinated joint enforcement actions with increased penalty costs ($101.5 million assessed within four months) and clear directives focused on improving corporate governance, from board oversight to service provider mandates and everything in between.
Further to that end, prudential regulators have raised the bar and “heightened expectations for corporate governance” rule the day.4 The jargon of the moment, “heightened expectations,” is not easily defined, but it is clearly evidenced in the recent joint public enforcement actions,5 mentioned below, which address head-on operational risks associated with consumer financial law, and clearly lay out CMS expectations.
In this article we look more closely at the CFPB’s CMS expectations and recent CMS related findings as discussed in its Supervisory Highlights, as well as some recent statements by other prudential regulators, in particular the FDIC and the OCC, which echo the CFPB’s sentiment, and we consider what this means for the large banks6 and supervised non-banks7 falling under the CFPB’s supervisory authority in days ahead. To begin, however, we briefly look at how the supervisory coordination is working out between the CFPB and the prudential regulators.
Supervisory Coordination by the CFPB and the Prudential Regulators.
Rather than creating what could have been a kerfuffle, Title X of Dodd-Frank, which requires the CFPB to coordinate with the prudential regulators, for the moment appears to have created a stronger collaborative oversight body.8 As set forth in the Memorandum of Understanding9entered into between the CFPB and the prudential regulators, the respective examiners are coordinating on a host of issues, including compliance with Federal consumer financial law,10 Section 5 of the Federal Trade Commission Act,11 and other federal laws.
By all accounts, the coordination has proven effective and is in full swing. The CFPB’s first public enforcement actions have all been joint actions with other prudential regulators including the OCC, the FDIC and the FRB. At least one of the actions stemmed from a CFPB examination 12 and two of the actions stemmed from investigations started by the prudential regulators.13
For example, over a span of four months, the CFPB along with prudential regulators have entered into Consent Orders with Capital One Bank, (USA), N.A.,14 Discover Bank,15 and several American Express entities,16 wherein some prudential regulators determined the entities engaged in deceptive acts and practices, and/or unsafe and unsound banking practices.
Equally significant, but normally hidden from public view, is the coordinated supervisory activity occurring within the “traditional supervisory framework of institutional confidentiality.”17 A rare insight on this behind-the-scenes activity is contained within the CFPB’s Supervisory Highlights.18 The report dishes out choice morsels of issues being detected in key product areas, while maintaining confidentiality. The report also goes on to describe some of the non-public corrective actions being taken against financial institutions participating in the credit card, credit reporting and mortgage markets.19
While not as publicized as the public enforcement activities, the report indicates that the CFPB’s non-public supervisory activities have resulted in remedial relief to 1.4 million consumers, correction of illegal practices, adoption of policies and procedures, and implementation of robust CMS20 - relatively impressive for the Bureau examiners’ first year on the job.21
On the prudential regulator front, insight from comments like the recent one by Comptroller Curry, that “[P]assable is not acceptable,” 22 indicate an ever decreasing tolerance appetite for the days ahead.
The CFPB’s CMS Expectations.
To appreciate fully the CFPB’s CMS expectations, you must start with the foundational knowledge that the CFPB believes that assessing the quality of a financial institution’s CMS is one of its most important supervisory responsibilities.23 This is a poignant message of what to expect from the CFPB examiner. But note, unlike what large banks may have experienced from their examiner in the past, this new examiner will be looking at CMS from a different angle - the consumer financial law angle - and with a heightened level of intensity not known in seasons past.
A clear message on the Bureau’s tolerance level, the Supervisory Highlights states that one of the most critical concerns the CFPB examiners confronted in the last year were comprehensive deficiencies in CMS, including deficiencies related to affiliate or third-party service providers.24 As such, it is not surprising that the CFPB, which is generally loquacious for the good of transparency, released its Supervisory Highlights25 to apprise the financial services industry of its findings and to reiterate its expectations. Some key observations from that report follow.
For one, corporate culture is under the microscope. The CFPB is not only evaluating the understanding and application of an institution’s compliance program by its employees, but also by its management. In other words, the CFPB expects a corporate culture of compliance - a culture that starts at the highest levels and finds its way down through the ranks and across business lines. In that vein, the CFPB expressed limited tolerance for a lack of appreciation by management of the importance of compliance policies and procedures. Thus, supervised entities should expect heightened attention in the areas of training and implementation of compliance programs by examiners.
The next observation is that regardless of the nature, size, or complexity of a financial institution’s consumer business, compliance management activities in the consumer finance space must be a priority. The Bureau’s Supervision and Examination Manual demands nothing less.26 Nevertheless, CFPB examiners were seeing instances where CMS was wholly lacking across an institution’s consumer financial portfolio. As a result, the Bureau found that these institutions had no means to address risks presented by their lines of business.27
This finding by the Bureau is some of the best evidence that large banks cannot expect business as usual when it comes to supervision and examinations. These issues on the consumer business side of an institution, which for a number of reasons may not have caught the attention of the prudential regulators in seasons past, are now front and center and prime territory for correction, restitution and fines.
This finding should also send shivers through the spines of management at supervised non-banks. A compliant CMS and one that will satisfy the CFPB cannot be created and implemented overnight. This means that non-banks not previously subjected to examination must ensure that compliance is prioritized and systems are in place if possible prior to examination.
Also included in the Supervisory Highlights are comments concerning deficient fair lending compliance programs and observations by the CFPB of some “common features” its examiners had identified in “well developed” programs. Supervised entities should review this list of eight “common features,” with the anticipation that examiners will be looking for them, with some potential leeway dependent upon an entity’s size and complexity.28
Concerning affiliates or third party service providers,29 the CFPB echoed its prior guidance.30 Along that line, the CFPB expressed limited tolerance for inadequate programs that fail to oversee and to effectively manage the relationship to ensure compliance with Federal consumer financial law.31
What does this boil down to? Well, if we use the American Express Consent Orders32 as an example, it means that supervised entities need to have effective monitoring, training, record-keeping and audit procedures to properly review relationships in place on their consumer business side. Procedures should also be in place for promptly addressing consumer complaints. Ultimately, the Bureau’s guidance on service providers and its Consent Orders should be reviewed, and where applicable, steps taken to implement its recommendations.
None of this should come as a surprise to anyone who has been following the CFPB’s public enforcement actions. Using the American Express Consent Orders again as an example,33 which themselves did not escape the Bureau’s commentary in the Supervisory Highlights, one sees findings with regards to board and management oversight, compliance programs, audit programs, and compliance office staffing, as well as oversight of service providers. The Bureau demanded numerous additional affirmative actions related to CMS, and for that reason, the Consent Orders are definitely worth a read or two.
That is not all - there is more to the Supervisory Highlights. In brief, the report goes on to separately discuss the “numerous violations of Federal consumer financial law” discovered through the CFPB’s non-public activities, and then goes on to highlight those that resulted in public actions, e.g., the Capital One Bank, (USA), N.A., Discover Bank, and the American Express entities actions. 34 To that point, the CFPB noted that those public actions addressed, among other things, issues related to vendor risk management programs, implementation of effective CMS and/or compliance management deficiencies.35
Yet, some discovered violations did not result in public actions. Those included violations of the CARD Act,36 and violations related to credit reporting or mortgage originators.
At bottom, compliance is king. The Supervisory Highlights should be received as a policy statement on the CFPB’s CMS expectations and its tolerance level for days ahead.
What are the Prudential Regulators Saying About This?
In recent months, there has been much postulation and water cooler talk by industry observers that the prudential regulators do not want to take a sideline to the CFPB, or look like they are not fulfilling their mandate in light of all the recent activity by the CFPB. Whether they are right, the reality on the ground is that the prudential regulators are toughening their stance on CMS, particularly in the consumer finance space. And while the CFPB’s and the prudential regulators’ respective mandates clearly differ, they converge at times, particularly in the area of CMS in the consumer finance space. Even more than that, the prudential regulators are utilizing the CFPB as an ally who can bolster their efforts. Surely all one has to do is examine the Consent Orders and public statements by the prudential regulators in the latter half of 2012 to reach this conclusion.
For instance, the OCC participated with the CFPB in the public enforcement against Capital One Bank, (USA), N.A. The FDIC participated with the CFPB in the public enforcement action against Discover Bank. And the FDIC, the OCC, and the FRB, as well as the Utah Department of Financial Services all participated with the CFPB in the public enforcement action against the American Express entities.37
In each of those actions, the prudential regulators were playing back-up to the CFPB in the area of Federal consumer financial law, as required by Dodd-Frank.38 Nonetheless, working with the CFPB as an ally, they were still able to seek restitution and civil monetary penalties, based on their power to enforce Section 5 of the FTC Act.39 In addition, in the Discover Bank and American Express actions, the prudential regulators also made statements concerning unsafe and unsound banking practices.
But wait - there is even more enforcement activity going on. While Dodd-Frank gave the CFPB primary enforcement authority with regards to Federal consumer financial law over large banks, the prudential regulators remain the primary enforcers when it comes to small banks, e.g., institutions with less than $10 billion in assets.
40 In exercising this authority, the FDIC, in August 2012, brought a public enforcement action against The Bancorp Bank (Bancorp) and its affiliate, Higher One, Inc., (Higher One)41 for alleged unsafe or unsound banking practices and unfair and deceptive practices in violation of Section 5 of the FTC Act.
In a nutshell, the FDIC claimed that Higher One and Bancorp were operating a student debit card account program that was charging students multiple nonsufficient fund fees on a single transaction, and allowing them to remain overdrawn over a period of time resulting in a continued accrual.42 As a consequence, Higher One was ordered to provide restitution to approximately 60,000 students and pay a civil money penalty in the amount of $110,000. Bancorp was fined $172,000.43 In addition, both Consent Orders included significant compliance related mandates. Higher One was required to institute “a sound compliance management system,” and Bancorp was required to take several steps, including improving its CMS, increasing its board oversight of compliance matters and increasing its management of third party risk.44 In many ways these compliance mandates echo the requirements contained in the CFPB joint enforcement actions mentioned above.
The CFPB’s policy statements on CMS and its waning tolerance have in many ways been echoed by its prudential regulator counterparts in recent days as well. For instance, the Comptroller of the Currency has not been shy about the heightened expectations for corporate governance and oversight, and his agency’s change of tone, in comparison with pre-financial crisis days.45 For example, in an interview a few days following some meetings with large banks in early November 2012, Comptroller Curry acknowledged and affirmed the industry’s perceived change of tone, and added that the OCC will not hesitate in bringing public action where warranted, as “[I]t’s important for the public to know that regulators are doing their job.”46
That same day Curry spoke to an audience at The Clearing House’s Second Annual Business Meeting and Conference wherein he reiterated the OCC’s higher expectations for days ahead.47 To that end, he noted that at the very core of the heightened expectations is “excellence in corporate governance.”48
The FDIC is also a part of this compliance caravan. The newly appointed Vice Chairman of the FDIC, Thomas Hoenig, expressed a similar sentiment at a speech he gave in September 2012.49 In that speech he acknowledged a failure by supervisory authorities in their role of overseeing the financial markets. And in response to those past mistakes stated that, “there will be a clearer line of sight for carrying out our supervisory responsibilities.”50 This means a return by the regulators to the job of examining banks for “safety and soundness,” and “assuring compliance with established rules.”51
Is This All Starting to Sound Like a Recurring Theme?
While mandates differ between the CFPB and the prudential regulators, the change of tone across the Capitol City is the same. Compliance is king and the regulators’ tolerance for CMS violations is decreasing. Add to this mix the ingredient of heightened attention to the consumer finance business lines by the CFPB’s examiners - an area that the prudential regulators are allied with the CFPB - and one has a perfect recipe for correction, restitution and fines. Both banks and supervised non-banks should expect to see increased activity by their examiners in these areas in the days ahead.