The Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) recently entered into Stipulation and/or Consent Orders with a well-known bank regarding alleged consumer finance law violations by its third-party service providers retained to market and sell the bank’s add-on credit card services. In addition to imposing third-party liability on the bank for the conduct of its service providers, the OCC and CFPB provided a detailed consumer finance protection roadmap of federalized “Caremark duties on steroids” for Boards of companies providing consumer financial services. Without getting into the fine points of jurisdiction, covered and excluded entities, and the well-known Caremark case, here are the Board highlights of the two orders:
As the OCC and CFPB see matters, Boards have primary responsibility for consumer protection oversight at their companies.
- The CFPB consent order was signed by the Board Chairman, and the OCC consent order was signed by each member of the Board.
- The OCC order provides that “The Board shall ensure that the Bank achieves and thereafter maintains compliance with this Order...” and the CFPB order requires that it be distributed to every member of the Board, every executive officer and all service providers.
The upshot of both orders is that the Board of Directors is required not only to exercise Caremark (oversight) duties but also to create, revise, adopt, implement and/or ensure Bank compliance with and implementation (in accordance with detailed requirements) of:
- A Bank Compliance Management System (and submit revision to CFPB for prior approval);
- A Bank Service Provider Management Policy (and submit to CFPB for preapproval);
- Quarterly written compliance progress reports to the OCC;
- An Action Plan (describing action necessary for execution of the OCC Order);
- An effective and sustainable Enterprise-Wide Risk Management Program for consumer finance (to be submitted to OCC for preapproval);
- A Restitution Plan;
- Revisions to the existing Corporate Compliance Unit monitoring and testing program;
- Revisions to the existing Internal Audit Unit monitoring and testing program; and
- A Bank Vendor Management Policy (subject to OCC pre-approval).
In addition, the Board’s Audit and Risk Committee’s burden has substantially increased. It is required to:
- Monitor and oversee the Bank’s compliance with the OCC Order;
- Require and review quarterly Bank compliance reports to the ARC;
- Submit quarterly compliance progress reports to the Board;
- Oversee quarterly detailed “Remediation Reports” to be submitted to the CFPB;
- (As a practical matter), work with the CFPB's mandated order – an Independent Remediation Auditor; and
- Review and monitor Bank reports regarding claims and payments and forward copies of the reports to the OCC.
The OCC Order went on to specify larger, overall duties of the Board, taking the position that the Board is required to:
- Carry the ultimate responsibility for proper and sound management of the Bank;
- Do whatever is necessary for the Bank to comply;
- Require timely reporting of whatever is necessary;
- Follow-up on material non-compliance with whatever actions are necessary; and
- Require corrective action in a timely manner.
If your organization provides consumer finance and is not a Bank under $10 billion in assets, Uncle Sam (the CFPB) wants you. This is a powerful new agency with a chip on its shoulder, hitting the ground running with a vast legacy of regulations and experience from other agencies, a new 800+ page Examination Manual with 3 updates, 16 Bulletins, 8 Final Rules and 3 Proposed Rules – led by a former state Attorney General with an apparent preference to regulate by bulletin announcement and enforcement action rather than the slower, less visible, regulatory promulgation path, and to supervise not just with examiners but with teams comprised of examination and enforcement personnel.
There is good news, however. Between them, the OCC and the CFPB have produced a collage of 6 documents that form the basis of a Consumer Protection Compliance Template that is so detailed it is a virtual safe harbor. If you are on the Board of one of these covered entities and would prefer not to be a signatory to a Consent Order, the ONE QUESTION the Board should ask Management is “How do we stack up against the six-piece Consumer Protection Compliance Template?” In other words, is Management’s assessment that we are not in compliance with consumer finance protection law? Please discuss the six pieces and, in the context of the exhaustive detail contained in them, the quality of the company’s:
- enterprise risk management program;
- compliance management system;
- service provider management plan;
- corporate compliance’s test and management plan;
- and internal audit’s test and management plan.
Welcome to the new world of “Caremark Duties on Steroids.”