Self- Policing- An excellent way to control your own destiny!
So you are the compliance officer and while doing a routine
check on disclosures, you notice a huge error that the Bank has been making for
the last year. The beads of sweat form
on your forehead as you realize that this mistake may impact several hundred
customers. Real panic sets in as you
start to wonder what to do about the regulators. To tell or not to tell, that is indeed the
question!
Many of our clients struggle with the question of what to do
when your internal processes discover a problem. We have always believed that the best policy
is to inform the regulators of the problem and now we have confirmation that
this is indeed the case! CFBP Bulletin
2013-06 discusses what it calls “responsible business conduct” and details the
grounds for getting consideration for getting enforcement consideration from
the CFPB. In this case, “consideration
is somewhat vague and it clearly depends on the nature and extent of the
violation, but the message is clear. It
is far better to self-police and self-report than it is to let the examination
team discover a problem!
Why Disclose a
Problem if the Regulators Didn’t Discover it?
It is easy to make the case that financial institutions
should “let sleeping dogs lay”. After
all, if your internal processes have found the issue, the thing is that you can
correct it without the examiners every knowing, move on and everybody is
happy! Right? In fact, nothing could be further from the
truth. We admit there was a time when
the relationship between regulators and the banks they regulate was collegial,
but that is most certainly not the case any longer. Part of the process of rehabilitating the
image of banks is to ensure that they are being well regulated and that
misbehavior in compliance is being addressed.
Self- Policing
It is not enough that a bank discovers its own problems and
addresses them. In the current
environment, there is a premium placed on the idea that a bank has compliance
and/or audit systems in place that are extensive enough to find problems,
determine the root of the problems and make recommendations for change. An attitude that compliance is important must
permeate the organization starting from the top. T impress the regulators that an organization
is truly engaged in self-policing, there has to be evidence that senior
management has taken the issue seriously and has taken steps to address
whatever the concern might be. For
example, suppose during a compliance review, the compliance team discovers that
commercial lenders are not consistently given a proper ECOA notification. This finding is reported to the Compliance
Committee along with a recommendation for training for commercial lending
staff. The Compliance Committee accepts
the recommendation and tells the Compliance Officer to schedule Reg. B training
for commercial lenders. This seems like
a reasonable response, right?
Self-Reporting
While at first blush self-reporting seems a lot like
punching oneself in the face, which is not the case at all! The over-arching idea from the CFPB guidance
is that the more the institution is willing to work with the regulatory agency,
the likely that there will be consideration for reduced enforcement
action. The truth is, compliance
failures will eventually be discovered and the more they are self-discovered
and reported, the more trust that the regulators have in the management of the bank
in general and the effectiveness of the compliance program in particular. The key here is to report at the right
time. Once the extent of the violation
and the cause of it have been determined, the time to report is imminent. While it may seem that the best time to
report is when the issue is resolved, this will generally not be the case. In point of fact, the regulators may want to
be involved in the correction process.
In any event, you don’t want to wait until it seems that discovery of
the problem was imminent (e.g. the regulatory examination will start next week!).
It is important to remember here that the reporting should
be complete and as early as possible keeping in mind that you should the extent
and the root cause of the problem. It is
also advisable to have a strategy for remediation in place at the time of
reporting.
Remediation
What will the Bank do to correct the problem? Has there been research to determine the
extent of the problem and how many potential customers have been affected? How did the Bank make sure that whatever
the problem is has been stopped and won’t be repeated? What practices, policies and procedures have
been changed as a result of the discovery of the problem? These are all questions that the regulators will
consider when review the Banks efforts at remediation. So for example, if it turns out that the Bank
has been improperly disclosing transfer taxes on the GFE, an example of strong
mediation would include:
·
A determination if the problem was systemic or
with a particular staff member
·
A “look back” on loan files that for the past 12
months
·
Reimbursement of any all customers who qualify
·
Documentation of the steps that were taken to
verify the problem and the reimbursements
·
Documentation of the changed policies and
procedures to ensure that there is a clear understanding of the requirements of
the regulation.
·
Disciplinary action(if appropriate for affected
employees)
·
A plan for follow-up to ensure that the problem
is not re-occurring
Cooperation
Despite the very best effort at self-reporting and
mediation, there may still be an investigation by the regulators. Such an instance calls for cooperation not
hunkering down. The more the bank is
forthcoming with the information about its investigation, the more likely that
the regulators will determine that there is nothing more for them to do.
At the end of the day, it is always better to
self-detect report and remediate. In
doing so you go a long way toward controlling your destiny and reducing
punishment!