Monday, July 29, 2013


Self-Policing: An excellent way to control your own destiny!

So you are the compliance officer and while doing a routine check on disclosures, you notice a huge error that the Bank has been making for the last year.  The beads of sweat form on your forehead as you realize that this mistake may impact several hundred customers.   Real panic sets in as you start to wonder what to do about the regulators.  To tell or not to tell, that is indeed the question! 

Many of our clients struggle with the question of what to do when their internal processes discover a problem. We have always believed that the best policy is to inform the regulators of the problem, and now we have confirmation that this is indeed the case! CFPB Bulletin 2013-06 discusses what it calls “responsible business conduct” and details the grounds for getting enforcement consideration from the CFPB. In this case, “consideration” is somewhat vague and it clearly depends on the nature and extent of the violation, but the message is clear. It is far better to self-police and self-report than it is to let the examination team discover a problem!

Why Disclose a Problem if the Regulators Didn’t Discover it?  

It is easy to make the case that financial institutions should “let sleeping dogs lie”. After all, if your internal processes have found the issue, you can correct it without the examiners ever knowing, move on and everybody is happy! Right? In fact, nothing could be further from the truth. We admit there was a time when the relationship between regulators and the banks they regulate was collegial, but that is most certainly not the case any longer. Part of the process of rehabilitating the image of banks is to ensure that they are being well regulated and that misbehavior in compliance is being addressed.

Self-Policing

It is not enough that a bank discovers its own problems and addresses them. In the current environment, there is a premium placed on the idea that a bank has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change. An attitude that compliance is important must permeate the organization starting from the top. To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be. For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification. This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff. The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders. This seems like a reasonable response, right?

This does not rise to the level of self-policing that is discussed in the CFPB memo; a further step is necessary. What is the follow-up from senior management? Will senior management follow up to make sure that the classes have been attended by all commercial lending staff? Will there be consequences for those who do not attend the classes? The answers to these questions will greatly impact the determination of whether there is self-policing that is effective. Ultimately, the goal of a Bank should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management. The more the regulators trust the self-policing effort, the more the risk profile of the bank decreases and the less likely it is that enforcement action will be imposed.

Self-Reporting

While at first blush self-reporting seems a lot like punching oneself in the face, that is not the case at all! The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely it is that there will be consideration for reduced enforcement action. The truth is, compliance failures will eventually be discovered, and the more they are self-discovered and reported, the more trust the regulators have in the management of the bank in general and the effectiveness of the compliance program in particular. The key here is to report at the right time. Once the extent of the violation and the cause of it have been determined, the time to report is imminent. While it may seem that the best time to report is when the issue is resolved, this will generally not be the case. In point of fact, the regulators may want to be involved in the correction process. In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week!).

It is important to remember here that the reporting should be complete and as early as possible, keeping in mind that you should know the extent and the root cause of the problem. It is also advisable to have a strategy for remediation in place at the time of reporting.

Remediation

What will the Bank do to correct the problem? Has there been research to determine the extent of the problem and how many potential customers have been affected? How did the Bank make sure that whatever the problem is has been stopped and won’t be repeated? What practices, policies and procedures have been changed as a result of the discovery of the problem? These are all questions that the regulators will consider when reviewing the Bank’s efforts at remediation. So for example, if it turns out that the Bank has been improperly disclosing transfer taxes on the GFE, an example of strong remediation would include:

·       A determination if the problem was systemic or with a particular staff member

·       A “look back” on loan files for the past 12 months

·       Reimbursement of any and all customers who qualify

·       Documentation of the steps that were taken to verify the problem and the reimbursements

·       Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation.

·       Disciplinary action (if appropriate for affected employees)

·       A plan for follow-up to ensure that the problem is not re-occurring

Cooperation

Despite the very best effort at self-reporting and remediation, there may still be an investigation by the regulators. Such an instance calls for cooperation, not hunkering down. The more the bank is forthcoming with the information about its investigation, the more likely that the regulators will determine that there is nothing more for them to do.

At the end of the day, it is always better to self-detect, report and remediate. In doing so you go a long way toward controlling your destiny and reducing punishment!

Sunday, July 21, 2013


UDAAP: What is in a name?

Among the many new regulations that have been passed in the banking world in the last two to three years, one of the most feared and misunderstood is the Unfair, Abusive or Deceptive Acts or Practices regulation, or UDAAP for short. The truth is that these laws allow the regulators fairly broad authority to criticize, halt, prevent or even punish a bank for practices that are deemed unfair or abusive. The ugly truth about this area of regulation is that the definitions included in it are vague. Regulators are left to interpret what is and is not an unfair practice. To paraphrase the words of Supreme Court Justice Potter Stewart: the regulators may not be able to define it, but they know abusive and deceptive practices when they see them!

Although the question about what is and is not a deceptive or abusive act or practice comes up quite a bit from our clients, there is rarely a clear answer. Instead, we currently base our advice on the enforcement actions that have been published under the Act, “stories from the road” and well-established best practices.

Abusive?  Our Bank?  Never!  

For many of our clients the mere names included in the act are too much to bear! Abusive and deceptive sound incredibly sinister and dark hearted. As a result, many believe that this law and the implementing regulations do not apply. Surely these rules were designed for some cartoonish character who preys on poor unsuspecting customers and cheats them out of their houses, cars or other valuable possessions!

But even though the words sound awful, it is possible to engage in a deceptive or abusive act, simply by failing to disclose fees completely or properly.   For example, suppose your bank offers a “free” checking account on its website.  In fact the product has no month to month charges, but there is a cost to the Bank for setting up the account.  If your bank passes that cost on to the customer, then the account is not free and your advertising is deceptive.  You enticed customers in with the promise of free checking when in fact, it was not free.  RELATIVELY free is not the same thing as free!  

5 Steps to a UDAAP Free-Zone

In our opinion there is nothing that you can do to absolutely guarantee that there will be no UDAAP violations at your bank. However, there are some steps that you can take to significantly reduce UDAAP risk. The motto for avoiding problems in this area is that consistency is key!

Step 1. - Get Compliance Involved; Recognize that advertising and marketing must get the blessing of the compliance department before going to the public. The largest area of enforcement action under UDAAP has been in the areas of false or deceptive advertising. It is often the case that advertising is classified as deceptive when the information on account disclosures does not exactly match the advertising on the website or in print media. By getting the compliance department to review advertising ahead of time, a great deal of pain and suffering can be avoided. As a best practice, it is a great idea to have the compliance department be involved with the development of products so that fair lending and UDAAP concerns can be addressed at the time a product is being developed, not after all of the marketing materials have been delivered!

Step 2. - Formalize the customer complaint system; it is obvious that the regulators have been directed to pay close attention to the manner in which banks handle customer complaints. In the past this simply meant making sure that all complaints were answered within a reasonable time. However, in the future examiners will expect that the bank will track the complaints to make a determination of the nature and quality of complaints. If, for example, several complaints are received about a fee or billing from customers, the examiners will expect that the Board will discuss the complaints and make the necessary changes to the product. Failure to address complaints puts the Bank in the position of willfully violating UDAAP.

Step 3. - Incorporate UDAAP into the Compliance Management program; When the compliance department is preparing its annual risk assessment and determining what areas of the bank require review for compliance, make sure that UDAAP is part of the considerations. Conduct an ongoing review to ensure not only that complaints are tracked and answered and that all disclosures match, but also that products being offered are yielding their intended results. In some cases, what can seem like a fee that is meant to discourage activity (overdraft fee) can have the result of a UDAAP violation. Compliance must ensure that all staff is trained about UDAAP and the potential for trouble.

Step 4. - Internal Audit for UDAAP; Make sure that your internal auditor or audit provider includes UDAAP compliance in its scope. Although there is not an established UDAAP template, the scope should reflect the overall size and complexity of the bank and the potential for UDAAP violation.

Step 5. - Vendor management; when your bank uses vendors for the delivery of products, it is critically important to work with the vendors to ensure that the information disseminated to the customer matches the desires of the Board and senior management of your bank. It is important to perform at least an annual due diligence for vendors of products to determine whether there have been any quality control issues. Remember the Bank is ultimately responsible for compliance.

 

Remember, deception, abuse and general bad acts are in the eyes of the regulator that beholds the bank!   By incorporating these steps in the overall compliance effort, the bank can keep what is seen clean!  

Monday, July 15, 2013


Adverse Actions: Time is NOT on your side!

One of the most prominent parts of the Equal Credit Opportunity Act is section 202.9, AKA the notifications section. It is this section that requires that within 30 days of receiving a completed application, a bank will send notice of action taken. Put in other terms, a bank has 30 days from the time they receive enough information to make a credit decision to tell an applicant that their loan is being declined. Of course a Bank can make a counter offer rather than an outright decline, but the time limitation is the same.

One phenomenon that we are seeing is a tendency for banks to draw out this equation. Reg. B allows a bank to go beyond the 30-day limitation if there is ongoing contact with the borrower. For example, in the case where a borrower is missing financial information, the Bank can notify the borrower and ask for the missing information. While the Bank is waiting for the customer to respond, the 30-day clock stops ticking. And while this provision of the regulation can be used to the advantage of both the borrower and the bank, there are potential concerns with extending the application process.

Keeping the Home Fires Burning

For commercial lending in particular, it is often the case that a deal develops slowly. A potential borrower may be unsure of what she actually wants or needs in terms of a financial product for her business. In the meantime, the ever vigilant commercial loan or business development officer doesn’t want to lose the client to another institution by appearing to be uninterested. The result is that an “application” that is not truly an application will be taken by a bank. Minimal information is often taken to open a file, but as time goes on, the loan officer will make a series of requests for information to stop the 30-day clock from running out and to keep the prospect active. Using this process a bank could theoretically keep a loan application open in perpetuity and not violate Reg. B.

When is an application an application? 

One of the ongoing questions that vex banks and financial institutions about Reg. B is “when is an application a complete application for purposes of the regulation?” Our advice on this question is that once there is enough information to say “no” the application is complete! For example, after a credit report on a business is run and the report shows an unacceptable record, you know enough to make a credit decision. This is not to say that an optimistic loan officer may not attempt to work around poor or questionable credit. It simply means that she has to do so expeditiously! Unfortunately, what happens in many situations we see is that the officer continues to ask for additional information from the customer, stops the 30-day clock and eventually, 90 days later, sends an adverse action based upon the poor credit report. The truth is that the bank could and should have closed the account and sent the notification much earlier.

 The compliance concern with keeping an application open

So what’s the big deal? Is there really a problem or concern with keeping loan applications open for a time period longer than 30 days? In a word, YES! There are several concerns with this practice. The two largest concerns center on fair lending.

First, leaving accounts open and eventually denying the application, or allowing the applicant to withdraw after a long period of time, can give the impression of discouragement. Consider a situation where a loan officer is attempting to work with a group of borrowers from a traditionally underserved community. In an attempt to accommodate unsophisticated borrowers, the officer makes a habit of keeping applications open and requesting information on a step by step basis. As a result of this practice about 25% of the applicants withdraw their loans after 45 days. Moreover, another 40% of the applicants are denied, after an average wait of 60 days. In this case, the bank’s regulators can (and did!) make the argument that the bank was in the practice of discouraging borrowers in protected classes. The regulators’ concerns were heightened when they compared the average time for completion of loan applications for persons in non-protected classes, which was 20 days. In this particular case, even though the motive was a good one, the outcome was very negative.

The potential for complaints from the borrower that lead to investigations from regulatory agencies is also a concern. Consider an applicant that receives a notice of adverse action after 60 days; the reason for the denial is “lack of credit history”. If the applicant is bank savvy they will realize that the credit report is part of the very early stages of processing an application. They will know that the bank had this reason for denial within days of the initial application. We have seen complaints to regulators based upon the idea that the Bank was “stringing me along”. These are the sort of complaints that can also lead to fair lending investigations and orders from the regulator to do a file search!

The longer a file stays open, the greater the likelihood that it can be overlooked. We have seen several cases when a file has been kept open for additional financial information and, for various reasons, the loan officer overlooks that file. In one extreme case, a file was open for an entire year with no resolution due to a reassignment of officers!

For compliance purposes, it is always better to bring an application to its conclusion as soon as possible.  If the bank will be unable to loan to the applicant, then that idea should be communicated at the first possible chance.   

Some suggestions for balance

So how do you balance the desire to keep a client relationship open with the need to protect the bank from compliance issues?  A best practice is to give the borrower a specific number of days to respond to the request for information.  Language in the communication requesting information should indicate to the customer that if the information is not received by the stated date, the Bank will consider the matter closed.  
Further, it is more effective to have a member of compliance staff review the files that have information requests and to work with loan officers to determine whether the requested information will truly enhance the possibility of an application being completed successfully. Working together, compliance and business development can effectively balance the interests of both departments.

Saturday, July 6, 2013

Fair Lending-Should We Self Evaluate?


 
Over the past few years, it has become clear that one of the areas of emphasis for examinations will be Fair Lending. For many of the Banks with whom we communicate, Fair Lending Examinations sound like a huge scary mass of rules and regulations that were designed specifically to confuse and haunt compliance departments everywhere!

“Why oh why are they doing this?” you ask yourself. Is it because there just isn’t enough to worry about already? Not at all. In fact, there are some really good reasons why this has become an area of focus. Just look at some testimony from a US House Subcommittee hearing in 2007:

“I have included one case where the lender was twice found in violation of the fair lending laws in Federal court and was rewarded by the regulatory agency by raising its grade to Outstanding and continuing to approve its applications for banking privileges.

I have [also] included a case where the Department of Justice sued a bank and its vice president for his alleged sexual harassment of female loan applicants, including seeking sexual favors for loan approvals. In this case, the regulatory agency which was examining the bank during the period of the harassment had not done a fair lending examination in six years and had decided that there was no need to do one during the period when the harassment occurred. The bank got a passing CRA rating. (1)”

(1) Testimony of Calvin Bradford for the National Training and Information Center (NTIC) before the Subcommittee on Domestic Policy of the House Committee on Oversight and Government Reform October 24, 2007

Since the time of that testimony the issue of fair lending has broadly increased and expanded. For example, in April 2012, the CFPB issued a bulletin confirming that it plans to apply a disparate impact test in exercising its supervisory and enforcement authority under the ECOA for all types of credit, including mortgage lending. In February 2013, HUD issued a final rule providing that disparate impact can be used to establish liability under the FHA. Use of disparate impact allows the CFPB, HUD, or a private plaintiff to prove unlawful discrimination even if there is no discriminatory intent. And while these rules are currently undergoing some revisions, they make clear that financial institution regulatory agencies are planning to include all aspects of lending within the purview of fair lending.

Included in some of the most recent fair lending enforcement actions were issues of steering, pricing and underwriting.  Current investigations that have not yet been concluded include foreclosure practices, advertising, and monitoring of exceptions to policy for purposes of adverse actions.   Wells Fargo Bank settled a fair lending suit initiated by combined regulatory agencies in July 2012.

This renewed and expanded focus on fair lending has its roots in the financial crisis of 2009 and in particular, the experiences of borrowers that are in the subprime market. The market for subprime loans is made up largely of women and minorities. This is the same group of people that ECOA was first designed and enacted to protect. The ECOA was first enacted in 1974 as a means of protecting the credit rights of women. The amendments of 1976 added protections for minorities and several other protected classes. Coupled with the Community Reinvestment Act, the Federal Fair Housing Act, state Fair Housing Laws, and in 1989, the Home Mortgage Disclosure Act (HMDA), a complete regulatory scheme was developed aimed at opening credit markets for groups of people who were traditionally shut out. While many economists and essayists have argued over the effectiveness of the regulatory scheme, the facts remain that vast numbers of communities still lack access to the credit markets. Over the years, there have been various studies performed that have determined that women and racial minorities have limited access to credit markets. This is especially true in the housing markets. The experience of these borrowers continues to be one of higher interest rates, higher rates of foreclosure, lower rates of loan modifications and, in many cases, extremely high fees.

What about us? 

Many community banks have not considered how the regulatory agencies’ emphasis on fair lending might affect them individually. However, we suggest that now is the time to do a fair lending self-assessment. The point is that in the current environment, there is ample evidence that community banks can and should do all that they can to ensure that Fair Lending compliance is a part of any strong compliance program.

Are you ready? Have you reviewed your Fair lending policies and procedures lately? When was the last time that you reported to the Board on issues of discouragement? Do you know what the credit needs of your local community are? If you cannot definitely answer these and several other questions in this area, now is the time to act! Get help with a fair lending self-assessment!  See our June 5 blog that contains a fair lending tune up!