QUESTION
Our state banking department has sent us a note that they want us to self-assess
certain areas. They plan to “evaluate” if we are acting “responsibly” by
finding out if we are taking the time to check ourselves. The idea is for us to
do a self-assessment to minimize risk to consumers. What kind of evaluations
should we be taking to ensure that we are meeting the department’s
expectations?
ANSWER
The banking department’s view in this area goes back many years. Self-assessing
is not new. In fact, in 2013 the CFPB issued a Bulletin that identified several
activities that businesses could engage in that could prevent and minimize harm
to consumers, referring to these activities as “responsible conduct.” So, the
wording of the note you received has a legacy to it. The terminology
“responsible conduct” is influenced by that 2013 Bulletin.
There are certain factors that the CFPB and, by extension, state
banking departments consider as the fulfilment of responsible conduct.
Recently, the Bureau updated the aforementioned Bulletin, further providing the
view that if an entity engages in another type of activity than these factors,
an activity particular to the entity’s situation that is both substantial and
meaningful, the CFPB may take that responsive activity into consideration.[i]
I will provide a brief description of each factor, which can be extrapolated to
complying with state banking department expectations. I think you should review
these factors and integrate them into your Compliance Management System.
Self-Assessing
Also described as self-monitoring or self-auditing, self-assessing is a
proactive commitment by an entity to use resources for the prevention and early
detection of violations of consumer financial law.
Resources
- What resources does the entity devote to compliance?
- How robust and effective is its compliance management system?
- Is it appropriate for the size and complexity of the entity’s business?
Compliance Management System
- Has the entity taken steps to improve its compliance management system when deficiencies have been identified either by itself or external regulators?
- Did the entity ignore obvious deficiencies in compliance procedures?
- Does the entity have a culture of compliance?
Violations
- Considering the nature of the violation, did the entity identify the issue?
- What is the nature of the violation or likely violation and how did it arise?
- Was the conduct pervasive or an isolated act? How long did it last?
- Did senior personnel participate in, or turn a blind eye toward, obvious indicia of misconduct?
- How was the violation detected and who uncovered it?
- If identified by the entity, how did the entity identify the issue (i.e., from customer complaints, audits or monitoring based on routine risk assessments, or whistleblower activity)?
- Was the identification the result of a robust and effective compliance management system, including adequate internal audit, monitoring, and complaint review processes?
- Was identification prompted by an impending exam or an investigation by a regulator?
- What self-assessment mechanisms were in place to effectively prevent, identify, or limit the conduct that occurred, elevate it appropriately, and preserve relevant information?
- In what ways, if any, were the entity’s self-assessing mechanisms particularly noteworthy and effective?
Self-Reporting
Prompt self-reporting of likely violations also represents concrete
evidence of an entity’s commitment to responsibly address the conduct at issue.
Conversely, efforts to conceal a likely violation from the banking department may
constitute evidence of the entity’s lack of commitment to responsibly address
the conduct at issue.
Disclosure
- Did the entity completely and effectively disclose the existence of the conduct to the banking department, to other regulators, and, if applicable, to self-regulatory organizations?
- Did the entity report any additional related misconduct likely to have occurred?
Reporting
- Did the entity report the conduct to the Bureau without unreasonable delay?
- If it delayed, what justification, if any, existed for the delay?
- How did the delay affect the preservation of relevant information, the ability of the Bureau to conduct its review or investigation, or the interests of affected consumers?
Being Proactive
- Did the entity proactively self-report, or wait until discovery or disclosure was likely to happen anyway, for example, due to impending supervisory activity, public company reporting requirements, the emergence of a whistleblower, consumer complaints or actions, or the conduct of the department’s investigation?