Our state banking department has sent us a note that they want us to self-assess certain areas. They plan to “evaluate” if we are acting “responsibly” by finding out if we are taking the time to check ourselves.
The idea is for us to do a self-assessment to minimize risk to consumers.
What kind of evaluations should we be taking to ensure that we are meeting the department’s expectations?
The banking department’s view in this area goes back many years. Self-assessing is not new. In fact, in 2013 the CFPB issued a Bulletin that identified several activities that businesses could engage in that could prevent and minimize harm to consumers, referring to these activities as “responsible conduct.” So, the wording of the note you received has a legacy to it. The terminology “responsible conduct” is influenced by that 2013 Bulletin.
There are certain factors that the CFPB and, by extension, state banking departments consider as the fulfilment of responsible conduct. Recently, the Bureau updated the aforementioned Bulletin, adding the view that if an entity engages in an activity other than these factors, one particular to the entity’s situation that is both substantial and meaningful, the CFPB may take that responsive activity into consideration.[i]
I will provide a brief description of each factor, which can be extrapolated to complying with state banking department expectations. I think you should review these factors and integrate them into your Compliance Management System.
Also described as self-monitoring or self-auditing, self-assessing is a proactive commitment by an entity to use resources for the prevention and early detection of violations of consumer financial law.
- What resources does the entity devote to compliance?
- How robust and effective is its compliance management system?
- Is it appropriate for the size and complexity of the entity’s business?
Compliance Management System
- Has the entity taken steps to improve its compliance management system when deficiencies have been identified either by itself or external regulators?
- Did the entity ignore obvious deficiencies in compliance procedures?
- Does the entity have a culture of compliance?
- Considering the nature of the violation, did the entity identify the issue?
- What is the nature of the violation or likely violation and how did it arise?
- Was the conduct pervasive or an isolated act? How long did it last?
- Did senior personnel participate in, or turn a blind eye toward, obvious indicia of misconduct?
- How was the violation detected and who uncovered it?
- If identified by the entity, how did the entity identify the issue (i.e., from customer complaints, audits or monitoring based on routine risk assessments, or whistleblower activity)?
- Was the identification the result of a robust and effective compliance management system, including adequate internal audit, monitoring, and complaint review processes?
- Was identification prompted by an impending exam or an investigation by a regulator?
- What self-assessment mechanisms were in place to effectively prevent, identify, or limit the conduct that occurred, elevate it appropriately, and preserve relevant information?
- In what ways, if any, were the entity’s self-assessing mechanisms particularly noteworthy and effective?
Prompt self-reporting of likely violations also represents concrete evidence of an entity’s commitment to responsibly address the conduct at issue. Conversely, efforts to conceal a likely violation from the banking department may constitute evidence of the entity’s lack of commitment to responsibly address the conduct at issue.
- Did the entity completely and effectively disclose the existence of the conduct to the banking department, to other regulators, and, if applicable, to self-regulatory organizations?
- Did the entity report any additional related misconduct likely to have occurred?
- Did the entity report the conduct to the Bureau without unreasonable delay?
- If it delayed, what justification, if any, existed for the delay?
- How did the delay affect the preservation of relevant information, the ability of the Bureau to conduct its review or investigation, or the interests of affected consumers?
- Did the entity proactively self-report, or wait until discovery or disclosure was likely to happen anyway, for example, due to impending supervisory activity, public company reporting requirements, the emergence of a whistleblower, consumer complaints or actions, or the conduct of the department’s investigation?