QUESTION
Our state banking department has sent us a note that they want us to self-assess
certain areas. They plan to “evaluate” if we are acting “responsibly” by
finding out if we are taking the time to check ourselves.
The idea is for us to
do a self-assessment to minimum risk to consumers.
What kind of evaluations
should we be taking to ensure that we are meeting the department’s
expectations?
ANSWER
The banking department’s view in this area goes back many years. Self-assessing
is not new. In fact, in 2013 the CFPB issued a Bulletin that identified several
activities that businesses could engage in that could prevent and minimize harm
to consumers, referring to these activities as “responsible conduct.” So, the
wording of the note you received has a legacy to it. The terminology
“responsible conduct” is influenced by that 2013 Bulletin.
There are certain factors that the CFPB and, by extension, state
banking departments consider as the fulfilment of responsible conduct.
Recently, the Bureau updated the aforementioned Bulletin, further providing the
view that if an entity engages in another type of activity than these factors,
an activity particular to the entity’s situation that is both substantial and
meaningful, the CFPB may take that responsive activity into consideration.[i]
I will provide a brief description of each factor, which can be extrapolated to complying with state banking department expectations. I think you should review
these factors and integrate them into your Compliance
Management System.
Self-Assessing
Also described as self-monitoring or self-auditing, self-assessing is a
proactive commitment by an entity to use resources for the prevention and early
detection of violations of consumer financial law.
Resources
- What resources does the entity devote to compliance?
- How robust and effective is its compliance management system?
- Is it appropriate for the size and complexity of the entity’s business?
Compliance Management System
- Has the entity taken steps to improve its compliance management system when deficiencies have been identified either by itself or external regulators?
- Did the entity ignore obvious deficiencies in compliance procedures?
- Does the entity have a culture of compliance?
Violations
- Considering the nature of the violation, did the entity identify the issue?
- What is the nature of the violation or likely violation and how did it arise?
- Was the conduct pervasive or an isolated act? How long did it last?
- Did senior personnel participate in, or turn a blind eye toward, obvious indicia of misconduct?
- How was the violation detected and who uncovered it?
- If identified by the entity, how did the entity identify the issue (i.e., from customer complaints, audits or monitoring based on routine risk assessments, or whistleblower activity)?
- Was the identification the result of a robust and effective compliance management system, including adequate internal audit, monitoring, and complaint review processes?
- Was identification prompted by an impending exam or an investigation by a regulator?
- What self-assessment mechanisms were in place to effectively prevent, identify, or limit the conduct that occurred, elevate it appropriately, and preserve relevant information?
- In what ways, if any, were the entity’s self-assessing mechanisms particularly noteworthy and effective?
Self-Reporting
Prompt self-reporting of likely violations also represents concrete
evidence of an entity’s commitment to responsibly address the conduct at issue.
Conversely, efforts to conceal a likely violation from the banking department may
constitute evidence of the entity’s lack of commitment to responsibly address
the conduct at issue.
Disclosure
- Did the entity completely and effectively disclose the existence of the conduct to the banking department, to other regulators, and, if applicable, to self-regulatory organizations?
- Did the entity report any additional related misconduct likely to have occurred?
Reporting
- Did the entity report the conduct to the Bureau without unreasonable delay?
- If it delayed, what justification, if any, existed for the delay?
- How did the delay affect the preservation of relevant information, the ability of the Bureau to conduct its review or investigation, or the interests of affected consumers?
Being Proactive
- Did the entity proactively self-report, or wait until discovery or disclosure was likely to happen anyway, for example, due to impending supervisory activity, public company reporting requirements, the emergence of a whistleblower, consumer complaints or actions, or the conduct of the department’s investigation?
remediating
Violations of Federal and state consumer financial law should be
remediated to prevent the violations from recurring, and, when appropriate,
effectuating changes in the entity’s future conduct for the protection and benefit of consumers.
Remedies
- What steps did the entity take upon learning of the violation?
- Did the steps immediately stop the violation?
- How long after the violation was uncovered did it take to implement an effective response?
Disciplinary Actions
- What steps did the entity take to discipline the individuals responsible for the violation and to prevent the individuals from repeating the same or similar conduct?
Analysis
- Did the entity conduct an analysis to determine the number of affected consumers and the extent to which they were harmed?
- Were consumers made whole through compensation and other appropriate relief, as applicable?
- Did affected consumers receive appropriate information related to the violations within a reasonable period of time?
Recurrence
- What assurances are there that the violation (or a similar violation) is unlikely to recur?
- Did the entity take measures, such as a root cause analysis, to ensure that the issues were addressed and resolved in a manner likely to prevent and minimize future violations?
- Have the entity’s business practices, policies, and procedures changed to remove harmful incentives and encourage proper compliance?
Cooperation
The “quality of an entity’s interactions, to wit, the level of
cooperation with the state banking department after the department becomes
aware of a likely violation of Federal or state consumer financial law – either
through an entity’s self-reporting or the banking department’s own efforts – is
a factor that may be taken into consideration in a supervisory review or
enforcement investigation.
Prompt Response
- Did the entity cooperate promptly and completely with the department and other appropriate regulatory and law enforcement bodies?
- Was that cooperation present throughout the course of the review and/or investigation?
Share Findings
- Did the entity take proper steps to develop the facts quickly and thoroughly and to fully share its findings with the department?
- Did it undertake a thorough review of the nature, extent, origins, and consequences of the violation and related behavior?
- Who conducted the review and did they have a vested interest or bias in the outcome?
- Were scope limitations placed on the review? If so, why and what were they?
Results and Documentation
- Did the entity promptly make available to the banking department the results of its review and provide sufficient documentation reflecting its response to the situation?
- Did it provide evidence with sufficient precision and completeness to facilitate, among other things, appropriate actions against others who violated the law?
- Did the entity produce a complete and thorough written report detailing the findings of its review?
- Did it voluntarily disclose material information not directly requested by the department or that otherwise might not have been uncovered?
- Did the entity provide all relevant, non-privileged information and make assertions of privilege in good faith?
Employee Accessibility
- Did the entity direct its employees to cooperate with the department and make reasonable efforts to secure such cooperation?
- Did it make the most appropriate person(s) available for interviews, consultation, and/or sworn statements?
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
[i] Responsible
Business Conduct: Self-Assessing, Self-Reporting, Remediating, and Cooperating,
(CFPB BULLETIN 2020–01), FR, 85/55, March 20, 2020, Rules and Regulations, pp 15917-15919