Business Continuity and Pandemic Events

QUESTION

Our Business Continuity Plan does not define the difference between business interruption and pandemic challenges. We are a small mortgage lender in the mid-west, and we were caught blind-sided with needing procedures to deal with the coronavirus pandemic. 

We started to update our BCP and found that we actually did not know if our regulator would expect us to have procedures to address both business interruption and pandemic disruption. Since you literally wrote the book on business continuity, our staff asked me to find out the difference by asking you. 

So, what is the difference between business interruption and pandemic disruption? 

Also, what are some of the actions we should take in protecting our company during a pandemic event?

ANSWER

It is kind of you to state that we “wrote the book” on business continuity but our Checklist and Workbook (“Checklist”) is just a small contribution toward a more stable business environment. Indeed, we did not charge – and will not be charging – a fee for the Checklist. It is free. We are living in a pandemic – what until relatively recently was usually called a “plague” – and providing a way to preserve your business is the least we could do. 

The Checklist was first published on March 16th, and the most recent version is Update # 6, published on April 16th. It is 183 pages of checklists, workbook space, and resources. We even provided a webinar on April 16th!

• Download the Checklist - Update # 6, webinar video and slides, and some supporting documents HERE.

• For a Business Continuity Plan – standard, customized, or enhanced – go HERE.

• And for a BCP Tune-up to check if your business continuity plans are sufficient, go HERE.

With regards to clarifying the difference between business and pandemic disruption, there are distinct differences between pandemic planning and traditional business continuity planning.

When developing business continuity plans, financial institution management typically considers the effect of various natural or man-made disasters that may differ in their severity. These disasters may or may not be predictable, but they are usually short in duration or limited in scope. In most cases, malicious activity, technical disruptions, and natural/man-made disasters typically will only affect a specific geographic area, facility, or system. These threats can usually be mitigated by focusing on resiliency and recovery considerations.

However, pandemic planning presents unique challenges to financial institution management. Unlike natural disasters, technical disasters, malicious acts, or terrorist events, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration. We are currently in the midst of only the first wave of the COVID-19 plague. There will be other waves. 

The death count, and, by extension, inevitable effects on businesses, of the second and subsequent waves will be orders of magnitude greater than the first wave unless (1) there is universal testing, (2) proper hygiene, social distancing, and sheltering are practiced, and (3) until a vaccine is created and effectively distributed.  

The nature of the global economy virtually ensures that the effects of a pandemic event will be widespread and threaten not just a limited geographical region or area, but potentially every continent. In addition, while traditional disasters and disruptions normally have limited time durations, pandemics generally occur in multiple waves, each lasting two to three months. Consequently, no individual or organization is safe from the adverse effects that might result from the plague.

Experts predict that perhaps the most significant challenge likely from a severe pandemic event will be staffing shortages due to absenteeism. These differences and challenges highlight the need for all financial institutions, no matter their size, to plan for a pandemic event when developing their BCP.

Don’t let your guard down! The BCP is a dynamic document that requires periodic updating in response to changing conditions. There are at least five primary actions to managing your way through a pandemic event.

1) A preventive program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, in addition to providing appropriate hygiene training and tools to employees.

2) A documented strategy that provides for scaling the institution’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. The strategy will also need to outline plans that state how to recover from a pandemic wave and proper preparations for any following wave(s).

3) A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods. Such procedures could include social distancing to minimize staff contact, telecommuting, redirecting customers from branch to electronic banking services, or conducting operations from alternative sites. The framework should consider the impact of customer reactions and the potential demand for, and increased reliance on, online banking, telephone banking, ATMs, and call support services. In addition, consideration should be given to possible actions by public health and other government authorities that may affect critical business functions of a financial institution.

4) A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue.

5) An oversight program to ensure ongoing review and updates to the pandemic plan so that policies, standards, and procedures include up-to-date, relevant.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director

Lenders Compliance Group

Reputation and Strategic Risks

QUESTION

We are a mid-sized bank in the northwest. For years, we have been reading your FAQs. Often, we use them in our weekly operations and compliance meetings. 

What we like is you get to the point, no funny or fringy stuff, and your explanations pan out time and again. Our concern now is about risks, particularly two risks: reputation risk and strategic risk. 

Although other risks seem to be quantifiable, these risks have an intangible quality to them. How would you define these risks? Also, what features are involved in these risks?

ANSWER

When I get such wonderful and kind words from a reader, I feel humbled and grateful. Our work covers virtually all areas of mortgage banking compliance, and we work with tiny to huge companies. The FAQ is more than just a labor of love for us. It is our way of staying in touch with you, listening to you, giving you feedback and support. Thank you for subscribing!

I have written and spoken extensively about risks. We provide regulatory compliance support, but we are purveyors of risk management, specifically, “mortgage risk management” – a term that I coined many long years ago. 

If you want to read one of many articles and White Papers I have authored on risk, such as Risk Management Principles, please click HERE. For other articles, click HERE.

In its purest form, the purpose of the risk identification process is to aggregate risks for evaluation and consideration relative to a management’s or a Board of Director’s risk appetite. To effectively carry out an ongoing risk aggregation process, institutions need to develop a method for defining and categorizing risks throughout the institution. So, I suggest you describe the method to be applied, list the risks categorically, and provide their respective features thereunder.

You would want to include categories for market risk, operational risk, reputation risk, strategic risk, all of which generally apply to most businesses; additionally, credit risk, legal and compliance risk, and liquidity risk, which apply to financial institutions. 

Your question concerns the risk categories or reputation and strategic risks. Although these appear to be less quantifiable and more qualitative than then other risks, I think you will be surprised at just how quantifiable are the features associated with reputation and strategic risks.

The following is a brief outline for you to consider.

Reputation Risk

Reputation risk arises due to negative publicity or public opinion (either real or perceived) that may adversely affect the institution’s brand image. 

This risk can impact clients, employees, communities, or shareholders and is often a secondary result of one of the other risk categories:

• Corporate scandals (i.e., accounting irregularities, governance)
• Industry-related risk (i.e., insurance, mutual funds)
• Inherent nature of business (i.e., payday lending, embassy accounts)
• Third-party relationships (i.e., clients, service providers)
• Employee morale (i.e., layoffs, corporate change)
• Employee activities (i.e., e-mails, rogue trading)
• Regulations (i.e., fines, violations, untested regulations)
• Litigation
• Client service (i.e., system availability, processing errors)

Strategic Risk

Strategic risk is the risk that the institution’s business strategy and objectives do not allow the institution to achieve its vision, mission, and purpose. 

The responsibility for managing this risk rests with the board of directors and senior management. 

Any inability to execute the corporate plan generally is a result of one of the other general risk categories and may focus on such areas as:

• Financial goals
• Business, product, delivery channel, or geographic directions
• IT plans (i.e., outsourcing, hardware, and software solutions)
• Organizational structure
• Succession plans
• Relationship management
• Customer service

When we do an internal audit, we undertake an evaluation of the risk management initiatives. I suggest you do the same!

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

UDAAP: CFPB Enforcement

QUESTION

We are in the process of updating our UDAAP policy. The last update was in December 2018. There is the view that CFPB’s enforcement is more lenient these days. I am fighting a pitched battle to hold the line and stay prepared for the possibility of enforcement. So, what can I tell my colleagues about CFPB enforcement with regard to UDAAP?

ANSWER

The notion that the Trump Administration has caused the CFPB to back away from enforcement is not entirely accurate. However, under the current Administration, some critics believe that the CFPB has become more like a consumer information agency rather than an aggressive pursuer of examination and enforcement. That said, a case can be made that the CFPB has been providing guidance continually in the form of its enforcement actions.

Since the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, and since the toning down of CFPB enforcement under the Trump Administration, commentators have speculated how aggressively the CFPB would continue to pursue its broad authority to regulate unfair, deceptive, or abusive acts or practices (UDAAP).

Federal statutes had previously given similar authority to federal agencies, including the Federal Trade Commission under Section 5 of the FTC Act and under Section 511 of the Credit CARD Act of 2009 (regulation of mortgage lending), and the Federal Reserve Board under the FTC Act and the Truth-in-Lending Act. Most of the states have adopted their own versions of UDAAP statutes.

The CFPB issued a UDAAP Policy on February 6, 2020.[i] Its stated purpose is to

“provide greater certainty as to how the [CFPB] intends to use the abusiveness standard in supervision and enforcement…”

So, it is not the case that CFPB is avoiding enforcement. The Bureau’s approach seems to be one of ensuring that there is a standard by which UDAAP may be evaluated. I will outline a few key standards. You should incorporate them into your UDAAP policy update. The following is a brief outline.

·       The CFPB plans to focus on citing conduct as abusive if the CFPB concludes that the harms to consumers from the conduct outweigh its benefits to consumers.

o   The CFPB’s consideration of the harm and benefit can be qualitative as well as quantitative. It intends to focus on the prevention of harm by citing conduct as abusive in supervision and challenging conduct as abusive in enforcement if the CFPB concludes that the harms to consumers from the conduct outweigh the benefits to consumers, including its effects on access to credit.

o   Further, it seems clear that the Bureau expects this approach to ensure that it uses its “scarce resources” to address conduct that harms consumers and that its supervisory and enforcement decisions are consistent.

o   It is worth mentioning that the CFPB overtly considers this focus consistent with the FTC’s approach to unfairness and deception, which weighs costs and benefits under the unfairness standard but not under the deception standard.

§  The primary difference between unfairness analysis and deception analysis is that deception does not ask about offsetting benefits, instead presuming that false or misleading statements either have no benefits or that the injury they cause to consumers can be avoided by the company at very low cost. In other words, deception analysis creates a shortcut, assuming that when a material falsehood exists, the practice would not pass the full benefit/cost analysis of unfairness because there are rarely, if ever, countervailing benefits to deception.

·       The CFPB generally will avoid challenging conduct as abusive that relies on all or nearly all of the same facts that the it alleges are unfair or deceptive.

o   When the CFPB decides to include an alleged abusiveness violation, it intends to plead abusiveness in a manner designed to clearly demonstrate the nexus between the cited facts and its legal analysis of the claim. So, in supervision activity, the CFPB likewise intends to provide more clarity as to the specific factual basis for determining that a covered person has violated the abusiveness standard.

·       The CFPB does not intend to seek certain types of monetary relief for abusiveness violations when the covered person was making a good faith (reasonable, albeit mistaken) effort to comply with the abusiveness standard.

o   If a covered person makes a good faith but unsuccessful effort to comply with the abusiveness standard, the CFPB still intends to seek legal or equitable remedies, such as damages and restitution, but not civil penalties or disgorgement, to redress identifiable consumer that would not otherwise be addressed.

o   It is our understanding that the Bureau intends to consider all relevant factors, including, but not limited, to the considerations outlined in CFPB Bulletin 2013-06 regarding Responsible Business Conduct.

·       The CFPB is committed to aggressively pursuing the full range of monetary remedies against bad actors.

o   These are persons who were not acting in good faith in violating the abusiveness standard, such as those who engage in fraudulent practices or consumer scams.

·       The Bureau intends to allege “stand-alone” abusiveness violations (i.e., violations not accompanied by related unfairness or deception violations) when doing so would be consistent with the abusiveness standard and the Policy Statement.

o   As I’ve indicated above, the CFPB intends to plead stand-alone claims in a manner designed to demonstrate the nexus between the cited facts and its legal analysis of the claims.

I suggest that you stay tuned to future editions of the CFPB’s Supervisory Highlights. The Bureau will likely use this publication to describe the basis for UDAAP citations with greater clarity.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

---

[i] Statement of Policy Regarding Prohibition on Abusive Acts or Practices, Consumer Financial Protection Bureau, 85 Federal Register 6733 (February 6, 2020)

Risk Appetite Statements

QUESTION

We are a lender all states and we have a large servicing platform. We are owned by a large regional bank. We are often confronted with risk challenges in many lines of business and certainly in our portfolio and servicing end. To ensure that we are considering all risks, I wonder if you would provide some feedback on the implications of risks. My question is, what are some typical risks a company like ours faces? And, what are the typical features of these risks?

ANSWER

A financial institution such as yours should be conducting a risk appetite review. Contact me to discuss risk appetite audits, as it seems to me you need one. We are experts in risk appetite statements. If you want to discuss risk appetite, click HERE and we’ll contact you.

It is a mission-critical feature of management to develop a risk identification process to aggregate risks for evaluation and consideration relative to the Board’s risk appetite. To effectively carry out an ongoing risk aggregation process, institutions need to develop a method for defining and categorizing risks throughout the institution. Educated risk based on sound principles of evaluation is, or should be, the most responsible approach for management to make decisions.

I am providing a brief overview that, hopefully, will provide feedback on how different types of risk are generally defined and categorized. Based on the brief description of your company, and because we have not conducted a risk appetite evaluation of your institution, my response is generalized. I will set forth these risks in a categorical outline.

Market Risk

Market risk arises from changes in the value of the portfolios of financial instruments due to adverse movement in market rates or prices is called market risk. Factors that should be considered include interest/exchange rate-sensitive activities, accounting treatment, market conditions, and potential losses, such as:

• Portfolio (i.e., investment concentrations, durations, correlations)
• Trading account or inventory risk
• Hedge effectiveness (improper or lack of hedging)
• Interest rate-sensitive activities (i.e., mortgage servicing rights, value-based fees)
• Modeling errors (i.e., assumptions, values)
• Foreign exchange rates (i.e., foreign letters of credit, forward contracts)

Operational Risk

Operational risk is especially related to loss associated with inadequate or failed internal processes, people, systems, or external events. This risk includes:

• Internal processes (i.e., financial reporting misstatements, inadequate reconcilements, errors and omissions, missing/incomplete documentation, improper safeguarding of assets, inadequate or insufficient internal controls, failed processor settlement, improper markups)
• People (i.e., embezzlement and asset misappropriation, authorization/approval limits, keying/input error, management override, unethical acts (real or perceived))
• Systems (i.e., IT systems failure, inappropriate information security access)
• External events (i.e., external fraud (real or perceived), legal liability, outsourcing, check kiting, counterfeit transactions, natural disasters)

Reputation Risk

Reputation risk can be unbelievably devastating to a company. It arises due to negative publicity or public opinion (either real or perceived) that may adversely affect the institution’s brand image. Reputation risk can impact clients, employees, communities, or shareholders and is often a secondary result of one of the other general risk categories:

• Corporate scandals (i.e., accounting irregularities, governance)
• Industry-related risk (i.e., insurance, mutual funds)
• Inherent nature of business (i.e., payday lending)
• Third-party relationships (i.e., clients, service providers)
• Employee morale (i.e., layoffs, corporate change)
• Employee activities (i.e., emails, rogue social media)
• Regulations (i.e., fines, violations, untested regulations)
• Litigation
• Client service (i.e., system availability, processing errors)

Strategic Risk

Strategic risk is a core risk because it arises where an institution’s business strategy and objectives do not allow the institution to achieve its vision, mission, and purpose. The responsibility for managing this risk rests with the Board and senior management. Any inability to execute the corporate plan generally is a result of one of the other general risk categories and may focus on such areas as:

• Financial goals
• Business, product, delivery channel, or geographic directions
• IT plans (i.e., outsourcing, hardware, and software solutions)
• Organizational structure
• Succession plans
• Relationship management
• Customer service

While the foregoing risks are vital to risk evaluation, they are the types of risks that apply to many business enterprises; however, there are risks that apply to financial institutions. I will give you a few examples of these types of risks.

Credit Risk

Credit risk arises from a borrower’s or counterparty’s inability or unwillingness to repay its financial obligations as agreed. Components of credit risk can include collateral, market conditions, concentration, cash flow, credit ratings, portfolio, and product issues. Credit risk extends beyond traditional lending and includes both on and off balance sheet commitments. Examples of credit risk include:

• Investment securities
• Loan default (failure to meet the terms of the obligation)
• Loan losses and non-performing assets
• Subprime lending
• Off balance-sheet exposures (i.e., derivatives and letters of credit)
• Electronic payments (ACH, wire transfers, and online banking)
• Controlled disbursement accounts
• Overdrafts and return items
• Official checks (issued for customers)

Transitioning Loan Officer as Employee

QUESTION

A while back Jonathan Foxx discussed the transitioning of loan officers. He wrote about how to handle the licensing issues so that new loan officers can get to work. The questioner asked about transferring loan officers from their bank registration to become licensed loan officers. My question also deals with transitioning. Is a transitioning loan officer an employee?

ANSWER

Click Transitioning Loan Officer Licensing to read the post we published on November 7, 2019. I continue to see employers struggling with the issue of how best to effectuate the transitioning of a loan officer.

Indeed, it was in November 2019 that the CFPB issued an interpretive rule to construe an ambiguity regarding certain non-licensed loan originators. The Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (EGRRCP Act) made it easier for loan originators to move from one employer to another, by giving a registered or state-licensed loan originator temporary authority to act as a loan originator in a different state if he or she:

• Has not had an application for a loan originator license denied or a loan originator license revoked or suspended;
• Has not been subjected to or served with a cease and desist order;
• Has not been convicted of a misdemeanor or felony that would preclude licensing in the new state;
• Has submitted an application to be a state-licensed loan originator in the new state; and,
• If applicable, was registered in the NMLSR as a loan originator during the 1-year period preceding the filing of the new application.

The statute separately addresses registered loan originators and state-licensed loan originators.

Regulation Z imposes training requirements on loan originator organizations for “each of its individual loan originator employees who

• is not required to be licensed, and
• is not licensed as a loan originator….”

This language, which the CFPB adopted before the EGRRCP Act existed, is ambiguous regarding whether the individual loan originators it references include loan originators with temporary authority under the EGRRCP Act. Accordingly, on November 19, 2019, the CFPB adopted an interpretive rule to address the ambiguity.

In its interpretive rule, the CFPB took the position that, although the language is ambiguous, the Bureau believes the most appropriate interpretation of Regulation Z is that the regulation does not refer to a loan originator with temporary authority under the EGRRCP Act, because a loan originator with temporary authority does not satisfy the first condition in Regulation Z § 1026.36(f)(3)—“is not required to be licensed.”

That is, to point a fine point on it, a loan originator with temporary authority is not an “individual loan originator employee … who is not required to be licensed….” He or she is an employee who is required to be licensed, although the employee can act as a loan originator while seeking the required license.

The CFPB issued its interpretation as an interpretive rule to further ensure that TILA § 130(f) offers a safe harbor to loan originator organizations that act in conformity with the interpretive rule. [84 FR 63791 (Nov. 19, 2019)] The Bureau plans to incorporate the interpretive rule into Regulation Z.

Jonathan Foxx
Chairman & Managing Director
Lenders Compliance Group