Friday, June 26, 2020

Influencer Guidelines for Financial Institutions

We have affiliates that sell products and services. As the Compliance Manager, I was recently tasked by our CEO to make sure that we are not giving the impression that we’re recommending something being sold by our affiliates, even if our websites already mention their products and services. This seems like a contradiction. 

On the one hand, we are told to not recommend the affiliates’ products and services, and, on the other hand, we are told to make sure our websites mention them. 

Are there some guidelines we can follow to make sure we are not promoting the products and services while also mentioning them on our websites?

These days, there is a term for the power to affect the purchasing decisions of others. It’s called an “influencer.” You may have heard this term in the last few years. It is associated often with social media. The influencer is somebody who supposedly has the authority, knowledge, relationship, position, expertise, experience, and competence to “influence” somebody’s purchasing decisions. In fact, there are courses now available for people to learn how to be an influence!

The world of financial services has its own form of influencers. And the scenario you describe is one such instance where influence crosses into regulatory territory. That territory is the regulatory framework of the Federal Trade Commission (FTC). Using the FTC standards, it is possible to provide a set of guidelines that, hopefully, will make it possible for you to both mention the affiliates’ products and services without giving the impression that you are promoting them without proper disclosure.

The FTC has the power to issue trade regulation rules declaring acts, practices, and conduct in or affecting interstate commerce to be unfair or deceptive practices. As a point of reference, Dodd-Frank generally displaced the FTC with the CFPB as the coordinator of consumer complaints and principal regulator regarding consumer financial products or services provided by banks, federal savings association, and nonbank creditors (except for motor vehicle dealers).

Prior to the enactment of Dodd-Frank, the FTC Act required banking regulators to issue similar rules within 60 days after an FTC rule’s effective date, unless the banking agency found that similar acts and practices of depository institutions were not unfair or deceptive. Although, Dodd-Frank deleted this requirement, financial institutions may still find it worthwhile to understand FTC rules, if only to understand the rules with which their FTC-regulated competitors must comply.

So, the following is a brief list of guidelines that my firm would be considering if we were doing an audit your scenario. It is based on years of working with FTC standards and website reviews. If we were to do an audit, there would be many other moving parts to consider, including an influencer disclosure review, but I think this outline will give you a head start!

Influencer Guidelines for Financial Services Affiliates 
  • The institution (“influencer”) should clearly and conspicuously indicate the relationship between the influencer and its affiliate (i.e., “we’re affiliated companies owned by the same parent company”).
  • If the other company (the affiliate) gives the influencer a benefit in return for mentioning its products and services, the influencer should mention that benefit (i.e., “we receive [compensation/similar promotion by [the other firm]] in return for mentioning its products and services”).
  • The influencer should treat tags, likes, pins, and similar ways of showing the influencer likes a product or service as endorsements that require disclosures.
  • The influencer should place each disclosure so it’s hard to miss. A disclosure should appear along with the endorsement message and should not appear only if the viewer must click more to reach it.
  • The influencer should not mix the disclosure with a group of hashtags or links, although the disclosure could include a hashtag such as #ad or #sponsored.
  • If an endorsement appears in a picture on a platform like Snapchat or Instagram Stories, the disclosure should be superimposed over the picture in a way that ensures viewers have time to notice and read it.
  • If the endorsement appears in a video, a disclosure should appear both in audio and in video as part of the video and not just in a description uploaded with the video and not only in words superimposed on a video.
  • If the endorsement is made in a live stream, the disclosure should be repeated periodically so viewers who see only part of the stream will get the disclosure.
  • Disclosures should use simple and clear language, without vague or confusing terms such as uncommon abbreviations or shorthand.
  • A disclosure should be in the same language as the endorsement.
  • An influencer should not assume that a platform’s disclosure tool is sufficient, but should consider using that tool in addition to the influencer’s own, good disclosure.
  • An endorsement should be honest and truthful. For example, an influencer should not mention experience with a product the influencer has not tried, or say the product is terrific if the influencer thinks it’s terrible, or make up a claim that would require proof the influencer does not have.
  • The influencer should ensure its disclosures are made, not rely on someone else to make them.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Friday, June 19, 2020

Pandemic Response: Preparing for the Second Wave

We have followed many of the suggestions in your Business Continuity Checklist, especially the parts that deal with the pandemic response. We purchased your Business Continuity Plan. 

The problem we now have relates not to the present but the future. Specifically, we are worried about the possibility of a second COVID-19 wave. Our compliance people are grappling with how to handle a second wave. 

Our question is, what do we do now about preparing for the second wave of COVID-19?

I am grateful that you are using the Business Continuity Plan Checklist and Workbook, Includes Pandemic Response. As you know, the Checklist is free and provided as a courtesy to enable companies to manage business continuity. It has a large section that deals specifically with pandemic responses in general and the COVID-19 pandemic in particular. It also contains numerous resources and references. We are the only compliance firm in the country that has published such a helpful tool, which is now on Update # 7, consisting of 208 pages. You can download it HERE. Update # 8 will be published shortly.

Thank you for buying the Business Continuity Plan (“BCP”). Yesterday we notified media and our subscribers about our Business Continuity and Pandemic Response Plan, which we decided to offer at a deeply reduced rate to make it affordable to most companies. Even still, how could companies afford not to buy it, considering their very survival depends on business continuity? Waiting is really not an option. Our BCP is extensive, detailed, and dynamic. And we even provide a walkthrough of the document with one of our subject matter experts at no additional fee. You can order it HERE.

For the first wave response, I have outlined operational issues as well as pandemic challenges. For some recent posts, go HEREHEREHEREHERE, and HERE.

Your question is important. I do not want to be the bearer of bad tidings, but the second wave could be worse than the first – and, realistically, we are not out of the first. As I write, some states are seeing a record number of hospitalizations, and a few are reaching maximum capacity in their ICU units. Thousands are becoming infected every month. Currently, the United States has 2.2 million confirmed cases; 16,500 are now critical; and over 118,000 have died to date.[i] There have been about 27 million tests done in a population of 330 million, or only 8%, with 1.2 million active cases and over 931,000 recovering cases. There is insufficient educating; insufficient testing; insufficient contact tracing; insufficient wearing of masks; and insufficient social distancing.

Even if a person has no symptoms, that person can spread the disease. The CDC estimates that 40% of transmissions happen before people feel sick.[ii] I have seen studies that show upwards of 4-5 people can become infected by contact with persons who did not think they had the disease. Whether testing is done or not done, the infection rate is not changing. One has nothing to do with the other. However, testing tells us the epidemiological factors involved in the rapid geographic spread of the disease and the measures needed to contain it. Not testing at a high rate is tantamount to denying the ever-increasing risk.

Surely, denying the presence of a catastrophic plague is the worst form of response.

Over 40 million people have filed for initial unemployment. Everyone wants the economy to improve, but, in the long run, it just can’t improve without good hygiene being pervasively practiced. 

Here’s a simple algorithm for wearing a face mask for those people who think they don’t need to wear a face: 
Wearing a face mask leads to less asymptomatic viral spread,
which leads to more of the economy opening sooner. 

Delay the response; delay the revitalized economy.

We should be clear about what is meant by “asymptomatic spread.” The asymptomatic spread is a condition where the transmission is by people who do not have symptoms and will not get symptoms from their infection. But those infected carriers could still get others infected. Also, there is “pre-symptomatic spread.” The pre-symptomatic spread is a condition where the transmission is by people who don’t look or feel sick but will eventually get symptoms later. Obviously, they too can infect others without knowing it.

Pandemics usually occur in waves. Infections spike, peak, plateau, and even recede – but the infection rebounds again later. This process may happen several times. It is the pattern of the pandemics in 1918-1919 with Spanish flu, 1957-58 with the H2N2 virus, and 2009-2010 with the swine flu.

I have written previously that the second wave of a pandemic is often worse than the first. I understand that people want to return to “normal,” but that simply cannot happen at this time. The CDC predicts that there could be upwards of 200,000 deaths caused by COVID-19 by the fourth quarter.[iii] Given that Federal authorities have mostly left it to the states to effectuate good hygiene orders, and many states maintain that they will not shut down a second time – although some states never shut down at all in this first wave – the reduction of infections and deaths seem as far away as ever. After all, when a state runs out of ICU beds, it really has no other choice, ethically speaking, but to shut down.

Yet a second wave is coming. And that means a second shut down is possible. For instance, Japan has had to shut down geographical areas of resurgence. Other countries have been shutting down, where resurgence has occurred. There are now surging spikes in several states, and ICU units are reaching capacity. Because COVID-19 has a lengthy incubation period, to wit, 3 to 14 days (with symptoms often appearing within 4-5 days after exposure), during that first 72 hours, a person can transmit the virus to others.

Let’s view our current circumstances as being in the first wave, one that has not ended, but reduced somewhat in parts of the country, plateaued in other parts, and surging in other parts at an astonishing speed. Let’s also assume that the second wave is coming in the fourth quarter 2020. Given that situation, we can do two things: (1) maintain now as much good hygiene as possible in our pandemic response to the first wave; and (2) prepare carefully for the second wave.

So, what lessons have we learned thus far? And what should you do in preparation for the second wave of the COVID-19 pandemic? I will outline the action items you should be considering and implementing.

1. Preparation

Anticipate the continuation of first wave hygienic activities. Get a sense of how your organization is responding to the current pandemic challenges and how much time remains before the second wave hits.

2. Proactive

Do not let your organization become the victim of denial. Be proactive. Determine the strengths and weaknesses of the current pandemic response. Refine the actions taken and document them.

3. Business Continuity Plan

Be sure that you view the Business Continuity Plan as a dynamic document that will change over time. It is not a fixed, unchanging set of procedures, but will need to change in response to real-world challenges.

4. Communication - Internal

Maintain on-going communications between management and employees. Use various media to communicate news, testing criteria, and revised guidelines. Be sure to fact check and correct misinformed information provided by any sources that are not credentialed scientists and doctors trained in relevant fields.

5. Communication – External

Synchronize internal (within the organization) and external (outside the organization) news, procedures, announcements, and actions.

6. Absenteeism

Use these four criteria to minimize and monitor absentee employees: (1) essential to report to the workplace; (2) essential but can work remotely; (3) non-essential but can work remotely; and (4) non-essential and not necessary to work remotely.

7. Crisis Management

Periodically assemble a crisis management team consisting of senior management, department heads, business line leaders, and internal administrative staff (i.e., HR, IT, legal, finance, compliance). Document the meetings and discuss ways and means to stay current with challenges to business continuity.

8. Geography

If the organization is multistate, geographic challenges present themselves. Each remote branch office or regional vector should have a reporting chain to senior management for business continuity and pandemic response concerns. The Business Continuity Plan should take remote offices and regions into consideration.

9. Drills

Implement exercises to test various realistic scenarios. The COVID-19 virus is a “long tail” virus,[iv] so doing scenario exercises will keep the organization in a state of readiness and functioning in a safe environment.

10. Recovery

Be willing to transition to a more recovered posture, if events allow for recovery. The recovery state is part of business continuity, but not without pitfalls. Recovery does not just mean business-as-usual. It means ensuring that the crisis may be past, though it is not a time to let down your guard. 

Some crises do cease to exist, and, to that extent, the organization may still remain with periodic testing. However, some crises do not cease to exist: only the current risk of them happening has been reduced. Pandemics are the latter case. Do not be caught blind-sided by relaxing your pandemic response to the point that you end up making the same mistakes in the next wave.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

[i] As of 6/19/20 at 7:33AM (EST) Coronavirus Resources Center, Dashboard, Johns Hopkins University and Medicine, See
[iii] US could see 200,000 coronavirus deaths by September, Woods, Amanda, June 11, 2020, NY Post
[iv] A “long tail risk” is one that, from a risk point of view, is “between the start of the exposure and the manifestation of loss or damage resulting from the exposure.” International Chamber of Commerce

Thursday, June 11, 2020

Pandemic Response: Whistleblower Retaliation

I am an underwriter in a large lender. We have offices in 30 states, with a main office in the Midwest. I work at the main office.

I want to know about how to go about handling a whistleblower complaint without having my boss fire me.

My concern is that we were required to return to the office, even though the office was not set up for protecting us from COVID-19. Now, two underwriters and a few processors have come down with COVID-19 and are in quarantine.

If we don’t come in, we have been told we will be replaced. I need this income and the health benefits and can’t survive without them.

We met with senior management a couple of weeks ago, but they have done nothing. Basically, we feel they don’t care. So, I want to report them to the authorities without winding up getting myself fired.

My question is, what protection do I have from getting fired if I report this unhealthy environment?

I sympathize with your situation. Unfortunately, your question is not the first of its kind that we have received. It is a significant concern when management does not ensure a healthy work environment. It seems that you have already researched which authorities should be contacted. But, having done so, you believe you may be fired for reporting the problem.

When an illegitimate and illegal firing takes place for reporting the potential of violations of law in a commercial entity, this is called Whistleblower Retaliation. 

In general, whistleblower statutes aim at encouraging employees to speak out and act when they see illegality, so as to eliminate corruption while protecting the employees who “blow the whistle.” There is some case law based on statutes where an employee is not protected who stands by and takes no action. So, it sure does feel like ‘damned if you do, and damned if you don’t!’

I will not comment about the illegality of this matter, but I suggest you contact a labor lawyer licensed to practice law in the state where the main office is located. You may find that some of these lawyers are more interested in representing employers than employees. But there are plenty who will want to get involved. Make sure you bring other employees with you. I think whistleblower retaliation may be mitigated if you retain appropriate legal counsel.

But, let’s view that choice as a last resort. First things first: I suggest finding a way to broaden the discussion with management in a proactive and helpful way. It may be that they want to work collaboratively with employees but there is no structural method in place to benchmark one another.

Download our Business Continuity Plan with Pandemic Response – Checklist and Workbook (“Checklist”). This document is now in its 7th update, and the 8th is going to be published shortly. It is free! It has been downloaded by thousands of people at this point, including regulators, executive, senior, and middle management, and indeed many employees, rank and file. So, you’re in good company, and you can make a case for using it for a working relationship with management.

Read through the Checklist and decide on how to present your view in a coherent way. Take the Checklist to management and request an opportunity to discuss the sections that pertain to your particular needs and concerns. Give a copy of the Checklist to management or give them the link to download the Checklist

Appoint a committee of employees to work with management in fulfilling the expectations. Meet regularly to benchmark one another. You may find that opening communications is the best way to ensure a healthy working environment.

To assist with opening such communications with management, advocate for your view by drawing on a few talking points. Some reliable talking points are set forth in our recent FAQ: Pandemic Challenges: Returning to the Office.

Good luck! Stay Safe!

Jonathan Foxx
Chairman & Managing Director
Lenders Compliance Group

Thursday, June 4, 2020

Compliance Officer: Job Description

We are looking to hire a new compliance officer. As we put together the job description, we wanted to be sure we listed gave a full description of the position. That led us to your door.

We know that you offer continual compliance support, so you would know the best way to describe the responsibilities of a compliance officer. 

Our plan is to use the description in our policies and procedures as well as in our job advertisement. 

What is a compliance officer and how should we describe the responsibilities?

Thanks for knocking on our “door!” Yes, we provide on-going mortgage compliance guidance. In fact, our firm is the first compliance firm in the country to offer low cost, fixed fee, monthly compliance support, manned by subject matter experts and supervised by professionals with substantial experience, knowledge, and expertise.

Many companies, large and small, retain us as an independent adjunct to their compliance department. Others use us primarily as a proxy for an in-house compliance department. Whatever the case, we are highly experienced in working with management and compliance personnel.

If you’re interested in knowing more, please contact me HERE

You’ll be glad you did!

I am going to provide a brief job description for a compliance officer in a format that you can use both for your policy and procedures and also your job advertisement. I outline the format according to topical expectations.

Job Description
  • Compliance Officer position is designated by the Board of Directors.
  • Responsible for establishing and maintaining an ongoing compliance program.
  • Administers compliance training program for officers and employees.
  • Works closely with internal or external legal counsel, if needed.
  • Performs or retains auditors to perform audit programs.
  • Reviews audit results and maintains audit standards.

  • Reports to: Chairman of the Board
  • Supervises: Compliance Initiatives

Duties and Responsibilities
  1. Develops compliance policies and procedures.
  2. Responsible for the implementation of new regulations or changes to existing regulations.
  3. Ensures compliance with legal and regulatory standards for originating loans and mortgage servicing.
  4. Assists in updating and reviewing bank policies and procedures based on regulatory changes, internal audits, and examinations by regulatory agencies.
  5. Establishes and maintain an ongoing program for training personnel.
  6. Monitors the resolution of consumer complaints.
  7. Prepares for regulatory examinations and ensure an adequate corrective action process.
  8. Reports compliance activities and audit findings to the Board of Directors.

  • The Compliance Officer accesses all departments and documentation that may be necessary to effectuate compliance responsibilities.
  • The Compliance Officer has the authority to implement corrective action upon discovering actual or possible violations.

  • The Compliance Officer supervises regular audits of all appropriate areas of the bank to determine the degree of compliance with various consumer laws.
  • Actual or possible violations and any needed corrective action should be reported to the Compliance Committee, the bank’s legal counsel, and the division and department managers of the area under examination.
  • The manager of the area under examination reports to the Compliance Officer all action taken to correct the findings detected in a compliance audit or the Compliance Officer requires the manager to perform in furtherance of the compliance mandate.

  • The Compliance Officer is a higher-level officer, familiar with all areas of mortgage banking, and possesses excellent oral and written communication skills.
  • Knowledge includes, among other things, deep familiarity with mortgage banking standards, auditing, and consumer compliance regulations.
  • Human relations skills are expected to effectively conduct compliance activities throughout the organization.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group