TOPICS

Friday, September 24, 2021

Self-Police, Self-Report, Remediate, and Cooperate

QUESTION
In our recent state banking examination report, we were asked to continually evaluate our compliance with mortgage banking requirements. They said we are “responsible for business conduct, including self-policing, self-reporting, remediation, and cooperation.”

Frankly, I must admit that we do not “self-assess,” as our compliance manager calls it. We rely on outside internal auditors, compliance’s regular review of department functions, and management reviews of various reports, such as quality control reports for originations and servicing.

But we do not self-police ourselves at all. Never did! We don’t have guidelines to follow for self-policing. Hopefully, you can help us with suggestions and guidelines.

What do we have to do to self-police? 

What are suggested guidelines we can provide in a hand-out to our employees?

ANSWER
Although you are finding out about self-policing now, banking departments long ago expected “self-assessment” to be a feature of proper regulatory compliance. Nearly all supervising compliance personnel are aware of this requirement. Or they should be!

The phrase you noted, “responsible business conduct,” goes all the way back to 2013, when the CFPB issued a directive to its supervised institutions to ensure “self-policing, self-reporting, remediation, and cooperation.”[i] I will treat each of these factors separately.

In its bulletin, the CFPB offered assurance that its described “responsible conduct” may favorably affect the ultimate resolution of a CFPB enforcement investigation. It also warned that vigorous, consistent enforcement of the law and the imposition of appropriate sanctions are essential in promoting the agency’s commitment to the best interests of consumers.

Conduct can be so egregious or the harm so great that no amount of cooperation or other mitigating actions could justify a decision not to bring an enforcement action.

To quote the Bureau:

 “In short, the fact that a party may argue it has satisfied some or all of the elements set forth in this guidance will not foreclose the Bureau from bringing any enforcement action or seeking any remedy if it believes such a course is necessary and appropriate.”

Before I get to suggestions for self-policing guidelines, an enforcement action against Wells Fargo and JPMorgan Chase would demonstrate how the CFPB applies the self-policing expectation.

On January 22, 2015, the CFPB brought an enforcement action against Wells Fargo and JPMorgan Chase that stemmed from its expectations regarding “responsible conduct.” The CFPB and the Maryland Attorney General announced consent orders regarding the two firms’ alleged involvement in a Marketing Services Scheme with Genuine Title.[ii]

According to the CFPB, Genuine Title provided substantial marketing services to loan officers of the lenders. For example, Genuine Title purchased marketing leads – data on consumers likely to refinance their mortgage loans – from a third-party vendor and provided the leads to loan officers at Wells Fargo and Chase.

For some loan officers, Genuine Title not only analyzed and purchased leads from a third-party vendor but also paid the costs of producing and mailing marketing letters. The loan officers did not pay for the full cost of the leads, marketing, printing, and processing of the marketing materials, or mailing. In return, the loan officers referred real estate closings to Genuine Title. According to the CFPB, these arrangements violated RESPA § 8(a) and Dodd-Frank Act § 1036, as well as the Maryland Consumer Protection Act.

At the time, Maryland’s Attorney General Brian Frosh said:

 “Homeowners were steered toward this title company, not because they were the best or most affordable, but because they were providing kickbacks to loan officers who referred consumers to them.”

“This type of quid pro quo arrangement is illegal, and it’s unfair to other businesses that play by the rules.”[iii]

The CFPB alleged that, despite the fact that Wells Fargo had multiple warnings of the illegal arrangements between its loan officers and Genuine Title, including a lawsuit explicitly alleging the existence of the agreements, the bank failed to take action to stop the practices and did not have an adequate system in place to identify the violations. The proposed consent order would require Wells Fargo to pay $10.8 million in redress and $24 million in civil penalties.

The CFPB also alleged that at least six Chase loan officers in three different branches in Maryland, Virginia, and New York were involved in the scheme. The loan officers referred settlement business to Genuine Title on almost 200 loans. The CFPB claimed that Chase did not have an adequate system in place to ensure its loan officers were complying with RESPA. Under the proposed consent order, Chase would pay about $300,000 in redress and $600,000 in civil penalties.

According to the CFPB, several loan officers at a third financial institution also participated in the scheme with Genuine Title. While Wells Fargo and JPMorgan Chase had not identified or addressed the conduct, the third financial institution had self-identified the practices and fired the loan officers involved. The institution also had cooperated with the CFPB’s investigation and self-initiated a remediation plan. The CFPB resolved its investigation of that institution without an enforcement action, consistent with the agency’s “Bulletin on Responsible Business Conduct.”

Now to outline and paraphrase the factors provided by the CFPB.[iv]

Self-policing

- What is the nature of the violation or potential violation, and how did it arise?

o Was the conduct pervasive or an isolated act?

o How long did it last?

o Was the conduct significant to the party’s profitability or business model?

- How was the violation or potential violation detected, and who uncovered it?

o What compliance procedures or self-policing mechanisms were in place to prevent, identify, or limit the conduct that occurred and preserve relevant information?

o In what ways, if any, were the party’s self-policing mechanisms particularly noteworthy and effective?

- If the party’s self-policing functions have previously been the subject of supervisory examination by the Bureau or other regulators, what have been the results of such examination?

o How, if at all, has the party changed its self-policing following such examination?

o If the party’s self-policing functions have not previously been the subject of supervisory examination, how do those functions measure up to customary supervisory expectations?

- If the party is a business entity, what was the “tone at the top” of the business about compliance?

o Was there a culture of compliance®?[v]

o How high up in the chain of command did people know of or participate in the conduct at issue?

o Did senior personnel participate in, or turn a blind eye toward, obvious indicia of misconduct or deficiencies in compliance procedures?

Self-reporting 

- Did the party completely and effectively disclose the existence of the conduct to the Bureau, to other regulators, and, if applicable, to self-regulators?

o Did affected consumers receive appropriate information related to the violations or potential violations within a reasonable period of time?

- Did the party report the conduct promptly to the Bureau?

o If it delayed, what justification, if any, existed for the delay?

o How did the delay affect the preservation of relevant information, the ability of the Bureau to conduct its investigation, or the interests of affected consumers?

- Did the party proactively self-report, or wait until discovery or disclosure was likely to happen anyway, for example, due to impending supervisory activity, public company reporting requirements, the emergence of a whistleblower, consumer complaints or actions, or the conduct of a Bureau investigation?


Remediation

- What steps did the party take upon learning of the misconduct?

o Did it immediately stop the misconduct?

o How long after the misconduct was uncovered did it take to implement an effective response?

- If the party is a business, were there any consequences imposed on the individuals responsible for the misconduct?

- Did the party take prompt and effective steps to preserve information, identify the extent of the harm to consumers, and appropriately recompense those adversely affected?

o In situations where the harm caused by the violation goes beyond the amounts the victims may have paid to the party, did the party identify and implement additional ways to completely redress the harm?

- What assurances are there that the misconduct is unlikely to recur?

o By the time of the resolution of the Bureau matter, did the party improve internal controls and procedures designed to prevent and detect a recurrence of such violations?

o Similarly, have the party’s business practices, policies, and procedures changed to remove harmful incentives and encourage proper compliance?

Cooperation 

- Did the party cooperate promptly and completely with the Bureau and other appropriate regulatory and law enforcement bodies?

o Was that cooperation present throughout the course of the investigation?

o Did the actor identify any additional related misconduct likely to have occurred?

- Did the party take proper steps to develop the truth quickly and completely and to fully share its findings with the Bureau?

o Did it undertake a thorough review of the nature, extent, origins, and consequences of the misconduct and related behavior?

o Who conducted the review, and did they have a vested interest or bias in the outcome? Were scope limitations placed on the review?

o If so, why and what were they?

- Did the party promptly make available to the Bureau the results of its review and provide sufficient documentation reflecting its response to the situation?

o Did it provide evidence with sufficient precision and completeness to facilitate, among other things, enforcement actions against others who violated the law?

o Did the party produce a complete and thorough written report detailing the findings of its review?

o Did it voluntarily disclose material information not directly requested by the Bureau or that otherwise might not have been uncovered?

o If the party is a business, did it direct its employees to cooperate with the Bureau and make reasonable efforts to secure such cooperation?

So, hopefully, you can recognize how responsible business conduct is critical to meeting the banking department’s expectations.

Finally, you requested a set of brief suggestions that could be handed out to affected personnel at the company. Here are a few that are consistent with the foregoing outline. 

Suggested Guidelines for a Hand-out 

- Keep up the “tone at the top” about compliance and be sure it trickles down, never turning a blind eye toward even suspected misconduct or compliance deficiencies.

- Emphasize profitability through compliance, not profitability on the margins of compliance.

- Nurture mutual respect for agency examiners, and treat them as critical members of the financial institution’s team to share a commitment to the institution’s success.

- Conduct regular, persistent self-examinations aimed at early detection of potential violations and prompt elimination of violations.

- Quickly focus on any potential violation and determine whether an actual violation occurred.

- If an actual violation occurs:

o Determine the scope of persons affected and realistically assess any harm, including additional related misconduct that might have occurred.

o Promptly notify the primary regulator (“self-report”).

o Resolve the matter with the affected customer(s) quickly, fairly, and forthrightly.

o Be careful to include oversight by persons without a vested interest or bias in the outcome.

o Take any necessary steps to improve internal controls and procedures so it does not recur.

- Take appropriate action regarding the individuals responsible for any violation. Analyze why they behaved the way they did and remove any improper incentives that may have motivated them.

- Thoroughly document each investigation.

- Do not neglect challenges that have been the subject of a previous supervisory examination, but focus on them to be sure they do not reappear.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group 


[i] ‘‘Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation, “ Bulletin 2013-6, June 25, 2013, Consumer Financial Protection Bureau

[ii] “CFPB Takes Action Against Wells Fargo and JPMorgan Chase for Illegal Mortgage Kickbacks,” Press Release, January 22, 2015, Consumer Financial Protection Bureau

[iii] Idem

[iv] Op. Cit. i

[v] “Culture of Compliance” is a registered trademark of Lenders Compliance Group, Inc.