
Thursday, February 24, 2022

Risk Assessment of a Compliance Management System

QUESTION 

I am the Assistant General Counsel of our bank. Generally, we believe we have a dependable Compliance Management System. A couple of years ago, we had your firm do a CMS Tune-up, and we learned how to improve it even more. Your review was a productive experience, strengthening management’s sincere commitment to maintaining high standards. 

Recently, we went through Change Management procedures that involved changes in our Compliance Management System. We plan to have you back soon to do another CMS Tune-up to ensure everything is intact. 

In the meantime, we could use some additional insight. In particular, in outlining our risk assessment objectives, we would like to know which factors to consider. We are not looking to know how to evaluate the compliance program so much as to understand better the top level areas to be reviewed in a risk assessment of the Compliance Management System. 

So, our question is, what are some of the essential categories in the risk assessment of a Compliance Management System? 

ANSWER 

Regulatory compliance management of consumer laws involves implementing policies and procedures designed to ensure that the financial institution understands and follows the laws in a manner that avoids, among other things, fines, lawsuits, and reputational harm. The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Consumer Financial Protection Bureau (CFPB), which centralizes the monitoring and enforcement of consumer protection laws. 

The CFPB issues regulations that institutions use to implement the laws Congress passes. The risk an institution faces is that these regulations will not be followed as intended; the consequences can include administrative actions by the institution’s primary regulator, fines, lawsuits, and other forms of loss. Therefore, it is essential to have a strong Consumer Compliance Management Program, usually called a Compliance Management Program (CMP) or Compliance Management System (CMS), whose primary purpose is to oversee the institution’s compliance with applicable laws and regulations. 

The tool we pioneered, the CMS Tune-up, is a mini-audit that provides a comprehensive review that highlights a financial institution’s regulatory strengths and weaknesses with respect to its CMS mandate. It is cost-effective and is completed in sixty days. The report and risk rating are results that help facilitate decisions throughout the company’s compliance infrastructure. If you’ve encountered substantive issues of Change Management, you should contact us to do a follow-on CMS Tune-up. 

If you or anyone else wishes more information about the CMS Tune-up, contact us HERE. 

Risk assessments of your company’s Compliance Management System should be conducted periodically to evaluate whether the CMS adequately protects the institution from the consequences of compliance defects and risks. I will outline certain categories that you should include in your risk assessment protocol. Given the scope of risk assessment development, my comments here can only be brief, cursory, and suggestive. 

Objectives 

It would be best to have a clear idea of the risk assessment objectives. In my view, the following four objectives are mandatory: 

1)     Determine the quality of the institution’s CMS, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations;

2)     Assess whether the CMS is effective at facilitating compliance; 

3)     Identify potential deficiencies in the CMS and areas of most significant risk and concern; and 

4)     Determine where transaction testing is necessary. 

When you develop the risk assessment, keep in mind that the evaluation is meant to guide the categories addressed during the risk team’s dialogue with department and function personnel. I suggest that you organize the assessment by the elements of the CMS and consider each element in conjunction with each of the company’s operational areas, so that you reach a conclusion about the strength of each element overall and an applicable overall risk assessment score. 

Risk Rating 

Also, it is critical to determine the requirements for a risk rating. To develop a consumer compliance risk rating, review the overall compliance program against the factors I outline briefly below. The compliance rating should reflect: 

·       Quantity of compliance risk; 

·       Adequacy of the bank’s risk management practices in light of the quantity of compliance risk; 

·       Degree of reliance that can be placed on the company’s risk management system, inclusive of the compliance review and audit functions; and 

·       Degree of supervisory concern posed by the company’s CMS. 

Acts, Statutes, Regulations 

It is fundamental to the risk assessment process to identify applicable statutes and regulations. Specifically, determine if the CMS adequately addresses (through oversight, policies and procedures, training, monitoring, and complaint response) all areas related to the following federal consumer laws, regulations, rules, and policy statements. Take note, this list is not meant to be comprehensive, and any relevant list should be updated, as needed, to be all-inclusive as of the risk assessment date. 

A list of core statutes and regulations in a risk assessment should include:

Thursday, February 17, 2022

Annual Privacy Disclosure Rules

QUESTION 

As a result of a banking examination, we found out that we failed to provide an annual privacy disclosure on our portfolio loans. These are closed-end, portfolio loans that we do not sell to the secondary market. 

We thought our privacy policy made sure this would not happen. That said, the regulator was not particularly thrilled with our privacy policy. 

In updating the policy, we would like some guidance to consider for the section devoted to the annual disclosure. 

What are some aspects of the annual privacy disclosure that are important to include in our policy? 

ANSWER 

As I have said multiple times, a policy is useless if not implemented. And if it is implemented but not monitored, it’s also meaningless. Just because you have a policy does not mean you have taken the appropriate compliance actions needed to both implement and monitor the requirements thereunder. A policy bereft of implementation and monitoring is no more than dysfunctional pontification. So, understand, even if you claim to be implementing, you must also be monitoring. 

Under the applicable regulations,[i] an institution must provide a disclosure of its privacy policy at least annually during the continuation of the customer relationship. 

An institution may define the 12-consecutive-month period however it wants, but the institution must apply it to the customer on a consistent basis. Consistency matters, and it will be determined in a banking examination. 

By “annually” is meant at least once in any period of 12 consecutive months during which that relationship exists. An institution is required to provide the annual disclosure only during the term of the customer relationship with the consumer and is not required to provide an annual notice to a customer with whom the institution no longer has a continuing relationship. 

So, when does a consumer no longer have a continuing relationship with an institution? When any of the following situations occur: 

·      In the case of a deposit, share, or share draft account, the account is considered inactive (i.e., dormant) under the institution’s own policies. (A state-law dormancy test does not control here; the institution’s policy governs.) 

·      In the case of a closed-end loan, the consumer pays the loan in full, the institution charges off the loan, or the institution sells the loan without retaining servicing rights or transfers the servicing rights. 

·      In the case of a credit card relationship or other open-end credit relationship, the institution no longer provides any statements or notices to the consumer concerning that relationship, or the institution sells the credit card receivables without retaining servicing rights. 

·      For other types of relationships, the institution has not communicated with the consumer about the relationship for a period of 12 consecutive months, other than to provide annual notices of privacy policies and practices or promotional materials. Therefore, continuing to send the consumer promotional material does not by itself require an annual privacy notice if there is no other communication with the customer about the customer relationship. 

·      In the case of a credit union, an individual is no longer a member as defined in its bylaws. 

And, of course, this is regulatory compliance, so there may be exceptions! For instance, you are not required to deliver an annual privacy notice if you meet both of the following conditions: 

·     Provide nonpublic personal information to non-affiliated third parties only under the exceptions in these regulations:[ii] 

o   Exception to opt-out requirements for service providers and joint marketing [12 CFR § 1016.13]; 

o   Exceptions to notice and opt-out requirements for processing and servicing transactions [12 CFR § 1016.14]; and 

o   Other exceptions to notice and opt-out requirements [12 CFR § 1016.15]. 

·     Have not changed your policies and practices with respect to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under certain sections of 12 CFR § 1016.6 (Information to be included in Privacy Notices), specifically sections 1016.6(a)(2) through (5) and (9),[iii] in the most recent privacy notice you provided to customers. 

Now, if you change your policies or practices so that you no longer meet the requirements for the exception, you must comply with one of the following, as applicable: 

·     Changes preceded by a revised privacy notice. 

If you no longer meet the requirements for the exception, and the change required you to issue a revised privacy notice under section 1016.8 of Regulation P (Revised Privacy Notices), you must provide an annual privacy notice by treating the date of the revised privacy notice as the initial privacy notice date. 

·     Changes not preceded by a revised privacy notice. 

If you no longer meet the requirements for the exception, but you are not required to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of the exception. 

I realize this seems confusing. So, here’s an example. Let’s say you change your policies and practices in such a way that you no longer meet the requirements for the exception effective April 1 of year 1. Assuming you define the 12-consecutive-month annual notice period as a calendar year, if you were required to provide a revised privacy notice under section 1016.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under section 1016.8, you must provide an annual privacy notice by July 9 of year 1. 

Here is a second example. Suppose you change your policies and practices in such a way that you no longer meet the requirements for the exception, and so you provide an annual notice to your customers. After providing that annual notice, you once again meet the requirements for the exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you again no longer meet the requirements for the exception. Your policy should spell out which of these situations applies, and your procedures should track the dates, because that is what will be tested in an examination.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] 12 CFR § 1016.5

[ii] See Title 12 - Banks and Banking, Chapter X, Bureau of Consumer Financial Protection, Part 1016, Privacy of Consumer Financial Information (Regulation P), Subpart C - Exceptions

[iii] See subsections (2) The categories of nonpublic personal information that you disclose; (3) the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 1016.14 and 1016.15; (4) the categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under § 1016.14 and § 1016.15; (5) if you disclose nonpublic personal information to a nonaffiliated third party under § 1016.13 (and no other exception in § 1016.14 or § 1016.15 applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted; (9) any disclosure that you make under § 1016.6(b) (regarding a description of nonaffiliated third parties subject to exceptions).

Thursday, February 10, 2022

Reasonable Investigation of Indirect Disputes

QUESTION

We are a consumer reporting agency. Recently, our regulator said that we showed a few instances of not conducting a “reasonable investigation” of indirect disputes brought by consumers, in violation of FACTA. This really shocked us because we go out of our way to investigate these indirect disputes involving credit reporting. 

Even our counsel thinks we are doing everything to conduct the investigation. Maybe you can help! 

We want to know more about investigations and indirect dispute resolution. 

What is a “reasonable investigation” of an indirect dispute involving consumer credit reporting? 

ANSWER 

Let's begin with some background. Before the Fair and Accurate Credit Transactions Act (FACT Act or FACTA), the Fair Credit Reporting Act (FCRA) required consumers to raise disputes about the information in their credit reports with one or more consumer reporting agencies (CRAs), not with the furnishers of that information. The CRA was required to investigate the disputed information and, if necessary, contact the furnisher (i.e., provide the furnisher with an “indirect” dispute). After hearing back from the furnisher, the CRA was required to report to the consumer. 

The FACT Act supplemented this process by amending the FCRA to allow consumers to directly dispute credit report information with furnishers of information, under certain circumstances. Consumers now can submit a dispute directly to the furnisher (viz., a “direct” dispute) when the issue relates to information for which the furnisher is responsible. 

Regulation V, which implements the FCRA, requires a furnisher to conduct a “reasonable investigation” of a direct dispute if it relates to any of the following circumstances: 

(1) the consumer’s liability for a loan with the furnisher, such as direct disputes relating to identity theft or fraud against the consumer, individual or joint liability on an account, or the question of who is an authorized user of a credit account; 

(2) the terms of a loan with the furnisher, such as direct disputes relating to the type of account, principal balance, scheduled payment amount, or the amount of the reported credit limit on an open-end account; 

(3) the consumer’s performance or other conduct concerning a loan with the furnisher, such as direct disputes relating to the current payment status, high balance, the date a payment was made, the amount of a payment, or the date an account was opened or closed; or 

(4) any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer’s creditworthiness, credit standing, character, general reputation, personal characteristics, or mode of living attributed to the furnisher on the consumer report. 

Regulation V also lists exceptions that furnishers are not required to handle as direct disputes: 

(1) disputes regarding the consumer’s identifying information, such as name, date of birth, Social Security number, telephone number, or address; 

(2) disputes regarding the identity of past or present employers; 

(3) disputes regarding information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless provided by a furnisher having an account or other relationship with the consumer); 

(4) disputes regarding information related to fraud alerts or active duty alerts; 

(5) disputes regarding information provided by another furnisher; or 

(6) disputes reasonably believed to have been submitted by, prepared on behalf of the consumer by, or submitted on a form supplied to the consumer by, a credit repair organization. 

You don’t provide an outline of the efforts you make in support of your position that you conduct a reasonable investigation. However, I think a particular case, decided recently, helps illustrate one of the many factors that bear on such processes. I have in mind White v Equifax Information Services.[i] In this case, the U.S. Court of Appeals for the 11th Circuit considered a complaint that a furnisher had failed to reasonably investigate a dispute a consumer raised with a CRA, not directly with the furnisher. 

When White checked her Equifax and Trans Union credit reports, they noted that she disputed her Wells Fargo tradeline. She sent a letter to the credit reporting agencies (CRAs) to say she no longer disputed the tradeline. 

The CRAs forwarded the letter to Wells Fargo, asking Wells Fargo to verify the dispute. Wells Fargo responded that the tradeline remained in dispute because its records indicated Wells Fargo had not received any word from White saying she no longer disputed the tradeline. The CRAs then left the dispute notation on their credit reports. 

White sued Wells Fargo, alleging it had violated the FCRA by failing to investigate her dispute. Her complaint did not allege that she ever told Wells Fargo directly that she no longer disputed the tradeline. Her complaint only said that she had sent the CRAs a letter stating that they were wrong in reporting that the Wells Fargo tradeline was in dispute. 

The district court dismissed the claim, and the 11th Circuit affirmed. 

White had previously disputed the Wells Fargo tradeline, but she had not resolved the dispute with Wells Fargo by the time she sent the letter to the CRAs. 

This decision is important because precedent from the 11th Circuit held that “reasonableness” is the touchstone for evaluating investigations under the indirect dispute provision of the FCRA.[ii] Whether a furnisher’s investigation is reasonable depends in part on the documentation available to the furnisher.

Thursday, February 3, 2022

Responding fully to an RFI

QUESTION 

We are a mortgage servicer, providing servicing throughout the country. I am the company’s Assistant General Counsel. 

As a result of a multistate banking examination, it is alleged that we failed to respond fully to RFI requirements. Specifically, the claim is that we did not provide sufficient information in response. 

Our staff has done considerable research on this matter; however, we have yet to determine how much information is sufficient to satisfy the RFI requirements. I am writing to you to get your view. 

How much information must a servicer provide in response to an RFI? 

ANSWER 

The Real Estate Settlement Procedures Act (RESPA) and its implementing Regulation X require servicers to respond to borrower requests for information (RFIs). This procedure results from the Dodd-Frank Wall Street Reform and Consumer Protection Act’s expansion of the scope of RESPA’s complaint handling requirements beyond the previously existing qualified written request (QWR) requirements. 

The RFI requirements apply to any written request from a borrower (or an agent for a borrower) to a servicer for information if the request includes three elements: 

(1) the name of the borrower; 

(2) information that enables the servicer to identify the borrower’s mortgage loan account; and 

(3) a statement of the information the borrower is requesting. 

Let’s take a look at the procedural components. 

Regulation X sets up a 2-step process for responding to RFIs, as follows: 

First, within five days (excluding legal public holidays, Saturdays, and Sundays) after receiving an RFI, a servicer must provide a written acknowledgment of receipt; and 

Second, a servicer generally must respond to the RFI not later than 10 days (excluding legal public holidays, Saturdays, and Sundays) after receiving an RFI for the identity of, and address or other relevant contact information for, the owner or assignee of a mortgage loan, and not later than 30 days (excluding legal public holidays, Saturdays, and Sundays) after receiving any other RFI. 

The servicer may extend the 30-day period by 15 days (again excluding legal public holidays, Saturdays, and Sundays) if, before the end of the 30-day period, the servicer notifies the borrower in writing of the extension and its reasons. (The 10-day period cannot be extended.) A servicer need not comply with this 2-step process if it provides the information requested in writing within 5 days (excluding legal public holidays, Saturdays, and Sundays) after receiving the RFI, along with contact information, including a telephone number, for further assistance. 

In general, the servicer must respond to an RFI by taking one of two actions: 

(1) providing the borrower with the requested information and contact information in writing, including a telephone number; or 

(2) conducting a reasonable search for the requested information and providing the borrower with a written notification stating that the servicer has determined that the information is not available to the servicer, with the basis for that determination and contact information, including a telephone number. 

Now, to your question about how much information must the servicer provide. 

Regulation X offers guidance regarding the types of information a servicer need not provide and what information is considered not available to the servicer. For example, information is not available if a borrower requests information stored on electronic back-up media that is not accessible by servicer personnel in the ordinary course of business without undertaking extraordinary efforts to identify and restore the information. Also, a servicer is not required to respond to RFIs that are overbroad or unduly burdensome, such as RFIs that seek documents relating to substantially all aspects of mortgage origination, mortgage servicing, foreclosure, and mortgage sale or securitization. 

I think a recent court decision may provide some clarification. 

The U.S. Court of Appeals for the 6th Circuit addressed a borrower’s claim that her mortgage loan servicer failed to provide all the information she requested in an RFI.[i] 

In 2005, Ms. Miller bought a home and financed the purchase with a mortgage loan. She fell behind on her payments and by January 2019 was 29 payments past due. She unsuccessfully sought a loan modification. In March 2019, a sheriff’s sale took place. 

In August 2019, Miller sued the lender’s assignee and the loan servicer, including RESPA claims for violating Regulation X’s RFI requirements and “dual-tracking” prohibition. (I’ll get to “dual tracking” shortly.) She claimed that the defendants “did not provide all of the information sought in her letters” and that she “was inconvenienced and incurred expenses in seeking the information that [d]efendants refused to provide.” 

Miller asked for “actual damages, including, but not limited to: 

(1) out-of-pocket expenses incurred dealing with the RESPA violation including expenses for preparing, photocopying and obtaining certified copies of correspondence, 

(2) lost time and inconvenience to the extent it resulted in actual pecuniary loss, 

(3) late fees, and 

(4) denial of credit or denial of access to full amount of credit line, additional [statutory] damages in the amount of $2,000.00, plus attorney’s fees, the costs of this lawsuit, and litigation expenses.” 

The district court dismissed all her claims for lack of standing, finding that she had failed to plead sufficient damages to establish an injury-in-fact.