QUESTION
Well, it has finally happened, and we have been told that the CFPB is going to be doing an examination of our company. I am in the compliance department, and, needless to say, everyone is getting ready. But there is also anxiety about what to expect. Nobody, including some top management, has ever been through a CFPB audit. Even our legal counsel has never been involved in a CFPB exam.
Our company has never had a CFPB exam before! So, we need help understanding what is going to happen. As part of our preparation, we are retaining your firm to do a CMS Tune-up, which will give us an overview of our Compliance Management System. I asked permission from our Chief Compliance Officer and our CEO to write you for some guidance. We want to know what to expect. Please let us know the usual way that the CFPB conducts its audits.
What is the customary way that we can expect the CFPB to audit us?
Are there resources we can research for CFPB examination guidelines?
ANSWER
First, everybody take a deep breath! The Consumer Financial Protection Bureau (CFPB) is not your enemy. Think of it as similar to state banking departments: like them, it is a sort of consumer advocacy agency. The CMS Tune-up is a good overview of your Compliance Management System. However, you should have a solid understanding of the CFPB's examination process itself.
I began writing extensively about the CFPB even before it was enfranchised. For instance, in 2009, I published an article entitled The CFPA Controversy: Asking the Tough Questions. Indeed, in 2011, just days before the CFPB received its enumerated authorities, I published a dialogue with Elizabeth Warren, who had advocated for it in the halls of Congress, and in speeches, lectures, and interviews throughout the United States. The article was entitled Opening a Dialogue: Elizabeth Warren and the Mortgage Industry. I invited many mortgage industry organizations and officials to participate in the interview questions. Nearly all major mortgage industry associations responded to my invitation. Senator Warren (then Professor Warren) and her staff worked with me on this project. Send me a request if you want a copy of the foregoing articles.
Over the years, my firm has worked with numerous companies in preparation for the CFPB examination. We've worked with companies on resolving issues that the CFPB found as a result of the examination. We've worked with companies on CFPB administrative and legal matters, such as Civil Investigative Demands. We've worked with institutions, both large and small, on their compliance needs when they want to be proactive in anticipation of a CFPB examination.
And here's my takeaway: the CFPB's remit is to ensure consumer financial protection. If your company complies with applicable Federal consumer laws, the CFPB will help to ensure your company's regulatory stability.
Getting ready – and staying ready – for a CFPB exam requires you to be aware of the CFPB's focus. There are essentially three supervisory activities in the CFPB's mandate, which are:
1. assessing compliance with Federal consumer financial law;
2. obtaining information about a supervised institution's activities and compliance systems and procedures; and
3. detecting and assessing risks to consumers and markets for consumer financial products and services.
Before the Consumer Financial Protection Act, other Federal supervisory agencies conducted consumer protection examinations of banks and credit unions. Many features of the CFPB's supervision program are based on the longstanding supervisory traditions of such other agencies.
As with other supervisory agencies, CFPB supervisory activities are confidential. The confidential nature of supervision promotes candid communication between supervised entities and their regulators. These considerations also apply to both bank and non-bank supervision. That said, I suggest you have counsel involved in confidential communications.
The CFPB's supervision operates as a continuous cycle. This graphic shows the examination cycle.[i]
Supervision Examination Cycle
You should review the Supervision and Examination Manual issued by the CFPB. This manual is the guide used by examiners to oversee companies that provide consumer financial products or services. The manual describes how the CFPB supervises and examines these companies and gives examiners explicit directions on assessing compliance with Federal consumer financial laws.
However, legal discussions in the manual are not binding on examiners or other CFPB staff. A supervisory finding that an institution has violated the law is based on the governing statute and regulations applicable to that institution. The manual is not a legal reference. Or, to put it succinctly, supervised institutions are bound by statutes and regulations, not by the CFPB's manual.
The selection of firms subject to audit is accomplished through a risk-based methodology that prioritizes the allocation of supervisory resources. The prioritization approach focuses on individual product lines at an institution rather than comprehensively on all products and services offered by an institution. This approach allows the CFPB to assess the likely risk to consumers across the consumer financial marketplace in all product lines at all stages of a product's life cycle, including product development and implementation.[ii] Affiliated organizations that fall under the CFPB's jurisdiction are considered, too. Because of this prioritization method, not every firm subject to the CFPB's supervision authority will get examined.
There are seven aspects involved in the role of examiners. Examiners typically do the following:
1. Collect and review available information from within the CFPB, other Federal and state agencies, and public sources, consistent with statutory requirements;
2. Review documents and information obtained through information requests sent to supervised entities;
3. Conduct onsite (or virtual) portions of exams to observe, conduct interviews, review additional documents and information, transaction test, and assess compliance management;
4. Consult within the CFPB on legal issues arising from an examination, including legal violations;
5. Draw preliminary conclusions about the regulated entity's compliance management and its statutory and regulatory compliance after internal consultation;
6. Consult within the CFPB about examination work product and any corrective actions that the institution should take;
7. Send the supervisory communication to the supervised entity.
Examiners usually discuss their preliminary conclusions during the examination.
At the end of the exam, the examiners will provide a supervisory communication, such as an exam report or supervisory letter, which includes their findings. The report provides sections for the scope of review, conclusions and comments, and a rating. There may be a section for Matters Requiring Attention (called an "MRA"). MRAs are used to communicate specific goals to be accomplished to address violations of law, risk of such violations, or compliance management deficiencies. These sections are then followed by a section for review and findings, usually consisting of subsections for the compliance management review and various areas subject to review.
It is possible that examiners may find that an institution has violated a statute or regulation or is at risk of such a violation. These findings are normally reviewed by staff supporting the examiners at CFPB Headquarters. They are not final determinations by the CFPB or the CFPB Director. Instead, they are part of the supervisory process that aims to improve compliance and prevent violations.
A final word about supervision and enforcement. In our experience, most supervisory activities do not result in a referral to the Office of Enforcement. This office is equipped with many sources of information and tools for investigations, such as consumer complaints, referrals from other agencies, whistleblowers, and market intelligence. The CFPB's enforcement activity has its own Life Cycle of Enforcement Action, consisting of commencing enforcement investigations, fact gathering, hearing from subjects of the investigations, and public enforcement actions.
The CFPB decides if a matter should be referred to the Office of Enforcement or stay within the supervisory process. But, if a matter is referred for enforcement review, the Office of Enforcement is not bound by the examiners' preliminary findings. Enforcement may take any additional investigative steps it considers necessary, such as issuing Civil Investigative Demands. It will formulate a recommendation to the CFPB Director about whether to initiate an enforcement action, which may be narrower or broader than the examiners' preliminary findings. However, the Office of Enforcement will likely send a Notice and Opportunity to Respond and Advise letter to invite input from the institution.
Obviously, most financial companies prefer the supervisory process to formal law enforcement investigations. It is best to view the examination as a process to identify issues before they become systemic or cause significant harm. Effective supervision depends on cooperation by your company with examiners' requests for information, collaboration between the examiners and your company staff, and clear, unambiguous communication. If you prepare properly and become familiar with the examination process, your company should be in a position to respond appropriately to the CFPB's audit requirements.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
[i] Supervision Examination Cycle, Overview 10, CFPB Supervision and Examination Process, March 2017, Consumer Financial Protection Bureau
[ii] Examination Prioritization, Overview 11, CFPB Supervision and Examination Process, March 2017, Consumer Financial Protection Bureau