QUESTION
We just received an MRA from the CFPB. We are a mid-size mortgage lender licensed in 30 states. This MRA hit us like a huge shock. Yesterday, we contacted your firm and spoke to a representative. I want to set up a conference call for my management and you to discuss how to proceed. Our counsel recommended that we bring you on board to assist them in handling the MRA demands.
Here's the situation. The CFPB found that we failed their exam in various areas, one of which was that we did not do any self-assessments, which they call "self-identifications."
First of all, I didn't even know that we were supposed to do these self-assessments. Secondly, we have a small compliance department, and we do not know how to do self-assessments. Third, our attorneys say they can only do a few of the self-assessments, but not all of them, and their fees are ridiculous. The bottom line is that we need an outside, independent firm to do self-assessments at an affordable cost.
There are other areas of the MRA that we need to talk to you about, especially in the areas that our counsel wants to team up with you on. However, we need to take care of the CFPB's list of self-assessments, and we want to retain your firm to do them.
Please get in touch with me as soon as possible to set up a call. In the meantime, please give us a clue about what goes into these self-identifications or self-assessments.
What is self-identification?
Why does the CFPB expect self-identification?
COMPLIANCE SOLUTION
ANSWER
Our firm is the first and only firm in the country to provide self-assessment audits, a series denoted by the overall term Compliance Tune-up®. We deconstructed a mortgage company from the point of sale to secondary and beyond to derive audit criteria for each element and regulation. The Compliance Tune-up® is one of our Compliance Solutions and is often in considerable demand.
I will discuss the Compliance Tune-up® at the conclusion of this article, as it is a means to be responsive to the expectations of the Consumer Financial Protection Bureau (CFPB or Bureau). I'll drop a contact link on the way if you want more information about the Compliance Tune-up®.
First, I want to outline how self-identifications – or self-assessments – function in the context of the CFPB examination and the evaluation of the Compliance Management System (CMS).
The CFPB's exam focuses on risks of harm to consumers, including the risk that a supervised entity will not comply with Federal consumer financial law. To get ready for the examination, you should do pre-review planning to collect the information necessary to determine the scope, resource needs, and work plan. The information and documentation should be assembled, given that an Examiner in Charge (EIC) will notify you that the examination team plans to conduct its work offsite and onsite during the review. Timing is critical, and you must be responsive.
The fact that you received an MRA (Matters Requiring Attention) tells me that you are quite far along in a risk rating evaluation. The CFPB's risk evaluation procedures are extensive. The Bureau uses an MRA to communicate to an institution's Board of Directors, senior management, or both, specific goals to be accomplished in order to correct violations of Federal consumer financial law, remediate harmed consumers, and address related weaknesses in the CMS that the examiners found are directly related to violations of Federal consumer financial law. MRAs include timeframes for periodic reporting of efforts taken to address these matters, as well as expected timeframes for implementation.
___________________________________________________________
Let's consider some features of the CFPB examination with an emphasis on self-identification.
Prior to the examination, you will receive an Information Request. The Information Request is a list of specific information and documents that the supervised entity is asked to provide to the Bureau for offsite review or make available when the examiners arrive onsite. It may include a request for an electronic data upload. Our experience is that the pre-review planning process varies depending on the size, complexity, business model, products, systems, and risk profile of a particular supervised entity.
Don't assume that the Bureau is only dealing with getting information from you; in fact, it gets quite a lot of information from both internal and external sources to aid in constructing the risk focus and scope of a review. The examiners gather as much information as possible from within the Bureau, other regulatory agencies, and third-party, public sources because the Bureau is required by statute to use, to the fullest extent possible, information available from other agencies or reported publicly.[i]
The following key documents and information are relevant to understanding a supervised entity and its ability to manage its compliance responsibilities and risks to consumers. Not all documents will necessarily be available for a particular entity; however, you should anticipate that the Bureau's team will consider them. There are two categories: the Bureau's internal sources and regulatory agencies, as well as public information and third parties.
BUREAU INTERNAL SOURCES AND OTHER REGULATORY AGENCIES
· Monitoring information
· Any recent risk assessments, self-identifications, and self-assessments
· Prior Scope Summary, Supervision Plan, or similar document produced by state or prudential regulators
· Prior Examination Reports and Supervisory Letters, and supporting workpapers (internal and from the prudential regulator(s), state regulator(s), or other agencies)
· Information about prior supervisory actions, consumer remediation, and responses to Examination Reports and Supervisory Letters
· Information on enforcement or other public actions (if applicable)
· Correspondence from prudential or state regulator(s) and Bureau correspondence files
· State licensing information for the entity
· The CFPB Consumer Complaint database
· FTC Consumer Sentinel database
· Uniform Bank Performance Report (UBPR) and Call Reports, if applicable
· Previous years' FFIEC Home Mortgage Disclosure Act Loan Application Registers (HMDA LARs)
· Home Affordable Modification Program data
· Fair lending analyses and supporting documentation
· Office of the Comptroller of the Currency (OCC) Federal Housing Home Loan Data System (FHHLDS) report, if applicable
· Mortgage Call Report (MCR) from the Nationwide Mortgage Licensing System (NMLS)
· Registration or licensing information for mortgage originators (Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act))
PUBLIC SOURCES OF INFORMATION
· Institution securities filings, its offered securitizations, and similar public records
· Industry publications showing credit ratings, product performance, and areas of profitability
· Newspaper articles, web postings, or blogs that raise examination-related issues
· Neighborhood Watch
· Service providers and other third-party arrangements
· Content of the supervised entity's website
RATING SYSTEM CATEGORIES AND ASSESSMENT FACTORS
The Bureau's rating system is organized under three broad categories:
1. Board and Management Oversight,
2. Compliance Program, and
3. Violations of Law and Consumer Harm.
I will not outline the rating system here. Suffice it to say that it is complex and is used to reflect the implementation of assessment factors considered within each category, with some cross-referencing, along with narrative descriptions of performance. The first two categories, Board and Management Oversight and Compliance Program, are used to assess the strength of an institution's CMS. Examiners evaluate the assessment factors within these two categories commensurate with the institution's size, complexity, and risk profile.
All institutions, regardless of size, should maintain an effective CMS. The sophistication and formality of the CMS typically will increase commensurate with the size, complexity, and risk profile of the entity.
The Bureau's compliance expectations contained within the narrative descriptions of the foregoing two categories extend to third-party relationships[ii] utilized by the financial institution. There can be certain benefits to financial institutions engaging in relationships with third parties, including gaining operational efficiencies or an ability to deliver additional products and services. Still, such arrangements may expose financial institutions to risks if they are not managed effectively.
Board and Management Oversight – Assessment Factors
The Board and Management Oversight category is where the authority of self-identification resides. The examiner evaluates the institution's board of directors and management as appropriate for their respective roles and responsibilities based on the following assessment factors:
o Oversight of and commitment to the institution's CMS;
o Effectiveness of the institution's change management processes, including responding timely and satisfactorily to any variety of changes, internal or external, to the institution;
o Comprehension, identification, and management of risks arising from the institution's products, services, or activities; and
o Self-identification of consumer compliance issues and corrective action undertaken as such issues are identified.
There are assessment factors relating to the Compliance Program, such as whether the institution's policies and procedures are appropriate to the risk in the products, services, and activities of the institution; risk assessment and self-identification activities; the degree to which compliance training is current and tailored to risk and staff responsibilities; the sufficiency of the monitoring and audit to encompass compliance risks throughout the institution; and the responsiveness and effectiveness of the consumer complaint resolution process.
There are assessment factors relating to Violations of Law and Consumer Harm, such as the root cause, or causes, of any violations of law identified during the examination; the severity of any consumer harm resulting from violations; the duration of time over which the violations occurred; and the pervasiveness of the violations.
SELF-IDENTIFICATION OF VIOLATIONS OF LAW AND CONSUMER HARM
As I have said repeatedly, a strong compliance program is proactive. It promotes consumer protection by preventing, self-identifying, and proactively addressing compliance issues. Accordingly, the Bureau's rating system provides incentives for such practices through the definitions associated with its top rating. The fact that your MRA states that you have not conducted self-identification reviews and, consequently, the Bureau expects you to perform them shows that you are adversely affecting your overall risk rating.
Self-identification and prompt correction of violations of law reflect strengths in an institution's CMS. A robust CMS appropriate for the size, complexity, and risk profile of an institution's business will often prevent violations or facilitate the early detection of potential violations. In other words, by not conducting the self-assessments, you may have caused compliance violations that could have been prevented.
This early detection can limit the size and scope of consumer harm. Moreover, self-identification and prompt correction of serious violations represent concrete evidence of an institution's commitment to address underlying risks responsibly. In addition, appropriate corrective action, including both correction of programmatic weaknesses and full redress for injured parties, limits consumer harm and prevents violations from recurring in the future. Thus, the rating system recognizes institutions that consistently adopt these strategies.
COMPLIANCE TUNE-UP®
Lenders Compliance Group pioneered the Compliance Tune-up®. Many years ago, we realized that mortgage origination and servicing can be deconstructed into its constituent elements. Consequently, we extrapolated each component into a separate module, each one targeting a department, function, regulation, and relationship.
Each Compliance Tune-up® provides a self-assessment that offers an audited approach to internal due diligence. We wanted it to be affordable, quick, and focused, and we wanted it to provide a report, with recommendations and a risk rating, that provides the overall strengths and weaknesses of departments, functions, and regulatory compliance. In many ways, the Compliance Tune-up® series emulates a regulatory examination.
The series covers the primary rules, regulations, banking laws, Best Practices, and department and function operations. To date, our efforts have been met with considerable acceptance by the mortgage community and regulators.
Visit our Compliance Tune-up® page for more information.
Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
[i] See Dodd-Frank Act, §§ 1024(b)(4) and 1025(a)(3)
[ii] For the purposes of assessing compliance ratings, the Federal Financial Institutions Examination Council (FFIEC) refers to these relationships as being with "third parties." Because the Bureau has adopted the FFIEC's Consumer Compliance Rating System, the Bureau uses that terminology. However, the Bureau generally uses the term "service provider" in its supervisory documents. See Bureau Bulletin 2016-02.