Thursday, May 23, 2024

CFPB Examination: Failure to Conduct Self-Assessments


We just received an MRA from the CFPB. We are a mid-size mortgage lender licensed in 30 states. This MRA hit us like a huge shock. Yesterday, we contacted your firm and spoke to a representative. I want to set up a conference call for my management and you to discuss how to proceed. Our counsel recommended that we bring you on board to assist them in handling the MRA demands. 

Here's the situation. The CFPB found that we failed their exam in various areas, one of which was that we did not do any self-assessments, which they call "self-identifications." 

First of all, I didn't even know that we were supposed to do these self-assessments. Secondly, we have a small compliance department, and we do not know how to do self-assessments. Third, our attorneys say they can only do a few of the self-assessments, but not all of them, and their fees are ridiculous. The bottom line is that we need an outside, independent firm to do self-assessments at an affordable cost. 

There are other areas of the MRA that we need to talk to you about, especially in the areas that our counsel wants to team up with you on. However, we need to take care of the CFPB's list of self-assessments, and we want to retain your firm to do them. 

Please get in touch with me as soon as possible to set up a call. In the meantime, please give us a clue about what goes into these self-identifications or self-assessments. 

What is self-identification? 

Why does the CFPB expect self-identification? 


Compliance Tune-up® 


Our firm is the first and only firm in the country to provide self-assessment audits, a series denoted by the overall term Compliance Tune-up®. We deconstructed a mortgage company from the point of sale to secondary and beyond to derive audit criteria for each element and regulation. The Compliance Tune-up® is one of our Compliance Solutions and is often in considerable demand. 

I will discuss the Compliance Tune-up® at the conclusion of this article, as it is a means to be responsive to the expectations of the Consumer Financial Protection Bureau (CFPB or Bureau). I'll drop a contact link on the way if you want more information about the Compliance Tune-up®. 

First, I want to outline how self-identifications – or self-assessments – function in the context of the CFPB examination and the evaluation of the Compliance Management System (CMS). 

The CFPB's exam focuses on risks of harm to consumers, including the risk that a supervised entity will not comply with Federal consumer financial law. To get ready for the examination, you should do pre-review planning to collect the information necessary to determine the scope, resource needs, and work plan. The information and documentation should be assembled, given that an Examiner in Charge (EIC) will notify you that the examination team plans to conduct its work offsite and onsite during the review. Timing is critical, and you must be responsive. 

The fact that you received an MRA (Matters Requiring Attention) tells me that you are quite far along in a risk rating evaluation. The CFPB's risk evaluation procedures are extensive. The Bureau uses an MRA to communicate to an institution's Board of Directors, senior management, or both, specific goals to be accomplished in order to correct violations of Federal consumer financial law, remediate harmed consumers, and address related weaknesses in the CMS that the examiners found are directly related to violations of Federal consumer financial law. MRAs include timeframes for periodic reporting of efforts taken to address these matters, as well as expected timeframes for implementation.


 Compliance Tune-up®

 Visit Us to Request Information


Let's consider some features of the CFPB examination with an emphasis on self-identification. 

Prior to the examination, you will receive an Information Request. The Information Request is a list of specific information and documents that the supervised entity is asked to provide to the Bureau for offsite review or make available when the examiners arrive onsite. It may include a request for an electronic data upload. Our experience is that the pre-review planning process varies depending on the size, complexity, business model, products, systems, and risk profile of a particular supervised entity. 

Don't assume that the Bureau is only dealing with getting information from you; in fact, it gets quite a lot of information from both internal and external sources to aid in constructing the risk focus and scope of a review. The examiners gather as much information as possible from within the Bureau, other regulatory agencies, and third-party, public sources because the Bureau is required by statute to use, to the fullest extent possible, information available from other agencies or reported publicly.[i] 

The following key documents and information are relevant to understanding a supervised entity and its ability to manage its compliance responsibilities and risks to consumers. Not all documents will necessarily be available for a particular entity; however, you should anticipate that the Bureau's team will consider them. They fall into two categories: (1) the Bureau's internal sources and regulatory agencies, and (2) public information and third parties. 


·       Monitoring information 

·       Any recent risk assessments, self-identifications, and self-assessments 

·       Prior Scope Summary, Supervision Plan, or similar document produced by state or prudential regulators 

·       Prior Examination Reports and Supervisory Letters, and supporting workpapers (internal and from the prudential regulator(s), state regulator(s), or other agencies) 

·       Information about prior supervisory actions, consumer remediation, and responses to Examination Reports and Supervisory Letters 

·       Information on enforcement or other public actions (if applicable) 

·       Correspondence from prudential or state regulator(s) and Bureau correspondence files 

·       State licensing information for the entity 

·       The CFPB Consumer Complaint database 

·       FTC Consumer Sentinel database 

·       Uniform Bank Performance Report (UBPR) and Call Reports, if applicable

·       Previous years' FFIEC Home Mortgage Disclosure Act Loan Application Registers (HMDA LARs) 

·       Home Affordable Modification Program data 

·       Fair lending analyses and supporting documentation 

·       Office of the Comptroller of the Currency (OCC) Federal Housing Home Loan Data System (FHHLDS) report, if applicable 

·       Mortgage Call Report (MCR) from the Nationwide Mortgage Licensing System (NMLS) 

·       Registration or licensing information for mortgage originators (Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act)) 


·       Institution securities filings, its offered securitizations, and similar public records 

·       Industry publications showing credit ratings, product performance, and areas of profitability 

·       Newspaper articles, web postings, or blogs that raise examination-related issues

·       Neighborhood Watch

·       Service providers and other third-party arrangements 

·       Content of the supervised entity's website


The Bureau's rating system is organized under three broad categories: 

1.     Board and Management Oversight, 

2.     Compliance Program, and 

3.     Violations of Law and Consumer Harm. 

I will not outline the rating system here. Suffice it to say that it is complex and is used to reflect the implementation of assessment factors considered within each category, with some cross-referencing, along with narrative descriptions of performance. The first two categories, Board and Management Oversight and Compliance Program, are used to assess the strength of an institution's CMS. Examiners evaluate the assessment factors within these two categories commensurate with the institution's size, complexity, and risk profile. 

All institutions, regardless of size, should maintain an effective CMS. The sophistication and formality of the CMS typically will increase commensurate with the size, complexity, and risk profile of the entity. 

The Bureau's compliance expectations contained within the narrative descriptions of the foregoing two categories extend to third-party relationships[ii] utilized by the financial institution. There can be certain benefits to financial institutions engaging in relationships with third parties, including gaining operational efficiencies or an ability to deliver additional products and services. Still, such arrangements may expose financial institutions to risks if they are not managed effectively.

Board and Management Oversight – Assessment Factors 

The Board and Management Oversight category is where the authority of self-identification resides. The examiner evaluates the institution's board of directors and management as appropriate for their respective roles and responsibilities based on the following assessment factors:  

o   Oversight of and commitment to the institution's CMS; 

o   Effectiveness of the institution's change management processes, including responding timely and satisfactorily to any variety of changes, internal or external, to the institution; 

o   Comprehension, identification, and management of risks arising from the institution's products, services, or activities; and 

o   Self-identification of consumer compliance issues and corrective action undertaken as such issues are identified. 

There are assessment factors relating to the Compliance Program, such as whether the institution's policies and procedures are appropriate to the risk in the products, services, and activities of the institution; risk assessment and self-identification activities; the degree to which compliance training is current and tailored to risk and staff responsibilities; the sufficiency of the monitoring and audit to encompass compliance risks throughout the institution; and the responsiveness and effectiveness of the consumer complaint resolution process. 

There are assessment factors relating to Violations of Law and Consumer Harm, such as the root cause, or causes, of any violations of law identified during the examination; the severity of any consumer harm resulting from violations; the duration of time over which the violations occurred; and the pervasiveness of the violations. 


As I have said repeatedly, a strong compliance program is proactive. It promotes consumer protection by preventing, self-identifying, and proactively addressing compliance issues. Accordingly, the Bureau's rating system provides incentives for such practices through the definitions associated with its top rating. The fact that your MRA states that you have not conducted self-identification reviews and, consequently, the Bureau expects you to perform them shows that you are adversely affecting your overall risk rating. 

Self-identification and prompt correction of violations of law reflect strengths in an institution's CMS. A robust CMS appropriate for the size, complexity, and risk profile of an institution's business will often prevent violations or facilitate the early detection of potential violations. In other words, by not conducting the self-assessments, you may have caused compliance violations that could have been prevented.   

This early detection can limit the size and scope of consumer harm. Moreover, self-identification and prompt correction of serious violations represent concrete evidence of an institution's commitment to address underlying risks responsibly. In addition, appropriate corrective action, including both correction of programmatic weaknesses and full redress for injured parties, limits consumer harm and prevents violations from recurring in the future. Thus, the rating system recognizes institutions that consistently adopt these strategies. 


Lenders Compliance Group pioneered the Compliance Tune-up®. Many years ago, we realized that mortgage origination and servicing can be deconstructed into its constituent elements. Consequently, we extrapolated each component into a separate module, each one targeting a department, function, regulation, and relationship. 

Each Compliance Tune-up® provides a self-assessment that offers an audited approach to internal due diligence. We wanted it to be affordable, quick, and focused, and we wanted it to provide a report, with recommendations and a risk rating, that provides the overall strengths and weaknesses of departments, functions, and regulatory compliance. In many ways, the Compliance Tune-up® series emulates a regulatory examination. 

The series covers the primary rules, regulations, banking laws, Best Practices, and department and function operations. To date, our efforts have been met with considerable acceptance by the mortgage community and regulators. 

Visit our Compliance Tune-up® page for more information.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

[i] See Dodd-Frank Act, §§ 1024(b)(4) and 1025(a)(3)

[ii] For the purposes of assessing compliance ratings, the Federal Financial Institutions Examination Council (FFIEC) refers to these relationships as being with "third parties." Because the Bureau has adopted the FFIEC's Consumer Compliance Rating System, the Bureau uses that terminology. However, the Bureau generally uses the term "service provider" in its supervisory documents. See Bureau Bulletin 2016-02.