Quick Takes On CFPB’s Supervision & Examination Manual Version 1.0 – Part One
I like Top 10 Lists. They’re concise and to the point. With that, I’d like to share my top 10 takeaways from a first read of the CFPB’s Supervision and Examination Manual, Version 1.0. Here are Nos. 1-5:
1. Not much by way of safe harbors or objectively measurable guidelines can be found. It appears the CFPB is going to judge each lender on its scope, size and relative risk to the overall system. That’s not such a bad thing for smaller, regional players. The key is to make sure you have all of the bases covered regardless of your product array and loan volume, which brings us to No. 2.
2. Your Compliance Program should include the following:
a. Chief Compliance Officer (CCO) and Staff. The CCO may be someone with other responsibilities / titles and could be someone that works on a part-time basis, but there must be someone who is primarily responsible for the compliance program, that can supervise compliance staff (whether W-2 or contracted), and that has a reporting line to senior management.
b. Board / Senior Management Oversight. Directives regarding compliance must come from the top and the top has a continuing responsibility to ensure the program is adequate for the Company’s operation. Board minutes will be reviewed. In fact, an audit or risk committee should exist to receive regular reports and to perform on-going assessments as to the adequacy of the program. Regulators will also look to see that the Company devotes adequate resources to the Program. For example, does the CCO have adequate tools to monitor legislative or regulatory changes?
c. The Three Main Components: (1) Policies and Procedures; (2) Training; and (3) Monitoring and Corrective Action. Lenders tend to have adequate P & Ps or SOPs, but regulators will be looking for evidence of on-going training and adequate audit activities. Thus, the program must include a regular training program and systemized compliance audits. Findings should be reported periodically to the Board of Directors or an Audit Committee.
d. Customer Complaint Program. Every customer complaint should be documented, categorized, investigated and appropriately dealt with. This may include an examination of third-party vendors involved in your operation. Make sure that whoever is assigned the task of dealing with complaints understands the significance of a Qualified Written Response.
3. Don’t Ignore Your Advertising / Marketing Practices. Practices deemed Unfair, Deceptive or Abusive may happen with less frequency than other compliance violations, but they can result in a substantial magnitude of harm to the Company’s reputation or bottom line. Print, radio, and television advertisements should go through some type of compliance review and evidence of the review should be kept for the applicable record retention periods. For lenders that operate a direct-to-consumer channel, scripts and phone call monitoring should be part of the program. Customer Complaints can provide insight into potentially misleading communications.
4. Separate But Equal. Whenever possible, the Compliance Program should be managed outside of operations. Compliance should be independent and given adequate respect to do its job well.
5. Monitor Third Party Contractors Too. The type of monitoring that is appropriate varies greatly based on the service provided. Historically, the biggest risk arises via the third party originator (TPO). This risk is managed in a number of ways and involves various positions within your company, from broker approval to operations to compliance. At a minimum, some basic due diligence should be completed upon entering into the relationship and regular monitoring should be done, such as requiring a TPO to provide internal audit reports, evidence of compliance training, customer complaints and the like.
6. Adequately Train and Monitor Affiliates / Subsidiaries.