risk assessments: what we’ve learned€¦ · place to mitigate that risk. cfpb’s residual risk...

RISKASSESSMENTS:WHATWE’VELEARNEDSteveLevine,ChiefLegal&ComplianceOfficer

WHATISARISKASSESSMENT?

↗ AccordingtotheCFPB,theRiskAssessmentprocessisdesignedtoevaluateonaconsistentbasistheextentofrisktoconsumersarisingfromactivitiesofanentityandtoidentifysourcesofthatrisk.

↗  “Risktoconsumers”isthepotentialforconsumerstosuffereconomiclossorotherlegallycognizableinjuryasaresultoffailuretofollowfederalconsumerfinancelaws.

WHATISARISKASSESSMENT?

AsdefinedbytheCFPB,“inherentrisk”includesfactsthatincreasethepotentialforunfair,deceptiveorabusiveactsorpractices,fordiscrimination,orforviolationsofotherFederalconsumerfinanciallaws.Italsoincludesfactorsthatincreasethecompliancemanagementchallengesofabusinessandtherebyincreasetheriskofsuchviolations.

WHATISARISKASSESSMENT?

“RiskControls”includesfactorsrelatedtobothmanagingandmitigatingspecificinherentriskaswellasthestrengthofanentity’soverallsystemofcompliancemanagement.

WHATISARISKASSESSMENT?

TheresultofcombiningthesetwoconceptsisananalysisthatinvestigatesBOTHthepracticesthatrepresentrisktoconsumersANDwhatcontrolsthebusinesshasputinplacetomitigatethatrisk.

CFPB’SRESIDUALRISKMATRIX

CFPB’SRESIDUALRISKMATRIX

↗ TheCFPBtemplateprovidesaseriesoffactorsthatbearoninherentriskandrelevantriskcontrols.Examinersconductingtheassessmentshouldrateeachrelevantfactor(low,moderateorhighinherentrisk;strong,adequateorweakcontrolsandmitigation.

↗ Thefactorratings,takenasawhole,resultinaRiskSummary,whichisaconclusionaboutwhethertheoverallrisktoconsumersislow,moderateorhigh.

WHATARISKASSESSMENTISNOT

Ariskassessmentisnotadeterminationastowhetheraviolationofanyspecificlawexists.Itisaninvestigationintopracticesaswellasbusinesscontrolsinplace.

Conclusionsarebasedonriskpresentedtoconsumersaswellasadequacyofcontrolsinplace.

RISKASSESSMENTTOPICSINCLUDE↗ Website;

↗ Advertisingand

Marketing; ↗ AcquisitionNetwork;

↗ AdverseAction;↗ UnderwritingandScoring;↗ AncillaryProducts; ↗ FeesChargedtothe

Customer; ↗ CollectionCallFrequency↗ Thirdpartycontact;

↗ MilitaryAccounts;↗ Repossessiondecisions;↗ AdherencetoCallScripts;↗ ComplaintManagement;↗ BankruptcyAccounts;↗ CreditReporting;↗ CreditDisputeHandling;↗ StarterInterrupt/GPS

accounts;↗ CPI↗ ANDMORE

ADVANTAGESOFARISKASSESSMENT↗ Globalviewofoverallbusiness,notsilos;↗ Identifieswheretoinvestresourcesandbudget;↗ Measuresprogress;↗ Setspriorities;↗ Avoidfiredrills;↗ DemonstrateadequacyoftheCompliance

ManagementSystem;↗ Facilitatesworkingrelationshipbetweenbusiness

andcomplianceteams;

KEYSTOASUCCESSFULRISKASSESSMENT

↗ Projectshouldbeaprocess,notadocument;↗ Itshouldbedynamic,notstatic;↗ Allowsassessmentofcurrentconditionswithgoalof

improving;↗ Don’tjustconsiderwhereyouarebutwhereyouare

going,i.e.newproducts,markets,profitcenters,yields;

↗ Maketheriskassessmentforwardlookingtoo.

KEYSTOASUCCESSFULRISKASSESSMENT

ENGAGETHEBUSINESS!

↗ Collaboratewiththeallemployeesontheproject;↗ Earlybusinessbuy-iniskeytoacceptance;↗ Involveeveryoneinthedevelopmentofanalysis;↗ Don’twaitforthefinalreporttodeliverbadnews;↗ Recognizeandhighlightthe“goods”;↗ Fixtheproblem,nottheblame;↗ Supportmustcomefromtop;

BIGGESTRISKASSESSMENTMISTAKES

↗ Thinkingthatthisismerelyacompliancedepartmentfunction;

↗ HidetheBallMentality;↗ Attemptingtodothisin-house;↗ NotinvolvingalllevelsoftheCompany;↗ ConfusinganAssessmentwithanAudit.

OURGENERALOBSERVATIONS

↗ Thereisoftenadisconnectbetweenseniorleadershipandtheemployeesdoingthedaytodaywork.Thisistrueforbothareasofriskandcontrols.

↗ It’shardtogetaccesstotherightinformation.Thisisconcerningbecausethecompanymustdemonstrateitsefforts!;

↗ Thereismisunderstandingaboutrolesandresponsibility;

OURGENERALOBSERVATIONS

↗ Companiesthinktheirtraininginitiativesarealotmoreeffectivethantheyare;

↗ Companiesstrugglewithanalyzingtheirbusinessthroughthelensof“consumerrisk”andtendtofocusontheirownrisk;

↗ Weoftenhear“it’snotillegaltomakemoney”asadefensetotheofferingofproductsandservices.Thequestioniswhetherthereistransparencyandfairnesstotheconsumer.

OURGENERALOBSERVATIONS↗  “FOLLOWTHEMONEY”isagoodwaytoidentifyrisk.Someof

themostprofitableinitiativesalsocontainthemostrisk,forinstancefees,aftermarketproducts,CPI,etc.

↗  Businessestendtoembellishthecontrolsthatareinplace;whatappearsonacompanyorganizationchartmaybeverydifferentthanwhatactuallyhappens;

↗  Thereisn’tnecessarilyacorrelationbetweencustomercomplaintsandareasofrisk;however,nothavingstrongcomplaintmanagementisinitselfarisk;

D

OURGENERALOBSERVATIONS

↗  Therearesomepracticesthatareinherentlyrisky(CPI,Advertising)andinthoseareasevenstrongcontrolsinplacemayresultina“moderate”riskassessment;

↗  Similarly,thereareareasofmoderateorevenlowriskthatcanbeassessedas“moderate”riskbecauseofweakcontrols;

↗  Beinganindependentthirdpartyallowsamorehonestassessmentbecausethereisnopre-existingprejudice;

POLICIESANDPROCEDURES

↗  PoliciesandProcedures,standingalone,donotconstitutestrongcontrols.

↗ Digdeeperandintovariouslevelsofthecompanytolearnfamiliaritywiththepolicies,howoftentheyareexaminedandupdated,andhowstrongandthoroughisthetrainingreceivedbypersonnel.

INDIRECTLENDING↗  Indirectlendersthatbuycontractsfrom

hundredsorthousandsofdealersneedtohavestrongcontrols,(underwriting,contractsaccepted,thirdpartyproducts);

↗ Unfortunately,budgetaryandvolumepressuresmakeithardtosticktothesecontrols.

VENDORMANAGEMENT↗  Generally,companiesaren’tasstrongwith

thisfunctionastheythinktheyare;

↗ Policiesarenotalwaysfollowed,exceptionsaremade,mostprominentlyinrepossession;

↗ TherecentWellsFargofinehadsomegoodinsightintomanagingvendors,askingpenetratingquestionsandbeingproactive.

COMPLAINTMANAGEMENT

↗ Mosthaveapolicyandprocessbutwidedivergencewithitcomestoremediation;

↗ Companiesdon’tdocumentwelland“losecredit”forcomplaintstheyresolvequickly;

↗ 3mostcommonarea)poorservice;b)employeerude;andc)reporelated.

THIRDPARTYCONTACTS

↗  Thereisconfusionastowhenathirdpartycanbecontacted,anditoftencontactismadewhenlocationofcustomerisknown;

↗ Companieslackamechanismtotrack“donotcall”instructionsfromthirdparty;

↗ Managersdon’tliketheruleandtrytocircumvent.

CREDITREPORTING↗ Disputehandlingfunctionisnotadequately

staffedinmanyinstances;confusiononwhat“adequateinvestigation”means;

↗ Furnisherobligationsaren’talwaysunderstoodandauditsdon’tmatchsizeandcomplexityofbusiness;

↗  Inherentlyhighrisktopic,sotrainingvital.Staffisoftennotadequatelytrainedandinheritjob.

COLLECTIONSANDSERVICING

↗ Scriptsdon’talwaysexistandwhentheydotheyareoftennotfollowed;

↗ Collectionnotesarenotalwayspresentandoftennotclear;

↗ Datanotalwayseasytolocate;

↗ Integrationbetweenvarioussystemsneeded.

MeetusattheAfterParty!

ContinuedDiscussiononourwebinar!

RiskAssessments:WhatWeLearnedFor2018

WednesdayJune6th

2PMCDT

Emailinfo@ignitecp.comtoregister!

IgniteConsultingPartnersconsultsBHPHdealers,financecompanies,andotherlendersoncompliance,cyber-threatassessment,processimprovementandhowtoleveragetechnologyto

driveefficiencyandperformance.

SteveLevineChiefLegalandComplianceOfficer

(817)803-3143DirectSteve.Levine@IgniteCP.com

FollowSteveonTwitter@LawyerLevine