AN OVERVIEW OF THE CFPB ENFORCEMENT GUIDE Ari Karen | Offit Kurman [email protected] 917-312-2294 | 301-575-0340

Post on 27-Jul-2018


Examination Principles

• CFPB will focus on an institution’s ability to detect, prevent, correct practices that present significant risk of legal violation.

• CFPB will use same procedures to examine all entities offering similar products but will recognize differences based on size and complexity of institution

• Nonbank Supervision Risk Analytics and Monitoring team will determine what non-depository institutions pose greatest risk to consumers

• Depository institutions ongoing monitoring of supervisory and public information

© 2012 Offit Kurman, PA. All Rights Reserved.

Examination Principles

• Non-depository institutions will be examined based on asset size, business volume, extent of state oversight, and overall risk to public.

• CFPB will coordinate with state entities to maximize coverage

• Generally will be notified in advance

• Target reviews generally arise from a particular situation that has come to CFPB’s attention

• Horizontal reviews come from particular products or practices identified at other institutions

Examination Principles

• Evidence of tax law non-compliance to be referred to IRS

• Evidence of misrepresentation of financial data can be referred to DOJ for criminal enforcement

• ECOA violations referred to DOJ

• Will refer borrower fraud to DOJ

Examinations

• For most examinations there will be an initial scope summary and risk assessment prepared, prior contact with entity and providing information in response to inquiries.

• Within 60 days on-site examination

• After examination there will be a rating assigned from 1-5 (5 being worst)

• Rating determined by present compliance with financial laws; management commitment to compliance; management’s ability to take steps to assure compliance; adequacy of internal systems, procedures, controls and audit activities.

General Compliance Principles

• Sound compliance management system integrated into all operations

• Compliance should be part of day-to-day considerations of management and employees

• Entity is expected to be able to self-identify issues and initiate corrective action

• This applies to third-party relationships

General Compliance Principles

• CFPB expects every regulated entity to have effective compliance management that will include self-review, self-testing, self-initiated corrective action.

• Compliance must be significantly managed. This can be managed firm-wide or through outside consultant.

• Nature and extent of compliance will take account of size and complexity of operations, but there must be specific compliance plans, practices, procedures and on-going coordinated oversight in place.

• Not enough to simply have documents in place. Need ongoing attention by management.

Expectations for Management

• Demonstrates expectation for compliance throughout entity and to third-party providers

• Adopted clear policies and procedures

• Appointed an appropriately qualified chief compliance officer. Depending on size and complexity, full time compliance officer may not be required but there must be sufficient management concern for compliance and dedicated personnel/consultants sufficient to carry out all compliance responsibilities.

Expectations for Management

• Established compliance functions to set and evaluate policies, procedures, standards for entity.

• Allocate sufficient resources to the compliance function commensurate with size and complexity of operations

• Address consumer compliance issues and risks

• Require audit coverage of compliance matters and review results of periodic compliance audits

Expectations for Management

• Provide for recurring reports of compliance risks, issues, and resolutions.

• Compliance program must include policies and procedures; training; monitoring; and corrective action plans.

Unfair Acts or Practices

• Act is covered as UAP if it

– Causes or is likely to cause substantial injury to consumers, meaning there is significant risk of concrete harm either resulting from small widespread harm or minimally applicable large harm.

– Injury is not reasonably avoidable by consumers, meaning that the practice interferes with or hinders decision-making

– The injury is not outweighed by countervailing public benefit of the practice.

Deceptive Acts or Practices

• A representation, omission, act, or practice misleads or is likely to mislead consumers, including but not limited to price claims; bait and switch; offering unavailable product; omitting material conditions; failing to provide promised services.

• The representation, etc., is to be considered from the reasonable consumer’s perspective. Even if a significant minority are misled, it’s sufficient to be DAP.

Deceptive Acts or Practices

• Must be material – meaning that it is likely to affect a consumer’s behavior/decision-making

• Certain categories of information, including cost, availability, benefits and restrictions. Express claims about a financial product – considered material.

• Knowingly false statements are considered material

UAP/DAP

• Consumer complaints will be critical in identifying practices

• Institution should itself monitor websites such as ripoffreport.com; complaints.com; BBB; FTC; state agencies; and other popular consumer complaint channels.

• A transaction can be a UAP/DAP even if technically compliant, e.g., an advertisement complies with TILA but contains other inaccurate statements

UAP/DAP

• Examination objectives: assess entity’s risk management systems; identify practices that materially increase chances of DAP/UAP

• To determine whether entity engages in challenged practices

• To determine appropriate enforcement actions

• Be aware of horizontal reviews in this situation

UAP/DAP

• Entity must have thorough process for intake and review of consumer complaints and a process to address third-party complaints

• Entity has established policies and controls to address employee and related third-party conduct including training, performance reviews, audits, discipline policies and records, appropriate contracts, appropriate compensation and monitoring.

• Internal controls must be documented

UAP/DAP Transactional Testing

• Entity underwrites a product based on ability to repay

• Profitability of product depends on penalties or back-end rather than up-front fees

• Features are combined and difficult to understand

• A product targeted to specific group without appropriate tailoring of marketing, disclosures or other materials designed to ensure understanding by consumers

• Penalties upon termination of relationship

• Fees for access to information or account access

ECOA Examination

• Relies in large part on Interagency Fair Lending Examination principles (IFLEP) from August of 2009

• Remember 2009 was before LO comp rule and before people started saying that fixed pricing was necessary to fair lending compliance

ECOA “Special Attention”

• Creditor establishes most branches in predominantly non-minority areas but does most business in minority areas

• Advertisements targeted to certain groups with different products

• Underwriting or pricing guidelines contain unusual criteria that could create disparate impact (e.g., zip codes)

ECOA “Special Attention”

• Policies and procedures that are vague with respect to pricing, underwriting, referrals to alternative channels, classifying applicants, recommendations on products to consumers.

• Exceptions to underwriting, pricing, product recommendation permitted and/or subjective and/or widespread and/or broad discretion.

• Does creditor rely on third parties for part of credit operations.

• Does any employee receive incentives depending on terms/conditions of credit product sold or price of such product.

• CFPB desires to use statistical analysis whenever appropriate to scope of fair lending exam.

HMDA

• Examines the institution’s ability to collect and report accurate data concerning applications, originations, purchases, refinances, home improvement loans, home purchase loans for calendar year.

• Are adequate individuals assigned to oversee HMDA reporting, and are all relevant employees, including LOs, properly trained.

• Are data collection procedures followed throughout entity at all branches

• Is there adequate separation of duties concerning data entry, review, oversight and approval.

• Document retention for 3 years HMDA data and 5 years HMDA disclosures

• Different rules for depository/non-depository institutions

TILA

• Determine adequacy of internal controls including analysis of organizational charts, process flowcharts, policies and procedures, loan documentation and disclosures, checklists/worksheets, computer programs

• Significant deficiencies are reported to management

• Record retention practices are compliant

• Verify accuracy of TILA disclosures and determine proper disclosures given to proper customers in timely manner.

• When testing APR calculations they will test on a transactional basis

TILA

• Testing to determine whether LO compensated based on terms of the loan

• No specifics provided on how they are going to test this

• Also incorporates steering prohibition and requirements of the 3 loan beauty pageant

• Note that it does not exclude creditor from the analysis in accordance with Regulation Z

TILA

• Valuation independence – determine no attempt at undue influence into valuation

• Determine valuation does not materially misrepresent value of dwelling. No statement as to how this will be audited.

• No conflicts of interest with appraiser

• Confirm customary and reasonable compensation

RESPA

• Review GFE/HUD1/Servicing transfer disclosures and affiliated business disclosures for compliance with Reg X

• If electronic disclosures are used, ensure compliance with ESIGN

• Review policies and operating procedures and confirm through discussion with compliance/management

RESPA

• Must have policies and procedures to provide revised GFEs and to cure violations in a timely manner (30 days)

• Must have policies and procedures to cure technical or inadvertent error in HUD-1 within 30 days

• Interviews with lending personnel to determine source of referrals, nature of any services provided by referring sources, the identity of settlement service providers used by entity.

• Interviews as to timing of GFE and how fee information is determined

RESPA

• Assess overall knowledge and understanding of mortgage lending personnel

• Review sample of loan files to determine whether GFE was completed as required

• Using same sample review to determine that HUD 1 was properly completed

• Determine whether management is aware of prohibitions on payment of unearned fees or receipt of referral monies

RESPA

• Review financial records to ascertain existence of unearned fees or kickbacks for referral of service.

• If referral to affiliated service provider confirm that ABA disclosure statement was provided

• Horizontal and/or targeted reviews likely based on another institution’s records.

HPA

• Determine whether adequate internal controls exist

• Review of internal audit compliance and whether significant issues were reported by management

• Review sample transactions for compliance

• Review sample written requests for cancellation of PMI to ensure proper handling

• Review non high risk cancelled if 78% LTV or lower

• Review sample of loans at midpoint of amortization that are current to confirm whether PMI cancelled

• Review high risk loans with 77 LTV or lower to determine whether cancelled

• Review to determine that all unearned premiums returned w/in 45 days

Privacy Laws (GLB)

• Through discussions and available information identify sharing practices with affiliates and nonaffiliated third parties

• Delivery of required notices and opt-outs

• Review of information sharing agreements

• Internal controls to ensure compliance, and review of servicing arrangements and marketing arrangements

Privacy Laws

• Compliance is focused with respect to compliance with notices and intentional treatment of information as opposed to focusing on theft of information

• Examines nature and extent of non-public information obtained from other parties and whether such information is subject to proper information sharing agreements

Risk Assessment

• Nature and structure of products – looking to determine whether consumers will have difficulty understanding and/or could easily be misled

• Consumers to whom products are offered – looking to determine whether targeting particularly vulnerable section of population

• Marketing methods and sales – examines incentives underlying compensation to determine whether encourages high cost products regardless of consumer’s situation

Risk Assessment Marketing methods/Sales organization

• Examines incentives underlying compensation to determine whether encourages high cost products regardless of consumer’s situation

• Manner in which performance and/or compensation is established

• Discretion to set pricing and lack of responsibility for performance

• Marketing materials unclear or confusing

Risk Assessment Marketing methods/Sales organization

• Advertising includes teaser rates or omits material information

• Complex products offered to customers not likely to benefit

• Product marketing in a manner that may be discriminatory

• Advertising uses media outlets targeting particular groups

Risk Management

• Ongoing customer relationship management indicates lack of connection to customer service

• Compensation impacted by use of discretion to modify and/or adjust prices

• Vendors not based on quality of customer service

• Insufficient numbers of customer service staff and/or systems

• Complaint management

Risk Assessment Compliance Challenges

• Extensive decentralized retail network

• Multiple un-integrated information systems concerning origination of loans

• Use of internet and mass media

• Solicitation through active cross selling, telemarketing, third-party direct marketing

Risk Assessment Management

• Adoption of comprehensive policies, practices, procedures

• Commitment to compliance

• Regular and meaningful reports regarding compliance issues

• Management identifies and responds in timely manner to risks

• Allocates sufficient resources to compliance, including monitoring

• Compliance staff are independent and have sufficient authority and access

• Unit or individual performance expectations involve compliance concerns and authority exists to require compliance

Risk Assessment Management

• Compliance and risk management properly tailored to organization

• Regular testing and monitoring, including self assessment

• Proper and timely corrective action of identified compliance problems

• Compliance staff are involved in structuring of incentives for those interacting with employees

Risk Management Training

• Appropriate training to all staff including those in all aspects of operations

• Training is timely, repeated as necessary

• Requires all staff to take responsibility for compliance

• Policies and procedures support training

Thank You

Ari Karen | Offit Kurman

[email protected]

917-312-2294 | 301-575-0340