Consumer Compliance Outlook > 2014 > Third Quarter 2014

Consumer Compliance Outlook: Third Quarter 2014

Consumer Compliance Management Program — Common Concerns and Best Practices Webinar Questions and Answers

By Katina Tsagaroulis, Compliance Risk Specialist, Federal Reserve Bank of Boston

On April 10, 2014, the Federal Reserve System conducted an Outlook Live webinar titled “Consumer Compliance Management Program — Common Concerns and Best Practices.” Participants submitted a significant number of questions during the session. Because of time constraints, only a limited number of questions were answered during the webinar. This article addresses some additional questions we received.1

As examiners, do you expect to see a consumer compliance management program instituted in all banks, or is it first a recommendation and then a requirement beyond a certain asset size?

In November 2013, the Federal Reserve Board (Board) announced in Consumer Affairs Letter (CA Letter) 13-19 that it was implementing a new Community Bank Risk-Focused Consumer Compliance Supervision Program (RFS Program).2 As discussed in the CA Letter, the RFS Program outlines compliance risk management practices for state member banks with assets of $10 billion or less, including their subsidiaries.3 The Board expects the institutions it supervises to have an effective consumer compliance management program in place, appropriate to the institution’s risk profile.4 In addition, Supervisory Letter (SR Letter) 08-8/CA 08-11 outlines compliance risk management program information for large banking organizations with complex compliance profiles.

Although there is no specific formula for creating a consumer compliance management program, every program should be tailored to the size, complexity, market, and assessment area of the institution. A sound program contains the following four essential elements:5

• Board and senior management oversight
• Policies, procedures, and limits
• Risk monitoring and management information systems
• Internal controls

When developing a consumer compliance management program, management should consider, among other things, the institution’s organizational structure (taking into account the level of independence of functions responsible for compliance oversight, as well as the institution’s hiring, turnover, and succession planning practices), business model and strategy, new product development, and internal compliance testing and audit procedures.6

An institution’s senior management and board of directors should ensure that the consumer compliance management program focuses on identifying, measuring, monitoring, mitigating, and controlling risks related to consumer protection laws and regulations.7 For small institutions that engage solely in traditional banking activities in which senior management is actively involved in daily operations, relatively basic risk management systems may be adequate. In such institutions, these systems may include an informal compliance program with both written and unwritten policies addressing material areas of operation, such as lending, basic internal control systems, on-the-job training, and management and board reports.8 Larger, more complex institutions likely require more formal and comprehensive programs to maintain satisfactory levels of compliance, including detailed policies and sophisticated management reporting to allow senior management to evaluate and mitigate risks.9

Is there guidance for a bank’s compliance risk assessment?

Compliance risk assessments are detailed in the Board’s CA Letter 13-19. As discussed in the guidance, “the risk assessment presents a comprehensive view of the institution, delineating the areas of supervisory concern, and serves as a platform for the supervisory plan.”10 To conduct a risk assessment, an institution first gauges the inherent consumer compliance risk, which is defined as the likelihood and consequences of violating consumer laws and regulations associated with the products and services offered by the institution. Risk management and controls are evaluated in the context of their likely effectiveness in achieving compliance. The assessment then considers residual risk, which is defined as the risk that remains for a product or service after considering the effects of risk mitigants (i.e., residual risk equals inherent risk controlled by risk mitigants).

It is important that an institution examine all of the products and services it offers to document each of the laws, regulations, and guidance that may apply and evaluate the effectiveness of its compliance controls. In addition, the institution may determine that some laws and regulations should always be considered regardless of the products and services offered. Typically, these are laws and regulations in which violations can create significant consumer harm, such as fair lending laws, and Unfair or Deceptive Acts and Practices under Section 5 of the Federal Trade Commission Act. For further details on risk assessments for state member banks, refer to CA Letter 13-19.

Must the bank have a vendor management policy? What are the bank’s responsibilities when using a third-party service provider?

In December 2013, the Board issued “Guidance on Managing Outsourcing Risk” to highlight to financial institutions the potential risks arising from the use of service providers and to describe the elements of an appropriate service provider risk management program.11 The guidance discussed several key points, including:

The use of service providers does not relieve a financial institution’s board of directors and senior management of their responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations. Policies governing the use of service providers should be established and approved by the board of directors, or an executive committee of the board. These policies should establish a service provider risk management program that addresses risk assessments and due diligence, standards for contract provisions and considerations, ongoing monitoring of service providers, and business continuity and contingency planning.12

Institutions should manage third-party vendor relationships as they would any other business line, division, or function of the bank. If not managed effectively, the use of third-party vendors may expose an institution to significant compliance risks. Therefore, institutions must take adequate precautions to ensure that the vendor complies with all appropriate laws and regulations, considers the institution’s specific business needs, and aligns its practices with those needs.

Finally, senior management has a duty to establish acceptable performance metrics, effectively monitor contractual requirements, and keep the board of directors properly informed about the performance of the vendor management program. Effective board oversight is critical to ensuring a successful vendor management program. Therefore, the board should routinely review the policy, along with the risk assessment(s), internal testing and monitoring reports, and formal audit reports.

For additional information, refer to Guidance and the recent Outlook Live webinar and Outlook articles on Vendor Risk Management.13

Are there examples of a change management process that you can share with us?

Given the changing regulatory landscape with additional responsibilities of banks under new or revised regulations and pressures to follow competitors as new products are introduced in the marketplace, establishing a change management process can be an effective tool not only to manage changes but also to track any steps the institution has taken to mitigate potential harm and risks to consumers and the institution. The methods of developing and implementing a change management process may vary based on the institution’s size, complexity, and resources available.

Change management should be a structured and disciplined process that can be repeated since change can always be expected. The RFS Program describes that an effective change management process:

• requires management and staff from all affected functions — potentially including compliance, accounting, risk, internal audit, and line management — to review and recommend a response or change proposal for senior management or board approval that clearly articulates expected results. The entire life cycle of a product or service affected by the change must be considered, whether it involves the introduction of a new product or service or a change affecting existing bank operations.
• incorporates appropriate approval processes associated with implementation.
• requires that operating policies and procedures are updated to provide clear guidance to staff on how to comply with all legal or regulatory requirements.
• requires that staff be properly trained regarding the change.
• incorporates monitoring of the deployment of the new or revised process, product, or service.
• requires a review after implementing a change to determine whether the actions taken achieved the expected results.14

An effective regulatory change management process will identify new or revised regulations, consider their complexity and impact (i.e., potential harm and risk) to consumers and the institution, and assign responsibility as appropriate for implementing compliance with new rules. For example, to implement recent changes to the federal flood insurance law (i.e., the Biggert-Waters Flood Insurance Reform Act and the Homeowner Flood Insurance Affordability Act), the institution must assess whether it has the resources to implement the change, as well as the effect of the changes on its systems and processes, and the need to provide training for staff. If vendors are involved, the institution must ensure that they are aware of the changes and that they are properly implementing them.

Some elements of a regulatory change management process can include:

• A standing agenda item for regulatory change on a consumer compliance committee meeting that incorporates members enterprise-wide, such as risk, operations, lending, vendor management, training, internal audit, and legal
• Dedicated staff to research, develop, and publish a regulatory change management newsletter for distribution to management and staff with daily consumer compliance responsibilities for information and training purposes
• A robust training system that includes industry training, conferences, webinars, and seminars whereby participating individuals return to their institutions to share knowledge gained, updates, and tips with management and staff with consumer compliance responsibilities
• A subscription to the regulatory monitoring services to learn about current and future regulatory activities

Regulatory change has become the new norm in the aftermath of the financial crisis and the passage of the Dodd-Frank Act. Regardless of the size of the institution, an effective process must be in place to manage change. A successful program will help to ensure that institutions implement regulatory changes in a timely manner and that institutions conduct appropriate due diligence and analyses before offering new products and services.

What are some insights that you might be able to offer financial institutions, particularly community banks, considering the use of social media?

Compliance risks for social media were discussed extensively in the Federal Financial Institutions Examination Council’s recent guidance, “Social Media: Consumer Compliance Risk Management Guidance.”15 For additional information, refer to the recent article by Kurtis Haygood, “Consumer Compliance Risk Management for Social Media,” Outlook (Second Quarter 2014).

Conclusion

A strong consumer compliance management program helps to ensure that a bank is complying effectively with federal consumer protection laws and regulations. Specific issues and questions should be raised with your primary regulator.

• ¹ The webinar has been archived and is available on the Outlook Live website.
• ² CA Letter 13-19 , “Community Bank Risk-Focused Consumer Compliance Supervision Program,” November 18, 2013
• ³ Under Section 1025 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), the Consumer Financial Protection Bureau conducts consumer compliance examinations of depository institutions with assets greater than $10 billion. See 12 U.S.C. §5515 .
• ⁴ See CA Letter 08-11 , “Community Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles,” October 8, 2008.
• ⁵ See RFS Program at 12.
• ⁶ See RFS Program at 9.
• ⁷ See RFS Program at 3.
• ⁸ See RFS Program at 22.
• ⁹ See RFS Program at 22 and CA Letter 08-11.
• ¹⁰ See RFS Program at 12.
• ¹¹ See CA Letter 13-21 , “Guidance on Managing Outsourcing Risk,” December 5, 2013.
• ¹² See CA Letter 13-21 , “Guidance on Managing Outsourcing Risk.”
• ¹³ Cathryn Judd and Mark Jennings, “Vendor Risk Management — Compliance Considerations,” (Fourth Quarter 2012 Outlook); Anthony Ricks and Timothy Stacy, “Vendor Risk Management,” (First Quarter 2011 Outlook), and “Vendor Risk Management–Compliance Considerations,” Outlook Live webinar, May 2, 2012.
• ¹⁴ RFS Program at 23
• ¹⁵ CA Letter 13-22 , “Social Media: Consumer Compliance Risk Management Guidance,” December 11, 2013