Consumer Compliance Outlook: Second Quarter 2015

Managing Risk Throughout the Product Life Cycle

By Mark Serlo, Senior Supervision Analysis Team Leader, and Janis Frenchak, Assistant Vice President, Federal Reserve Bank of Chicago, and Jason Lew, Compliance Risk Coordinator, Federal Reserve Bank of San Francisco

Welcome to the seventh anniversary issue of Consumer Compliance Outlook. This issue is dedicated to product risk management, the process by which a financial institution identifies, controls, and mitigates risks for its products and services. The Federal Reserve has published several articles on managing risks associated with new products and services in its Community Banking Connections1 and FedLinks2 publications, reflecting a safety and soundness perspective. This edition of Outlook leverages those articles and examines specific consumer compliance–related risks in greater detail throughout the product life cycle.

Product risk management can be approached in different ways. In this issue, we present a framework for evaluating product risk based on the product life cycle. The cycle begins when a product or service is conceptualized and ends when the institution stops offering it or the consumer stops using it (voluntarily or involuntarily). Each stage of the cycle can be subject to its own risks and challenges, so this article discusses various approaches to managing compliance risk at each product stage. For example, when a lender forecloses on a defaulted residential mortgage loan (the termination phase), specific regulatory requirements that apply must be considered. In contrast, when a financial institution considers a marketing campaign for a new product or service, the institution should ensure that it has considered the applicable laws and regulations at that stage of the product life cycle. The framework we discuss here — focusing on the product life cycle — is simply one approach to the process of product risk management. While this framework references new products and services, it may also be useful for managing the compliance risk of existing products and services.

The format of this issue is slightly different from our regular format. Since we are devoting the entire issue to product risk management, we are dividing each stage of the product life cycle into individual chapters. For easy reference, we have listed the chapters on the table of contents on this page.

Introduction

In today’s highly competitive banking environment, a financial institution may believe that making changes to the products and services it offers provides an advantage over its rivals and a path to higher profits. While it is understandable that an institution may want to respond to a competitive environment with new products and services, this decision is not without risks. New products or services may be subject to complex regulatory requirements and may necessitate staff training, new disclosures and forms, updated policies and procedures, and system changes and testing. Changes to products and services should also be consistent with corporate strategic objectives. We have found that financial institutions that are successful in introducing new products or services employ a structured and repeatable process to manage any associated compliance risks. “By considering risks before introducing new products and services, management can identify and mitigate them in advance and avoid potentially costly and unintended consequences.”3

Although compliance risk is typically greater for new products than for existing ones, financial institutions must still be vigilant in conducting risk management for their current products as well. One approach is to consider compliance risks throughout a product’s life cycle.

The Product Life Cycle

The product life cycle consists of different stages that a product or service goes through from inception to termination. The following table details the different stages and provides an illustrative (though not exhaustive) list of factors to consider at each stage of the process to help manage consumer compliance risk.

Each of the following chapters discusses a stage in the life cycle process, associated risks at each stage, and some of the management considerations at that specific stage.

The Product Life Cycle
Stage	Definition	considerations
Strategic Considerations	Incorporates the strategic analysis behind an established, new, or modified product: this includes analyzing the strategic fi for the institution and its customers, as well as any components tied to product development (controls, compensation, platforms, etc.) and the overall benefit of the product to the institution and to consumers	Strategic goals and areas of expertise Involvement of the board of directors, management, business line, legal, and compliance Regulations or guidance Emerging issues related to the product, including legal activity Processes (developing procedures and operating systems, training staff, monitoring activities, and setting controls) Use and role of third parties
Product Design	Addresses the process of developing the actual product and specific considerations such as profi ability and fee structure	Target market Relationship to other products Applicability of laws and regulations Types of fees assessed Delivery systems
Marketing	Outlines the manner in which the product is targeted and marketed	Advertising Cross-selling to customers Targeting solicitations
Product Delivery	Incorporates the components of the initial interface, including the selling and/or application process	Steering risk Applications Disclosures Fees and terms Role of compensation and incentives
Origination or Consummation	Describes the process by which a customer qualifies for and obtains the product or service	Disclosures Incentives and compensation structures Pricing and underwriting discretion
Product Use and Duration	Incorporates any and all aspects of a product after the origination or consummation stage; includes servicing, maintenance, dispute and resolution, changes in terms, default or misuse, additional fees, or other costs	Periodic statements and disclosures Servicing practices and third-party servicers Communications Repayment options Mobile banking platforms Delivery systems Complaints
Termination	Addresses the process of the consumer voluntarily discontinuing use of the product, or the institution’s process of discontinuing the product, or any other process in which the relationship between the consumer and the product ends	Communication Procedures and practices Loss mitigation, collection, and foreclosure

Chapter 1 — Strategic Considerations

Board and Senior Management Involvement

“Educating and engaging board members can be valuable in the strategic planning process. Conversely, jumping into a new product or business line without effective challenge from board members can result in future headaches.”
—“Financial Institution Strategies in the New Year: Trends and Examples” by Cathy Lemieux, Community Banking Connections (First Quarter 2014)

The products and services that a financial institution offers reflect the board’s and senior management’s compliance risk appetite and should align with the institution’s strategic plan and its level of expertise. It is important that all key stakeholders — directors, compliance officers, marketing officers, general counsel, operations management, and other senior management — be involved in strategic product decisions. Fully engaging key stakeholders enhances the process of identifying and managing risks.

It is helpful to articulate strategic goals for new products and services with measurable objectives (e.g., to increase market share or to increase noninterest income) and to identify the expected benefit to customers. The goals should be vetted with the board and senior management who need to consider the following issues:

The financial institution’s risk appetite
Its areas of expertise and its ability to deliver the new product or service
Consumers’ perceived need for the product
Current federal and state consumer protection laws, regulations, and guidance
Financial institution resources
Anticipated future regulatory requirements4
Legal challenges related to the product or service, including lawsuits, consumer complaints, or public enforcement actions

From a supervisory standpoint, compliance examiners will often evaluate new products and services because they can increase consumer compliance risk.5 Management teams are encouraged to discuss proposed new products and services with their regulators to ensure that any regulatory concerns are addressed early in the decision-making process.

Resources and Expertise

Another consideration is whether the institution has the resources and expertise to offer the product or service. We have seen management teams too often introduce product offerings without fully understanding the compliance requirements, the potential risks, the impact on customers, and the resources needed to successfully introduce and provide ongoing operational support for the new product or service. Potential factors to consider include the following:

What knowledge is needed to effectively deliver the product or service?
Does the financial institution currently possess, or can it cost effectively acquire, the required expertise and staffing level — not only in the business line but also in the compliance and audit areas?
Can the financial institution’s computer systems handle the increased usage resulting from any new products or services?
Does the financial institution currently possess, or can it cost effectively acquire, operational capacity to deliver the product or service (e.g., automated processing, centralized operations, use of third-party service providers)?
What are the consequences of noncompliance or failure to deliver the product as promised?

Third Parties

The decision to use third-party vendors for a product or service should be considered during the strategic planning process. When properly chosen and managed, third parties can provide an institution with valuable expertise and service that the institution cannot cost effectively provide on its own.6 The depth and formality of a service provider risk management program will depend on a number of factors, including the complexity and materiality of the activity being outsourced.

Nonetheless, overreliance on third parties increases compliance risk if they are not adequately monitored. In our experience, financial institutions that do not have the requisite expertise or that do not ensure adequate oversight over their service providers are more likely to encounter challenges complying with the applicable regulatory requirements. In more serious instances, they may be exposed to third-party activities that adversely impact consumers, and such actions may result in adverse outcomes for the financial institution, including enforcement actions and penalties in the most extreme cases.

Chapter 2 — Product Design

Considerations at this stage include the specific features and benefits that will define the product. Examiners occasionally observe that compliance staff members are either absent from the product design and development process or involved only in the final review of a product before it is introduced or after it has been launched and transactions have been consummated. Successful management teams involve compliance staff throughout the entire design and development process.

Risk analysis in the design stage should focus on the specific requirements applicable to the particular product as designed. This helps to ensure that the institution develops an appropriate internal control infrastructure around the product to ensure compliance and to reduce the risk of harm to the consumer.

Fairness

Successful products and services are designed with fairness in mind. This means delivering a value proposition in which the financial institution earns a profit while satisfying a customer need. It is more than simply complying with specific regulatory requirements, since technical compliance alone does not mean that a product is free from potential consumer harm. As the Federal Reserve Board and the Federal Deposit Insurance Corporation (FDIC) stated in their 2004 joint guidance for unfair or deceptive acts or practices (UDAP): “[T]here may be circumstances in which an act or practice violates section 5 of the FTC Act even though the institution is in technical compliance with other applicable laws, such as consumer protection and fair lending laws. [Financial institutions] should be mindful of both possibilities.”7

With the continued regulatory focus on fairness and consumer harm, institutions should always consider possible UDAP implications for their products and services and should address them early in the design process and monitor them throughout the product life cycle. Examples of questions to ask include:

Does the product or service provide a win-win situation in which a customer need is satisfied and the bank earns a profit?
Are the features or terms difficult for the customer to understand?
Can communication about the product’s terms and features be made clearly, conspicuously, accurately, and timely?
Does the product have unintended consequences that could be harmful to customers?8

Complexity

As financial products and services become increasingly complex, the potential for consumer harm increases. Product features such as numerous conditional requirements, options, or variations contribute to complexity and the level of inherent compliance risk. When a product is overly complex, consumers may not understand all of its features or costs. Moreover, institutions may not be able to deliver the product as promised. Product attributes that may contribute to increased inherent compliance risk include:

Offering large numbers of similar accounts — for example, credit cards or deposit accounts — that have many different features, terms, or conditions makes it challenging for the consumer to compare them and understand the differences.
Making product changes during the life cycle that will require additional disclosures and/or actions by the institution to comply with legal or regulatory requirements.
Including features that can be explained only with disclosures that use dense, legal language and that span many pages.

To mitigate the risk involved with complex products and services, management may wish to consider simplifying product and service offerings during this stage.

Chapter 3 — Marketing

Marketing involves much more than simply advertising, and the associated compliance risks extend well beyond meeting technical advertising rules. For example, the Interagency Fair Lending Examination Procedures discuss fair lending risks that can arise in marketing, such as the use of marketing programs for residential loan products that exclude geographies within the institution’s assessment or marketing area that have significantly higher percentages of minority group residents than the rest of the assessment or marketing area.9 For this reason, it is important that compliance and marketing staff collaborate in developing all marketing strategies. Bringing compliance into the process early is a sound practice because it is more difficult and costly to make changes later in the process.

An illustrative list of marketing questions for management to consider includes:

Is the product accurately portrayed and disclosed in all marketing materials (this would include not just advertising but scripts, training materials, and similar items)?
Can a consumer readily understand and reap the benefits of the product?
Has staff been appropriately trained to sell the product?
Did the compliance staff participate in, or at least review, the marketing strategies and materials for compliance with applicable laws and regulations?

UDAP risk increases when products and services are targeted to potentially vulnerable populations. As stated in the UDAP Guidance:

The need for clear and accurate disclosures that are sensitive to the sophistication of the target audience is heightened for products and services that have been associated with abusive practices. Accordingly, financial institutions should take particular care in marketing credit and other products and services to the elderly, the fi vulnerable, and customers who are not financially sophisticated.10

A number of federal laws and regulations apply to advertisements for consumer products and services. Some of the common applicable federal laws and regulations include (but are not limited to):

Product/Service	Law/Regulation
All consumer financial products and services	UDAP
Credit	Equal Credit Opportunity Act (ECOA)/Regulation B Fair Housing Act Truth in Lending Act/Regulation Z
Deposit	FDIC regulations Truth in Savings Act/Regulation DD
Overdrafts	Electronic Fund Transfer Act/Regulation E Truth in Savings Act/Regulation DD
Credit reports	Fair Credit Reporting Act/Regulation V

It is important that advertisements, including those on the web and in social media,11 are reviewed to ensure they comply with these and any other applicable laws or regulations. State law also may apply and should be considered.

Chapter 4 — Product Delivery

During the product delivery stage, risk analysis should focus on the initial customer interaction, including the sales and application processes. The interaction will vary based on the institution’s delivery channels, which may include traditional retail branches, the Internet, mobile applications, social media, brokers, referral sources, or other channels. It is essential that the risks within each delivery channel are identified. For example, institutions that use social media for product delivery may be exposed to increased reputation risk arising from any negative public reviews or comments. Activities that result in dissatisfied customers and/or negative publicity could harm the reputation and standing of the financial institution, even if the financial institution has not violated any laws. Therefore, financial institutions engaged in social media will want to be sensitive to, and properly manage, the reputation risks that arise from these activities.

During product delivery, compliance risks arise from regulatory requirements and restrictions regarding applications and the delivery and content of disclosures. For example, creditors must comply with the ECOA (Regulation B), which limits applicant information that may be collected, sets time frames for responding to applicants, and requires applicants to be notified of the action taken within a certain time frame.12 As another example, Regulation E imposes disclosure requirements and substantive restrictions on overdraft programs. Generally speaking, a financial institution may not impose an overdraft fee for a point-of-sale transaction unless the consumer has been given a disclosure and has elected to opt in to the program.

Increasingly, financial institutions are using third parties to deliver the institution’s products or are engaging in cobranding relationships in which third-party products are offered under the institution’s name. In many of these arrangements, the third party is positioned directly between the financial institution and the customer and is closely involved in product and service delivery, often with unfettered access to consumers. Because the board and senior management are ultimately responsible for all aspects of the institution’s operations, effective due diligence and ongoing supervision of the third parties will help to mitigate risks from these arrangements. A proactive approach to oversight may also help financial institutions identify and correct issues as they arise and before they result in violations of law or harm to consumers. As discussed earlier, institutions should also consider fairness in product delivery.

Another key concern is the risk that a customer may be inappropriately steered to a particular product, especially one that involves higher cost or questionable benefit given the particular customer’s circumstances. This risk is exacerbated when incentives, including compensation structures, reward employees or third parties for selling products. Appropriate disclosure of the product cost, features, and limitations to the consumer is critical for these types of products. For example, many institutions offer an overdraft line of credit. If a fee is incurred to transfer funds from the line of credit to the customer’s savings or checking account to cover an overdraft, or if an annual fee is incurred to maintain the line of credit, the fees should be adequately disclosed. If customers do not receive a clear explanation of the overdraft program, or if misleading sales tactics are used, they may be unable to make an informed decision about the product and may expose the institution to UDAP risk.

To help manage product delivery risk, management should consider the following illustrative list of questions:

Has the institution identified and addressed the risks associated with the applicable delivery channels?
How will the institutions comply with the laws and regulations that govern the sales and application processes?
Are there compensation or other incentives that may drive risky behavior by employees?
If third parties are used, is the oversight sufficient and effective?
Will consumers receive all the necessary information to make an informed decision about the product during their initial interaction with the financial institution?

Chapter 5 — Origination or Consummation

Once the customer has decided on a product or service, factors to consider at the origination or consummation stage include qualifying the customer for the product, providing the required disclosures, and ensuring the disclosures accurately reflect the contractual costs and terms of the transaction. Depending on the product or service being offered and its means of delivery, specific regulatory requirements, including disclosures, may apply. For example, an institution that originates products online will also generally provide the requisite disclosures through electronic means, subjecting the institution to the provisions of the Electronic Signatures in Global and National Commerce Act (E-Sign Act).13 For credit products, the institution should also consider potential fair lending risk. Inadequately controlled pricing and underwriting discretion increases the risk of disparities on a prohibited basis. Strong controls around product pricing and underwriting can mitigate these risks. Financial institutions should have well-documented qualification standards and pricing guidelines. Recognizing, documenting, and monitoring exceptions to policy are critical for mitigating fair lending risk.

When evaluating for UDAP risk during origination and consummation, the disclosures, product materials, and contractual agreements should be consistent with one another and clear, especially as they relate to the costs and terms of the transaction. In addition, disclosures or any other product information provided to the consumer should not include claims, representations, or statements that may mislead consumers about the cost, value, availability, cost savings, benefits, or terms of the product. As discussed earlier, compliant disclosures alone are not sufficient to prevent a UDAP finding if the consumer was otherwise misled about material product features.

To ensure the risk is appropriately managed during origination and consummation, management should consider the following illustrative list of questions:

Has the financial institution considered the risks for each origination channel? For example, risks associated with retail originations will differ from wholesale originations.
Has the financial institution considered the potential for fair lending and UDAP risk during product origination and consummation?
Has the institution implemented appropriate controls to mitigate any perceived risk?
Are the disclosures, product materials, and contractual agreements consistent with one another and clear?

Chapter 6 — Product Use and Duration

The compliance risk of a product or service varies depending on its complexity and the duration of its use. The risk is typically greater for complex products such as a home equity line of credit or products that involve change over their life cycle (such as a variable rate mortgage), and when the usage period is long (such as a 30-year mortgage).

By contrast, products that only involve a single point-in-time transaction have less risk. For example, the servicing of a mortgage loan is subject to numerous regulatory requirements during its long life cycle. These can include frequent borrower communications (such as periodic statements and subsequent disclosures), processing of regular payments, and the need to abide by specific servicing rules. Conversely, a remittance transfer, once sent, will likely have regulatory risk only if a consumer files a dispute, which generally must be done within 180 days of the disclosed funds availability date.14

Regulatory Requirements and Guidance

Depending on the product, service, or the delivery system used, specific regulatory requirements and restrictions may apply.

The more common requirements and restrictions may include, but are not limited to:

Annual privacy notices
Periodic statements

Subsequent disclosures may include those for:

Changes in terms
Account renewal/maturity
Interest rate adjustment and/or payment change
Force-placed insurance
Adverse action

New servicing practices may include those for:

Prompt crediting of payments
Timely provision of payoff statements
Error resolution and information requests
Default monitoring and servicing of delinquent accounts
Loss mitigation and foreclosure
Debt collection

An institution should also consider guidance issued by regulatory agencies. For example, the federal banking agencies recently issued guidance on home equity lines of credit (HELOCs) nearing their end-of-draw periods.15 As noted in the guidance, supervised institutions are expected to promote compliance with applicable laws and regulations and to have adequate risk management practices to monitor, manage, and control the risks in their HELOC portfolios as lines near their end-of-draw periods.

Complaints

Regularly reviewing and evaluating customer complaints can provide insights into how well customers understand the institution’s products and services. Complaints can come from a variety of sources, including customer service calls, written complaints to the financial institution or its primary regulator, customer reviews, or social media.

Because complaints can serve as an early indicator of potential concerns, managing a product or service successfully will include a process to monitor and analyze complaints. While it is important to address the specific concerns of any particular customer, determining whether an issue is systemic and whether other customers may be affected is also important.

Chapter 7 — Termination

The last phase of the product life cycle involves terminating a product or service. This may occur when a product has a fixed maturity, a customer voluntarily closes an account, or bank management decides to discontinue a product or service. Over time, especially in an environment of rapid technological change, customer demand for certain products and services may change. For example, consumers have largely shifted away from using paper checks and are relying instead on bill pay services, debit and credit cards, and, increasingly, mobile payments to make payments or purchase goods and services.

An illustrative list of factors to consider during both customer and financial institution initiated termination of a product or service includes:

Financial Institution Initiated Termination

Does the financial institution provide advance notice to customers to allow them sufficient time to migrate to another product or service?
Is the institution complying with any applicable regulatory requirements? For example, the Real Estate Settlement Procedures Act (Regulation X) requires mortgage loan servicers to notify mortgage borrowers at least 15 days in advance when the servicer changes.16 Similarly, the Truth in Lending Act (Regulation Z) requires that if the owner of a loan sells or transfers it, the new owner must notify the borrower of the transfer.17
Has the institution trained staff to answer questions from affected customers?
Is the institution discontinuing a credit product entirely or closing only certain accounts? If the latter is the case, would the closure criteria disproportionately affect customers on a prohibited basis?
Are the institution’s foreclosure processes and controls effective and do they comply with consumer protection regulations?18

Product Maturity and Voluntary Account Closures

Does the institution respond accordingly to voluntary account closures? For example, Regulation Z19 contains specific requirements for responding to payoff requests.

Does the financial institution comply with applicable regulatory and contractual agreements at product maturity or voluntary account closure? For example, when a certificate of deposit account automatically renews, the financial institution may be required to send a maturity notice and renew the certificate of deposit according to the previous account agreement.20

Conclusion

Innovation, market conditions, and consumer demand will always lead to new products and services in the financial services industry. The institutions that are most successful in introducing new products and services consider consumer compliance risk throughout the product life cycle. This framework considers various institutional, legal and regulatory, and environmental risk factors that may be present at each life cycle stage of the product or service. This comprehensive approach for managing compliance risk helps to ensure that financial institutions can obtain the benefits of the new products and services and avoid the unintended consequences that can derail an institution’s product strategy. Specific issues and questions should be raised with your primary regulator.

¹ Teresa Curran, “Considerations When Introducing a New Product or Service at a Community Bank,” Community Banking Connections (First Quarter 2013).
² “Introducing a New Product or Service,” FedLinks(September 2014).
³ Teresa Curran, “Considerations When Introducing a New Product or Service at a Community Bank,” Community Banking Connections (First Quarter 2013).
⁴ The Consumer Financial Protection Bureau (CFPB) publishes a semiannual regulatory agenda that provides information on its current rulemaking activities. The most recent agenda was released on May 22, 2015.
⁵ See Federal Reserve Board, Consumer Affairs Letter (CA Letter) 13-19, “Community Financial Institution Risk-Focused Consumer Compliance Supervision Program,” November 18, 2013.
⁶ The Federal Reserve has published various resources pertaining to outsourcing risk, including CA Letter 13-21, “Guidance on Managing Outsourcing Risk,” December 5, 2013; a Consumer Compliance Outlook article by Anthony W. Ricks and Timothy P. Stacy, titled “Vendor Risk Management” (First Quarter 2011); and an Outlook Live webinar presented on May 2, 2012, titled “Vendor Risk Management — Compliance Considerations.”
⁷ “Unfair or Deceptive Acts or Practices by State-Chartered Financial Institutions,” on p. 5 (UDAP Guidance). In addition to the UDAP Guidance, the Federal Reserve issued Consumer Compliance Examination Procedures for the Unfair or Deceptive Acts or Practices Provisions of Section 5 of the Federal Trade Commission Act ; hosted a webinar on March 5, 2013, through Outlook Live titled “UDAP — Analysis, Examinations, Case Studies, and Emerging Risks” ; and hosted a webinar on July 29, 2015, titled “Common Violations and Hot Topics.”
⁸ The CFPB is considering rules for payday loans, vehicle title loans, deposit advance products, and certain high-cost installment and open-end loans.
⁹ The 2009 Interagency Fair Lending Examination Procedures, p. 12. The Federal Reserve hosts annual interagency fair lending hot topics sessions.
¹⁰ UDAP Guidance on pp. 8–9
¹¹ On December 11, 2014, the banking agencies issued guidance on compliance concerns for social media.
¹² Regulation B, 12 C.F.R.1002
¹³ Outlook reviewed these requirements. See Jeffrey Paul and Gary Louis, “Moving from Paper to Electronics: Consumer Compliance Under the E-Sign Act.” Consumer Compliance Outlook (Fourth Quarter 2009).
¹⁴ 12 C.F.R. §1005.33(b)(1)(i)
¹⁵ CA Letter 14-4.
¹⁶ 12 C.F.R. §1024.33(b)(3)
¹⁷ 12 C.F.R. §1026.39
¹⁸ CA Letter 13-6 “Minimum Standards for Prioritization and Handling Borrower Files with Imminent Scheduled Foreclosure Sale,” issued April 23, 2013, sets forth guidance on sound business practices for residential mortgage servicing that Federal Reserve-supervised financial institutions are expected to address in their collections, loss mitigation, and foreclosure processing functions.
¹⁹ 12 C.F.R. §1026.36(c)(3)
²⁰ 12 C.F.R. §1030.5