Consumer Compliance Outlook: Second Quarter 2015

Managing Risk Throughout the Product Life Cycle

By Mark Serlo, Senior Supervision Analysis Team Leader, and Janis Frenchak, Assistant Vice President, Federal Reserve Bank of Chicago, and Jason Lew, Compliance Risk Coordinator, Federal Reserve Bank of San Francisco

Welcome to the seventh anniversary issue of Consumer Compliance Outlook. This issue is dedicated to product risk management, the process by which a financial institution identifies, controls, and mitigates risks for its products and services. The Federal Reserve has published several articles on managing risks associated with new products and services in its Community Banking Connections1 and FedLinks2 publications, reflecting a safety and soundness perspective. This edition of Outlook leverages those articles and examines specific consumer compliance–related risks in greater detail throughout the product life cycle.

Product risk management can be approached in different ways. In this issue, we present a framework for evaluating product risk based on the product life cycle. The cycle begins when a product or service is conceptualized and ends when the institution stops offering it or the consumer stops using it (voluntarily or involuntarily). Each stage of the cycle can be subject to its own risks and challenges, so this article discusses various approaches to managing compliance risk at each product stage. For example, when a lender forecloses on a defaulted residential mortgage loan (the termination phase), specific regulatory requirements that apply must be considered. In contrast, when a financial institution considers a marketing campaign for a new product or service, the institution should ensure that it has considered the applicable laws and regulations at that stage of the product life cycle. The framework we discuss here — focusing on the product life cycle — is simply one approach to the process of product risk management. While this framework references new products and services, it may also be useful for managing the compliance risk of existing products and services.

The format of this issue is slightly different from our regular format. Since we are devoting the entire issue to product risk management, we are dividing each stage of the product life cycle into individual chapters. For easy reference, we have listed the chapters on the table of contents on this page.


In today’s highly competitive banking environment, a financial institution may believe that making changes to the products and services it offers provides an advantage over its rivals and a path to higher profits. While it is understandable that an institution may want to respond to a competitive environment with new products and services, this decision is not without risks. New products or services may be subject to complex regulatory requirements and may necessitate staff training, new disclosures and forms, updated policies and procedures, and system changes and testing. Changes to products and services should also be consistent with corporate strategic objectives. We have found that financial institutions that are successful in introducing new products or services employ a structured and repeatable process to manage any associated compliance risks. “By considering risks before introducing new products and services, management can identify and mitigate them in advance and avoid potentially costly and unintended consequences.”3

Although compliance risk is typically greater for new products than for existing ones, financial institutions must still be vigilant in conducting risk management for their current products as well. One approach is to consider compliance risks throughout a product’s life cycle.

The Product Life Cycle

The product life cycle consists of different stages that a product or service goes through from inception to termination. The following table details the different stages and provides an illustrative (though not exhaustive) list of factors to consider at each stage of the process to help manage consumer compliance risk.

Product Life Cycle

Each of the following chapters discusses a stage in the life cycle process, associated risks at each stage, and some of the management considerations at that specific stage.

The Product Life Cycle
Strategic Considerations

Incorporates the strategic analysis behind an established, new, or modified product: this includes analyzing the strategic fi for the institution and its customers, as well as any components tied to product development (controls, compensation, platforms, etc.) and the overall benefit of the product to the institution and to consumers

  • Strategic goals and areas of expertise
  • Involvement of the board of directors, management, business line, legal, and compliance
  • Regulations or guidance
  • Emerging issues related to the product, including legal activity
  • Processes (developing procedures and operating systems, training staff, monitoring activities, and setting controls)
  • Use and role of third parties
Product Design

Addresses the process of developing the actual product and specific considerations such as profi ability and fee structure

  • Target market
  • Relationship to other products
  • Applicability of laws and regulations
  • Types of fees assessed
  • Delivery systems

Outlines the manner in which the product is targeted and marketed

  • Advertising
  • Cross-selling to customers
  • Targeting solicitations
Product Delivery

Incorporates the components of the initial interface, including the selling and/or  application process

  • Steering risk
  • Applications
  • Disclosures
  • Fees and terms
  • Role of compensation and incentives
Origination or Consummation

Describes the process by which a customer qualifies for and obtains the product or service

  • Disclosures
  • Incentives and compensation structures
  • Pricing and underwriting discretion
Product Use and Duration

Incorporates any and all aspects of a product after the origination or consummation stage; includes servicing, maintenance, dispute and resolution, changes in terms, default or misuse, additional fees, or other costs

  • Periodic statements and disclosures
  • Servicing practices and third-party servicers
  • Communications
  • Repayment options
  • Mobile banking platforms
  • Delivery systems
  • Complaints

Addresses the process of the consumer voluntarily discontinuing use of the product, or the institution’s process of discontinuing the product, or any other process in which the relationship between the consumer and the product ends

  • Communication
  • Procedures and practices
  • Loss mitigation, collection, and foreclosure

Chapter 1 — Strategic Considerations

Board and Senior Management Involvement

“Educating and engaging board members can be valuable in the strategic planning process. Conversely, jumping into a new product or business line without effective challenge from board members can result in future headaches.”
—“Financial Institution Strategies in the New Year: Trends and ExamplesExternal Link by Cathy Lemieux, Community Banking Connections (First Quarter 2014)

The products and services that a financial institution offers reflect the board’s and senior management’s compliance risk appetite and should align with the institution’s strategic plan and its level of expertise. It is important that all key stakeholders — directors, compliance officers, marketing officers, general counsel, operations management, and other senior management — be involved in strategic product decisions. Fully engaging key stakeholders enhances the process of identifying and managing risks.

It is helpful to articulate strategic goals for new products and services with measurable objectives (e.g., to increase market share or to increase noninterest income) and to identify the expected benefit to customers. The goals should be vetted with the board and senior management who need to consider the following issues:

From a supervisory standpoint, compliance examiners will often evaluate new products and services because they can increase consumer compliance risk.5 Management teams are encouraged to discuss proposed new products and services with their regulators to ensure that any regulatory concerns are addressed early in the decision-making process.

Resources and Expertise

Another consideration is whether the institution has the resources and expertise to offer the product or service. We have seen management teams too often introduce product offerings without fully understanding the compliance requirements, the potential risks, the impact on customers, and the resources needed to successfully introduce and provide ongoing operational support for the new product or service. Potential factors to consider include the following:

Third Parties

The decision to use third-party vendors for a product or service should be considered during the strategic planning process. When properly chosen and managed, third parties can provide an institution with valuable expertise and service that the institution cannot cost effectively provide on its own.6 The depth and formality of a service provider risk management program will depend on a number of factors, including the complexity and materiality of the activity being outsourced.

Nonetheless, overreliance on third parties increases compliance risk if they are not adequately monitored. In our experience, financial institutions that do not have the requisite expertise or that do not ensure adequate oversight over their service providers are more likely to encounter challenges complying with the applicable regulatory requirements. In more serious instances, they may be exposed to third-party activities that adversely impact consumers, and such actions may result in adverse outcomes for the financial institution, including enforcement actions and penalties in the most extreme cases.

Chapter 2 — Product Design

Considerations at this stage include the specific features and benefits that will define the product. Examiners occasionally observe that compliance staff members are either absent from the product design and development process or involved only in the final review of a product before it is introduced or after it has been launched and transactions have been consummated. Successful management teams involve compliance staff throughout the entire design and development process.

Risk analysis in the design stage should focus on the specific requirements applicable to the particular product as designed. This helps to ensure that the institution develops an appropriate internal control infrastructure around the product to ensure compliance and to reduce the risk of harm to the consumer.


Successful products and services are designed with fairness in mind. This means delivering a value proposition in which the financial institution earns a profit while satisfying a customer need. It is more than simply complying with specific regulatory requirements, since technical compliance alone does not mean that a product is free from potential consumer harm. As the Federal Reserve Board and the Federal Deposit Insurance Corporation (FDIC) stated in their 2004 joint guidance for unfair or deceptive acts or practices (UDAP): “[T]here may be circumstances in which an act or practice violates section 5 of the FTC Act even though the institution is in technical compliance with other applicable laws, such as consumer protection and fair lending laws. [Financial institutions] should be mindful of both possibilities.”7

With the continued regulatory focus on fairness and consumer harm, institutions should always consider possible UDAP implications for their products and services and should address them early in the design process and monitor them throughout the product life cycle. Examples of questions to ask include:


As financial products and services become increasingly complex, the potential for consumer harm increases. Product features such as numerous conditional requirements, options, or variations contribute to complexity and the level of inherent compliance risk. When a product is overly complex, consumers may not understand all of its features or costs. Moreover, institutions may not be able to deliver the product as promised. Product attributes that may contribute to increased inherent compliance risk include:

To mitigate the risk involved with complex products and services, management may wish to consider simplifying product and service offerings during this stage.

Chapter 3 — Marketing

Marketing involves much more than simply advertising, and the associated compliance risks extend well beyond meeting technical advertising rules. For example, the Interagency Fair Lending Examination Procedures discuss fair lending risks that can arise in marketing, such as the use of marketing programs for residential loan products that exclude geographies within the institution’s assessment or marketing area that have significantly higher percentages of minority group residents than the rest of the assessment or marketing area.9 For this reason, it is important that compliance and marketing staff collaborate in developing all marketing strategies. Bringing compliance into the process early is a sound practice because it is more difficult and costly to make changes later in the process.

An illustrative list of marketing questions for management to consider includes:

UDAP risk increases when products and services are targeted to potentially vulnerable populations. As stated in the UDAP Guidance:

The need for clear and accurate disclosures that are sensitive to the sophistication of the target audience is heightened for products and services that have been associated with abusive practices. Accordingly, financial institutions should take particular care in marketing credit and other products and services to the elderly, the fi vulnerable, and customers who are not financially sophisticated.10


A number of federal laws and regulations apply to advertisements for consumer products and services. Some of the common applicable federal laws and regulations include (but are not limited to):


Product/Service Law/Regulation
All consumer financial products and services UDAP
Credit Equal Credit Opportunity Act (ECOA)/Regulation B Fair Housing Act
Truth in Lending Act/Regulation Z
Deposit FDIC regulations
Truth in Savings Act/Regulation DD
Overdrafts Electronic Fund Transfer Act/Regulation E Truth in Savings Act/Regulation DD
Credit reports Fair Credit Reporting Act/Regulation V


It is important that advertisements, including those on the web and in social media,11 are reviewed to ensure they comply with these and any other applicable laws or regulations. State law also may apply and should be considered.

Chapter 4 — Product Delivery

During the product delivery stage, risk analysis should focus on the initial customer interaction, including the sales and application processes. The interaction will vary based on the institution’s delivery channels, which may include traditional retail branches, the Internet, mobile applications, social media, brokers, referral sources, or other channels. It is essential that the risks within each delivery channel are identified. For example, institutions that use social media for product delivery may be exposed to increased reputation risk arising from any negative public reviews or comments. Activities that result in dissatisfied customers and/or negative publicity could harm the reputation and standing of the financial institution, even if the financial institution has not violated any laws. Therefore, financial institutions engaged in social media will want to be sensitive to, and properly manage, the reputation risks that arise from these activities.

During product delivery, compliance risks arise from regulatory requirements and restrictions regarding applications and the delivery and content of disclosures. For example, creditors must comply with the ECOA (Regulation B), which limits applicant information that may be collected, sets time frames for responding to applicants, and requires applicants to be notified of the action taken within a certain time frame.12 As another example, Regulation E imposes disclosure requirements and substantive restrictions on overdraft programs. Generally speaking, a financial institution may not impose an overdraft fee for a point-of-sale transaction unless the consumer has been given a disclosure and has elected to opt in to the program.

Increasingly, financial institutions are using third parties to deliver the institution’s products or are engaging in cobranding relationships in which third-party products are offered under the institution’s name. In many of these arrangements, the third party is positioned directly between the financial institution and the customer and is closely involved in product and service delivery, often with unfettered access to consumers. Because the board and senior management are ultimately responsible for all aspects of the institution’s operations, effective due diligence and ongoing supervision of the third parties will help to mitigate risks from these arrangements. A proactive approach to oversight may also help financial institutions identify and correct issues as they arise and before they result in violations of law or harm to consumers. As discussed earlier, institutions should also consider fairness in product delivery.

Another key concern is the risk that a customer may be inappropriately steered to a particular product, especially one that involves higher cost or questionable benefit given the particular customer’s circumstances. This risk is exacerbated when incentives, including compensation structures, reward employees or third parties for selling products. Appropriate disclosure of the product cost, features, and limitations to the consumer is critical for these types of products. For example, many institutions offer an overdraft line of credit. If a fee is incurred to transfer funds from the line of credit to the customer’s savings or checking account to cover an overdraft, or if an annual fee is incurred to maintain the line of credit, the fees should be adequately disclosed. If customers do not receive a clear explanation of the overdraft program, or if misleading sales tactics are used, they may be unable to make an informed decision about the product and may expose the institution to UDAP risk.

To help manage product delivery risk, management should consider the following illustrative list of questions:

Chapter 5 — Origination or Consummation

Once the customer has decided on a product or service, factors to consider at the origination or consummation stage include qualifying the customer for the product, providing the required disclosures, and ensuring the disclosures accurately reflect the contractual costs and terms of the transaction. Depending on the product or service being offered and its means of delivery, specific regulatory requirements, including disclosures, may apply. For example, an institution that originates products online will also generally provide the requisite disclosures through electronic means, subjecting the institution to the provisions of the Electronic Signatures in Global and National Commerce Act (E-Sign Act).13 For credit products, the institution should also consider potential fair lending risk. Inadequately controlled pricing and underwriting discretion increases the risk of disparities on a prohibited basis. Strong controls around product pricing and underwriting can mitigate these risks. Financial institutions should have well-documented qualification standards and pricing guidelines. Recognizing, documenting, and monitoring exceptions to policy are critical for mitigating fair lending risk.

When evaluating for UDAP risk during origination and consummation, the disclosures, product materials, and contractual agreements should be consistent with one another and clear, especially as they relate to the costs and terms of the transaction. In addition, disclosures or any other product information provided to the consumer should not include claims, representations, or statements that may mislead consumers about the cost, value, availability, cost savings, benefits, or terms of the product. As discussed earlier, compliant disclosures alone are not sufficient to prevent a UDAP finding if the consumer was otherwise misled about material product features.

To ensure the risk is appropriately managed during origination and consummation, management should consider the following illustrative list of questions:

Chapter 6 — Product Use and Duration

The compliance risk of a product or service varies depending on its complexity and the duration of its use. The risk is typically greater for complex products such as a home equity line of credit or products that involve change over their life cycle (such as a variable rate mortgage), and when the usage period is long (such as a 30-year mortgage).

By contrast, products that only involve a single point-in-time transaction have less risk. For example, the servicing of a mortgage loan is subject to numerous regulatory requirements during its long life cycle. These can include frequent borrower communications (such as periodic statements and subsequent disclosures), processing of regular payments, and the need to abide by specific servicing rules. Conversely, a remittance transfer, once sent, will likely have regulatory risk only if a consumer files a dispute, which generally must be done within 180 days of the disclosed funds availability date.14

Regulatory Requirements and Guidance

Depending on the product, service, or the delivery system used, specific regulatory requirements and restrictions may apply.

The more common requirements and restrictions may include, but are not limited to:

Subsequent disclosures may include those for:

New servicing practices may include those for:

An institution should also consider guidance issued by regulatory agencies. For example, the federal banking agencies recently issued guidance on home equity lines of credit (HELOCs) nearing their end-of-draw periods.15 As noted in the guidance, supervised institutions are expected to promote compliance with applicable laws and regulations and to have adequate risk management practices to monitor, manage, and control the risks in their HELOC portfolios as lines near their end-of-draw periods.


Regularly reviewing and evaluating customer complaints can provide insights into how well customers understand the institution’s products and services. Complaints can come from a variety of sources, including customer service calls, written complaints to the financial institution or its primary regulator, customer reviews, or social media.

Because complaints can serve as an early indicator of potential concerns, managing a product or service successfully will include a process to monitor and analyze complaints. While it is important to address the specific concerns of any particular customer, determining whether an issue is systemic and whether other customers may be affected is also important.

Chapter 7 — Termination

The last phase of the product life cycle involves terminating a product or service. This may occur when a product has a fixed maturity, a customer voluntarily closes an account, or bank management decides to discontinue a product or service. Over time, especially in an environment of rapid technological change, customer demand for certain products and services may change. For example, consumers have largely shifted away from using paper checks and are relying instead on bill pay services, debit and credit cards, and, increasingly, mobile payments to make payments or purchase goods and services.

An illustrative list of factors to consider during both customer and financial institution initiated termination of a product or service includes:

Financial Institution Initiated Termination

Product Maturity and Voluntary Account Closures

Does the institution respond accordingly to voluntary account closures? For example, Regulation Z19 contains specific requirements for responding to payoff requests.

Does the financial institution comply with applicable regulatory and contractual agreements at product maturity or voluntary account closure? For example, when a certificate of deposit account automatically renews, the financial institution may be required to send a maturity notice and renew the certificate of deposit according to the previous account agreement.20


Innovation, market conditions, and consumer demand will always lead to new products and services in the financial services industry. The institutions that are most successful in introducing new products and services consider consumer compliance risk throughout the product life cycle. This framework considers various institutional, legal and regulatory, and environmental risk factors that may be present at each life cycle stage of the product or service. This comprehensive approach for managing compliance risk helps to ensure that financial institutions can obtain the benefits of the new products and services and avoid the unintended consequences that can derail an institution’s product strategy. Specific issues and questions should be raised with your primary regulator.