Consumer Compliance Outlook: Third Issue 2020

Effective Bank Communications Enhance Compliance

By Joel Armstrong, Senior Counsel, Federal Reserve Board, and Alinda Murphy, Senior Examiner, Federal Reserve Bank of Kansas City

Every day, the nation’s banks — ranging from the smallest community banks to the largest financial institutions — communicate with their customers. These communications are a critical aspect of a bank’s operations because the messages share priorities, provide updates on important issues, and convey an institution’s culture to its customers and communities. Moreover, during periods of economic or social stress and bank operational change, effective communication is necessary to share clear and consistent messages that support the bank‒customer relationship. Reviewing those communications can enhance the customer experience and mitigate regulatory, legal, and reputational risks, thus contributing to business success. Banks can control their communications and manage their messaging by implementing policies and practices around a clearly defined corporate culture.1 Effective compliance programs monitor how bank communications enact corporate principles and identify areas where stronger controls may be required. This article provides ideas on how to assess consumer compliance risks in customer communications and strategies for enhancing a bank’s risk controls.


Identifying the various communication channels a bank uses to convey messages to its customers and communities can be a useful first step in promoting effective communication. One approach is to first categorize communications, including oral communications, hard-copy documents, and digital media and electronic communications, which include online platforms such as email, social media, the web, and mobile banking.

Second, the bank may consider whether it uses multiple communication methods for a single customer transaction. For example, loan operations may have separate communications for applications, underwriting, originations, servicing, and collections. Similarly, deposit account operations may have separate communications for onboarding, transaction information, error resolution, and collection functions.

Third, the bank may review whether it communicates with customers, the community, or other business partners through automated systems or third-party vendors. For example, automated and third-party communications could include using interactive voice response systems that intersperse information about bank products between musical selections or the information the bank furnishes to consumer reporting agencies.2

Regardless of bank size or complexity, the resulting list of communication methods the bank uses may be extensive. After the communication methods are identified, it may be appropriate to concentrate compliance resources on the types of communications most likely to result in consumer harm or pose the highest risk of not complying with federal consumer protection laws and regulations. Some banks attribute lower risk to written communications, such as disclosures and notices (e.g., ATM receipts) that have undergone robust compliance reviews. Communications focusing solely on bank name recognition and containing no statements about bank products or services may have lower compliance risk. Consumer chats, text-messaging services, and oral communications during in-person and telephone contacts often pose higher compliance risk absent strong procedures, controls, and monitoring. In addition, communications designed to reach specific populations, such as seniors, racial or ethnic groups, or residents in certain geographic locations, may present higher compliance, legal, and reputational risks.3


Bank communications should accurately reflect the bank’s products and services and maintain the appropriate level of privacy. Failures in these areas expose the bank to compliance, legal, and reputational risks for violating federal consumer protection laws and regulations, including Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices (UDAP).4 Several of these laws and regulations require accurate written and oral bank communications.5 A bank may consider the following methods to assess the effectiveness of its communications and whether they comply with federal consumer protection laws and regulations.

Compare Communications

After identifying bank communications and assessing the risks they pose, a bank may review high-risk communications as an additional control — for example, to ensure they accurately reflect the bank’s policies and practices. A good starting place may be to evaluate whether the information in those communications is consistent with other written documents, scripts, automated messages, marketing, all types of Internet activity, and recordings. Reviews for consistent communications may also consider the timeframes within which communications are provided to ensure that promotions or other time-sensitive communications were appropriately and consistently handled. It may also be useful to review a sample of internal and third-party service provider (TSP) recordings, emails, and social media communications for consistency.

Protect Customer Privacy

Banks should communicate information with an appropriate level of security and privacy, consistent with applicable laws and regulations. Privacy requirements cover written and oral communications that may range from email transmissions to conversations in a branch lobby.6 Consistent with applicable law, written, electronic, and oral privacy disclosures to customers should accurately reflect the bank’s policy and practices related to the release of nonpublic, personal financial information and data sharing.7 For example, a teller who orally states the balance remaining in a customer’s account or the amount of funds being withdrawn in a manner that may be clearly overheard by others in the lobby. This could expose the customer’s nonpublic personal information to other customers or potential fraudsters and violate privacy and other consumer protection laws and regulations.

Train Frontline Staff

Training the bank’s frontline staff members to ensure they have access to and understand the appropriate bank systems and procedures for providing information to customers may be useful. For example, bank staff can be trained to avoid providing inconsistent deposit interest rate information to customers because of different internal databases. As another example, administrative staff, loan officers, and underwriters can be trained to provide consistent messages to a customer regarding the status of a loan application regardless of the message source. In addition, staff can be trained to provide consistent information to customers for loan and deposit account transactions, including fees, interest rates, and loan or deposit balances ― regardless of how customers receive that information from the bank. To avoid compliance pitfalls, staff can be trained in providing accurate and consistent messaging to prevent discrepancies between hard-copy and electronic contracts, disclosures, notices, marketing materials, scripts, chat logs, and staff and TSP oral statements.

Prepare a Contingency Plan

Strong compliance programs generally have risk management strategies that include contingency planning to help the bank adapt to changing internal and external situations. Effective bank communication plans consider the possibility that events may occur that require implementing new or flexible ways of communicating with customers and communities.8

Providing accurate and consistent messaging can be particularly important when a bank experiences a problem with its operations. For example, a bank customer contacted a Federal Reserve Bank to express concern that a branch closed for the afternoon without advance notice or signage. Customers contacting other bank locations were provided different explanations for the branch closure, leading to rumors within the small community that ranged from a computer system failure to the bank’s permanent closure. In fact, the branch closed because of an isolated area power outage. The situation presented substantial reputational risk because bank management had no contingency plan to ensure its staff was armed with timely, accurate information and for timely customer messaging such as posted notices.

As another example, a bank closed multiple branch locations in response to the current pandemic health crisis but delayed posting signs with accurate information about which branches remained open. This delay resulted in increased call volume and customer complaints about long hold times. The bank also received complaints from customers traveling to multiple branches to find an open lobby. In addition to posting accurate signs at closed branches, the bank ultimately updated the branch information on its website and emailed accurate branch closure information to its customers.

Effective communication can also help during an operation’s emergency if the bank must reduce customers’ access to some channels and redirect them to other channels. A natural disaster might make customers more reliant on drive through, telephone, and mobile applications to obtain services. Such unplanned limitations on customer access highlights the importance of contingency planning covering all communication exigencies.

Designate Spokespersons

Typically, a strong communication compliance strategy clearly identifies who communicates bank messages to customers and the public as well as the types and timing of the messages communicated. Banks can establish a governance structure defining roles and responsibilities, including who will speak, talk, post, tweet, chat, or email on behalf of the bank.9 For example, a bank can develop a process for how and when a loan officer may appropriately communicate an underwriting decision or policy to a credit applicant. Compliance issues have arisen when loan officers erroneously indicated favorable credit decisions before bank underwriting staff had made a final determination regarding a loan application. The complexity of the product or service and the nature of customer contacts may make it feasible to provide designated bank staff with scripts to ensure appropriate messaging. If the bank uses scripts for staff or TSPs, the compliance function may consider periodically assessing whether the scripts are actually in use and, if not, how this affects communication risk.

Avoiding Incentives That Blur the Message

A seemingly clear policy statement may be blurred by monetary or other incentives that convey different messages to bank staff. Instances have been noted in which bank staff does not consistently communicate the provisions in written disclosures or procedures because there are incentives for not doing so. When discussions with staff reveal conflicting bank communications, a bank can consider whether there may be underlying pressures or rewards fostering the inconsistencies.

Managing TSP Communications

Banks are responsible for ensuring their TSP communications comply with federal consumer protection laws and regulations. Banks should monitor TSP communications to customers and communities made on their behalf. In addition to compliance and legal risks, there may also be heightened reputational risk when TSPs use bank branding that results in customers and the community being unable to determine whether their communications are with the TSPs, an affiliated entity, or the bank. TSP contracts can be reviewed to determine whether they reflect bank policies and provide the bank with mechanisms for monitoring and correcting the messages provided to bank customers and communities. Contract provisions can also be reviewed to determine whether they reflect service levels, as appropriate, and customer information security expectations in alignment with the bank’s service culture and risk tolerance. Generally, effective provisions clearly articulate how much control the bank has regarding TSP customer contacts and messaging and how the bank may monitor complaints and conduct oversight activities.10 This can be particularly important when there are emergencies and natural disasters during which bank communications are vital to its customers.


Understanding and managing risks related to bank communications, including communications contingency planning, are essential for an effective consumer compliance program. This article has suggested strategies to help banks strengthen their communications with customers and communities. The bank is responsible for all of its communications, including those conducted through TSPs. The messages sent to customers reflect bank culture and priorities. Banks face significant risks when customer communications are inaccurate, inconsistent, or fail to safeguard customer privacy and comply with the federal consumer protection laws and regulations. Financial institutions should contact their primary regulators with any specific questions.

Related discussion: “Communication Risks Can Result in UDAP Concerns”


1 Robert L. Triplett, III, “Understanding How Culture Drives a Bank’s Mission,” Consumer Compliance Outlook, First Issue 2018.

2 The Fair Credit Reporting Act (12 C.F.R. §1022.42(a)) requires entities furnishing data to consumer reporting agencies to have reasonable policies and procedures for ensuring the accuracy and integrity of the data provided. For more information on these requirements, see Maureen Yap, “Furnishers’ Obligations for Consumer Credit Information Under the CARES Act, FCRA, and ECOA,Consumer Compliance Outlook, Second Issue 2020; Kenneth Benton, “Furnishers’ Compliance Obligations for Consumer Credit Information Under the FCRA and ECOA,” Consumer Compliance Outlook, Second Quarter 2012; and “Supervisory Highlights Consumer Reporting Special Edition,” Consumer Financial Protection Bureau, Issue 20, Fall 2019.

3 For supervisory observations related to using fintech technology for targeted, Internet-based marketing, see the Consumer Compliance Supervision Bulletin (December 2019).

4 See 15 U.S.C. Section 45.

5 Some federal consumer protection law provisions communications that are accurate and not misleading include Regulation M (12 C.F.R. §1013.7(a)); Regulation Z (12 C.F.R. §1026.16(a); 12 C.F.R. §1026.16(d)(5), 12 C.F.R. §1026.16(f), 12 C.F.R. §1026.24(a); 12 C.F.R. §1026.24(i)); Regulation DD (12 C.F.R. §1030.8(a)); Regulation H, Subpart H on Consumer Protection in Sales of Insurance (12 C.F.R. §208.83(b)); Regulation V (12 C.F.R. 1022.54(b)(1)(iv)(G)); and, Fair Debt Collection Practices Act (15 U.S.C 1692, §807). Regulation Z (12 C.F.R. §1026.24(d)), closed-end credit “triggering terms” provisions require additional oral or written disclosures when communications state certain product features.

6 See 12 C.F.R. §1016.10. State laws may contain additional privacy requirements.

7 See Regulation P and Fair Credit Reporting Act (12 C.F.R. §1022).

8 SR 20-3/CA 20-2, “Interagency Statement on Pandemic Planning,” March 10, 2020, indicates an effective pandemic contingency framework includes plans for communicating with customers, including anticipating how to serve customers when access to institution facilities must be curtailed.

9 See CA letter 13-22, “Social Media: Consumer Compliance Risk Management Guidance,” December 11, 2018.

10 See CA letter 13-21, “Guidance on Managing Outsourcing Risk,” December 5, 2018.

Communication Risks Can Result in UDAP Concerns

Communications that are inaccurate, misleading, do not align with actual benefits customers will receive, or omit information customers need to make informed decisions pose substantive legal, reputational, and compliance risks pursuant to Section 5 under the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices (UDAP). This applies to all bank messages. Here we review how such communications have resulted in enforcement actions by federal regulators.

In 2015, federal bank regulators cited a bank for UDAP because the bank failed to implement the deposit reconciliation practices stated in its written policies, account opening disclosures, and oral communications with customers.1 Simply put, the bank’s communications did not align with its actual practice.

In other cases, bank communications about loan discounts or deposit account benefits did not align with bank practices2 or banks miscommunicated information to credit reporting agencies.3 In a 2017 case, the Federal Reserve issued a UDAP enforcement action concerning discount points on mortgages. Notwithstanding the plain language in several bank disclosures, many borrowers who paid discount points received no interest rate reduction or a reduction not commensurate with the discount points paid.4

Similarly, communications that omit material information can lead to deceptive or unfair practices.5 In 2018, the Federal Reserve issued a UDAP enforcement action because a bank misrepresented in communications to customers that the full bundle of deposit account add-on product benefits would be available upon enrollment.6 The bank did not adequately inform customers that they must take action after enrollment to receive some of the benefits. As a result, customers were assessed monthly fees for add-on product benefits even though they could not receive the benefits.

In another enforcement action, in 2019, a bank’s communications omitted information material to the customer’s understanding of the product.7 The Federal Reserve cited deceptive practices for misleading bank communications about how deposit account add-on products operated and their benefits. For example, the bank incorrectly informed customers that a tool would automatically monitor customers’ deposit accounts for fraudulent transactions. However, customers had to review their deposit account transactions each day to identify and report fraudulent transactions before 2:00 p.m. The bank also failed to inform customers of an additional step the customer had to complete online to receive the product’s benefits.

The Federal Reserve has also addressed practices involving third-party vendors. In 2014, 2015, and 2016, the Federal Reserve issued UDAP enforcement actions because banks’ vendors misled students about options and costs associated with financial aid disbursements through the vendor’s debit card under the names of both the banks and students’ schools.8 The enforcement actions specifically addressed communications that misled students about fees and other deposit account terms.9 The lesson is that banks are responsible for communications made on their behalf by their vendors.

Inaccurate or misleading communications by the bank or its vendor present consumer compliance risks. Banks should therefore ensure their communications provide accurate and complete information about products, services, and their benefits.


1 See In the Matter of RBS Citizens Financial Group, Inc. (CFPB docket #2015-CFPB-0020, August 11, 2015).

2 See In the Matter of The Bancorp Bank, FDIC-11-698b.

3 See In the Matter of Conduent Business Services, LLC, Administrative Proceeding File 2017-CFPB-0020.

4 See In Matter of Peoples Bank, FRB Docket 17-041-B-SM (November 28, 2017).

5 See 15 U.S.C Section 45, Dodd‒Frank Wall Street Reform and Consumer Protection Act, 15 U.S.C. Chapter 53.

6 See In the Matter of Community Trust Bank, Inc., FRB Docket 18-024-B-SM (July 25, 2018).

7 See In the Matter of SunTrust Bank, FRB Docket 19-028-B-SM (November 19, 2019).

8 See In the Matter of Cole Taylor Bank, FRB Docket 14-021-E-SMB and 14-021-CMP-SMB (June 26, 2014).

9 See In the Matter of Higher One, Incorporated, FRB Docket 15-026-E-I and15-026-CMP-I (December 23, 2015); see also In the Matter of Customers Bank, FRB Dockets 15-027-B-SM and 15-027-CMP-SM (December 2, 2016).