CFPB Issues Flurry of Settlement Actions

Since June 13, the Consumer Financial Protection Bureau (CFPB) has issued five settlement notices for a total of over $361 million in restitution or redress and over $16 million in civil money penalties (CMPs). Under the administration of former CFPB director Richard Cordray, that may not have come as a surprise. But considering that under acting director Mick Mulvaney, the CFPB had only issued one other settlement notice in 2018, that of Wells Fargo, this flurry of recent activity is somewhat unexpected.

CFPB Settlements in Last Six Weeks

A review of the five settlement notices indicates that violations of the unfair, deceptive or abusive acts and practices (UDAAP) section of the Consumer Financial Protection Act (CFPA) account for the majority of issues. Violations of the Truth in Lending Act (TILA) also appear in more than one settlement.

Here is a brief synopsis of the notices:

July 20 Settlement with TCF Financial 

In early 2017, the CFPB alleged in a Complaint filed in court that this regional bank had violated Reg E and the CFPA. In September of the same year, the bank filed a Motion to Dismiss, which was only partially upheld by the court. While the Reg E claim was dismissed, the CFPA claim stood, although it was “limited to those claims to customers who opened their accounts on or after July 21, 2011.”

The CFPA claim stemmed from alleged deceptive and abusive conduct by the bank in regard to its overdraft services. Specifically, “Banks must first obtain a consumer’s consent before they can lawfully charge overdraft fees on one-time debit purchases and ATM withdrawals. When attempting to obtain this consent, TCF obscured the fees it charged and made consenting to overdraft fees seem mandatory for new customers to open an account.”

TCF was ordered to pay $25 million in restitution and a $5 million CMP; however, the CFPB agreed to accept a $3 million CMP in consideration of the correlating CMP issued by the Office of the Comptroller of the Currency (OCC).

July 19 Settlement with Triton Management Group

This small-dollar lender is alleged to have violated TILA and the CFPA by engaging in deceptive acts or practices when it misrepresented finance charges on auto loans in Mississippi. The judgment calls for equitable monetary relief in the amount of $1,522,298, which represents the amount customers paid in excess finance charges. The CFPB, however, indicated it would accept $500,000 to satisfy this obligation, in part because of the institution’s “lack of financial resources.” This was also noted as the reason for the $1 CMP imposed on Triton as part of the settlement.

July 13 Settlement with National Credit Adjusters and its CEO

The CFPB alleges that this firm engaged in “unlawful debt collection practices,” which violate the CFPA. The settlement notes that the firm “engaged in unfair and deceptive acts or practices in the collection and sale of consumer debt.”

The firm and its former CEO were each fined $3 million; however, the CFPB said that “full payment of those amounts is suspended” as long as National Credit Adjusters pays a $500,000 CMP and the former CEO pays a $300,000 CMP.

June 30 Settlement with Citibank

After conducting an internal review, Citibank self-identified and self-reported violations of TILA to the CFPB. Per the settlement, Citibank agreed to pay $335 million in restitution to affected customers. The CFPB did not assess a CMP because the bank discovered the violations on its own and voluntarily reported them.

June 13 Settlement with Security Group, Inc.

The settlement agreement alleges that Security Group, Inc., which provides consumer loans, “engaged in unfair acts or practices” in violation of the CFPA. The notice also alleges violations of the Fair Credit Reporting Act (FCRA).

Specifically, “Respondents visited consumers’ homes and places of employment, as well as the homes of their neighbors, to collect or attempt to collect delinquent debt.” This is alleged to have occurred over the course of 12 million visits to over 1.3 million customers. Security Group, Inc. was ordered to pay a $5 million CMP.

CFPB Settlements Do Include Some Leniency

It should be noted that, despite the unexpected flurry of settlements from the CFPB in the last six weeks, the Bureau does appear to be taking all circumstances into account and affording respondents some leniency in terms of financial consequences. In all but the Security Group’s settlement, which reads as the most egregious, the CFPB either agreed to accept a lesser amount than originally stated or chose to impose no CMP or only a nominal one. This likely reflects the philosophy of the current administration.

 

 


Communication: The Oft Forgotten Component of Bank Compliance


Banks spend enormous sums of money each year to meet their federal and state regulatory compliance requirements. They hire professionals with the requisite experience to tackle things like their Bank Secrecy Act and Information Security programs; they invest significant budget dollars in today’s sophisticated compliance software tools; and they spend countless hours developing policies, processes, and procedures to stay compliant.

But despite all that time, money, and effort, the one thing that often gets overlooked when it comes to bank compliance is communicating about it often and to everyone in the organization.

A Steady Stream of Communication

Several years ago, the Financial Crimes Enforcement Network (FinCEN) issued an Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance. While this publication was geared toward BSA programs in 2014, its logic still applies today to a bank’s enterprise approach to compliance. What FinCEN suggested then still holds today: “The culture of an organization is critical to its compliance.”

Building a culture of compliance requires a steady stream of communication.

Upstream Communication

Ever since the 2008 financial crisis, federal banking regulators have emphasized that bank boards are ultimately responsible for all business operations, including compliance. Often, board members come from a variety of industries. Even those with a background in financial services often do not have particular compliance expertise.

That’s why they rely on those within the Compliance or Risk Management Office with the requisite expertise to keep them abreast of changes to regulatory guidance and laws, as well as to internal or external environmental changes that could impact the bank’s ability to comply with existing or changing regulations.

Cross-stream Communication

The Compliance Office is an interdependent function of almost every other bank area, including individual business units, corporate communications, e-commerce, finance, information technology, legal, marketing, product development, operations, risk management, and even third-party service providers. An institution’s ability to effectively comply with its regulatory requirements demands an open and healthy back-and-forth line of communication between the Compliance Office and these other areas.

For instance, if marketing is working with product development to roll out a new product and its corresponding marketing collateral, the Compliance Office should be in the loop. Conversely, if a new regulation is going into effect, such as the General Data Protection Regulation did in May, then it is incumbent upon the Compliance Office to provide timely details and periodic updates to the managers of all directly and indirectly impacted functions.

Downstream Communication

The everyday task of complying with many banking regulations falls on the shoulders of employees in either customer-facing or operations roles. They cannot be expected to do a good job at such compliance if they do not have the support and information they need.

Support comes in the form of senior management emphasizing their dedication to a culture of compliance in every word and action they take. Employees only buy in when they believe senior management is on board and leading the way.

Information should come from the Compliance Office on a timely and routine basis, so that employees understand their responsibility to specific regulations, the importance of complying with them to the overall health of the institution and its customers, and where to go for help if they don’t understand either.

Don’t Let a Failure to Communicate Undermine Your Compliance Efforts

Sophisticated technology has certainly helped streamline bank compliance efforts, but it shouldn’t be considered a replacement for good, old-fashioned communication, which today, thanks to such technology, can be delivered in any number of ways to those who need it, so that it is at their fingertips at all times.

And by good, old-fashioned communication, I mean exactly what your sixth grade English teacher taught you. Explain the who, what, where, when, and why of the situation as concisely and yet comprehensively as possible.

The by-product of such communication is proof to bank examiners of your commitment to building a culture of compliance.

 

Federal Banking Regulators Mete Out $1.078 Billion in CMPs Since April


On May 25, the Federal Deposit Insurance Corporation (FDIC) published its April enforcement actions, which included four orders to pay civil money penalties (CMPs), totaling $160,000. That’s not much of a story, but further digging reveals that between the FDIC, the Office of the Comptroller of the Currency (OCC), the Financial Crimes Enforcement Network (FinCEN), the Consumer Financial Protection Bureau (CFPB), and the Federal Reserve Board (FRB), federal banking regulators handed out $1,078,384,245 in CMPs from early April to early May.

(No enforcement actions were found for this time period on the National Credit Union Administration’s website.)

A closer look at these enforcement actions adds interesting context to the hefty fine total.

Both Individuals and Institutions Fined

In addition to the FDIC’s four orders to pay a CMP, the OCC issued seven such enforcement actions, while FinCEN and the CFPB issued one each, and the FRB issued two, for a total of 17 enforcement actions involving monetary fines. Those actions break down as follows:

  • Seven levied against institution-affiliated individuals: These current and former executives and/or directors were fined a total of $410,000, with CMPs ranging from $5,000 to $175,000.
  • Seven levied against traditional financial institutions: PNC Bank and Wells Fargo were each fined twice and three other banks were fined once by various agencies for a total of $1,069,974,245 in CMPs. The OCC and CFPB-combined $1 billion fine against Wells Fargo represents the majority of the bank fines. However, two other banks were still hit with significant fines: The OCC fined PNC $15 million and the FRB fined Goldman Sachs $54.75 million.
  • One levied against a casino: Per the USA PATRIOT Act’s broader definition of “financial institution,” FinCEN fined a casino (or card club) $8 million.

The Alleged and Admitted Violations

The seven institution-affiliated individuals were fined for a variety of reasons, including conducting unsafe and unsound practices, such as masking reporting losses; violating previous consent orders or failing to correct deficiencies cited in them; understating the allowance for loan and lease losses (ALLL) leading to a false or misleading CALL Report; and causing “the Bank to pay for personal expenditures without disclosure or authorization.”

The remaining CMPs levied against institutions involve the following laws or regulations:

  • Three institutions allegedly violated flood-related regulations: This includes a $5,000 fine from the FDIC, a $12,000 fine from the FRB, and a $207,245 fine from the OCC.
  • Two institutions allegedly violated the Federal Trade Commission Act (FTCA): The OCC fined PNC $15 million for deceptive acts or practices in violation of the FTCA, and it fined Wells Fargo $500 million for unsafe and unsound practices in violation of the same.
  • One institution allegedly violated the Consumer Financial Protection Act (CFPA): The CFPB fined Wells Fargo $1 billion for unfair and deceptive acts in violation of the CFPA; however, it credited the OCC’s $500 million CMP towards the satisfaction of its own fine.
  • One institution admittedly violated the Bank Secrecy Act (BSA): FinCEN’s $8 million enforcement action against the above-referenced casino was due to its failure to establish and implement an effective anti-money laundering program as per the BSA.
  • One institution allegedly conducted unsafe and unsound practices in its Foreign Exchange Trading Business: The FRB fined Goldman Sachs “for deficiencies in Goldman’s internal controls and oversight of traders who buy and sell U.S. dollars and foreign currencies for the firm’s own accounts and for customers.”

The Million and Billion Dollar Fines

If you haven’t kept count, of the eight institutional fines, five of them exceeded a million dollars, three of them consisted of multi-million dollar CMPs, and Wells Fargo’s total fine hit the $1 billion mark.

Perhaps it is worth noting that the other three institutional fines ($5,000, $12,000 and $207,245) were the flood-related violations.

While the Trump administration’s deregulation stance is providing some much welcomed regulatory relief, this month’s worth of CMPs indicates that compliance with remaining laws and regulations is still a priority for federal banking regulators.

 

The OCC’s Risk Outlook

This week the Office of the Comptroller of the Currency (OCC) published its Semiannual Risk Perspective, which gives bank compliance officers and risk managers an important glimpse into the federal banking agency’s current outlook on risk.

Here is a brief summary of the report.

The Basics of the OCC’s Semiannual Risk Perspective

Every six months, the OCC’s National Risk Committee (NRC) issues the agency’s Semiannual Risk Perspective. According to the introduction to the Perspective, the NRC is made up of senior OCC supervisory and policy officials who meet quarterly.

The NRC is responsible for monitoring “the condition of the federal banking system and identifying key risks,” as well as monitoring emerging threats.

This Spring 2018 Semiannual Risk Perspective was published on May 24, 2018, and is based on data as of March 31, 2018, except where otherwise noted.

Overall Report Card

The Perspective’s Executive Summary provides an overall status of the banking system:

  • Condition of Federal Banking System: Strong
  • Comparison of System’s Condition: 2017 and 2018 show improvement over 2016
  • Economic Environment: Supports loan growth and profitability
  • Asset Quality: Sound
  • Capital and Liquidity: Near historical highs
  • Earnings: Improving
  • Overall Risk Management Practices: Incrementally improving

On Operational Risk

The OCC reports that “Operational Risk is elevated as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”

Specific threats to operational risk include the following:

  • Ever increasing threat of cyber attacks
  • Growing bank reliance on third-party vendors to perform critical functions
  • Concentration of third-party risk due to the “consolidation among large technology service providers”
  • Evolving business and operating models that include new delivery channels, products, and services

On Compliance Risk

The OCC warns that Compliance Risk “remains elevated,” with particular concern in the following areas:

  • Bank Secrecy Act (BSA) Compliance Challenges: The combination of the “dynamic nature” of money laundering along with “evolving delivery channels” makes complying with the BSA difficult. The OCC warns banks that are “engaging in such offerings” to refine and update their BSA compliance programs to ensure they are adequately mitigating the associated risks.
  • BSA and Anti-Money Laundering (AML) Compliance Risk Management Systems: The OCC notes that such BSA/AML risk management systems “often do not keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes.”
  • OFAC Sanctions: The OCC questions whether bank OFAC compliance programs are keeping pace with the increasing number and complexity of sanctions programs.
  • Overall Regulatory Complexity: The number of amended regulations and/or highly complex requirements continues to present challenges for banks.
  • Specific Complexity of TRID: The OCC acknowledges the continued bank struggle to incorporate the Truth-in-Lending RESPA Integrated Disclosure (TRID) forms.

On Interest Rate Risk

The OCC states that, “There is uncertainty in how bank deposits will react to increasing interest rates. Banks may experience unexpected adverse shifts in liability mix or increasing costs that may adversely affect earnings or increase liquidity risk.”

Read the OCC’s complete Semiannual Risk Perspective for Spring 2018 for an even more in-depth analysis of the current state of banking in the United States.

 

Wells Fargo Consent Orders Are Must-Reads for Bank Risk Management

It has been 10 days since news broke that the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) filed consent orders against Wells Fargo, resulting in a combined $1 billion civil money penalty (CMP). Many headlines about this story focused on the bank’s mortgage and auto lending practices. In reality, there is a more informative story here, especially for anyone involved in bank risk management or compliance.

Of course the 16-page OCC Consent Order for Civil Money Penalty, the 35-page OCC Cease and Desist Order, and the 35-page CFPB Consent Order are not as thrilling to read as a New York Times bestseller, but they are telling. And reading through the orders provides more details than the news blips about them, details that bank risk management and compliance officers can find useful in strengthening their own risk management and compliance practices.

5 Telling Facts in Consent Orders Against Wells Fargo

  1. The Financial Hit Goes Beyond $1 Billion: Most TV and print outlets announced that Wells Fargo was fined $1 billion by the two regulatory agencies. That is true in that their net CMP was $1 billion. It is interesting to note, however, that the OCC fined the bank $500 million and the CFPB fined it $1 billion for a total of $1.5 billion in CMPs, although the CFPB agreed to accept the $500,000 collected by the OCC as part of its settlement. In addition, the orders call on the bank to develop remediation plans for customers it is alleged to have harmed, which will lead to additional costs for the bank.
  2. The OCC Focus Is on Risk Management: While news stories ran with the mortgage and auto lending practice allegations, likely because that was the message in the CFPB order, the OCC focuses first and foremost on risk management before addressing the other two issues. The order’s opening paragraph states that, “The OCC has identified deficiencies in the Bank’s enterprise-wide compliance risk management program that constituted reckless unsafe or unsound practices and resulted in violations of the unfair acts or practices provision of Section 5 of the Federal Trade Commission Act…”
  3. The Alleged Risk Management Deficiencies Extend in Time and Scope: The OCC claims that, “Since at least 2011, the Bank has failed to implement and maintain a compliance risk management program commensurate with the Bank’s size, complexity and risk profile.” The alleged deficiencies also impacted almost every aspect of the program, including the plan’s execution, the expertise of the personnel involved, the assessment and testing of the plan, the reporting to the Board, and its overall implementation.
  4. UDAP and UDAAP Used by OCC and CFPB: As discussed before in this blog, unfair, deceptive or abusive acts or practices (UDAAP) and its cousin unfair and deceptive acts and practices (UDAP) are often handy regulations for regulatory agencies to cite because of their broad scope. In addition to the OCC’s unfair claim outlined in point #2, the CFPB alleges unfair acts and practices in violation of the Consumer Financial Protection Act (CFPA) in regard to Wells Fargo’s mortgage and auto lending practices. On the former, the CFPB claims that the bank “unfairly failed to follow the mortgage-interest-rate-lock process it explained to some prospective borrowers.” On the latter, it claims the bank “operated its Force-Placed Insurance program in an unfair manner.”
  5. Vendor Management Comes into Play: Both the OCC and the CFPB orders indicate that the auto lending practices in question involved the bank’s vendor, reinforcing the fact that banks are ultimately responsible for the functions being performed by their vendors.

The moral of this story for banks and credit unions of all sizes: make sure that 1) your risk management practices are appropriate for your risk profile; 2) nothing you or your vendors are doing in word or deed can be deemed unfair, deceptive or abusive; and 3) you are routinely monitoring your vendors to ensure that they are fully and effectively complying with all the rules and regulations that apply to your institution and to them.

 

FFIEC Weighs In on Cyber Insurance

Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement regarding cyber insurance from its member agencies: the Board of Governors of the Federal Reserve System (FED), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC indicated that the purpose of the statement was “to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.”

Why Now

While the statement specifically states that it does not contain “any new regulatory expectations” and that cyber insurance is not required by any member agencies, it also describes various factors in the existing environment that call for broader awareness, and the possible acquisition, of cyber insurance:

  • The ever-growing threat of cyber attack: Symantec’s Internet Security Threat Report of March 2018 provides additional context for this factor: “With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.”
  • Possible inadequacy of general insurance policies: The FFIEC notes that, “traditional insurance policies for general liability or basic business interruption coverage may not fully cover cyber risk exposures without special endorsement or by exclusion not cover them at all.” In addition, “coverage may also be limited and not cover incidents caused by or tracked to outside vendors.”
  • Evolution of cyber insurance marketplace: As cyber attacks grow and evolve, so too does this particular segment of the insurance marketplace.
  • And everything is at risk: The FFIEC warns that nearly every aspect of a financial institution can be harmed by cyber attacks: its financial footing, operational status, legal posture, compliance adherence, strategic plan, and reputation.

First-party Coverage Versus Third-party Coverage

The FFIEC notes that cyber insurance can be structured in multiple ways, from a stand-alone policy to a specific cybersecurity endorsement added to an existing policy. It also explains the difference between first-party and third-party coverage:

  • First-party coverage: “Insures direct expenses incurred by the insured party and may address costs related to customer notification, event management, business interruption, and cyber extortions” (i.e., ransomware attacks).
  • Third-party coverage: “Protects against the claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents at financial institutions.”

Analyzing the Need for Cyber Insurance

For institutions trying to determine whether or not they need cyber insurance, the FFIEC recommends the following actions:

  • Ensure all key parties are involved in the decision-making process: This includes representatives–with expertise and authority–from legal, risk management, finance, information technology, and information security.
  • Conduct appropriate due diligence: This covers both internal due diligence (i.e., compare what you currently have with what you need to fill any insurance gaps) and external due diligence (i.e., examine and analyze possible cyber insurance vendors as you would other third-party vendors).
  • Review cyber insurance needs periodically: The FFIEC recommends including cyber insurance in your annual insurance review and budgeting process.

The Final Word

The FFIEC makes it clear that while cyber insurance can help protect financial institutions, it does not relieve them of their information security obligations. “Purchasing cyber insurance does not remove the need for a sound control environment,” which “may be a component of a broader risk management strategy.”

Inside the CFPB Semi-annual Report: Enforcement Actions

The CFPB’s most recent Semi-annual Report detailed the enforcement actions it was involved in from October 1, 2016 through September 30, 2017. Although the current CFPB leadership under Acting Director Mick Mulvaney is very different from that of former Director Richard Cordray, whose tenure includes the period above, an examination of these enforcement actions can still provide valuable insight about the CFPB to financial institutions and their risk and compliance management.

Length, Status of CFPB Enforcement Action Proceedings

Of the 54 enforcement action proceedings summarized in its April 2, 2018 Semi-annual Report, the majority (27) were originated by the CFPB in 2017. Another 20 were leftover from work begun in 2016 (12) and 2015 (8). Seven total actions lingered from 2014 (4), 2013 (2), and 2012 (1).

In 31 of the 54 actions, the result was an Order and/or Final Judgement against the defendant(s), while 20 cases are still pending and three were dismissed.

Make-up of Defendants in CFPB Enforcement Actions

The majority of actions described by the CFPB involve traditional financial institutions; however, other less traditional financial institutions (as per the USA PATRIOT Act) as well as other types of entities were caught up by the CFPB’s broad reach. These include debt relief firms (2), debt collectors (2), payday lenders (5), title companies (2), lead aggregators (2), law firms (5), credit reporting agencies (3), and pawn brokers (3).

Alleged Violations in CFPB Enforcement Actions

Overwhelmingly, the enforcement actions, either specifically (11) or generally (30), described alleged violations of Unfair, Deceptive and Abusive Acts or Practices (UDAAP) as per the Consumer Financial Protection Act (CFPA). At least under Cordray, UDAAP was clearly a go-to violation for the CFPB, as its broad definitions provide the Bureau with significant leeway. Only time will tell if the CFPB under Mulvaney continues this trend.

Other allegations include, but were not limited to, violations of the Real Estate Settlement Procedures Act (RESPA) (4), the Home Mortgage Disclosure Act (HMDA) (1), the Electronic Funds Transfer Act (EFTA) and Regulation E (3), and the Financial Credit Reporting Act (FCRA) (3).

CMPs and Other Fines in CFPB Enforcement Actions

Perhaps the most telling statistics in regard to the CFPB’s enforcement actions are the monetary ones.

  • The CFPB meted out 37 civil money penalties (CMPs) totalling $117.85 million.
  • The largest CMP was $40 million, followed by a $20 million CMP.
  • Out of the 37 CMPs, 16 were over $1 million.
  • The CFPB ordered defendants to pay restitution/redress/refunds/compensation to victims in the total amount of $279.65 million.
  • The largest redress demand was $107 million, followed by $95 million.
  • One defendant had to forgive or reduce loan amounts totaling $183.3 million.
  • The CFPB ordered disgorgement, the repayment of ill-gotten gains, in the amount of $1.35 million.

This concludes Bank Risk and Compliance Writer’s inside look at the CFPB’s Semi-Annual Report, which also included explanations of the CFPB’s upcoming proposed rules and its upcoming final rules.