Wells Fargo Consent Orders Are Must-Reads for Bank Risk Management

It has been 10 days since news broke that the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) filed consent orders against Wells Fargo, resulting in a combined $1 billion civil money penalty (CMP). Many headlines about this story focused on the bank’s mortgage and auto lending practices. In reality, there is a more informative story here, especially for anyone involved in bank risk management or compliance.

Of course the 16-page OCC Consent Order for Civil Money Penalty, the 35-page OCC Cease and Desist Order, and the 35-page CFPB Consent Order are not as thrilling to read as a New York Times bestseller, but they are telling. And reading through the orders provides more details than the news blips about them, details that bank risk management and compliance officers can find useful in strengthening their own risk management and compliance practices.

5 Telling Facts in Consent Orders Against Wells Fargo

  1. The Financial Hit Goes Beyond $1 Billion: Most TV and print outlets announced that Wells Fargo was fined $1 billion by the two regulatory agencies. That is true in that the bank’s net CMP was $1 billion. It is interesting to note, however, that the OCC fined the bank $500 million and the CFPB fined it $1 billion, for a total of $1.5 billion in CMPs, although the CFPB agreed to credit the $500 million collected by the OCC against its own penalty. In addition, the orders call on the bank to develop remediation plans for customers it is alleged to have harmed, which will lead to additional costs for the bank.
  2. The OCC Focus Is on Risk Management: While news stories ran with the mortgage and auto lending practice allegations, likely because that was the message in the CFPB order, the OCC focuses first and foremost on risk management before addressing the other two issues. The order’s opening paragraph states that, “The OCC has identified deficiencies in the Bank’s enterprise-wide compliance risk management program that constituted reckless unsafe or unsound practices and resulted in violations of the unfair acts or practices provision of Section 5 of the Federal Trade Commission Act…”
  3. The Alleged Risk Management Deficiencies Extend in Time and Scope: The OCC claims that, “Since at least 2011, the Bank has failed to implement and maintain a compliance risk management program commensurate with the Bank’s size, complexity and risk profile.” The alleged deficiencies also impacted almost every aspect of the program, including the plan’s execution, the expertise of the personnel involved, the assessment and testing of the plan, the reporting to the Board, and its overall implementation.
  4. UDAP and UDAAP Used by OCC and CFPB: As discussed before in this blog, the prohibition on unfair, deceptive or abusive acts or practices (UDAAP) and its cousin, the prohibition on unfair or deceptive acts or practices (UDAP), are handy provisions for regulatory agencies to cite because of their broad scope. In addition to the OCC’s unfairness claim outlined in point #2, the CFPB alleges unfair acts and practices in violation of the Consumer Financial Protection Act (CFPA) in regard to Wells Fargo’s mortgage and auto lending practices. On the former, the CFPB claims that the bank “unfairly failed to follow the mortgage-interest-rate-lock process it explained to some prospective borrowers.” On the latter, it claims the bank “operated its Force-Placed Insurance program in an unfair manner.”
  5. Vendor Management Comes into Play: Both the OCC and the CFPB orders indicate that the auto lending practices in question involved the bank’s vendor, reinforcing the fact that banks are ultimately responsible for the functions being performed by their vendors.

The moral of this story for banks and credit unions of all sizes: make sure that 1) your risk management practices are appropriate for your risk profile; 2) nothing you or your vendors are doing in word or deed can be deemed unfair, deceptive or abusive; and 3) you are routinely monitoring your vendors to ensure that they are fully and effectively complying with all the rules and regulations that apply to your institution and to them.



FFIEC Weighs In on Cyber Insurance

Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement regarding cyber insurance from its member agencies: the Board of Governors of the Federal Reserve System (FED), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). The FFIEC indicated that the purpose of the statement was “to provide awareness of the potential role of cyber insurance in financial institutions’ risk management programs.”

Why Now

While the statement specifically states that it does not contain “any new regulatory expectations” and that cyber insurance is not required by any member agencies, it also describes various factors in the existing environment that call for broader awareness, and the possible acquisition, of cyber insurance:

  • The ever-growing threat of cyber attack: Symantec’s Internet Security Threat Report of March 2018 provides additional context for this factor: “With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so.”
  • Possible inadequacy of general insurance policies: The FFIEC notes that, “traditional insurance policies for general liability or basic business interruption coverage may not fully cover cyber risk exposures without special endorsement or by exclusion not cover them at all.” In addition, “coverage may also be limited and not cover incidents caused by or tracked to outside vendors.”
  • Evolution of cyber insurance marketplace: As cyber attacks grow and evolve, so too does this particular segment of the insurance marketplace.
  • And everything is at risk: The FFIEC warns that nearly every aspect of a financial institution can be harmed by cyber attacks: its financial footing, operational status, legal posture, compliance adherence, strategic plan, and reputation.

First-party Coverage Versus Third-party Coverage

The FFIEC notes that cyber insurance can be structured in multiple ways, from a stand-alone policy to a specific cybersecurity endorsement added to an existing policy. It also explains the difference between first-party and third-party coverage:

  • First-party coverage: “Insures direct expenses incurred by the insured party and may address costs related to customer notification, event management, business interruption, and cyber extortions” (i.e., ransomware attacks).
  • Third-party coverage: “Protects against the claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents at financial institutions.”

Analyzing the Need for Cyber Insurance

For institutions trying to determine whether or not they need cyber insurance, the FFIEC recommends the following actions:

  • Ensure all key parties are involved in the decision-making process: This includes representatives–with expertise and authority–from legal, risk management, finance, information technology, and information security.
  • Conduct appropriate due diligence: This covers both internal due diligence (i.e., compare what you currently have with what you need to fill any insurance gaps) and external due diligence (i.e., examine and analyze possible cyber insurance vendors as you would other third-party vendors).
  • Review cyber insurance needs periodically: The FFIEC recommends including cyber insurance in your annual insurance review and budgeting process.

The Final Word

The FFIEC makes it clear that while cyber insurance can help protect financial institutions, it does not relieve them of their information security obligations: “Purchasing cyber insurance does not remove the need for a sound control environment.” Rather, the FFIEC positions cyber insurance as something that “may be a component of a broader risk management strategy,” not a substitute for one.

Inside the CFPB Semi-annual Report: Enforcement Actions

The CFPB’s most recent Semi-annual Report detailed the enforcement actions it was involved in from October 1, 2016 through September 30, 2017. Although the current CFPB leadership under Acting Director Mick Mulvaney is very different from that of former Director Richard Cordray, whose tenure includes the period above, an examination of these enforcement actions can still provide valuable insight about the CFPB to financial institutions and their risk and compliance management.

Length, Status of CFPB Enforcement Action Proceedings

Of the 54 enforcement action proceedings summarized in its April 2, 2018 Semi-annual Report, the majority (27) were originated by the CFPB in 2017. Another 20 were leftover from work begun in 2016 (12) and 2015 (8). Seven total actions lingered from 2014 (4), 2013 (2), and 2012 (1).

In 31 of the 54 actions, the result was an Order and/or Final Judgment against the defendant(s), while 20 cases are still pending and three were dismissed.

Make-up of Defendants in CFPB Enforcement Actions

The majority of actions described by the CFPB involve traditional financial institutions; however, other less traditional financial institutions (as defined under the USA PATRIOT Act) as well as other types of entities were caught up by the CFPB’s broad reach. These include debt relief firms (2), debt collectors (2), payday lenders (5), title companies (2), lead aggregators (2), law firms (5), credit reporting agencies (3), and pawn brokers (3).

Alleged Violations in CFPB Enforcement Actions

Overwhelmingly, the enforcement actions, either specifically (11) or generally (30), described alleged violations of the Unfair, Deceptive or Abusive Acts or Practices (UDAAP) provisions of the Consumer Financial Protection Act (CFPA). At least under Cordray, UDAAP was clearly a go-to violation for the CFPB, as its broad definitions provide the Bureau with significant leeway. Only time will tell if the CFPB under Mulvaney continues this trend.

Other allegations included, but were not limited to, violations of the Real Estate Settlement Procedures Act (RESPA) (4), the Home Mortgage Disclosure Act (HMDA) (1), the Electronic Fund Transfer Act (EFTA) and Regulation E (3), and the Fair Credit Reporting Act (FCRA) (3).

CMPs and Other Fines in CFPB Enforcement Actions

Perhaps the most telling statistics in regard to the CFPB’s enforcement actions are the monetary ones.

  • The CFPB meted out 37 civil money penalties (CMPs) totaling $117.85 million.
  • The largest CMP was $40 million, followed by a $20 million CMP.
  • Out of the 37 CMPs, 16 were over $1 million.
  • The CFPB ordered defendants to pay restitution/redress/refunds/compensation to victims in the total amount of $279.65 million.
  • The largest redress demand was $107 million, followed by $95 million.
  • One defendant had to forgive or reduce loan amounts totaling $183.3 million.
  • The CFPB ordered disgorgement, the repayment of ill-gotten gains, in the amount of $1.35 million.

This concludes Bank Risk and Compliance Writer’s inside look at the CFPB’s Semi-Annual Report, which also included explanations of the CFPB’s upcoming proposed rules and its upcoming final rules.



Inside CFPB Semi-annual Report: Final Rules Expected

This week Bank Risk and Compliance Writer has been analyzing the CFPB’s Semi-annual Report, which was published on April 2. Monday’s post discussed the CFPB Acting Director’s call for remodeling the Bureau, which includes changing how it is funded and its level of independence. Tuesday’s post covered the CFPB’s plans for upcoming proposed rules, which leads us to today’s post–Final Rules Expected from the CFPB.

Upcoming Final Rules Per CFPB’s Semi-Annual Report

According to its report, there are three proposed rules that the CFPB anticipates finalizing in the near term.

  1. Proposed Rule to Amend the Gramm-Leach-Bliley Act (GLBA) Annual Privacy Notice Requirement: This rule was originally proposed by the CFPB on July 1, 2016 to conform Regulation P to Congress’s amendment of GLBA in connection with passage of the Fixing America’s Surface Transportation Act (FAST Act) in December 2015. As proposed, it would mirror the FAST Act in exempting financial institutions meeting certain conditions from sending annual privacy notices to customers under GLBA. A financial institution “can use the annual notice exemption if it limits its sharing of customer information so that the customer does not have the right to opt out and has not changed its privacy notice from the one previously delivered to its customers.” When finalized, this should provide some compliance relief for institutions that meet the exempting criteria.
  2. Amendments Relating to Disclosure of Records and Information: Originally published in the Federal Register on August 24, 2016, this rule was proposed by the CFPB to revise its original 2011 rule protecting the confidentiality and disclosure of information. The CFPB’s stated purpose for the revision was “to clarify, correct, and amend certain provisions based on its experience over the last several years.” As proposed, the rule would revise and/or clarify these items: 1) rule’s definitions; 2) practices related to the Freedom of Information Act; 3) procedures for requests for information; 4) protection and disclosure of confidential information generated or received by the CFPB in its work; and 5) the Chief Privacy Officer’s authority.
  3. Amendment to the Federal Mortgage Disclosure Requirements under TILA (Reg Z): The CFPB published this proposed amending rule on August 11, 2017. According to the proposal’s summary, this rule relates “to when a creditor may compare charges paid by or imposed on a consumer to amounts disclosed on a Closing Disclosure, instead of a Loan Estimate, to determine if an estimated closing cost was disclosed in good faith.” It goes on to indicate, “Specifically, the proposed amendments would permit creditors to do so regardless of when the Closing Disclosure is provided relative to consummation.” In its comment letter of October 10, 2017 the American Bankers Association expressed its general support of the amendment relieving unintended consequences of the TILA-RESPA Rule. It also summarized its understanding of the amendment for further clarification.

Tomorrow, in the final post of this series, look for an analysis of recent CFPB enforcement actions outlined in the Semi-annual Report.

One Month to Legal Entity Customer Due Diligence Requirements Taking Effect

Bank Risk and Compliance Writer is taking a brief break today from its series on the CFPB’s Semi-annual Report to remind banks that there is one month remaining before FinCEN’s Customer Due Diligence Requirements for Financial Institutions take effect.

On May 11, 2018, covered financial institutions will be required to complete beneficial ownership due diligence on any legal entity customer opening a new account. This means identifying and verifying the identity of each individual who, directly or indirectly, owns 25 percent or more of the equity interests of the legal entity customer (the ownership prong of the rule), as well as one individual with significant responsibility to control, manage or direct the legal entity customer, such as a CEO or CFO (the control prong of the rule).

To help financial institutions understand the rule, FinCEN originally published a CDD Frequently Asked Questions (FAQ) bulletin in July 2016 that covered 26 questions. With the deadline looming, FinCEN added a second CDD FAQ last week, this time covering 37 questions.

A Quick Glimpse at Latest FAQ’s First 10 Questions

Here is a quick recap of the topics covered in the first 10 questions in FinCEN’s most recent FAQ, along with a summary of some of its answers:

  1. Beneficial Ownership Threshold: FinCEN indicates that a financial institution may use a lower ownership threshold than the rule’s stated 25 percent if it deems that appropriate for its risk profile. In other words, institutions can choose to be more stringent than the rule.
  2. Beneficial Ownership and other AML requirements
  3. Complex Ownership Structures: According to the FAQ, “Covered financial institutions must obtain from their legal entity customers the identifications of individuals who satisfy the definition, either directly or indirectly through multiple corporate structures.” FinCEN provides a written and graphic example of this that is helpful for explaining the rule to employees who will be responsible for this task.
  4. Methods for Identification and Verification: FinCEN notes that, “Covered financial institutions must verify the identity of each beneficial owner according to risk-based procedures that contain, at a minimum, the same elements financial institutions are required to use to verify the identification of individual customers under applicable customer identification program (CIP) requirements.”
  5. Beneficial Owner Address: Banks may gather either a residential or business address for beneficial owners.
  6. Legal Entity Representative
  7. Existing Customer as Beneficial Owner of New Legal Entity Customer Account: Per the rule, financial institutions must identify and verify the beneficial owners at the time the new account is opened. The FAQ provides some additional nuance to this requirement, stating that, “If the individual identified as the beneficial owner is an existing customer of the financial institution and is subject to the financial institution’s CIP, a financial institution may rely on its possession to fulfill the identification and verification requirements, provided the existing information is up-to-date, accurate, and the legal entity customer’s representative certifies or confirms (verbally or in writing) the accuracy of the pre-existing CIP information.”
  8. Use of Certification Form: FinCEN clarifies in the FAQ that banks are not required to use its Certification Form, which is available in a Word format and a fillable format. If choosing not to use FinCEN’s form, just make sure to capture all the information it does.
  9. Multiple Sets of Beneficial Ownership Certification Documents
  10. Single Entity Customer Opening Multiple Accounts
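The "directly or indirectly through multiple corporate structures" language in question 3 is the part of the rule that is easiest to get wrong in practice, because an individual can sit below the 25 percent line on every single holding and still cross it once stakes held through intermediate entities are added up. The following is an added example, not FinCEN's code or the FAQ's own illustration. It assumes the usual look-through convention (an indirect stake is the product of the percentages along the ownership chain, and stakes reached through different chains are summed), a hypothetical ownership table constructed for the example, and a configurable threshold so that the lower-threshold option from question 1 can be exercised.

```python
"""Look-through beneficial ownership calculation (added example, not FinCEN's).

Assumptions (not taken from the rule text):
  * An indirect stake through an intermediate entity is the product of the
    percentages along the chain; stakes via different chains are summed.
  * A name that appears as a key in the table is a legal entity to be looked
    through; any other name is an individual (natural person).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data: entity -> {owner: percent of that entity's equity}.
# Alice holds only 30% of CUSTOMER directly, but also 50% of SubCo, which owns
# 40% of HoldCo, which owns 50% of CUSTOMER: an extra 50% * 40% * 50% = 10%.
SAMPLE_OWNERSHIP: Dict[str, Dict[str, float]] = {
    "CUSTOMER": {"Alice": 30.0, "HoldCo": 50.0, "Bob": 20.0},
    "HoldCo": {"Carol": 60.0, "SubCo": 40.0},
    "SubCo": {"Alice": 50.0, "Dave": 50.0},
}

TOLERANCE = 1e-9  # guards against floating-point noise at exact thresholds


def validate(ownership: Dict[str, Dict[str, float]]) -> None:
    """Reject negative percentages or an entity whose owners exceed 100%."""
    for entity, owners in ownership.items():
        total = sum(owners.values())
        if any(p < 0 for p in owners.values()) or total > 100.0 + TOLERANCE:
            raise ValueError(f"{entity}: invalid ownership percentages (sum={total})")


def effective_ownership(
    ownership: Dict[str, Dict[str, float]],
    entity: str,
    _visiting: Tuple[str, ...] = (),
) -> Dict[str, float]:
    """Return {individual: total direct + indirect percent} of `entity`.

    Recurses through intermediate entities; raises on circular ownership,
    which equity structures should not contain and which would otherwise loop.
    """
    if entity in _visiting:
        raise ValueError(f"circular ownership involving {entity}")
    if entity not in ownership:
        raise KeyError(f"unknown entity {entity}")
    totals: Dict[str, float] = defaultdict(float)
    for owner, pct in ownership[entity].items():
        if owner in ownership:  # intermediate legal entity: look through it
            sub = effective_ownership(ownership, owner, _visiting + (entity,))
            for person, sub_pct in sub.items():
                totals[person] += pct * sub_pct / 100.0
        else:  # individual: direct stake
            totals[owner] += pct
    return dict(totals)


def beneficial_owners(
    ownership: Dict[str, Dict[str, float]],
    entity: str,
    threshold: float = 25.0,
) -> List[str]:
    """Individuals whose aggregate stake meets the ownership-prong threshold.

    `threshold` defaults to the rule's 25%; an institution applying a stricter
    internal threshold (FAQ question 1) passes a lower value.
    """
    validate(ownership)
    totals = effective_ownership(ownership, entity)
    return sorted(p for p, t in totals.items() if t + TOLERANCE >= threshold)


if __name__ == "__main__":
    for person, pct in sorted(effective_ownership(SAMPLE_OWNERSHIP, "CUSTOMER").items()):
        print(f"{person:6s} {pct:5.1f}%")
    print("owners at 25%:", beneficial_owners(SAMPLE_OWNERSHIP, "CUSTOMER"))
    print("owners at 10%:", beneficial_owners(SAMPLE_OWNERSHIP, "CUSTOMER", 10.0))
```

The point to take from the sample table is that a simple "who is on the cap table at 25 percent or more" check would list only Alice (30%) and miss Carol, who owns nothing directly but holds 30 percent through HoldCo, and would understate Alice's true 40 percent. Any procedure or vendor tool used to collect the Certification Form data should be tested against a case like this one before the implementation date.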

As you prepare for next month’s implementation date, make sure to review FinCEN’s most recent FAQ and include it in your employee training on the rule.

Tomorrow, Bank Risk and Compliance Writer will return to discussing the CFPB’s Semi-annual Report, specifically the anticipated Final Rules expected from the Bureau in the near term.