November 1, 2016
Are You Committing "Compliance Malpractice"?
Eric L. Johnson
In a prepared statement to the Consumer Bankers Association earlier this year, Consumer Financial Protection Bureau Director Richard Cordray indicated that consent orders issued in specific enforcement actions are "intended as guides to all participants in the marketplace to avoid similar violations and make an immediate effort to correct any such improper practices." He further stated that these "orders provide detailed guidance for compliance officers across the marketplace about how they should regard similar practices at their own institutions." He put the cherry on top by stating that it would be "compliance malpractice" for company executives "not to take careful bearings from the contents of these orders about how to comply with the law and treat consumers fairly."
The take-away from Director Cordray's remarks was clear: The CFPB's consent orders are not limited to the parties involved; they are meant to have a precedential effect and act as a deterrent for all market participants. If you don't follow the detailed guidance provided in consent orders about how you should regard similar practices at your own company, you are committing "compliance malpractice."
The CFPB's 'regulation by enforcement' strategy has been widely criticized by various industries. Rather than take the time to carefully draft rules that would regulate a product or practice that may cause consumer harm, the CFPB has been using its consent orders to impose industry-wide standards. I liken this approach to what the Federal Trade Commission used to do in the pre-CFPB days: line up the alleged bad actors against the wall, shoot them, and then tell the industry not to do what those alleged bad actors did. When the CFPB uses this 'regulation by enforcement' strategy, there is no proposed rule on which the industry or other stakeholders can comment, and the CFPB is not required to consider the impact that its de facto industry-wide standards will have on an industry.
So, how does this theory work in practice? Take, for example, the CFPB's recent action against First National Bank of Omaha. The CFPB ordered FNBO to provide $27.75 million in relief to 257,000 consumers who were allegedly harmed by illegal practices with credit card add-on products. FNBO allegedly engaged in deceptive marketing tactics and illegally billed consumers for add-on credit products, in violation of the Dodd-Frank Act, which prohibits unfair, deceptive, and abusive acts or practices. FNBO was also ordered to pay a $4.5 million civil money penalty to the CFPB's Civil Penalty Fund. Finally, the CFPB took the unusual step of requiring FNBO to develop "a written enterprise-wide Unfair, Deceptive, and Abusive Acts or Practices ('UDAAP') risk management program for any consumer financial products or services" it offers, either by itself or through its service providers.
Now, you normally wouldn't think to look at a CFPB consent order against a national bank to see what compliance obligations an auto finance company has. But, with the CFPB's 'regulation by enforcement' strategy, that's exactly what you must do.
In making the UDAAP risk management program requirement part of the consent order, the CFPB indicated its expectation that those who provide a consumer financial product or service must develop and implement a UDAAP risk management component as part of their overall Compliance Management System.
The CFPB expects the following components to be included in an enterprise-wide UDAAP risk management program:
1. A written comprehensive assessment, to be conducted on an annual basis, of the UDAAP risk associated with the governance, control, marketing, sales, delivery, servicing, and fulfillment of consumer financial products and services;
2. The development and implementation of written policies and procedures to effectively and continuously manage, prevent, detect, mitigate, and report the UDAAP risks;
3. Comprehensive written training procedures for appropriate employees and service providers on applicable federal consumer financial laws, a company's policies and procedures, and UDAAP; and
4. Written policies and procedures to ensure that risk management, internal audit, and corporate compliance programs have the requisite authority and status so that appropriate reviews of products and services marketed or sold by the company or through its service providers may occur and deficiencies are identified and properly remedied.
In addition, a company must periodically conduct an assessment of its compliance with the UDAAP risk management program. Finally, a company should actively monitor and analyze trends in consumer complaints, new products and services, and customer demographics and make periodic adjustments to the program.
If you fail to follow the FNBO consent order and other CFPB consent orders in connection with similar practices at your own company, the CFPB may allege that you are committing "compliance malpractice." So, sign up for the CFPB's press releases, speeches, and other alerts. Read the CFPB's consent orders and look for detailed guidance about how you should regard similar practices, products, or services at your own company. You don't want to have to defend a charge of "compliance malpractice."