Overview

On May 22, 2014, the Consumer Financial Protection Bureau ("CFPB") issued its latest in a series of periodic reports that highlights significant activities and findings of its Office of Supervision. In this edition of the "Supervisory Highlights" report, the CFPB focused on the results of its examinations of non-bank companies, including credit reporting agencies, payday lenders, and debt collectors. Although the report runs twenty-nine pages long and consists of thousands of words, it might as well be a single line consisting of just two simple words, typed in all capital letters, bolded, underlined, and punctuated with an exclamation mark: COMPLIANCE MANAGEMENT!

The CFPB's Compliance Management Expectations

By now, it should come as no surprise that the CFPB expects providers of consumer financial products and services to self-regulate their businesses so that supervisory examinations and law enforcement investigations are not required to uncover or correct violations of law or to protect consumers from harm.

The CFPB has announced its expectations regarding compliance management loudly and repeatedly. For example, the CFPB's Supervision and Examination Manual (the "Manual") devotes an entire chapter to establishing detailed standards for compliance management systems. The Manual states that "the CFPB expects every regulated entity under its supervision and enforcement authority to have an effective compliance management system adapted to its business strategy and operations." According to the Manual, the components of such a system include:

  • active oversight of a company's compliance management activities by its board of directors and management;
  • the establishment of a robust compliance program, led by a qualified and experienced chief compliance officer, to set compliance policies and procedures covering all product and service lifecycles, to monitor the company's business units for and to correct compliance weaknesses, and to train the company's directors, managers, and employees about their compliance responsibilities;
  • the establishment of a system for logging, tracking, and promptly investigating and responding to consumer complaints and for taking both individualized and systemic corrective actions in response to such complaints, as appropriate;
  • a periodic independent audit of the company's compliance with consumer financial laws and adherence to internal policies and procedures.

Both the Manual and a 2012 CFPB bulletin likewise make clear that the CFPB expects regulated companies not only to comply with consumer financial laws, but also to ensure that any third party service providers that they hire do so as well. These expectations include:

  • selecting third party service providers carefully;
  • inserting provisions in contracts which hold third party service providers accountable for non-compliance;
  • monitoring the work of third party service providers;
  • insisting that third party service providers take corrective actions, when necessary; and
  • terminating contracts with third party service providers, when appropriate.

Moreover, in almost every CFPB enforcement order that the CFPB has published to date, the CFPB has alleged that the regulated companies it investigated failed to prevent, detect, or remedy conduct that constituted violations of law; it has also prescribed enhancements to the companies' compliance management systems to prevent such violations from recurring in the future.

A Recent Enforcement Example

In one recent consent order, for example, where the CFPB alleged that a large bank marketed credit protection add-on products in a deceptive manner to its credit card customers, the CFPB also alleged that "[t]he Bank's compliance monitoring, Service Provider management, and quality assurance yielded ineffective oversight and did not, in certain instances, prevent, identify, or correct... improper sales practices in marketing the Credit Protection Covered Products." The CFPB ordered the bank to cease marketing these products until it submits to the CFPB a compliance plan "specifically designed to prevent all violations of applicable Federal consumer financial laws in the sale and administration" of the products. It also required the bank to improve its service provider management program and to augment its policies for preventing unfair, deceptive, and abusive acts and practices.

The CFPB imposed these remedies in addition to requiring the bank to provide $727 million in relief to consumers and pay a $20 million civil money penalty. Other CFPB consent orders allege similar compliance management failures and prescribe similar substantial remedies.

Further Emphasis on Compliance Management

In each prior edition of the Supervisory Highlights report, the CFPB has emphasized the paramount significance of compliance management. In the Summer 2013 edition of the report, the CFPB noted that "[n]early every examination or targeted review conducted by the CFPB contains an assessment of an entity's [compliance management system]." In the Fall 2012 edition, the CFPB stated that "one of the most important responsibilities of the CFPB supervisory program is assessing the quality of the compliance management systems employed by the financial institutions under the CFPB's jurisdiction."

Notwithstanding the CFPB's consistent emphasis on compliance management and its public floggings of those companies that have failed to heed its warnings, the CFPB's latest Supervisory Highlights report is rife with examples of egregious failures of compliance management. The report cites consumer reporting agencies, debt collectors, and payday lenders that CFPB examiners found to have no formal compliance management systems, insufficient board and management oversight of systems, and either no chief compliance officers or ineffective ones, as well as companies that have failed to document their policies and procedures in writing, update policies and procedures regularly, track or analyze consumer complaints, and exercise adequate oversight of their business relationships with third party service providers.

Compliance Management Excuses

Why are many regulated companies still failing to meet even their basic compliance obligations almost three years after the inception of the CFPB? Numerous excuses exist, but none of them appear to be acceptable to the CFPB. Moreover, many of these excuses are based upon mistaken or delusional understandings of how the CFPB operates. Below are a few of the most commonly expressed excuses along with brief refutations of their validity.

The CFPB can't possibly be serious.

This is a frequent and naïve refrain that is voiced mostly by non-bank companies which are unaccustomed to any oversight from federal or state regulators, to sustained and systematic oversight, or to the particular brand of oversight that the CFPB brings to the table. For regulated companies that have yet to endure a CFPB supervisory examination or an enforcement investigation, these experiences are the corporate version of a body cavity search - they are invasive, uncomfortable, thorough, and likely to uncover whatever secrets are hidden inside. Those companies that expect lax, episodic, infrequent, or incompetent oversight from the CFPB - similar, perhaps, to what they may have experienced from other regulators - will find that the CFPB is uniquely motivated and well-equipped to do its job. In sum, the CFPB is very serious about its work.

I'm too small to be scrutinized by the CFPB.

Another common and misguided view is that the CFPB pursues only the biggest fish in the pond and that smaller fish are free to swim through the water with reckless abandon. It is true that the CFPB does not supervise banks and credit unions with $10 billion or less in assets or smaller participants in certain non-bank markets. It is also true that, in general, the CFPB prioritizes companies and conduct that have the broadest impact on consumers. However, companies should not conclude from these facts that the CFPB lacks the authority, will, or resources to focus on smaller companies.

As to small banks and credit unions, the CFPB may not have primary jurisdiction to supervise them, but it can require reports from them, participate in examinations of them performed by their primary regulators, provide input into their examination reports produced by such regulators, and refer any violations of law that they discover to these regulators.

As to non-bank companies in the debt collection, credit reporting, and student loan servicing markets that are too small to be subject to the CFPB's supervisory jurisdiction (pursuant to rules that limit such jurisdiction to larger participants in those markets), the CFPB has stated that it can and will utilize its ancillary authority to acquire jurisdiction over such companies to the extent that it deems them to be engaging in practices that pose risks of harm to consumers. Regardless of whether the CFPB finds it necessary to supervise these companies, it is authorized to engage in law enforcement actions against them. It is also important to note that certain categories of non-bank companies are subject to the CFPB's supervisory jurisdiction regardless of their size, including payday lenders, providers of private education loans, residential mortgage originators, brokers, and servicers, loan modification providers, and foreclosure relief service providers.

Moreover, the CFPB's enforcement record makes clear that it does prioritize actions against small companies to the extent that they are engaged in conduct that is particularly egregious. For example, some of the CFPB's earliest enforcement actions targeted small companies alleged to be perpetrating brazen mortgage loan modification scams.

Although the CFPB has limited resources at its disposal to conduct examinations and investigations of small companies, its capabilities to do so are expanding rapidly as it continues to hire examiners and enforcement attorneys at a brisk clip. The latest Supervisory Highlights report states that last year, the CFPB conducted roughly 100 examinations and that this year, the CFPB plans to increase that number by 50 percent. The CFPB also has developed strong partnerships with state regulators and attorneys general, which allows it to augment its resources by referring matters to state agencies that it cannot handle itself.

I have a binder of policies and procedures; I've done enough.

Many regulated companies make the mistake of concluding that all they need to do to satisfy the CFPB is to produce some evidence of a written policy that requires its employees to comply with applicable laws. This conclusion is mistaken because, as noted above, the CFPB expects compliance management systems not only to exist on paper, but also to be implemented and to be effective.

To properly implement a compliance management system, a company must, as noted above, appoint an appropriately qualified and experienced chief compliance officer and endow that individual with the requisite authorities, stature, independence, and resources to do his or her job effectively.

For a compliance management system to be effective, it must actively assess whether a company's business practices, and those of its service providers, actually adhere to written policies and procedures and otherwise comply with consumer financial laws, and, if not, it must prescribe corrective actions to reform such practices.

Even as to policies and procedures themselves, it is not sufficient merely to have in place vague, perfunctory, or static statements of compliance responsibilities. Policies and procedures must be specific, comprehensive, current, and communicated to appropriate individuals within the organization.

My compliance program is effective; I've received only a few consumer complaints and I've resolved them all.

Some companies erroneously believe that, if they receive only a few consumer complaints and resolve all of those complaints promptly and to the satisfaction of consumers, then their compliance management systems must be working properly. Although the CFPB does consider a dearth of consumer complaints and their prompt and fair resolution to be indicators of an effective compliance system, these factors are by no means dispositive.

Indeed, a company's business practices may pose risks to consumers without consumers' knowledge, such that a lack of complaints may not equal an absence of risk. Furthermore, even the receipt of a single complaint by a company may trigger the CFPB's concern if the complaint alleges serious misconduct or harm to consumers that the CFPB believes should not have occurred under the watch of an effective compliance management system.

Likewise, the fact that a company has resolved each of its complaints to the satisfaction of the complaining consumers may not suffice to satisfy the CFPB if the company did not also analyze the complaints to ascertain and address their root causes and to also redress any harm suffered, not only by the complaining consumers, but also by all similarly situated consumers that did not file complaints.

I can safely rely upon contractual provisions to protect me from liability arising from third party conduct.

Although most banks are accustomed to regulators requiring them to account for the conduct of their third party service providers, this is an unfamiliar concept to many non-banks. Some non-banks believe that they are safely insulated from the misdeeds of their service providers because of provisions in their contracts which represent and warrant that service providers are complying and will continue to comply with all applicable laws. They also think they are shielded by contractual provisions which indemnify them from liability arising from the actions of their service providers. Reliance on such contractual provisions is misplaced.

While regulated companies must hold their service providers contractually accountable for compliance with consumer financial laws, contractual provisions alone will not suffice to protect regulated companies from liability. The CFPB has stated clearly that "[d]epending on the circumstances, legal responsibility [for compliance management failures of service providers] may lie with the supervised bank or nonbank as well as with the supervised service provider." Indeed, if a company knows or should know that its service provider is not complying with consumer financial laws, but fails to take action to prevent or mitigate consumer harm, then the CFPB will likely hold that company responsible for the actions of its service provider.

Even an indemnification provision cannot protect a company in certain circumstances. In its enforcement orders, the CFPB typically prohibits companies from seeking or accepting, directly or indirectly, indemnification for or reimbursement of any civil money penalties that it imposes, including reimbursement pursuant to insurance policies. Moreover, indemnification for liabilities other than penalties cannot insulate a company from any reputational or competitive harms that it may suffer if it becomes subject to a public CFPB enforcement action or if, as a part of such an action, the CFPB orders the company to cease-and-desist from providing its products or services to consumers unless and until specified compliance management improvements occur.

Compliance management is too expensive.

Lastly, many regulated companies - particularly if they are small in size - complain that compliance management systems are too onerous and expensive to implement and maintain. These companies calculate that it is cheaper for them to avoid establishing or bolstering compliance management systems unless and until the CFPB uncovers specific weaknesses and orders them to take action. This calculation is a risky one and, too often, it turns out to be dead wrong.

Although effective compliance management systems are indeed costly and difficult to implement and maintain, this expense and burden do not justify ignoring or postponing compliance obligations. To be blunt, the CFPB believes that companies should not be in business if they truly cannot afford to operate their businesses in a manner that is safe for consumers. That said, the CFPB is not entirely insensitive to the issues of cost and burden. As set forth in the Manual, the CFPB permits regulated companies to establish compliance management programs that are commensurate with their respective sizes and with the complexities of their business operations and of the particular laws and regulations to which they are subject. For example, the CFPB recognizes that it may not be necessary for small and simple companies to hire dedicated chief compliance officers; instead it may be appropriate for such companies to assign the responsibilities of a chief compliance officer to an existing employee with other responsibilities.

Companies should also recognize that, however painful it may seem to divert their precious resources to compliance management, this pain will be significantly greater if the lack of an effective compliance management system permits legal violations to occur that the CFPB uncovers during the course of its examinations or enforcement investigations. The costs of remedying such violations can be extremely high, and these costs are likely to be higher if the CFPB concludes that compliance management weaknesses contributed to or exacerbated the violations. The Dodd-Frank Act authorizes the CFPB to increase its assessment of civil monetary penalties from up to $5,000 per violation per day to up to $25,000 per violation per day if violations are reckless, and up to $1 million per violation per day if violations are knowingly occurring.

In other words, companies should construe upfront expenditures on compliance management systems as investments that, in the long term, will yield net benefits associated with avoiding "unforced errors" and the burdens and costs of correcting such errors.

Conclusion

In conclusion, no valid excuses exist for companies regulated by the CFPB to continue to postpone or shirk their obligations to establish, implement, and maintain effective compliance management systems. Unless companies are content to serve as fodder for future editions of the CFPB's Supervisory Highlights report and as the subjects of glowing CFPB press releases announcing eye-popping consumer recoveries and civil money penalties, they will finally make the investments that are necessary to effectively regulate their own conduct and to minimize the risks they pose to consumers.

Region: United States
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.