By Carol R. Van Cleef, Keesha N. Warmsby, Robert S. Niemi
The prospect of a Consumer Financial Protection Bureau (CFPB) examination can be unnerving for even the most seasoned financial institution. For all, the CFPB examination is an important step in the agency's exercise of its supervisory authority, and in some cases it could be a critical step toward an enforcement action. In either case, preparation is essential.
Preparation is time consuming and the CFPB continues to expand the scope of its supervisory efforts, with respect to both frequency and complexity of examinations, even in the face of an uncertain future. Currently, the CFPB oversees 26 federal consumer financial laws, including eight rules issued by the Federal Trade Commission as well as evolving oversight to prohibit unfair, deceptive, or abusive acts or practices.
With limited exceptions, the CFPB sends a Notice of Examination (Notice) approximately 60 days before beginning the examination. Regardless of what type of entity you are or what type of consumer products you offer, 60 days is not enough time to address the CFPB's requests. Based on our experience, if you want to be ready, here is our list of the top 10 things you should consider before you receive the Notice.
1. Develop a CMS ... before you receive the Notice.
The focus of a CFPB examination is the institution's compliance with federal consumer financial laws. An effective compliance management system (CMS) is essential to mitigate the risks of noncompliance to your institution. The CFPB expects an institution to implement a unique CMS that is commensurate with the institution's size and is appropriately adapted to its business strategy and operation. A CFPB exam includes an off-site review of the CMS to determine the scope and intensity of the on-site examination. Weaknesses identified during this review will focus the exam on concerns. Violations of law uncovered during this process can be the basis for an enforcement action initiated by the CFPB.
Ideally, a strong CMS serves as the channel through which the institution:
- Learns about responsibilities with regard to impact of its consumer products.
- Ensures employees understand their roles and responsibilities throughout the product life cycle.
- Reviews operations to ensure these responsibilities are met daily.
- Updates training or product parameters, and takes corrective action when necessary.
- Tracks, reviews and responds to customer complaints, not just those in the CFPB database.
- Reports detailed results to management on a regular basis.
The development of a robust and vibrant CMS deployed across all consumer business lines cannot be accomplished during a 60-day notice period. Establishing a CMS before receiving a Notice will permit you the time to address potential violations of law and position your organization for a positive examination.
2. Ensure compliance is everyone's responsibility.
From the front line to the boardroom, effective compliance should be part of everyone's day-to-day responsibilities. A stout CMS includes an engaged team that understands the value of comprehensive policies and has a thorough knowledge of procedures addressing all consumer financial activities. Training is essential to provide all employees with a better understanding of their appropriate roles and responsibilities. Additionally, a CMS should provide for regular internal audits, complaint tracking and evaluation, followed by regular reporting to leadership regarding results and trends. Realize that the CFPB will hold leadership accountable. Thus, the success or failure of any CMS begins with the institution's leadership.
3. Build your team.
The CMS should also include a designated exam response team. The exam process, like any successful operation, must be managed to address information technology needs and ensure the involvement of human resources, key vendors and a representative of your institution's senior management. Your CMS should identify the Single Point of Contact (SPOC) in your institution for various exams and audits, not just for the CFPB examination. The process should be scripted and rehearsed like a fire drill. The receipt of a Notice should not cause a mad dash for the exits.
4. Read and respond properly.
Once the Notice arrives, circulate it among your team and evaluate the nature and scope of the impending exam. Your SPOC should acknowledge the Notice, identify the Examiner in Charge (EIC) and determine whether there is also a SPOC for the CFPB. Next, establish the acceptable forms of communication, including whether and to what extent email, reports and data transmissions should be encrypted. Your SPOC will need to control and track the flow of information to and from the CFPB immediately.
Quickly identify when the CFPB is expecting your response and whether additional resources are required to collect the data. Begin arranging the appropriate secure space for the CFPB and for your team.
Remember to notify everyone when CFPB examiners will be on-site. Inform your team that all communications with the examiners are on the record and that well-schooled examiners are adept at initiating informal interactions to gain insights, for example, during smoke breaks or even in the elevator. Any off-the-cuff remark could inadvertently impact the direction of your exam.
5. Refine the scope.
Certainly, you will need to provide the CFPB, in a timely manner, with all the data it requests, but you need to clarify and seek to limit the request if it is confusing or overly broad. Also, provide information only as requested. While a standard report may include data specifically requested by the CFPB, it may also include additional and unrequested data that might cause the CFPB to head down another path. This could cause your organization to incur additional expenditures of manpower and other resources.
6. Determine whether you are the target.
Earlier we hinted at two other types of CFPB examinations that do not adhere to the CFPB's standard 60-day notice period. The first instance occurs when the entity is the target of a potential enforcement action. Target Exams focused on a single institution typically are triggered by frequent and questionable conduct. They also may be generated by the nature or extent of consumer complaints that have drawn the attention of the CFPB.
The second is called a Horizontal Exam. This examination looks across multiple institutions and scrutinizes a specific financial product or business practice that may need greater supervision or could be the subject of an enforcement action.
In either circumstance, the CFPB is likely to provide notice of an examination fewer than 60 days in advance. As a result, the organization will have even less opportunity to prepare and refine the scope.
7. Embrace the data by making it a tool in your arsenal.
For the CFPB, data is king. CFPB Supervision and Examination Process - Overview
emphasizes that the supervision and examination process rests on the analysis of data about activities of the institution. Be prepared for the CFPB to have extensive information on your institution before the exam even starts. The CFPB has access to information from public and regulator reporting requirements, consumer complaints it has received, previous examinations conducted or shared by other regulators, and more. Also expect the CFPB to request more data during the examination process for comparison and evaluation.
8. Track your progress.
Your SPOC should closely track the efforts of your exam team, working to review, manage and timely respond to all EIC requests. The reports you generate, along with every customer file, supporting document, communication and record of meetings, should be memorialized. This exercise will certainly be tedious, but will prove invaluable if the exam takes a negative course. If the exam process moves to enforcement, this history will be critical when working with counsel.
9. Decide when to call in reinforcements.
Inevitably your legal team will be stretched during the course of a CFPB examination. Determine in advance when and how outside counsel may be helpful. Whether it is the added perspective or just a less impassioned view, outside counsel can be helpful either behind the scenes or by taking a more active role. Outside counsel can be essential if your institution becomes the subject of a Target or Horizontal Exam. In the event any issues or CMS shortcomings are identified, outside counsel can assist with negotiating the terms of a nonpublic agreement.
10. Identify the right circumstance for a voluntary disclosure.
Your plan should have a strategy for determining when and how to self-disclose a violation of law or regulation â€” especially if it is discovered after the Notice has been received. Ideally, any issue or potential violation impacting consumers will be identified through your CMS before you receive a Notice. This will allow your team to correct and remediate any potential harm to consumers. In reality, not all issues are uncovered through the CMS, and when preparing for an exam, it is not uncommon to identify a compliance deficiency or potential violation.
Disclosures of a regulatory deficiency or violation can be problematic, as the CFPB likely will believe that its examiners would eventually uncover the issue during the examination and therefore discount the late self-disclosure. Again, outside counsel should be consulted on how and when to disclose the issue.
If your institution truly has a robust CMS and meaningfully engages in what the CFPB describes as "responsible conduct," this will favorably affect the resolution and potential action. Certainly, all work done prior to receiving the Notice will have an impact, but if you are subject to a Target or Horizontal Examination, the odds of enforcement dramatically increase and outside counsel will be practical.
The prospect of a CFPB examination can be unsettling. Appropriate anticipation of and preparation for what will happen during the examination can diffuse some of the anxiety and ensure the best possible result for your organization.