2013 cfpb update for internal auditors in financial services

The Consumer Financial Protection Bureau (CFPB)

What Internal Auditors inFinancial Services Should Know

March, 2013

© 2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

2

CFPB’s Recent Areas of Focus

Challenges for Internal Audit

A Deeper Look – Student Lending and Vendor Management

Q&A

CFPB Examinations

Agenda

CFPB Focus Areas


4

The Consumer Financial Protection Bureau (CFPB) assumed transitional authority on July 21, 2011, the first year anniversary of the Dodd-Frank Act (DFA).

The CFPB: An Overview

Mission:

• Conduct rule-making, supervision, and enforcement for federal consumer financial protection laws• Restrict unfair, deceptive, or abusive acts or practices• Take consumer complaints• Promote financial education• Research consumer behavior• Monitor financial markets for new risks to consumers• Enforce laws that outlaw discrimination and other unfair treatment in consumer finance

CFPB Authority is Unprecedented

• Rulemaking• Annual and Special Reporting• Enforcement: up to $1 million per day civil penalties• Examination and Supervision

Priorities

• Consumer Disclosures• Consumer Complaint Intake and Resolution• Unfair, Deceptive or Abusive Acts or Practices (UDAAP)• Specific Activities, Business and Practice


5

• Exam procedures to verify that credit reporting companies are following the law (Sept. 2012)• Study on comparing credit scores sold to creditors and those sold to consumers (Dec. 2012)• Accepting consumer complaints about credit reporting, and issued report detailing how the

nation’s largest credit bureaus manage consumer data (Oct. 2012)

• Appointed 25 consumer experts from outside the federal government to Consumer Advisory Board and created three additional advisory councils: the Credit Union Advisory Council (CUAC), the Community Banks Advisory Council (CBAC), and the Academic Research Council (Sept. 2012)

• Established various partnerships (Department of Defense; FHFA; Department of Justice; Newark, NJ 4311 hotline)

Partnerships and Advisory Councils

• Proposed updates to existing regulations to make it easier for spouses or partners who do not work outside the home to qualify for credit cards (Oct. 2012)

• Announced seeking public comment on how the Credit Card Accountability Responsibility and Disclosure Act of 2009 impacted consumers and the credit card market. (Dec. 2012)

CFPB – Main Themes

Credit Reporting Evaluation

Consumer Credit Card Lending


6

• Finalized January 14, 2013, with a compliance date of January 10, 2014.

• Cover nine (9) key areas, including:

1) Periodic billing statements

2) Interest-rate adjustment notices for ARMs

3) Prompt payment crediting and payoff statements

4) Force-placed insurance

5) Error resolution and information requests

6) General servicing policies, procedures and requirements

7) Early intervention with delinquent borrowers

8) Continuity of contact with delinquent borrowers

9) Loss mitigation procedures

• Generally apply to the entire servicing industry, with limited carve-out for companies that “self-service” 5,000 loans or fewer.

• Broadly “beef up” existing rules under Regs. Z and X, and continue to develop and broaden the applicability of standards first established by the federal banking agencies in their April 2011 consent orders, and National Mortgage Settlement of February 2012.

Mortgage Servicing Rules

CFPB – Main Themes (Continued)


7

• Action against The Gordon Law Firm and the National Legal Help Center for allegedly conducting loan modification scams (December 11th, 2012)

• Three American Express subsidiaries to pay $85 million related to various credit card practices (Oct. 2012)

• Capital One: $140 million in customer restitution, $25 million in CMPs to CFPB, $35 million in CMPs to OCC related to marketing practices (July 2012)

• Discover: pay $200 million consumer refund related to marketing (Sept. 2012)

• Issued warning letters to approximately 12 mortgage lenders advising them to revise potentially misleading advertisements targeted towards veterans and older Americans (Nov. 2012)

• Released bulletin to nationwide specialty consumer reporting agencies regarding their obligation under the law to provide a streamlined process for consumers to request a free annual consumer report under the Fair Credit Reporting Act (Nov. 2012)


Enforcement Actions and Warnings


8

• January 2013 appeals court ruling invalidated recess appointments made to the National Labor Relations Board

• Ruling potentially significant for financial services industry as CFPB Director Cordray was appointed under the same process

• If invalidated, certain of CFPB’s authorities – especially related to non-bank supervision and new rulemakings – would be called into question

• Ultimate impact of ruling still uncertain; case could go to the Supreme Court for a final decision, or Congress and Obama administration could reach compromise allowing Director Cordray to be confirmed by the Senate, bypassing the recess question altogether


Confirmation Hearings

A Deeper Look – Student Lending and Vendor Management


10

Private Student Loans and Campus Financial Products

A Deeper Look

1

• Student Loan report – three major findings (October 16 th, 2012)

‒ Surprises cause borrower confusion

‒ Borrowers report getting the runaround from servicers

‒ Borrowers faced refinancing dead-ends

• Service members have difficulties accessing student loan benefits and protections granted to them under federal rules (October 18th, 2012)

‒ Service members Civil Relief Act (SCRA) gives interest rate and payment benefits to the military

• Exam procedures for student loans to verify that lenders are complying with requirements of federal consumer financial law (December 17th, 2012) including

‒ Using accurate, non-discriminatory advertising or marketing

‒ Making appropriate disclosures

‒ Providing borrowers with accurate account information

‒ Handling borrower inquiries and complaints

• Inquiry on the impact of financial products marketed to students through colleges and universities (January 31st, 2013)


11

• “Clarifying Bulletin” issued April 2012

• CFPB reiterates its authority to examine service providers directly

• Covered banks and non-banks expected to:

‒ Conduct thorough due diligence to validate that service provider is capable of complying with applicable consumer laws;

‒ Obtain and review service providers’ policies, procedures, and other control documentation;

‒ Obtain appropriate contractual commitments;

‒ Establish controls and monitoring to verify compliance;

‒ Promptly and fully resolve any issues, including terminating the relationship if necessary.

• Although concepts are broadly similar to prior federal banking agency guidelines, specific focus on independent P&P reviews and active monitoring is creating significant concerns for industry

• Firms struggling to capture and isolate inventories of their “CFPB vendors” and evaluate how to address these challenges in a risk-focused manner

A Deeper Look (Continued)

Vendor Management Guidance2

CFPB EXAMINATIONS


13

Focus on consumers1

Data driven2

Consistency3

Supervision and Examination Principles


14

The Supervision and Examination Cycle

From: CFPB Supervision and Examination Manual – Version 2, October, 2012


15

A central point of contact for regulatory examiners is formally identified

When requests for information, exam “first day” letters, and similar correspondence is received, ownership of and a due date for each item is assigned and tracked by the central point of contact

A process exists to validate the accuracy and completeness of all requested information before providing it to examiners

The company tracks and is able to reproduce all information provided to examiners

Controls exist to ensure that examiners are directed to the appropriate process owners and/or subject matter experts for each process within the scope of their reviews

A documented process exists to document and track the progress of commitments made to regulators

Financial institutions should establish a formal process to manage regulatory examinations and other requests from/interaction with their supervisory agencies.

Best Practices – Manage Regulatory Examinations


16

Responsibility for managing compliance-related regulatory examinations is formally assigned

Compliance-related examination and self-identified findings and deficiencies, and associated action plans, are tracked centrally

Timely resolution of noted findings and deficiencies is monitored and past due action plans are escalated appropriately to senior management

Status of outstanding compliance issues is furnished periodically to senior management and management and Board committees

Issues and management responses are tracked and action plans tested for effectiveness

Management should establish processes to manage internal and external regulatory reviews, audits and examinations. Management should coordinate these activities and track compliance-related findings and ensure appropriate, sufficient, timely and complete corrective action.

Best Practices – Remediate Identified Compliance Deficiencies


17

The CFPB has clarified that a Civil Investigative Demand (CID) from the Bureau may be challenged by the recipient and that the Director of the Bureau can respond in the following ways:

1. Reaffirm the CFPB’s decision to obtain the information

2. Modify the demand

3. Not move forward with the demand

Early in 2012, the CFPB launched an investigation of alleged kickbacks paid to private mortgage lender and servicer PHH Corp.

PHH Corp. challenged the CID from the CFPB and requested further clarification on the nature of the request.

The CFPB Director responded to the challenge by ordering the organization to comply with the CID within 21 days and made the challenge and the response a public record.

The CFPB has since clarified that challenges to CIDs as well as the CFPB Director’s response will generally be treated as a matter of public record and will be posted on the CFPB website.

Important Dynamics to be Aware of: The PHH Case


19

We’ve noted certain common challenges that the creation of CFPB has generated for Audit functions, including:

• Understanding Unfair, Deceptive or Abusive Acts and Practices (UDAAPs)

• Addressing skills gaps

• Line of defense discussions

• A different auditing mindset

Understanding and adapting to the CFPB’s point of view (different from the perspective of legacy regulators): the CFPB is more concerned with considerations that extend beyond the specific technical requirements of the regulations, e.g.:

• Interest in the extent to which customers understand the products and services a bank offers

• Effective processes to see things from consumer perspective >> is anyone in the business empowered to act as the voice of the customer?

• Responsibility for third-party vendors >> vendor risk management



20

• Top priority for Internal Audit

• Potential risk in virtually every practice associated with consumer financial products and services.

• Challenge: unlike “typical” consumer protection laws, standards for identifying and avoiding UDAAPs are subjective, and not always easy to tie to a single process owner.

• Need: Internal Audit to be more proactive, creative, and willing to have tough discussions with management about avoiding UDAAPs with consumers.

‒ UDAAP enforcement actions to-date show that how a product operates in practice is at least as important as how it was designed to operate.

‒ Deep understanding of process and technology controls throughout the product’s lifecycle (marketing > origination > servicing) is critical.

Understanding UDAAP


21

• Expectation to take a much more technically sophisticated approach to consumer-related Internal Audit work

• E.g. examination of regression-based statistical analysis used to monitor actual lending data for anti-discriminatory practices

• Examiners increasingly focused on/critical of skills of third-party outsourced and co-sourced providers

• Challenges:

‒ Few Internal Audit departments have these highly technical skill sets

‒ Increased competition and cost for specialized expertise

• Need:

‒ Creative leveraging of skill sets across the IA function (e.g., IT, Basel, etc.)

‒ More thoughtful strategies and robust methodologies for selecting and actively managing external partners.

Addressing Skills Gaps


22

• CFPB’s examination model increasing pressure on firms to build more effective first and second lines of defense.

• Banks:

‒ Debates about how or whether monitoring activities across the three lines of defense should be coordinated

‒ Howls of protest from process owners about need to support continuous reviews/audits/exams from multiple parties

‒ Resource competition internally and from a hiring perspective for compliance SMEs

• Non-banks: in many cases, non-banks are having to formalize first-line activities that previously had been undocumented “spot check” exercises, and consider creating a dedicated second line of defense.

Line of Defense Discussions


23

A Different Auditing Mindset

Challenge

Needs

• View on effectiveness of relevant processes

• Proactive behavior

• Customer protection perspective

• Be able to hold tougher discussions with process owners

Examinations beyond the technical boundaries

of rules scrutinizing intent and

even behaviors

+More CFPB rules

underway =Internal Audit to adjust its own perspective and

behavior


24

Q & A


25

Refer to Protiviti’s website for more resources related to Dodd-Frank and other regulatory reforms:

Protiviti (www.protiviti.com/regulatoryreform)

The Solvency Modernization Initiative – Reviewing Key Changes from Recent NAIC Working Groups White paper [CLICK to DOWLOAD]

Executive Perspectives on Top Risks for 2013 Survey results [CLICK to DOWLOAD]

Implementing AML Transaction Monitoring Systems: Critical Considerations Point of View [CLICK to DOWLOAD]

Key Challenges Facing Financial Services in 2013 FS Insights (Volume 4, Issue 2) [CLICK to DOWLOAD]

Setting the 2013 Audit Committee Agenda The Bulletin(Volume 5, Issue 1) [CLICK to DOWLOAD]

Protiviti’s Guide to U.S. Anti-Money Laundering Requirements: Frequently Asked Questions, Fifth Edition Resource Guide [CLICK to DOWNLOAD]

Deriving Value from Mandated Stress Testing FS Insights (Volume 4, Issue 1) [CLICK to DOWNLOAD]

Three Notices of Proposed Rulemaking:1. Proposal on Regulatory Capital and Implementation of Basel III2. Proposal on Advanced Approaches on Market Risk and Risk-Based

Capital Rule3. Proposal on the Standardized Approach for Risk-Weighted Assets

Point of View [CLICK to DOWNLOAD]

Resources

http://www.protiviti.com/en-US/Documents/White-Papers/Industries/Solvency-Modernization-Initiative-Key-Changes-NAIC-Protiviti.pdf

http://www.protiviti.com/en-US/Documents/Surveys/NC-State-Protiviti-Survey-Top-Risks-2013.pdf

http://www.protiviti.com/en-US/Documents/POV/Implementing-AML-Transaction-Monitoring-Systems-Protiviti.pdf

http://www.protiviti.com/en-US/Documents/Newsletters/FS-Insights/FS%20Insights-V4-I2-Key-Challenges-2013-Protiviti.pdf

http://www.protiviti.com/en-US/Documents/Newsletters/Bulletin/The-Bulletin-Vol-5-Issue-1-2013-Audit-Committee-Agenda-Protiviti.pdf

http://www.protiviti.com/en-US/Documents/Resource-Guides/Guide-to-US-AML-Requirements-5thEdition-Protiviti.pdf

http://www.protiviti.com/en-US/Documents/Newsletters/FS-Insights/FS%20Insights-V4-I1-Corporate-Culture-Protiviti.pdf

http://www.protiviti.com/en-US/Pages/Model-Validation.aspx


26

Thank You!


27

Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half International Inc. ("RHI"). RHI is a publicly-traded company and as such, the

materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be

used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.

2013 cfpb update for internal auditors in financial services

Business

companys internal use

consumer data

consumer experts

consumer advisory board

credit cards

credit scores

consumer financecfpb

credit card market