Self -Policing- An excellent way to Control Your Compliance Destiny

Self- Policing- An excellent way to control your own destiny!

So you are the compliance officer and while doing a routine check on disclosures, you notice a huge error that the Bank has been making for the last year.  The beads of sweat form on your forehead as you realize that this mistake may impact several hundred customers.   Real panic sets in as you start to wonder what to do about the regulators.  To tell or not to tell, that is indeed the question!

Many of our clients struggle with the question of what to do when your internal processes discover a problem.  We have always believed that the best policy is to inform the regulators of the problem.    CFBP Bulletin 2013-06 discusses what it calls “responsible business conduct” and details the grounds for receiving consideration for getting enforcement relief from the CFPB.  In this case, “consideration is somewhat vague and it depends on the nature and extent of the violation, but the message is clear.  It is far better to self-police and self-report than it is to let the examination team discover a problem.

Why Disclose a Problem if the Regulators Didn’t Discover it?  

It is easy to make the case that financial institutions should “let sleeping dogs lay”.  After all, if your internal processes have found the issue, the thing is that you can correct it without the examiners ever knowing, move on and everybody is happy.  Right?  In fact, nothing could be further from the truth.   There was a time when the relationship between regulators and the banks they regulate was collegial, but that is most certainly not the case any longer.   Part of the process of rehabilitating the image of banks is to ensure that they are being well regulated and that misbehavior in the area of compliance is being addressed.

Self- Policing

It is not enough that a bank discovers its own problems and addresses them.  In the current environment, there is a premium placed on the idea that a bank has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change.  An attitude that compliance is important must permeate the organization starting from the top.  To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be.  For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification.  This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff.   The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders.  This seems like a reasonable response, right?

This does not rise to the level of self- policing that is discussed in the CFPB memo; a further step is necessary.  What is the follow-up from senior management?   Will senior management follow up to make sure that the classes have been attended by all commercial lending staff?  Will there be consequences for those who do not attend the classes?  The answers to these questions will greatly impact the determination of whether there is self-policing that is effective.   Ultimately, the goal of a Bank should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management.  The more the regulators trust the self-policing effort, the more the risk profile of bank decreases and the less likely enforcement action will be imposed.


While at first blush self-reporting seems a lot like punching oneself in the face, this is not the case at all.   The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely it is that there will be consideration for reduced enforcement action.  Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust the regulators have in the management of the bank in general and the effectiveness of the compliance program in particular.   The key here is to report at the right time.  Once the extent of the violation and the cause of it have been determined, the time to report is imminent.  While it may seem that the best time to report is when the issue is resolved, this will generally not be the case.  In point of fact, the regulators may want to be involved in the correction process.  In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week!).

It is important to remember here that the reporting should be complete and as early as possible, keeping in mind that you should know the extent and the root cause of the problem.  It is also advisable to have a strategy for remediation in place at the time of reporting.


What will your bank do to correct the problem?  Has there been research to determine the extent of the problem and how many potential customers have been affected?      How did the Bank make sure that whatever the problem is has been stopped and won’t be repeated?  What practices, policies and procedures have been changed as a result of the discovery of the problem?  These are all questions that the regulators will consider when reviewing efforts at remediation.  For instance, if it turns out that the problem has been improperly disclosing transfer taxes, an example of strong mediation would include:

  • A determination if the problem was systemic or with a particular staff member
  • A “look back” on loan files for the past 12 months
  • Reimbursement of all customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation.
  • Disciplinary action (if appropriate for affected employees)
  • A plan for follow-up to ensure that the problem is not re-occurring


Despite the very best effort at self-reporting and mediation, there may still be an investigation by the regulators.  If the regulators start to investigate an area that you have already disclosed, such an instance calls for cooperation not hunkering down.  The more the bank is forthcoming with the information about its investigation, the more likely that the regulators will determine that there is nothing more for them to do.

At the end of the day, it is always better to self-detect, report and remediate.  In doing so you go a long way toward controlling your destiny and reducing punishment!

Customer Complaints- Manage Them or the Whole World Will Know!

Customer Complaints are a Part of the Dodd Frank Act:

As many of us are well aware, the Dodd Frank Financial Regulation Act (“Dodd Frank” or the “Act”) introduced sweeping changes to bank regulation.  Many provisions of Dodd Frank were implemented immediately and are at this point well known.  However, there are several provisions that have either not yet been enacted or are less well known.  Among the less well known provisions is section 1034 of the Act.  This section directs the Consumer Financial Protection Bureau (“CFPB”) to develop a national complaint system.  The system is designed to track both the complaints of consumers that use financial products and the responses of the institutions that offer the products.  The compliant system first went live in 2011 when only complaints about credit cards were accepted.  Since that time, the CFPB has taken complaints about mortgages, bank accounts and services, private student loans, other consumer loans credit reporting, money transfers, debt collection and payday loans.

Did you know that the complaints that are made against you can be made public?   As of July of 2015, not only will complaints be public, but the narrative of the complaint can also be published at the customer’s request! While many of the lobbying groups for banks have found this last part abhorrent, we believe that this practice creates an opportunity for improvement.

The complaint process:

The complaint process is described in the Company Portal Manual that was released by the CFPB in 2011.  The basic process is as follows:

  1. Consumer submits a complaint by web, telephone, mail, or fax to the CFPB, or another agency forwards the complaint to the CFPB.
  2. Consumer Response reviews the complaint for completeness and consistency with [1] our authority and roll out schedule.
  3. Consumer Response forwards the complaint to the company identified by the consumer via the secure company portal (portal). The goal is to route complaints within 24-48 hours of receipt.
  4. Company [2] reviews the complaint, communicates with consumer as appropriate, and determines its response and any related actions.
  5. Company responds to Consumer Response via the portal.
  6. Consumer Response invites the consumer to review and evaluate the company’s response by logging into the secure consumer portal or calling the CFPB’s toll-free number. [3]
  7. Consumer Response prioritizes for investigation complaints where the company failed to respond within the requested timeframe or the company’s response is disputed by the consumer[4]

For banks and financial institutions, it is very important to respond in a complete and timely manner to complaints.  The CFPB’s system will track complaints and will show response times as past due in the event that a complete response is not received.  Make sure that your institutions complaint response policies and procedures are up to date!

When a response is a response

The requirements for a proper response are described in the guidance that was published in June 2013.  The guidance notes that is always up to the institution to decide how best to respond to the customer.  However, it is clear that any response is expected to be completely documented.   For example, if a complaint is about a credit card closing, the documentation that is expected includes the following:

Account closings:

  • Adverse Action notice, including the reasons for the adverse action *
  • Date the account was closed
  • Date the notice was sent to the customer
  • Whether notice sent by postal mail or electronically
  • If sent by postal mail, the address to which the statement (or notification, as applicable) was sent[5]

It is likely that a response that does not include all of this information will result in additional inquiries from the CFPB.  The more complete the document that is relied upon for the response, the better.

Your Complaint may become public  

As of July 2015, the CFPB has decided that the narratives from the customer’s complaints can be made public if the customer consents.  Financial institutions can also ask that their responses also be made public.  Many groups, including the American Bankers Association, expressed grave concerns about the potential for reputation harm based upon the publication of complaints.  Nevertheless, the CFPB determined that the public good was better served by allowing consumers the option to publish their complaints.[6]  The possibility that a complaint against your bank may be published means that your procedures for responding are of critical importance.  Documentation of the reasons for the response should be complete and accurate.  Remember, there will be a possibility that the whole world will see!

Turning a negative into a positive:

The good news in all of this is that one institution’s pain is another’s opportunity for growth!   The results of complaints are published on both an annual and a monthly basis.  This is YOUR opportunity!       Find out what the complaints are and treat each one like an opportunity.   If you note that complaints about debt collection are the most prominent, it will be a good idea to review your banks procedures for debt collection.   Has your bank incorporated the most recent rules and guidance in this area of your practices?  If you are using a vendor, have you completed due diligence of the vendor recently?

The CFPB has made it clear that they are reviewing complaints, compiling the results and directing resources to the areas that experience the highest level of complaints.  The complaint system will be a good barometer for determining the areas of emphasis for examinations in the near future.

[1] The “our” in this quote refers to the CFPB

[2] “Company refers to the institutions who will use the reporting system

[4] CFPB Company portal manual

[5] CFPB  Response Guidance July 2013

[6] Note:  Only “verified” complaints can be made public-there has to be a relationship with the person complaining and a valid basis for the complaint.

Changes in CRA Questions and Answers May Bring Welcome News

One of the more difficult tasks that our clients must accomplish is to try to meet the community development and community service tests in the Community reinvestment Act (“CRA”). For many community banks the opportunities to do community service that qualifies under the requirements of the CRA are very limited.  The same is true with opportunities to conduct community development activities while staying within ones assessment area.   In many cases, the service opportunities have been limited to teaching classes at organizations that serve community needs.  Lending and investment opportunities are often “gobbled up” by the large banks in the assessment area, leaving the community banks to scramble to try and comply with the requirements of the regulation.

In November of 2013, the FFIEC announced changes to the Community Reinvestment Act Q & A that have the potential to greatly expand a bank’s ability to meet the tests of CRA while doing CRA activities outside of the assessment area.  [1] In addition, the ability to perform community service has also been expanded.  Just remember along with new powers come additional responsibilities and therefore additional risks!

The Changes

There are actually several changes that were adopted in November, 2013. We are only discussing a few that we believe directly impact compliance with the community development tests for small and intermediate banks.  Large Banks are encouraged to read the full text of the changes.

In the past there was wording that suggested that banks could do community development activities outside of the assessment area, the caveat for how these activities might qualify for credit to the bank performing them was unclear.     The original Q & A stated the following:

Q&A §     .12(h) – 6 stated that examiners would consider such activities if an institution, considering its performance context, had adequately addressed the community development needs of its assessment area(s).

In particular, the language created doubt that activities outside of a defined assessment area would be given credit at all. The agencies first proposed new language that indicated that as long as these activities were performed in a safe and sound manner and weren’t done in lieu of activities within the assessment area, they would be okay.  However, because many comments were received [2] the language was changed.  The adopted new language says:

  • .12(h) – 6 states, with respect to community development activities that are conducted in the broader statewide or regional area that includes the institution’s assessment area(s), that “examiners will consider these activities even if they will not benefit the institution’s assessment area(s), as long as the institution has been responsive to community development needs and opportunities in its assessment area(s).”

The definition of what a broader statewide or regional area was left fairly open to a common sense application. There are not specific guidelines for defining these.   It is safe to say that a definition that includes contiguous counties or economic zones that cross state lines (Lake Tahoe in California and Nevada for example) would be an acceptable definition.

Another significant change is the service that can qualify as community service on the part of bank employees.   The current Q & A stated that service to a community group was defined as

  • .12(i) – 3 stated that providing technical assistance to organizations that engage in community development activities (as defined by the regulation) is considered a community development service

For many of our clients this language has been taken to limit the things that bank employees may do to get credit for the community service. The FFIEC clearly wanted to expand that definition and in particular wanted to add that serving on the Board of community service organization can indeed count as community service

  • .12(i) – 3 to clarify that service on the board of directors of a community development organization is an explicit example of a technical assistance activity that could be provided to community development organizations that would receive consideration as a community development service

The idea here is that the service on the Board of these organizations must be active and not symbolic. In what looked almost like a throw away, the FFIEC also added the following:

In addition, in response to commenters’ suggestions, the Agencies are adding the following example of a technical assistance activity that might be provided to community development organizations: providing services reflecting financial institution employees’ areas of expertise at the institution, such as human resources, information technology, and legal services.

Of course this language greatly expands the sort of services that a bank may provide to community development organizations while meeting the service requirements of the CRA.

Broader Implications

Simply put, the more work you do upfront, the more leeway you get!   For example, being able to prove that there is broader region that you serve outside of your assessment area and that this region is legitimately economically connected is an important step in being able to perform community development activities out of the assessment area.

The second step is being able to show that the plan for activities allows the bank to serve the needs of the immediate assessment area while expanding.

We believe that for a plan to expand to activities beyond the assessment must be well thought out, and there must be documentation to show that the plan does not ignore low to moderate income groups within the assessment area. However, for banks that do not have these populations directly within the established assessment area, this is a significant opportunity to expand and reach new levels of community development that had heretofore been unattainable.

The key to a successful expansion is being able to document the idea that the Bank understands the credit needs of the people within the established assessment area.   In conjunction with understanding those needs the bank must be able to show how their activities meet those needs

[1] For the full text of the changes see

[2] We continue to remind our clients that the agencies do read and consider comments they receive!

Your Partner in Balancing Compliance