Recently the Consumer Financial Protection Bureau (CFPB) lost a federal appeals court decision that may affect the financial services industry. In the matter, the CFPB fined the company for actions dating back to 2008, a time frame well before the CFPB was formed in 2010 as a result of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank). Typically a company would be fined for actions dating back just three years.
In addition to this issue, the CFPB was cited for using its own formula to penalize the company, which raised the fine from $6.4 million to $109 million.(1) This was possible because under Dodd-Frank, CFPB violations may be assessed penalties based on a tiered approach. The first tier may amount to a penalty of up to $5,000 per day for violations of federal consumer protection laws. Reckless violations fall under the second tier and may result in penalties of up to $25,000 per day. Institutions that knowingly violate federal consumer protection laws may be assessed penalties of up to $1,000,000 per day.(2)
Implementing better measures to mitigate regulatory risk
Dodd-Frank brought additional regulation to the already heavily regulated financial services industry. For many companies, risk mitigation efforts have focused primarily on putting the proper controls in place, but there is another piece of the strategy that can make a significant difference. Companies that focus on compliance and the effectiveness of associated controls tend to be more successful in identifying and remediating potential violations, and understanding new regulations. Solely focusing on the existence of controls falls short of accomplishing these objectives. The culture and structure of these companies typically aim to self-identify potential violations embedded in their processes, and manage new and evolving issues for their businesses before visits by regulators uncover issues and result in costly remediation.
The following are tips for staying in front of potential regulatory issues, avoiding costly missteps that could result in compliance violations.
Automate wherever possible
Highly manual processes lead to errors; errors lead to violations; violations lead to fines. Lack of automation and detailed documentation is common in the financial services industry, however. This can lead to additional risk. For example, I recently had a conversation with a client who was about to begin a large reconciliation effort. The client explained that the relevant reconciliations processes were documented only through handwritten notes. While there were controls related to the process and reconciliation effort, the effectiveness of the controls to ensure proper reconciliation had not been tested.
Undocumented and unchecked, a particular task within the reconciliation process (which was previously considered low risk) had created a significant issue for the company, and brought about the potential for litigation and regulatory scrutiny. The issue could have been mitigated through automation of complex tasks; formal documentation of the reconciliation processes; and more frequent, risk-based, targeted assessments on the effectiveness of controls in place related to the reconciliation tasks.
To help develop plans to further automate the business, the boards and executive teams that oversee business line management at successful companies can assist in the formation of strategies and implementation of plans to automate or improve processes that mitigate inherent potential compliance issues.
Expand your compliance program
Other traps that many companies fall into are taking small sample sizes and leaving too much time between assessments (usually annually). This approach is not likely to uncover significant issues that can arise in incremental, complex processes. These situations can occur due to process changes over time; system enhancements; or updates to federal, state and agency regulations.
Set up a PMO
If your regulator has identified a matter requiring remediation, incorporating a strong project management office (PMO) into your remediation will help facilitate buy-in from all stakeholders, and provide better assurance that the remediation work is completed thoroughly and correctly. This will decrease the chance that the regulator will have additional or follow-up issues upon review, and will help ensure that deadlines set by the regulator(s) are met, thereby avoiding additional penalties. An effective PMO incorporates:
Validate the steps taken
Realistic deadlines for completion
Strong leadership and communication
Tools to both accomplish the task efficiently, and document the efforts and results effectively
An independent validation process by a third party can be valuable to boards of directors and audit committees. In my experience, regulators appreciate a well-documented validation plan, as well as reports and/or work papers that support its conclusions. Independence allows for a review of the process that will determine if all factors were considered to identify the population that required remediation, confirm that all issues were adequately captured and remediated, and ensure that consumers who may have been harmed were made whole.
It isn’t known yet what this legal decision may mean to companies regulated by the CFPB. Although the loss weakens the CFPB in terms of its unilateral ability to monitor and fine companies, the ruling does not appear to affect the frequency, transparency or ability to fine companies it finds in violation of the vast array of regulations under its purview. At the least, the ruling serves as yet another reminder for financial services organizations to get well ahead of the curve when it comes to developing and implementing forward-thinking risk mitigation processes.
Grant Thornton LLP regularly works with clients to develop, assess and implement comprehensive risk mitigation plans.
Frederick J. Kohm Jr.
Forensic Advisory Services
T +1 215 376 6040