By Lyn Farrell and Kathryn Reimann
Much has happened since December 2020, when we last provided our thoughts on 2021 compliance priorities. Compliance professionals must be agile and able to pivot so their priorities match the changing events in the country as well as the dynamic regulatory environment that a new administration brings. In our first post we suggested a focus on Fair Lending, UDAAP, CARES Act and COVID-related risks, and Fair Credit Reporting Act compliance. We have seen some developments that reinforce our belief in this list. Here are a few updates, as well as a few more suggestions:
The push for racial justice in the U.S. has intensified and the Consumer Financial Protection Bureau has made clear that this will be a focus of the agency. It is imperative that compliance leaders take a clear-eyed look at their fair lending analyses across their product lines. If anomalies occur, dig into the data to find any problems as early as possible. Devise a rigorous plan to correct them and have your story well in place before any examinations happen.
Also in conjunction with fair lending, take a good look at your advertising, not just for lending, but for banking services themselves. Fair access to banking services is not fair lending, per se, but it is a close cousin and one in which the CFPB seems to have an interest. Make sure your advertising efforts are meant to reach all consumers within your market areas.
We suspected that UDAAP might be an area in which enforcement would heat up, and the alacrity with which the new administration at the CFPB has reversed its January 2020 policy on pleading and enforcing the Dodd-Frank Act prohibition on abusive acts or practices serves to reinforce our view. The 2020 policy, the legality of which was not tested at law, reflected in part debate about the meaning of “abusive” as distinct from “unfair” or “deceptive.” The 2020 policy stated that the CFPB would not find an activity “abusive” if it was also found to be “unfair” or “deceptive.”
In its reversal the bureau stated that the 2020 policy failed to provide additional certainty around the definition of “abusive,” and criticized the “evidence” provided in support of the director’s decision. It also noted that “adhering to a policy that disfavors citing or alleging conduct as abusive when that conduct is also unfair or deceptive is contrary to the Bureau’s current priority of maximizing the Bureau’s ability to successfully resolve its contested litigation, as it does not allow the Bureau to assert alternative legal causes in a judicial action or administrative proceeding.”
So what should compliance officers do? Bank management may expect to see the “abusiveness” prong of UDAAP once again pleaded in enforcement actions. In reviewing advertising, disclosures and features of products and services, compliance officers would be wise to pay special attention to interactions with the elderly and other consumer segments. Disclosures or assumptions that might be “fair” when analyzed against the complete consumer universe could be assessed differently if the marketing effort focused on a specific consumer segment with unique vulnerabilities. Student loan customers might arguably also fall into such a category under certain circumstances, particularly as congressional and administration policymakers increase their focus on questions about loan forgiveness. Care should continue to be taken when monitoring complaints and collection activities regarding student loan servicing activity. Complaints and call center monitoring should also be constructed to highlight trends in complaints about specific product or service features, or fees, that might suggest that a unique or particularly vulnerable consumer segment is complaining at a significantly higher rate than the overall customer base.
In this regard, when mining complaint data, be on the lookout for merchant fraud as well. Several weeks before the CFPB’s rescission of its January 2020 “abusive” statement, the bureau filed a federal court suit against payment processor Brightspeed Solutions and its former CEO. The bureau’s description of this action is instructive: The agency alleges that “Brightspeed . . . continued to process . . . remotely created check payments” for client companies that “tricked consumers, often older Americans, despite being aware of nearly 1,000 consumer complaints, several inquiries from police departments around the country, and return rates averaging more than 20 percent.”
CARES Act and COVID-related Concerns
The Paycheck Protection Program has been extended until May 31, 2021. The program continues to be a bit unwieldy, and new procedures are being written as the program persists. The press continues to highlight allegations of program abuses and fraud. Since lenders are required to certify their borrowers’ certifications, there is a possibility for liability in future reviews of the program. Having excellent risk management controls around the taking and processing of applications is essential, as is ongoing monitoring and testing of completed transactions, with fast follow-up on red flags or suspect activity.
The CFPB has made clear that it will focus on how its regulated institutions responded to government efforts to provide COVID-19 related assistance, including: whether mortgage borrowers were provided the appropriate forbearance; whether stimulus payments were subject to setoff for unpaid fees or loans; and whether banks have a policy of taking PPP applications only from pre-existing customers. Compliance leaders need to understand what their organization’s stance is on these issues and act to document the reasons for all actions taken, as well as the controls that were in place to prevent unfair activity.
Rising areas of focus: anti-money laundering programs
The Financial Crimes Enforcement Network has a raft of new powers and has recently shown that in the aftermath of successful criminal prosecutions, it will follow up with banks that provided banking services over the years to customers guilty of money laundering. Combine this with: the increasing use of cryptocurrencies and transactions in traditional channels; the Corporate Transparency Act’s tightening of oversight required for LLC clients; and the increasing availability of better technology for managing AML monitoring with a focus on outcomes, and you come up with a conclusion that prudent CCOs should be thinking about upping their banks’ AML diligence and game in general.
Food for thought
State law developments. Is your bank’s mechanism for keeping up with state legislation and driving the changes through your change management process up to the task? State legislatures and banking departments continue to be active in areas as diverse as predatory lending, privacy protections, economic access and pay parity, cannabis legalization and more.
Aspirational and other disclosures, including ESG. It is the hope of any chief compliance officer that the board and senior management set the appropriate tone at the top of their bank—backed up by the resources and supportive actions. What effect would it have if your bank management was not willing to publicly say that it was committed to placing integrity, honesty or its clients first? Would it make a difference in compliance and disciplinary program effectiveness if the bank’s employees no longer signed on to a code of conduct that required them to uphold these standards?
As we write this, the Supreme Court considers whether a public company can be sued for fraud in a class action on the ground that if the company failed to disclose a conflict to a counterparty, its public statements such as “integrity is at the heart of our business” and “our clients’ interests always come first” are fraudulent misrepresentations. Whatever your views on this issue, the evolution of environmental, social responsibility and governance topics in boardrooms and among financial regulators should be heightening focus on aspirational statements and their basis.
Who, for example, will make a determination as to whether a bank has sufficiently reasonable grounds for stating that it will be carbon-neutral in 10 years? As more financial institutions issue ESG-related reports, who in the bank is responsible for making sure that the assertions have factual basis, and perhaps more important, that the company and its employees act in a manner consistent with those assertions? As these programs develop, CCOs’ focus on related internal process, governance and ownership around the compliance issues they present will be critical. Is your compliance department involved in these discussions? Our advice is to make sure that you are aware of your institution’s strategy and continue to educate yourself and your colleagues as these areas evolve.
Lyn Farrell is a regulatory strategy advisor for Hummingbird, a regtech company. She is a regulatory attorney with 40 years of experience in banking regulation. Kathryn Reimann is a regulatory advisor to Hummingbird and other institutions and has more than 25 years of experience leading compliance functions at public companies, most recently as the chief compliance officer for Citibank and the Citi Global Consumer Bank.