Managing Compliance Risk
July 21, 2011 will be recognized as a seminal date in the history of the American banking system since this date triggers the implementation of a wide array of significant components of the Dodd–Frank Wall Street Reform and Consumer Protection Act, including the formal creation of the Consumer Financial Protection Bureau and the transfer of numerous consumer protection regulations away from the authority of the Federal Reserve and into this new entity. These changes herald the beginning of a new era, in which regulatory sensitivities regarding consumer protection have been heightened to almost unprecedented levels.
Within the sea of change, the role of the bank director in the provision of strong oversight of bank management and related operations has become increasingly critical. Directors must proactively monitor the effectiveness of management and related personnel in not only navigating the bank through trying economic conditions, but also structuring products, services, and operating practices in a manner that ensures compliance with applicable federal and state consumer protection laws and regulations. Directors must also provide continuous oversight of the bank’s compliance monitoring and audit programs in order to ensure that significant issues or concerns are identified and remediated by bank personnel rather than regulatory agencies or the courts system.
Loan Product Risk
One of the key components in the provision of effective oversight of a compliance program is ensuring that bank products are properly assessed, managed, and monitored. All bank products should be subject to periodic risk assessments in order to ensure that all relevant consumer compliance, legal, or operational concerns have been properly assessed. Ongoing assessments are a critical component of any program due to the volume of regulatory changes the banking industry has experienced within recent years. For example, the higher-priced mortgage loan revisions to Regulation Z implemented in 2009 forced many institutions to review their home loan products and pricing and modify these products to either remain below the rate ceilings implemented by this regulation or possess the necessary characteristics, such as escrow accounts and repayment ability tests, to meet compliance requirements while still generating acceptable loan yields.
In the near future, bank’s will be required to continue to re-evaluate loan products offerings, particularly for home loan products, as the Dodd-Frank Act’s provisions related to qualified residential mortgages (QRMs) are enacted. As a brief summary, QRMs are generally defined as loan’s that meet certain underwriting and structure requirements, including the following: the presence of no balloon payments that are greater than twice the average of earlier, regularly scheduled payments, full amortization of a loan’s principal balance over a given loan’s term, the inclusion of an escrow account for taxes and insurance, verified and documented income and financial resources, total fees and points that do not exceed three percent of the total loan amount, as well as several other restrictions that have yet to be fully defined by the Bureau.
Deposit Product Risk
Product compliance risk concerns do not terminate with the bank’s loan product offerings. Although these products have been subject to considerable scrutiny, in part due to the level of regulatory change that has affected consumer residential mortgage loans, deposit products have also become subject to increasingly greater levels of scrutiny, particularly in relation to Unfair and Deceptive Acts or Practices (UDAP). An illustrative example of this issue can be identified within a relatively new product in the retail banking industry: checking accounts which pay significant interest premiums after the account holder has satisfied a defined list of conditions, such as a given number of debit card transactions per month, direct deposit into a specific account, etc. These accounts have been increasingly popular and widespread within the industry; however, they can introduce serious compliance risks into the bank’s operating environment. For example, many institutions have received substantial criticism for the adequacy and accuracy of their advertising and disclosures in relation to describing the conditions that must be satisfied to earn the advertised rate premium. Although specific regulatory criticisms vary, a common finding relates to how institutions described requirements for a given number of transactions per month. Institutions often advertise accounts which require “15 debit card transactions per month”, in addition to other conditions, in order to achieve an advertised premium rate of interest. Unfortunately, problems in this form of disclosure arise because the institution has not defined if 15 debit card transactions must be initiated or posted within a given time frame, which can lead to violations of the Truth-in-Savings Act (Regulation DD) as well as UDAP violations. As a result, institutions must implement effective compliance assessment and monitoring programs to ensure these deficiencies are detected and corrected before products are introduced to the public and create the potential for serious regulatory and legal penalties.
Compliance risks do not terminate with the mix of products offered by a given institution and can instead be heightened by the bank services that accompany these products. One emerging services risk relates to the overdraft protection program offered by many institutions for transaction-oriented deposit accounts. On November 24, 2010, the Federal Deposit Insurance Corporation released guidance specifically for FDIC-regulated institutions regarding this agency’s “supervisory expectations” in regard to the administration of automated overdraft protection programs. Among the FDIC’s litany of “expectations”, the agency mandates that institution “consider” eliminating overdraft fees for transactions that overdraw an account by a de minimis amount, institute appropriate daily limits on overdraft fees, and monitor programs for excessive or chronic customer use undertake meaningful and effective follow-up action regarding financial education or alternative sources of funds in lieu of utilizing overdraft services.
In addition to the guidance released by the FDIC, the industry has also experienced a significant increase in litigation and regulatory penalties in relation to overdraft practices, including a noteworthy federal lawsuit in California in which Wells Fargo Bank was ordered to provide restitution in the amount of $203 million for overdraft practices in which items were paid in order of largest to smallest versus the order in which items were received. Within this lawsuit (Gutierrez v. Wells Fargo), the plaintiffs asserted that the payment processing order utilized by Wells Fargo constituted a blatant attempt to maximize overdraft fee income. As a result of this lawsuit and emerging regulatory guidance, institutions must re-evaluate established overdraft practices to ensure that regulatory and legal risk factors are adequately controlled.
In order to effectively manage the products and services risk discussed above, as well as ensure that compliance programs are capable of efficiently responding to changes in the regulatory environment, directors must ensure that bank management has established robust processes for the identification, assessment, and management of compliance risks. These processes should include the performance of risk assessment activities; delegation of responsibility for both compliance management and monitoring activities to qualified parties, including in-house personnel and third parties; and establishment of effective reporting of both monitoring results and risk assessment activities to the Board of Directors. Each director must also ensure that compliance with consumer protection laws and regulations maintains a key organizational priority in the upcoming years due to the fact that effective management of compliance risk and satisfactory operating performance are becoming increasingly intertwined initiatives.