Imagine the following scenario: you are the compliance officer and while doing a routine check on disclosures, you notice a huge error that your institution has been making for the last year. The beads of sweat form on your forehead as you realize that this mistake may impact several hundred customers. Real panic sets in as you start to wonder what to do about the regulators. To tell or not to tell, that is indeed the question!
There are many different theories on what to do when your internal processes discover a problem. Although it may seem counterintuitive, the best practice, with certain caveats, is to inform the regulators of the problem. CFBP Bulletin 2013-06 discusses what it calls “responsible business conduct” and details the grounds for getting enforcement consideration from the CFPB. In this case, consideration is somewhat vague and it clearly depends on the nature and extent of the violation, but the message is clear. It is far better to self-police and self-report than it is to let the examination team discover a problem!
Why Disclose a Problem if the Regulators Didn’t Discover it?
It is easy to make the case that financial institutions should “let sleeping dogs lay”. After all, if your internal processes have found the issue, you can correct it without the examiners knowing, and move on. Right? In fact, nothing could be further from the truth. The relationship between regulators and the banks they regulate was once collegial, but that is most certainly not the case any longer. Regulators have been pushed by legislation and by public outcry to be proactive in their efforts to regulate. Part of the process of rehabilitating the image of financial institutions is ensuring that they are being well regulated and that misbehavior in compliance is being addressed.
It is not enough to discover one’s own problems and address them. In the current environment, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change. An attitude that compliance is important must permeate the organization starting from the top. To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be. For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification. This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff. The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders. This may seem like a reasonable response, but it is incomplete.
This does not rise to the level of self- policing that is discussed in the CFPB memo; a further step is necessary. What is the follow-up from senior management? Will senior management follow up to make sure that the classes have been attended by all commercial lending staff? Will there be consequences for those who do not attend the classes? The answers to these questions will greatly impact the determination of whether there is self-policing that is effective. Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management. The more the regulators trust the self-policing effort, the more the risk profile decreases and the less likely enforcement action will be imposed.
At first blush self-reporting seems a lot like punching oneself in the face, but this is not the case at all! The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely that there will be consideration for reduced enforcement action. Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust that the regulators have in the management in general and the effectiveness of the compliance program in particular. The key here is to report at the right time. Once the extent of the violation and the cause of it have been determined, the time to report is imminent. While it may seem that the best time to report is when the issue is resolved, this will generally not be the case. In point of fact, the regulators may want to be involved in the correction process. In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week!).
It is important to remember here that the reporting should be complete and as early as possible keeping in mind that you should know the extent and the root cause of the problem. It is also advisable to have a strategy for remediation in place at the time of reporting.
What will the institution do to correct the problem? Has there been research to determine the extent of the problem and how many potential customers have been affected? How did management make sure that whatever the problem is has been stopped and won’t be repeated? What practices, policies and procedures have been changed as a result of the discovery of the problem? These are all questions that the regulators will consider when reviewing efforts at remediation. So for example, if it turns out that loan staff has been improperly disclosing transfer taxes on the GFE, an example of strong mediation would include:
- A determination if the problem was systemic or with a particular staff member
- A “look back” on loan files that for the past 12 months
- Reimbursement of any all customers who qualify
- Documentation of the steps that were taken to verify the problem and the reimbursements
- Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
- Disciplinary action (if appropriate for affected employees)
- A plan for follow-up to ensure that the problem is not re-occurring
Despite the very best effort at self-reporting and mediation, there may still be an investigation by the regulators. Such an instance calls for cooperation not hunkering down. The more your institution is forthcoming with the information about its investigation, the more likely that the regulators will determine that there is nothing more for them to do.
At the end of the day, it is always better to self-detect report and remediate. In doing so you go a long way toward controlling your destiny and reducing punishment.