On October 14, 2011, the Consumer Financial Protection Bureau
(CFPB) issued its Supervision and Examination Manual –
Version 1.0 (Manual), which provides the first insight into the
procedures the CFPB will use in examining the depository
institutions and non-depository consumer financial services
companies under its jurisdiction. The complete Manual can be found
The Dodd-Frank Wall Street Reform and Consumer Protection Act
provides that the CFPB is responsible for enforcing "federal
consumer financial law." To that end, the Manual builds upon
examination procedures for certain consumer financial laws,
including, among others, the Home Mortgage Disclosure Act, Truth in
Lending Act, Real Estate Settlement Procedures Act, Fair Credit
Reporting Act, Fair Debt Collection Practices Act, and
Gramm-Leach-Bliley Act. It also details its examination procedures
for detecting unfair, deceptive, or abusive acts or practices and
for assessing whether mortgage servicing complies with all
applicable consumer laws.
The Manual is structured in three parts. Part I describes the
supervision and examination process. Part II details the
examination procedures. Part III consists of templates of documents
that the CFPB will use in examining the entities under its
jurisdiction. Part II, the "Examination Procedures," is
probably the most helpful guide for entities that are supervised by
the CFPB, as it provides a "road map" of the factors upon
which the CFPB will focus in compliance examinations.
Prior to examining large depository institutions and their
affiliates, the CFPB will prepare a Risk Assessment that will be
the foundation for an institution's (and its affiliates')
custom "Supervision Plan." A sample Risk Assessment is
provided in Part III of the Manual. As explained in the Manual:
CFPB's Risk Assessment is designed to evaluate on a
consistent basis the extent of risk to consumers arising from the
activities of a supervised entity or particular lines of business
within it and to identify the sources of that risk. "Risk to
consumers" for the purpose of the CFPB Risk Assessment is the
potential for consumers to suffer economic loss or other
legally-cognizable injury (e.g., invasion of privacy) from a
violation of Federal consumer financial law. The risk assessment
includes factors related particularly to the potential for unfair,
deceptive or abusive practices, or discrimination. Two sets of
factors interact to result in a finding that the overall risk in a
business or entity is low, moderate, or high. The first set of
factors relate to the inherent risk in the particular line of
business or the entity overall. The second set of factors is the
quality of controls that manage and mitigate that risk. The Risk
Assessment also includes a judgment, based on current or recent
information, about the expected change in the overall risk:
decreasing, increasing, or unchanged.
Utilizing the Risk Assessment, the CFPB will prepare a unique
Examination Scope Summary that will dictate how the CFPB will
review an institution's compliance with consumer financial
The Manual includes many consumer financial law-specific
sections that, among other things, provide background about the
law, compliance, and specific examination procedures. For example,
the Fair Credit Reporting Act section provides information related
to obtaining consumer reports, sharing information among
affiliates, disclosing information, etc. In addition, some sections
include CFPB examination checklists, providing a useful guide for
internal review of regulatory compliance.
The Manual makes explicit the CFPB expectation that every
regulated entity will have an effective compliance management
system adapted to its business strategy and operations. The CFPB
will review and test the effectiveness of compliance management
systems, focusing on: (i) board and management oversight; (ii) the
compliance program; (iii) responses to consumer complaints; and
(iv) compliance audits. The CFPB will review each of those elements
to assess the overall quality of an entity's compliance
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Nearly five years after announcing it would
"expeditiously" implement provisions of the Dodd-Frank
Act concerning data collection on small business lending, the
Consumer Financial Protection Bureau (CFPB) finally seems to be
Tomorrow the CFPB will issue an interim final rule that will increase the maximum amount of civil penalties that the CFPB and certain other enforcers can obtain for various consumer protection violations.
The authors examine the Consumer Financial Protection Bureau's foray into data security
enforcement by assessing how the bureau's data security authority compares with that
of other federal regulators.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).