Title X of the Dodd-Frank Act, entitled the Consumer Financial Protection Act of 2010 (CFP Act), established the Consumer Financial Protection Bureau (CFPB). The CFPB enjoys rulemaking, enforcement and supervisory powers over many consumer financial products and services, as well as the entities that sell them. The CFP Act transferred to the CFPB the primary rulemaking authority over many federal consumer protection laws that were enacted prior to the Dodd-Frank Act.

The CFP Act significantly alters the consumer financial protection landscape by consolidating rulemaking authority and, to a lesser extent, supervisory and enforcement authority, in one federal regulator – the CFPB. With its broad rulemaking mandate, it is clear that the CFPB maintains heightened jurisdiction over consumer protection regulations not previously held by the prudential banking regulators. In addition to its rulemaking authority, the CFPB was bestowed with supervisory authority over banks with more than $10 billion in assets, meaning that the CFPB has visitorial powers over these larger depositories. Although institutions with less than $10 billion in assets are not subject to the CFPB's direct supervision, what is becoming increasingly apparent is the growing influence of the CFPB on community banks. Since the creation of the CFPB, the prudential banking regulators have not only intensified their focus on consumer compliance, but are also now modeling their examinations and enforcement strategies after the CFPB. In short, the CFPB is having a real influence on the daily operations of community banks, regardless of size.

Community banks should be thinking proactively and broadly about this shift in supervisory philosophy toward consumer compliance. Gone are the days when a prescriptive, rules-based approach to compliance would suffice. The principle-based approach to enforcement adopted by the CFPB is fast becoming the new normal for consumer compliance enforcement and examination. The "unfair, deceptive, or abusive acts or practices," or UDAAP, provision under Dodd-Frank is a prime example of how a broad regulatory provision, combined with the CFPB's principle-based approach to consumer compliance, warrants a thorough, top-down examination of community banks' consumer compliance structure. Technical compliance with consumer protection regulations, although necessary, is not sufficient. As the CFPB states in its Supervision and Examination Manual, "a transaction that is in technical compliance with other federal or state laws may nevertheless violate the prohibition against UDAAPs. For example, an advertisement may comply with TILA requirements, but contain additional statements that are untrue or misleading, and compliance with TILA's disclosure requirements does not insulate the rest of the advertisement from the possibility of being deceptive."

Although the CFPB does not have direct supervisory authority over community banks, the prudential regulators appear to be taking cues from the CFPB. The FRB, for one, has showcased a broad-based enforcement approach to UDAAP rules and regulations and some high expectations for how banks should be identifying and resolving complaints involving abusive or deceptive practices. Some recently cited violations include underwriters inflating the income lines on residential real estate applications or charging sham origination points; abusive overdraft and billing practices; and being deceptive in the manner in which deposit products are priced. The consequences for these violations can be harsh: MOUs, downgrades of compliance and CRA ratings, and even criminal prosecutions. Some of the violations appear in response to banks making moves to offset recent margin pressure and cutting corners on compliance. Regulators have indicated that they view as red flags those banks pushing new or modified products and services to generate revenue, especially if done in conjunction with third-party vendors where fees are shared. Although revenue growth is desirable, there is also a need to ensure there is compliance with UDAAP and consideration of UDAAP risk. Some of the actions community banks should consider to manage the UDAAP risk include:

  • Conduct internal reviews. Incorporate UDAAP review into the life cycle of a product or service and determine whether any product or service could be considered unfair or deceptive.
  • Review customer complaints and identify trends.
  • Review advertising and marketing, considering how cost, value, availability, alternatives, benefits or terms are represented. Consider whether the terms advertised are actually available to most consumers.
  • Review loan officer compensation and assess whether the compensation program incentivizes behaviors or practices that increase UDAAP risk.
  • Review all third-party vendors that offer or service any aspect of any product or service; review policies and processes for selecting and managing third parties and how third parties are compensated; and assess third-party activities to verify compliance with technical consumer compliance requirements and UDAAP.

UDAAP is just one area of consumer compliance focus. Fair lending, BSA/AML, indirect auto finance and the ability to repay/qualified mortgage rules are other hot-button compliance issues. Each of these distinct areas of consumer compliance requires a rigorous review and assessment, not only by the employees specifically charged with consumer compliance, but also by the bank's board of directors and management. Regulators are increasingly holding directors and management accountable for consumer compliance lapses.

A trend is emerging in recent settlements with large, multinational financial institutions and other regional institutions where regulators are insisting on higher-level involvement of bank officials and the board of directors in BSA/AML compliance. As part of a consent agreement to settle BSA/AML compliance issues last year, Citibank agreed to establish and maintain a board-level compliance committee including at least two outside directors, to ensure the bank was effectively implementing the law. The agreement includes a "Management and Accountability" section, requiring the bank to maintain "clear lines of authority and responsibility" for its BSA/AML activities, and "competent and independent" management to be in place on a full-time basis. In 2012, First Bank of Delaware was stripped of its state charter and penalized $15 million for failing to implement an effective AML program. More and more, community banks are having to confront the increased regulatory scrutiny on BSA/AML policies and procedures.

Conclusion

Managing compliance effectively and successfully is now more critical than ever. Size does not matter – prudential regulators are getting tougher on everyone. Under the current regime, if the CFPB takes a different stand on an issue than a prudential regulator, the CFPB prevails. Therefore, all banks, not only the large banks directly supervised by the CFPB, must follow developments at the CFPB closely and take note of emerging issues. In order to exercise appropriate oversight over the affairs of a bank, directors must have a full understanding of the risks associated with the business of the bank and establish a risk management program to mitigate those risks. To do this, directors will necessarily need to be more knowledgeable about banking and will be expected to undertake whatever is necessary in order to become better informed.