By Lyn Farrell and Kathryn ReimannAs we contemplate the new year, we once again consider regulatory compliance trends and how compliance departments should think about establishing priorities for 2022. Some of the priorities we have mentioned previously have heightened relevance, sometimes with a new twist; but we highlight new ones here that are also relevant and should be heeded:
Compliance departments should continue to focus on fair lending through a variety of lenses, as bank regulators, the DOJ and the White House have underscored activities that undermine the goal of financial inclusion—closely tied to the “S” in “ESG” (see below). DOJ’s recently announced redlining initiative, joined by the CFPB and the OCC, puts fair lending enforcement at the top of its priority list.
While traditional redlining remains a focus, it is noteworthy that CFPB Director Rohit Chopra, in announcing a more traditional redlining enforcement matter, warned that the CFPB will be “closely watching for digital redlining disguised through so-called neutral algorithms that may reinforce the biases that have long existed.” Chopra noted that “modern-day redlining”—in which using algorithms to make lending and advertising decisions may result in discrimination—creates a risk that just as families were “victimized by the robo-signing scandals from the last crisis,” “robo-discrimination” must not be allowed “to proliferate in a new crisis.”
Therefore, it is important to make sure that compliance fairness reviews encompass the creation, operation and outcomes of algorithmic decision models. The consent order in this matter also underscores that where a lender’s HMDA data show that its lending record in majority Black and/or Hispanic census tracks significant lags its market peers, this statistic disparity may lead to fair lending enforcement without a need to show intentional acts of discrimination.
The extent of fair lending protections for small businesses has been a topic on our minds for a number of years. The confluence of several events leads us to call out this issue as a compliance action item for 2022. First, the CFPB has begun the process of requiring the Dodd-Frank-mandated collection and reporting of small business loan data. In addition, the passage or proposal of legislation protecting small businesses in at least six states—California and more recently, New York, have enacted legislation— together with the proposal in Congress of the Small Business Lending Disclosure Act, make getting your small business fair lending program in shape a necessity.
Technology and consumer protection
In addition to concern over algorithm use, the CFPB is reinforcing the focus on technology that distinguished it in its early days. Is your bank ready to face the CFPB’s new technology exam module? Further, what lessons lie in the orders the CFPB issued to tech firms—who all have bank partners—with regard to their payment products and the consumer data they generate? Many of the areas of questioning should be considered as you review activities within your banks: How are you gathering and using consumer data? Do you monetize that data? Do consumers have adequate transparency and choice regarding what you do, and the third parties with which you may share data? These are not new questions. But as the regulatory and technology environments continue to change, and regulators clearly voice their concerns about the role of “big tech” in the payments process, it is useful to revisit your risk assessments in this area.
Finally, don’t make the mistake of believing that the realm of cryptocurrency and stablecoins is not in the consumer compliance officer job description. The CFPB is among the regulators of these products—and is particularly focused on consumer protection as consumers themselves turn to these digital means of making payments.
Consumer product digital marketing
At the risk of repeating ourselves from previous priorities, the issue of marketing compliance and UDAAP is going to always be on the list. The pandemic only hastened the use of digital banking across all parts of the country so that the majority of consumers’ contacts with their banks is now online. Remember to make sure that all essential facets of the product are accurately disclosed and that decisions the consumer is required to make are fairly presented. (See Farrell’s previous article on deceptive marketing practices here.)
The banking agencies continue to be concerned that their constituent banks are offering “banking as a service” to small fintech companies with little or no consumer protection apparatus. Banks small and large nationwide now serve as a banking vendor to fintech firms. And it is important to have controls in place to ensure that the bank is not inadvertently helping a company that is misleading consumers, failing to give appropriate disclosures or treating consumers unfairly. If you offer banking services to fintech companies, you must have a compliance review process in place for them not only at the outset but also periodically throughout the life of the relationship.
Market power and consumer choice
The CFPB’s first consent order under Chopra resulted in the sanctioning of JPay LLC for “abus[ing]its market power created by single source government contracts even if the customers didn’t want to do business with JPay.” The customers in this case were formerly incarcerated citizens who could obtain funds from the government only on a pre-paid card from JPay. While the facts in this matter are every specific, Chopra warned that its principles are more broadly applicable for “payments businesses [which]are network businesses and can gain tremendous scale and market power potentially posing new risks and undermining fairly competition.” In your bank, think about fairness when looking at choices you offer consumers, whether there are competitive products to your offerings, and how you introduce consumers to third parties in situations where they have no choice as to the provider (such as insurance providers or loans servicers).
The new director of the CFPB has made it clear that overdraft practice will be a focus of the bureau going forward. The acting Comptroller of the Currency recently said that the existing overdraft system is “regressive,” meaning that its impact is greater for lower income customers. Therefore, a review of banks’ overdraft programs should be a priority in the coming year. If your bank does not include these features, then consider: Establishing minimum amounts for which no overdraft fee is assessed; allowing the customer additional time to deposit funds into the account before assessing a fee; providing alternatives to overdrawing accounts such as transferring funds from savings; or using credit cards. The amount of overdraft fees are often the subject of criticism. Regulators tend to consider such fees to be excessive relative to the service provided. Consider whether your bank’s fees are high or low compared to others in your market. There is likely to be another push for overdraft rules, especially by the CFPB. Whether such a rule will be successfully implemented is another issue, but prudent risk managers will want to ensure that their banks’ practices are easy to understand and are fully disclosed to the consumer.
While it is necessary to address all three aspects of environmental, social and governance issues, financial regulators globally have elevated their focus on environmental, or climate in particular, as a newly recognized systemic risk. Even as standards remain unsolidified, banks have voluntarily reacted in a variety of ways that have included adding or expanding senior roles and resources to focus on ESG and its various sub-categories. In the case of climate risk, banks are exploring the use of funding-related levers to influence customer behavior, developing green products and making voluntary commitments, including with regard to their own carbon footprints.
Banks have made varying choices as to where and how ESG roles, resources and decision-making authority will sit. The management of climate risk in particular has compliance, reputation and regulatory risk implications that trigger a “three lines of defense” approach. How will a climate risk assessment fit within your current risk assessment regimes? What data will your bank develop and use to measure, control and report on its risk as well as its adherence to both voluntary and regulatory commitments in this area? How will compliance determine and support the accuracy of related disclosures and the marketing statements that they may spawn? How will banks make certain that lending policies and individual transactions fit within the principles that bank has embraced publicly, and assure that those principles are being applied fairly? Are AML monitoring and reporting processes equipped to deal with activities that suggest environmental crime? These and other questions need to be answered in a highly scrutinized, quickly developing but still murky regulatory environment.
Supervision in a “WFH” world
Just as we were working to get regulators and others comfortable with development in an “agile” environment, the work-from-home scenario has been added to the mix. Both as people managers of their own groups, and in their broader roles as risk managers, compliance heads need to grapple with the risks attendant to staff shortages caused by “the great resignation,” the changes in how employees work, and in their expectations, as WFH and hybrid models for in-office working evolve.
Customer-facing employees, whether in branches or on phones, are working under changed circumstances, but are still the key to meeting customer expectations and escalating issues. New or modified risks should be captured in your risk assessment, and controls should be reviewed in the context of changes that have been necessary to accommodate new information and process flows. Policies and procedures may require updating to reflect how banks are now actually operating. In addition, it is important to consider the employees involved: Are their historic job descriptions, training and tools adequate? And what steps are needed to continue to preserve your bank’s culture as well as your regulatory credibility and relationships–particularly as we see staff turnover on both sides of the table?
Finally, while the initial deadlines for issuing regulations to implement the significant changes in the Anti-Money Laundering Act of 2020 have come and gone, banks and their compliance and AML staffs will need to remain ready to respond when the time comes.
Lyn Farrell is an attorney and consultant with more than 40 years in the banking compliance space. She is currently a regulatory strategy adviser at Hummingbird, a regtech company. Kathryn Reimann is a regulatory adviser at Hummingbird and a senior adviser at Oliver Wyman, with more than 25 years of experience leading compliance functions at public companies, most recently as the chief compliance officer for Citibank, N.A. and the Citi Global Consumer Bank.