Contents noVeMBeR-deCeMBeR 2010 | Vol. 31 | no. 6

10 | Introducing the Consumer
Financial Protection Bureau

The creation of the Consumer Financial Protection Bureau will clearly impose new obligations on all providers of financial products and services directed to consumers for personal, family, or household purposes. This article provides a detailed overview of what laws and regulations the bureau will be responsible for and the institutions that it will supervise.

By Ken BaeBel, CRP and John C. SoFFRonoFF, JR.

14 | Managing the Risks of
Mortgage Partnerships

Mortgage lenders often use many types of business partners to market products and provide services to successfully get mortgage loans closed and funded. Recognizing and managing these risks is an important part of any mortgage compliance program. This article will survey those risks and recommend actions to mitigate them.

By Kathlyn “lyn” l. FaRRell, CRCM, CaMS, aMlP and CaRl g. PRy, CRCM

20 | Vendor Management:
the devil’s in the details

You probably view vendor management in the traditional sense—it’s an information technology (IT) or operations function. However, as this article reveals, vendor management and compliance are inextricably related. And, as you will see the devil is in the details.

RIChaRd h. haRVey, JR., eSq., CRCM, and ShawndRa Rutledge, CRCM

30 | Managing udaP-Related Risks in
uncertain times

Across the banking industry, numerous lawsuits and investigations remain pending involving unfair or deceptive acts and practices (UDAP).

Given the current consumer-focused regulatory environment, we should examine in more detail UDAP regulation.

By CouRtney eden

The mosT comprehensive financial regulaTory legislaTion since The 1930s, the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 was signed into law on July 21, 2010. The Consumer Financial Protection Act of 2010 is included as Title 10 of the larger act, and it establishes a new bureau within the Federal Reserve System: the Consumer Financial Protection Bureau (CFPB). The new bureau will be completely independent of the Fed’s board of governors and other financial regulatory agencies, and its mandate is to focus on issues impacting how consumers are treated in the marketplace for financial products and services.Congress was specifically concerned about treatment of servicemembers,the unbanked, and senior citizens.

The creation of the CFPB will clearly impose new obligations on all providers of financial products and services directed to consumers for personal, family, or household purposes. Understanding the new bureau’s role and responsibilities will be a major challenge to compliance managers at depository and nondepository institutions during the coming year.

The secretary of the Treasury has set July 21, 2011, as the official date for transferring certain consumer protection functions from current regulatory agencies to the CFPB. It is anticipated that significant changes to regulations as well as supervisory procedures will occur during this transition period. This article provides an overview of which laws and regulations the CFPB will be responsible for, and which institutions it will supervise.

Structure

The CFPB is an autonomous office within the overall structure of the Federal Reserve System. The Fed’s board of governors may delegate to the CFPB authority to examine persons subject to the jurisdiction of the board for compliance with federal consumer financial laws. The board may not, however, appoint or remove any employee of the CFPB, nor can it intervene in any matters before the CFPB, including examination or enforcement actions. The board is required to provide funding for the CFPB each year beginning on the designated date of the transfer of authority to the new bureau. The CFPB will be headed by a director nominated by the president, subject to confirmation by the Senate, for a term of five years.

Appointed by the director, a deputy director will lead the CFPB in the director’s absence. The principal office of the CFPB will be in Washington, D.C., and the bureau may establish regional offices in order to carry out its responsibilities. The director is authorized to hire attorneys, compliance examiners, compliance supervision analysts, economists, statisticians, and other employees as necessary to conduct the business of the CFPB.

Similar to the board’s Consumer Advisory Council, the CFPB is directed to establish a Consumer Advisory Board, with members to be appointed by the director. The membership is to include persons with expertise in consumer protection, fair lending, financial services, and community affairs, among other backgrounds. The director is supposed to include at least six persons recommended by the regional Federal Reserve Banks. The legislation requires the advisory board to meet at least twice a year.

Laws and Regulations

The Dodd-Frank Act transfers regulatory responsibility for the following consumer laws from the agencies previously given those tasks:

■ ■ The Alternative Mortgage Transaction Parity Act of 1982 ■ ■ The Consumer Leasing Act of 1976

■ ■ The Electronic Fund Transfer Act (with some exceptions) ■ ■ The Equal Credit Opportunity Act

■ ■ The Fair Credit Billing Act

■ ■ The Fair Credit Reporting Act (with some exceptions) ■ ■ The Homeo wners Protection Act of 1998

By Ken BaeBel, CRCM, CRP, and John C. SoffRonoff, JR.

Introducing the

Consumer Financial Protection Bureau

more red tape for compliance pros

10 | ABA BANK compliANce | NoVemBeR-DecemBeR 2010

The CFPB also has specific authority to prevent persons subjectto its
supervision from committing or engaging in unfair, deceptive, or abusive
acts or practices in connection with any transaction with a consumer for a
consumer financial product or service, or the offering of a consumer financial
product or service. The requirements for determining whether actions may
be unfair or deceptive are the same as those currently guiding the Federal
Trade Commission (FTC) and the federal banking agencies when examin-
ing for possible unfair or deceptive acts or practices (UDAP) violations.

■■ The Fair Debt Collection Practices Act

■■Subsections (b) through (f) of Section 43 of the Federal Deposit Insurance Act (institutions without federal deposit insurance)

■■Sections 502–509 of the Gramm-Leach-Bliley Act (privacy)

■■ The Home Mortgage Disclosure Act of 1975

Who Is Regulated

■■ The Home Ownership and Equity Protection Act of 1994

■■ The Real Estate Settlement Procedures Act of 1974

■■ The SAFE Mortgage Licensing Act of 2008

■■ The Truth in Lending Act

■■ The Truth in Savings Act

■■Section 626 of the Omnibus Appropriations Act (2009)

■■ The Interstate Land Sales Full Disclosure Act

■■Subtitles A, B, C, and E and sections 1471, 1472, 1474, and 1475 of the The CFPB will be responsible for enforcing consumer financial protection laws and regulations against any person who engages in offering or providing a consumer financial product or service; and any affiliate of such a person if that affiliate acts as a service provider to that person. The definition of financial product or service is very broad and will encompass pretty much any financial product or service offered to a consumer for personal, family, or household purposes.

123Rf Bono ToMSTudo

Mortgage Reform and Anti-Predatory Lending Act (2010)

The CFPB is given specific authority over insured depository financial institutions with assets over $10 billion. Based on the most recent call report figures, the CFPB will have responsibility to examine some 100 insured banks, savings associations, and credit unions, and their affiliates. It will also have responsibility for examining and supervising nondepository financial firms that originate, broker, or service private education loans,

NoVemBeR-DecemBeR 2010 | ABA BANK compliANce | 11

BY KATHLYN “LYN” L. FARRELL, CRCM, CAMS, AMLP, AND CARL G. PRY, CRCM

Managing the Risks of Mortgage Partnerships TISOBVIOUSTOANYONEwho’sbeenpayingattentionthatforthelastfewyears themajorplayersinthemortgagelendingindustry—includingbrokers,appraisers,and financialinstitutions—havealltakenhitsinthemedia,withregulators,andwiththe public.Withthecollapseoftherealestatebubble,fewermortgageloanapplicationsare beinggeneratedandthenumberofmortgageloanbrokersandmortgagecompanies hasdeclined.Bysomeestimates,thenumberofmortgagebrokersintheUnitedStates isonlyhalfofwhatitwasin2005. IDuetothisdecreaseinmortgagelendingproviders,some financialinstitutions(includingmanycommunitybanks)sense opportunityandhavedecidedthatthetimeisrighttogetback intomortgagelending.Insomecases,banksthathavetraditionally mademortgageloanshereandtheretosatisfyexistingcustomers aregearinguptooffermortgagesinamuchbiggerway.While thisdecisionmaymakegoodbusinesssenseandcanbebeneficial forthecommunitiesthatneedmortgageservices,therearealso risksthatshouldbeconsidered.Infact,therearemoreregulatory risksnowinthismortgagelendingareathaneverbefore.Many oftheserisksarespecificallyrelatedtotheuseofpartnersand serviceprovidersinthemortgageprocess. Becauseitisdifficult,ifnotimpossible,toparticipateinthe mortgagelendingspaceonanyscalewithoutrelyingonoutside serviceproviders,abankisforcedtoweightherisksofdealing withthirdpartiesagainstthebenefitsofbuildingaprofitable mortgagelendingoperation.Thirdpartiesincludeapplication brokers,propertyappraisers,andtitleinsurers,aswellasloan servicers,escrowcompanies,andsecondarymarketpurchasers. Inthisarticle,we’llsummarizesomeoftherisksinherentin dealingwithmortgagepartnersandoffersomeideasonwaysto mitigatetherisksinaninstitution’smortgagelendingoperations. HowDidWeGetHere?First,let’sconsiderhowthislevelofriskcametobeinthefirst place.Whilethecausesofthemortgagemeltdownandresulting economiccrisiswillbedebatedforyearstocome,itisgenerally agreedthatlenderswereatleastpartiallyresponsiblebyallowing underwritingstandardstoslipor,insomecases,byneglecting thestandardsaltogether.Someofthoseproblemshavebeenat- tributedtothelenders’mortgagepartners,whoatleastenabled someweaknesses.Whoaresomeofthepartiessharingtheblame? ;Mortgagebrokers:Becauseofaggressiveandevenabusive useofoveragesandyieldspreadpremiums,borrowerspaid muchmoreforloansthantheyshouldhave.Thesepractices fallundertheumbrellaofpredatorypracticesbutcanalsorisetothelevelofafairlendingviolationifborrowersinpredomi- nantlyminorityareasweredisproportionatelyharmed.These practicescouldhavecontributedtothecurrentsituationof excessiveforeclosuresinmanyurbanareas. ;Appraisers:Therehavebeenmanyanecdotalanddocumented casesofappraisedvaluesbeingriggedtosupportaloanamount. Thispracticeisnotonlyaregulatoryviolationbutalsoaviola- tionoftheUniformStandardsofProfessionalAppraisalPractice (USPAP)rulesandinmanycasesacriminaloffense.Butlend- erswerecomplicitinsomeofthesecases,throughsuggestion, coercion,oroutrightfraudtogetthenumbernecessaryfrom anappraisertosupporttheloan. ;Titlecompanies:Lessvisiblebutstillplayingarole,thesecom- panieswouldinsomecasesplayalongwhilemortgageswere flippedrepeatedly,predatoryloansweremade,orinextreme cases,loansweremadetomultipleborrowersonthesamehome. TheBacklash Afterthemortgagecrashandintheensuingchallengingeconomic environment,severalcriticaleventsoccurredinthemortgage marketplace: Manybanksgotoutoftheindirectlendingbusiness.Due totheriskspresentedbymortgagebrokers,dealers,andother third-partyleadgenerators,somebankssimplydecidedtoget outofthatbusinessentirely.Theydecidedthatfromnowon, mortgageloanswouldbemadedirectly;thatis,thatinitialap- plicationwouldbetakenatthebankorthroughbankchannels. Somemarketsbecameneglected.Whetheraresultofgeneral economicconditionsorinareaswheremostmortgagestradition- allycamefrombrokers,theresultisthesame:inmanymarkets, mortgagelendinghasdriedup.It’sbecomevirtuallyimpossible togetaloan(oronethatisaffordable.)Thisinturncreates… Regulatoryandlegalscrutinybegantogrowstricter.Thefact hatloansarelessavailableinmanyareascreatesredliningcon- cerns(andalsoissuesregarding“reverseredlining,”whichmeans predatoryloansorpracticesaretargetedtoparticularareasor Becauseitis difficult,ifnot impossible,toparticipate inthemortgage lendingspaceonany scalewithoutrelying onoutsideservice providers,abankis forcedtoweighthe risksofdealingwith thirdpartiesagainsthebenefitsofbuilding hebenefitsofbuilding aprofitablemortgage lendingoperation. 14 | ABA BANK COMPLIANCE | NOVEMBER-DECEMBER 2010 NOVEMBER-DECEMBER 2010 | ABA BANK COMPLIANCE | 15

ColuMnS
4 | Compliance
Management

By CaRl g. PRy, CRCM

RICHARD H. HARVE Y, JR., ESQ., CRCM, AND SHA WNDRA RU TLEDGE, CRCM I F YOU’RE A COMPLIANCE OFFICER you no doubt have very little leisure time for reading articles that appear to have little, if any, appli- cability to the numerous responsibilities you already own. Thus, at first glance you might be inclined to take a pass on this article. You probably view vendor management in the traditional sense—it’s an information technology (I T) or operations function. However, as this article reveals, vendor management and compliance are inextricably connected. And, as you will see, the devil is in the details. How did we get where we are today? Well, let’s start by taking a walk back in time. Vendor management first came on the scene as a specific topic of risk around 2000. It started in the IT area and has morphed into its own piece of the regulatory examination process. IT has always been the starting point for vendor management. It truly began with the fury of fear about the Year 2000 ( Y2K) problem in software systems. As early as December 17, 1997, statements such as the following were made by the Federal Financial Institutions Examination Council (FFIEC) regarding vendor due diligence: The purpose of these safety and soundness guidelines is to underscore the responsibilities of senior management and the boards of directors. ... This includes managing the internal and external risks presented by providers of data-processing products and services (vendors), business partners, counterparties, and major loan customers.1 Interestingly enough, before the Y2K phenomenon little can be found on vendor management, vendor due diligence, or vendor monitoring. On March 21, 2000, the FFIEC issued SR 00-5(SUP), titled “Lessons Learned from the Year 2000 Project.” 2 This SR discusses different topics regarding the process for the Y2K project and there it is: “vendor management.” The paragraph is four sentences long and has been a driving force for vendor management programs all over the country. So what exactly did it say? Financial institutions established better due diligence pro- cesses to oversee service providers and soft ware vendors that provide mission-critical services and products. Many financial institutions that relied upon service providers, soft ware vendors, and consultants found that they had substantial risk exposures related to vendor management hat were not adequately measured, monitored, man-

Vendor Management:

The Devil’s in

Vendor management has rapidly evolved into a demon of work

their analysis of the ability of service providers, software vendors, and consultants to fulfill their contractual obligations. In addition, institutions took steps to improve communications and clarify roles, responsibilities, and contractual obligations. 3

First, let’s be clear: what was said back then is notthe reality of today. Since these four sentences, vendor management has rapidly evolved into a demon of work that now includes significant components of a bank’s examination process. In 2007, the Federal Deposit Insurance Corporation (FDIC) issued a new IT officer’s questionnaire and vendor management not only is referenced throughout, but also has its own section. FDIC listed part 5 of the questionnaire with this lead-in statement: “Given the increased reliance on outside firms for technology-related products and services, please answer the following questions to help us assess the effectiveness of your vendor management and service provider oversight programs.” 4 Clearly vendor management was playinga bigger role in the IT examination process.

Did it stop there?

SHUTTERSTOCKBONOTOM

aged, or controlled. Many financial institutions expanded No. Vendor management has continued to spark flames in many areas of the examination process. The Office of the Comptroller of the Currency (OCC) listed vendor managementas a control in its public handouts for a May 6, 2003, telephone seminar about information security. 5 In that presentation the OCC stated thateach bank must understand the security of its vendor as a

20 | ABA BANK COMPLIANCE | NOVEMBER-DECEMBER 2010 NOVEMBER-DECEMBER 2010 | ABA BANK COMPLIANCE | 21

6 | Regulatory
Insider

By BonIta g. JoneS

37 | the other Side

By Stu lehR, CRCM

dePaRtMentS

UDAP Regulation and Enforement

Federal Trade Commission Act

The Federal Trade Commission (FTC) broadly regulates unfair and deceptive acts and practices under the Federal Trade Commission Act (FTCA), which provides a general “catch-all” for UDAP enforcement. Specifically, Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.” 3 This prohibition applies to all persons engaged in commerce, including the banking and finance industry, 4 and notonly to publicly available products and services, butalso to related servicing and support, design and development, and other activities thatmight not be readily apparent. The prohibition applies further, regardless of marketing channel, in order to protect consumers across markets and business sectors.

To determine whether an act or practice is unfair or deceptive, a separate and independent analysis must be completed for each; an act or practice may be found to be unfair or deceptive or both. To determine unfairness, the FTC considers whether (i) the subject act or practice causes or is likely to cause substantial consumer injury; (ii) the injury cannot be reasonably avoided; and (iii) the existence of net countervailing consumer benefits. 5 By reviewing in more detail each of these factors, your organization may be able to better mitigate UDAP-related risks associated with its programs, products, and services.

“Substantial” consumer injury usually involves financial or other tangible harm (not emotional harm). Substantial injury may be found when a small number of consumers experiences substantial economic harm, or when a large number of consumers experiences minor economic harm. Otherwise, substantial injury may be found when a significant risk of concrete harm exists. 6 Consumer decisions are not second-guessed to determine whether injury could reasonably have been avoided. Instead, this factor considers whether consumers have been subjected to undue influence, coerced into purchasing products or services, or impeded in their ability to freely decide. Consumers may be so affected by the withholding of material information or the creation of ( unnecessary) complexities in connection with the act or practice.

Countervailing benefits are not necessarily quantifiable. However, a cost-benefitanalysis is completed to determine whether net benefits exist. Costs considered may include the regulatory burden associated with adopting preventive means and measures; benefits considered may include the existence of more widely available products or services, and lower prices. Finally, although not a factor, established public policy may be considered, with all other evidence, in making the determination of unfairness. 7 To determine whether an act or practice is deceptive, the FTC uses a different three-factor test: (i) the consumer must be misled or likely to be misled (based on the act, representation, practice, or omission); (ii) the act or practice must be considered from the “reasonable consumer” perspective; and (iii) the actor practice must be material. 8

Under the first factor, the overall net impression of the act or practice is determined. Under the second factor, the targeted consumer and level of sophistication are considered. If several reasonable interpretations of an act or practice exist—with only one interpretation actually deceptive or misleading—the deceptive or misleading interpretation will apply. 9 Under the third factor, materiality is presumed for certain acts and practices, including claims regarding the cost of a product or service. Otherwise, materiality may be found when consumer choice is impacted or likely to be impacted.

Other Applicable Regulation

In the federal arena, additional regulators have UDAP review and enforcement authority. Under the FTCA, the Federal Reserve Board (FRB) regulates unfair and deceptive acts and practices in the context of reserve banks10; the Office of Thrift Supervision (OTS) regulates thrift and savings associations (including their international activities) 11; and the National Credit Union Administration (NCUA) regulates federally chartered credit unions. 12 The Office of the Comptroller of the Currency (OCC) and the Federal DepositInsurance Corporation (FDIC) also possess UDAP review and enforcement authority in the context of national banks and branches ( including their international activities and federal branches of foreign

ACROSSTHEBANKINGINDUSTRY,numerouslawsuitsandinvestigations involvingunfairordeceptiveactsandpractices(UDAP)remainpending. Examplesmaybefoundregardingadvance-feecreditcards,creditcard interestratereductions,foreclosurereliefservices,andconsumeraccount debiting,tonameafew.1Inadditiontothelitigationrisk,UDAPclaims andviolationsmayresultinsubstantialmonetaryjudgments,fees,and penalties—andimmeasurabledamagetoyourorganization’sreputationandgoodwill. 2 Giventhecurrentconsumer-focusedregulatoryenvironment,evidencedbypassage oftheCreditCardAccountability,Respon- sibilityandDisclosureActof2009(the CARDAct),weshouldexaminetheUDAP regulationsinmoredetail.ThefirstsectionofthisarticlereviewsfederalandstateUDAPregulationsandenforcement.ThesecondsectionexaminesUDAP-relatedprovi-sionsoftheCARDAct,andthethirdprovidesrecom-mendationstohelpyourorganizationaddressandmitigateUDAP-relatedrisks.