The answer also depends on how
critical the issue is. The more potentially
damaging the problem is, the more likely
you’ll want and need to do something
about it. But what about technical violations you discover? Or those that could
be problematic but have been going
on for years and haven’t been found by
regulators over multiple exams?
What is the real value of self-policing
anyway? As compliance professionals,
we’re trained to recognize risk and take
steps to mitigate it, as well as prevent
problems from occurring in the first
place. On the other hand, you could argue that if no one finds an issue—
meaning examiners in particular, but also
auditors, testers, or others—then what’s
the use of calling attention to something
that is flying under the radar?
Is it better to throw yourself on the
sword (metaphorically speaking) if examiners do discover an issue you knew
about, even if you haven’t fully resolved
it yet? Or, is it better to take your chances
that it won’t be found? This question
came up when the Consumer Financial
Protection Bureau (CFPB) issued its first
round of enforcement actions last year.
In one case, the bureau seemingly overlooked the fact that the bank had discovered its own issues, and the penalty
didn’t seem to reflect the efforts the bank
had undertaken to mitigate the issues.
The question then becomes: If that’s
the attitude of the agencies and the
consequences are the same either way,
wouldn’t we just be better off taking
our chances that a problem won’t be
identified? This question was raised in a
meeting earlier this year that the CFPB
conducted with bankers.
Clearly, the answer is no. In a recent
bulletin (2013-06), the CFPB encourages
what it calls “responsible behavior,” which,
if undertaken by banks, could “resolve an
investigation with no public enforcement
action, treat the conduct as a less severe
type of violation, reduce the number of
violations pursued, or reduce the sanctions
or penalties sought by the bureau
in an enforcement action.” The bureau
makes a point to emphasize that its guidance
is not a rule or regulation and is not
a promise or get-out-of-jail-free card, but
that exercising this type of conduct
“may warrant favorable consideration.”
There are four aspects to “responsible
conduct”: self-policing, self-reporting,
remediation, and cooperation.
Self-Policing
Synonymous with self-monitoring or
self-auditing, the proactive nature of
self-policing is what makes it so beneficial.
This is one of the pillars of an effective
compliance management system
(CMS). The CFPB’s examination manual
includes a bank’s CMS as a critical
element of how it “reviews operations
to ensure responsibilities are carried out
and legal requirements are met.” From
the CFPB’s perspective, early detection
of potential violations minimizes their
ultimate harm to consumers.
The bulletin contains a number
of questions it will consider when
evaluating self-policing, including how
significant the conduct is to the bank’s
business model, how longstanding or
pervasive the conduct was, how and
when the conduct was uncovered, and
the bank’s culture of compliance. It
is expected that a bank possess effective and well-performing self-policing
processes, whether it is in compliance
testing, quality control, audit, or similar
mechanisms. But what should you do
with problems you uncover?
Self-Reporting
The CFPB’s bulletin states that “prompt
and complete self-reporting to the bureau
of significant violations and potential
violations is worth special mention”
since it enhances the CFPB’s mission
and “represents concrete evidence of a
party’s commitment to responsibly address
the conduct at issue.” Since it goes
to the heart of the issue, this is also the
most difficult of the four aspects.
Questions to ask in self-reporting include:
Was it complete and effective, was
it immediate or delayed (and, if so, were
there appropriate reasons for the delay),
and was it proactive or made only in
response to discovery? It is clear that immediate
and complete disclosure is the
goal and will be treated most favorably.
It is also worth mentioning that the
bulletin refers to disclosure to regulators
other than the CFPB, as well. Although
this is a CFPB bulletin, the concepts are
clearly applicable to banks regardless of
regulator. Whether the other agencies
follow the CFPB’s principles precisely or
not, the general idea behind responsible
behavior is universal.
But what good does it do to find
something and report it if nothing is
done about it?
Is There Value to Self-Policing?
ONE OF THOSE LITTLE SECRETS of being a compliance officer deals with what to do when you discover a problem. Should you sweep it under the rug or try to do something about it? Of course, the politically correct answer is to try to fix things, but we all know
that isn’t always feasible for a number of reasons: lack of resources to do what
it takes, expense to change things, lack of will on the part of management,
information technology difficulties, or maybe just uncertainty as to whether
you’ve stumbled across a real problem that requires action at all. If you know it
can’t be fixed and it hasn’t been cited as a problem in the past, isn’t it better to
leave well enough alone?