When I set out to write my article this month, I decided to focus on the basics related to involving your board of directors or collection agency executives in your compliance management system (CMS). It is clear that the CFPB has high expectations for board involvement oversight. I found it insightful to look at the big enforcement actions published against American Express, Discover Bank, and JP Morgan Chase for direction in this area, and the high-level comparison of these orders provided here resulted.

Most conversations I have heard around the importance of the involvement of the board of directors in organizations under the jurisdiction of the CFPB conclude that the following metrics should be reported to the board at least annually:


- Results of compliance audits — How they are done, defects identified in the process, corrective actions recommended, and how the corrective actions are implemented.

- Training data — descriptions of the compliance training provided and its relation to the job functions of those who participate, participation data, consequences applied to those who never attended the training, the expected outcomes of the training and the measured outcomes of the training.

- Risk assessment results — areas in which risk assessments are conducted, risks identified, corrective actions recommended, how the corrective actions are implemented and then how they are tested.

- Hotline calls — data related to the sources of calls to an organization’s complaint hotline, categories in which the complaints fell, response timeframes, response types, any redress provided to complainants, investigation processes, investigation outcomes.

While annual reporting of these metrics and their associated analysis may meet minimal reporting requirements, many organizations prefer to see this data at least twice per year, and at best, quarterly.


American Express Centurion Bank’s required board involvement includes the following:
- Required the Board to fully participate in the oversight of the CMS and made the board responsible for the approval of sound policies and objectives for the supervision of the Bank’s compliance related activities.

- Required a compliance committee of three directors, required it to meet monthly and to report its discussions at regularly scheduled board meetings.

- Required the appointment of a chief compliance officer and a fair lending compliance officer.

Discover Bank saw the following specific requirements for its board:
- Board shall participate fully in the oversight of Discover’s CMS and take full responsibility for ensuring that appropriate policies and procedures are in place.

- Required internal compliance audits and quarterly reports to the board related to deficiencies noted in audit reports.

- 60 days to review, revise and/or develop as necessary a risk-based compliance management system including a comprehensive written compliance program to ensure compliance with Sec. 5 of the FTC Act at minimum, including Board designation of management responsible for approval and use of marketing materials. Further requirements for the organization’s CMS were broad and detailed.

JP Morgan Chase was:
- Ordered to ensure that all submissions required by the Order are submitted.

- Ordered to take ultimate responsibility for proper and sound management of the Bank and for ensuring that the bank complies with Federal consumer financial laws and the order.

- Allowed to delegate certain approval or reporting obligations to the Audit committee as well as authorize and adopt actions as may be necessary for the Bank to perform the obligations under the terms of the Order.

- Ordered to require timely reporting by management to the board under the terms of the order.

- And ordered to require corrective action to be taken in a timely and appropriate way for any material non-compliance.

While only the American Express order had a debt collection component, it can be instructive to compare components of these three orders because they reveal the direction the CFPB has taken related to enforcement of federal consumer protection laws. Applying this thinking to our own practices, and thinking differently about the way we run our collection organizations now may reap many benefits later. The full text of these orders is available on the CFPB’s website at consumerfinance.gov.

| | American Express Centurion Bank (October 2012) | Discover Bank (September 2012) | JP Morgan Chase (September 2013) |
|---|---|---|---|
| Laws Implicated (partial list) | FTC Act, Sec. 5, for debt collection practices; FCRA; TILA; ECOA | FTC Act, Sec. 5, for deceptive marketing of credit products | Sections 1031 & 1036 of the CFPA for UDAAP related to sale of Add On Identity Protection products |
| Findings of Fact | Misrepresentation about the impact of payment on credit scores, misrepresentations around intent to update information related to unreported debts; failed to report consumer disputes to CRAs | Material representations about the nature of calls, deceptive language about the products sold in calls | Billed customers for credit report monitoring products while failing to provide the services, sometimes resulting in fees and over limit charges and interest |
| Restitution | $75 Million | $200 Million | Est. $309 Million in substantial harm to consumers |
| Penalty | $7.8 Million | $14 Million | $20 Million |
| Breadth of Consumer Harm | Approx. 250,000 consumers | 4.7 Million cardholders | 2.1 Million customers |

Debra Ciskey is the Director of Compliance at Afni, Inc. She is a member of the board of directors and a certified instructor for ACA International.