BROKERS COMPLIANCE GROUP®

AARMR | ABA | ACAMS | ALTA | ARMCP | IAPP | IIA | MBA | MERS® | MISMO | NAMB


Wednesday, February 25, 2015

The Lead Generation Company: Managing the Risk

Jonathan Foxx
President & Managing Director

Generating leads is an important way to reach consumers. It is also fraught with regulatory risk. A lead is consumer information that signals consumer interest or inquiry into products or services offered by a business, such as residential mortgage lenders and originators. There are several factors to be considered, not just licensing. I will list some rudimentary guidelines in this article, specifically with respect to contact with the consumer. I urge you to consult with a risk management professional to ensure that a marketing campaign to generate leads complies with the applicable federal and state guidelines. Although my focus is primarily on the online lead generation process, virtually all the guidelines provided herein may be extrapolated for use in offline lead generation campaigns.

Clients often ask my firm to vet a lead generator, which I will call a Lead Generation Company. Careful risk management advice should be considered when developing and managing leads, whether obtained from an outsourced entity or a loan originator’s own website, in-house, or through online lead generation advertisements. Certainly, any loan originator that uses leads must have an internal compliance function that accounts for proper licensing of the Lead Generation Company (where required), monitoring of the integrity of the data derived from it, testing conformance with the originator’s policies, and training of staff in the appropriate use of lead-generated consumer data.

Banking departments these days are not just looking at licensing qua licensing. They are looking for loan originator compensation violations that are triggered by lead generation. For instance, they know that loans may have different cost structures depending on how the loans were initially received by the lender. A lead generated by the loan originator may be compensated differently than those generated by the creditor. As long as this doesn’t constitute a proxy for a loan term or condition, it is generally acceptable; that is, the loan officer may also be reimbursed for lead generation and other legitimate business costs, but the creditor must beware of how this may serve as a proxy for terms and conditions. It is up to the lender to make this determination (and properly document it).

Four Rules

In any lead generating marketing, the following four rules should be implemented:

1.     Complete, accessible, and straightforward disclosure of all parties’ intent regarding data collection and usage is essential;
2.     Data should not be brokered or sold without consent (or notice and choice) of all parties involved, including the consumer and the loan originator;
3.     The consumer, the Lead Generation Company, and the loan originator should all be made aware, through clear notices, of all parties involved in data collection and sharing; and,
4.     All parties should be educated and aware of current regulations regarding consumer protection and privacy.

These four rules become the bases of the policies, procedures, contractual arrangements, and protocols that ensure a viable marketing campaign that relies, in whole or in part, on lead generation.

Regulatory Focus

The regulators involved in enforcement of compliance with lead generation rules include, but are not limited to, state banking departments, state Attorneys General, the Federal Trade Commission (“FTC”),[i] and the Consumer Financial Protection Bureau (“Bureau”). We already know that the Bureau examines whether the lead generator is a third-party provider and reviews the terms and appropriateness of the relationship. The Bureau reviews advertisements and advertising sources. It will review TV, radio, print media, Internet, scripts, recordings, and so forth. It will determine if there was proper consumer disclosure all along the way, from point of contact with the consumer to point of contact with the lender, including any intimation of fees and other terms and conditions. Plus, a review is conducted for online data security and sharing of consumer information.

Although the new loan originator qualification standards do not impose licensing requirements, every lender must ensure that each loan originator in its employ is licensed and registered in compliance with laws related to the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE), if applicable. Further, entities engaged in lead generation and marketing activities, as well as the companies that do business with such entities, need to pay particular attention to their activities to ensure that they do not inadvertently engage in loan originator activity. If they do, they’ll need to make sure that they meet the new loan originator qualification standards, including licensing requirements. Failure to meet these standards will give rise to severe civil liability that could impair the collectability of the loan.

The Bureau has stated that anytime a consumer gives out sensitive personal and financial information on the Internet there are risks involved to the consumer. In the context of Pay Day Loans, for instance, the Bureau has already warned consumers that if a consumer applies for a loan online, the consumer could be increasing risk significantly.

The Bureau has expressed concern that an online application or form that consumers fill out could be sold to a loan originator that offers to originate a loan on behalf of the consumer. Indeed, the Bureau also has indicated it has concerns that multiple lenders or other settlement service providers could pay for this information, thereby causing them to contact or email the consumer.

Thursday, February 7, 2013

Social Media and Networking

When you think of advertising, do you include social media? These days, most of you do!

However, social media compliance - which I shall call "SMC" - is a considerable undertaking, far more involved than just issuing a policy and procedure. Often, implementing SMC includes working with internet technology and information security professionals, collaborating with sales, compliance, legal, marketing, and human resources personnel, and ensuring that virtually all employees understand their own obligations with respect to using internet communications.

We have drafted SMC policy statements that call for constant vigilance by management and appointed staff to monitor for and find the appropriate remedies to transgressions relating to use of a company's name, logo, products, and services, in casual and even formal social media interactions.

Recently, the Federal Financial Institutions Examination Council (FFIEC) issued a request for comments, entitled Social Media: Consumer Compliance Risk Management Guidance ("Notice"). FFIEC issued this notice on behalf of its six members: the Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the "Agencies"); and the State Liaison Committee (SLC). Succinctly put, whatever the federal agencies eventually adopt, the states will issue the final guidance as a supervisory guidance not only to the institutions that are, by extension, under its supervision but also through the State Liaison Committee, thereby encouraging state regulators to adopt the guidance.

This means that institutions will be expected to use the forthcoming guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities. State agencies that adopt the guidance will expect the entities that they regulate to use the guidance in their efforts to ensure that their risk management and consumer protection practices adequately address the compliance and reputation risks raised by activities conducted via social media.

In this article, I will consider certain features of FFIEC's social media Notice as well as some important subjects to be addressed in constructing an SMC policy and procedure.*

_______________________________________________________

IN THIS ARTICLE
Defining Social Media
Use of Social Media
Risks of Social Media
Risk Management
Risk Areas
Laws and Regulations
Major Risks
Policy and Procedures
_______________________________________________________

Defining Social Media

Social media has been defined in a number of ways. For purposes of the proposed guidance, the Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. 

Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review websites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille).

A simple test to distinguish social media from other online media is that the social media communication tends to be more interactive.

_______________________________________________________

Use of Social Media

Financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers.

For instance, social media has been used to receive and respond to complaints. It has also been used to provide loan pricing. Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions.

To manage potential risks to financial institutions and consumers, however, financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged.

_______________________________________________________

Risks of Social Media

The use of social media by a financial institution to attract and interact with customers can impact a financial institution’s risk profile. 

The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk. 

Increased risk can arise from a variety of directions, including poor due diligence, oversight, or control on the part of the financial institution. Obviously, procedures must be implemented that help financial institutions identify potential risk areas and address them appropriately, and that ensure institutions are aware of their responsibilities to oversee and control these risks within their overall risk management program.

Therefore, financial institutions should address the applicability of existing federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the CFPB.

_______________________________________________________

Risk Management

A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. 

FFIEC gives this rule of thumb: a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. 

The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. FFIEC makes it clear that a financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms and provide guidance for employee use of social media.