BROKERS COMPLIANCE GROUP®


Wednesday, February 26, 2014

Creating a Culture of Compliance

Everywhere we turn, there is compliance, compliance,
and more compliance required across the board.[i]
Donald J. Frommeyer, CRMS
President of NAMB

The ancient Greek philosophers knew the fundamental distinction between theory and practice. For them “theory” (or theoria) differed from “practice” (or praxis) in that the former meant examining things and the latter meant doing things! In other words, theory was a sort of spectators’ sport, while practice was playing the sport itself. Advanced mathematics is somewhat similar: there is pure (or theoretical) mathematics and then there is applied mathematics. Some theories remain theories forever, and others are extrapolated into practice. So, as it happens, some cogent theories simply do not need practical applications to be cohesive theories. Practical applications, however, must be experimentally valid all of the time.

The requirements of implementing a theory can be daunting, especially when the consequences of its practical applications are not sufficiently understood. To put a fine point on this observation: what may seem perfectly acceptable in theory can be entirely unacceptable in practice. Thus, some things are possible theoretically and other things are not possible practically. In compliance, I have learned to approach the notion of something being ‘theoretically possible’ with extreme caution!

So, given the challenges of regulations (theories) and compliance requirements (practices), (1) how should a financial institution accomplish evaluations of its loan origination risks and, most importantly, (2) how should it go about embedding such assessments into a culture of compliance? In this article, I am going to provide ways and means by which the management of a financial institution will be able to create a culture of compliance that serves as the foundation upon which to manage risk associated with mortgage loan originations. I will provide an extensive set of questions, the answers to which should call forth the ways and means to establish compliance solutions.*

If you have ten thousand regulations,
you destroy all respect for the law.

Winston Churchill

So, how to create a culture of compliance?

Begin at the beginning!

When was the last time that a risk assessment was performed to identify all the loan products, which departments were affected in originating them, and what staff are responsible to effectuate the origination? That is where to begin. Residential mortgage lenders and originators may offer some, or all, of the loan products subject to the Ability-to-Repay (ATR) and Qualified Mortgage (QM) rule promulgated by the Consumer Financial Protection Bureau (Bureau). But originating those loan products starts with identifying the loan flow process itself.

Furthermore, any new origination requirements will affect a number of parts of business systems and processes. For instance, a very short list of affected areas includes the forms and processes used to communicate internally and externally that are subject to verification requirements; the systems and processes used to underwrite loans; and the secondary marketing and servicing processes and systems, which need risk evaluation metrics, especially with respect to ATR provisions related to the refinancing of non-standard loans into standard loans.

Specifically, are the various integrated processes and procedures set up to identify loans on the transaction systems with their definitional status under such regulations as the ATR and QM rule, which may involve creating new data element(s) within those very processing systems? Likewise, if the loan is a QM, is a formal consideration undertaken to determine levels of liability exposure and liability protection that a loan is receiving as it moves through the origination process?

To insure peace of mind
ignore the rules and regulations.
 
George Ade

The American humorist, George Ade, may have found a way to peace of mind by ignoring rules and regulations. Perhaps he intuitively knew something about the stress involved in originating residential mortgage loans! If you have problems with rules and regulations, I suggest you choose another line of work, for happiness will forever elude you.

Consider this: the ATR and QM rule is just one component of the Bureau’s Dodd-Frank Act Title XIV rulemakings! Here are a few other rules that are now the law of the land:

  • 2013 HOEPA Rule
  • ECOA Valuations Rule
  • TILA Higher-Priced Mortgage Loans Appraisal Rule
  • Loan Originator Rule
  • RESPA and TILA Mortgage Servicing Rules
  • TILA Higher-Priced Mortgage Loans Escrow Rule

Some of these rules are directly and indirectly intersected, interlocked, overlapped, interfaced, and cross-tabulated; they are correlated, tabularized and re-tabularized, re-ordered, enumerated and re-enumerated, re-codified, and, generally, comprehensively systematized.[ii] Each of these rules affects one or more aspects of the loan origination process, organizational structure, and risk exposure. So maybe the great American humorist was on to something!

Nevertheless, if we are going to play, we will have to play within the rules. This means considering not only the compliance implications internally but also the interaction between the financial institution and the third parties upon which the institution relies for verifications, credit and other borrower information, disclosures, underwriting software, compliance and quality-control systems and processes, and records management. In addition to the foregoing third parties, also to be considered are software providers, various vendors, and business partners. Training may also be necessary for these service providers and agents!

All the starting-point reviews in the world will lead to little or no action throughout an organization where certain training needs are not being met. Therefore, from the outset, it is critical to consider what training will be necessary for loan officers, secondary marketing, processing, compliance, and quality control personnel. Any staff involved at critical junctures in the loan flow process should receive training, certainly anyone who approves, processes, or monitors credit transactions.

Thursday, February 7, 2013

Social Media and Networking

When you think of advertising, do you include social media? These days, most of you do!

However, social media compliance - which I shall call "SMC" - is a considerable undertaking, far more involved than just issuing a policy and procedure. Often, implementing SMC includes working with internet technology and information security professionals, collaborating with sales, compliance, legal, marketing, and human resources personnel, and ensuring that virtually all employees understand their own obligations with respect to using internet communications.

We have drafted SMC policy statements that call for constant vigilance by management and appointed staff to monitor for and find the appropriate remedies to transgressions relating to use of a company's name, logo, products, and services, in casual and even formal social media interactions.

Recently, the Federal Financial Institutions Examination Council (FFIEC) issued a request for comments, entitled Social Media: Consumer Compliance Risk Management Guidance ("Notice"). FFIEC issued this notice on behalf of its six members: the Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the "Agencies"); and the State Liaison Committee (SLC). Succinctly put, whatever the federal agencies eventually adopt, the states will issue the final guidance as supervisory guidance not only to the institutions that are, by extension, under their supervision but also through the State Liaison Committee, thereby encouraging state regulators to adopt the guidance.

This means that institutions will be expected to use the forthcoming guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities. State agencies that adopt the guidance will expect the entities that they regulate to use the guidance in their efforts to ensure that their risk management and consumer protection practices adequately address the compliance and reputation risks raised by activities conducted via social media.

In this article, I will consider certain features of FFIEC's social media Notice as well as some important subjects to be addressed in constructing an SMC policy and procedure.*

_______________________________________________________

IN THIS ARTICLE
Defining Social Media
Use of Social Media
Risks of Social Media
Risk Management
Risk Areas
Laws and Regulations
Major Risks
Policy and Procedures
_______________________________________________________

Defining Social Media

Social media has been defined in a number of ways. For purposes of the proposed guidance, the Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. 

Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review websites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille).

A simple test to distinguish social media from other online media is that the social media communication tends to be more interactive.

_______________________________________________________

Use of Social Media

Financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers.

For instance, social media has been used to receive and respond to complaints. It has also been used to provide loan pricing. Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions.

To manage potential risks to financial institutions and consumers, however, financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged.

_______________________________________________________

Risks of Social Media

The use of social media by a financial institution to attract and interact with customers can impact a financial institution’s risk profile. 

The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk. 

Increased risk can arise from a variety of directions, including poor due diligence, oversight, or control on the part of the financial institution. Obviously, procedures must be implemented that help financial institutions to identify potential risk areas and appropriately address them, as well as ensure that they are aware of their responsibilities to oversee and control these risks within their overall risk management program.

Therefore, financial institutions should address the applicability of existing federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the CFPB.

_______________________________________________________

Risk Management

A financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium. 

FFIEC gives this rule of thumb: a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. 

The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. FFIEC makes it clear that a financial institution that has chosen not to use social media should still be prepared to address the potential for negative comments or complaints that may arise within the many social media platforms and provide guidance for employee use of social media.