The Banking & Securities series presents:


Consumer Compliance Lending: Do You Know Your ABCs?
John Graetz, Tammy Milliken, Margo Hines

October 28, 2008
Agenda

    • Consumer regulations overview

    • Regulatory review of compliance programs

    • Roles and responsibilities for management

    • Risk focused consumer compliance supervision
      framework




Copyright © 2008 Deloitte Development LLC. All rights reserved.
Poll question #1
 How much do you think the consumer protections
 laws impact your business?

 • Significantly
 • Moderately
 • Somewhat
 • Not at all
 • Not applicable




Major rules and regulations
   Alphabet soup
   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AA BB CC DD EE FF

   •    Fair Credit Reporting Act (FCRA)
   •    FDIC's Amended Advertising Regs (Part 328)
   •    FDIC's Deposit Insurance Regs (Part 330)
   •    The John Warner National Defense Authorization Act (Talent
        Amendment)
   •    Right to Financial Privacy Act (RFPA)
   •    Servicemembers Civil Relief Act (SCRA)
   •    Treasury's Bank Secrecy Regulation
   •    Equal Credit Opportunity Act (ECOA)
Regulators

       •    Federal Trade Commission (FTC)
       •    Federal Reserve
       •    Office of the Comptroller of the Currency (OCC)
       •    Federal Deposit Insurance Corporation (FDIC)
       •    Securities & Exchange Commission (SEC)
       •    Office of Thrift Supervision (OTS)
       •    Financial Industry Regulatory Authority (FINRA)
       •    Financial Crimes Enforcement Network (FinCEN)
       •    State regulators



Applicable regulations and statutes
    • Credit/Collections-Related
              –     Regulation C (Home Mortgage Disclosure)
              –     Regulation H (Flood Insurance)
              –     Regulation Z (Truth in Lending)
              –     Fair Debt Collection Practices Act
              –     Fair Credit Billing Act
              –     Fair Credit Reporting Act (related amendments-Fair and Accurate Credit
                    Transactions Act)
              – Homeowners Protection Act
              – Homeownership Counseling
              – Real Estate Settlement Procedures Act
    • The Servicemembers Civil Relief Act (SCRA)


Applicable regulations and statutes (cont.)
   The Unfair and Deceptive Practices Act (UDAP)
   Unfair Act:
   • An unfair act is one that causes harm to a consumer. The
     injury must be substantial, which includes monetary harm,
     pecuniary, or other loss with no real countervailing benefit.
   Deceptive Practice:
   • A deceptive practice involves a representation, omission or
     action that is likely to mislead the consumer. This includes
     false representations, misleading claims, inadequate
     disclosures, and use of bait and switch techniques.

   Source: Federal Reserve Board of Governors


Applicable regulations and statutes (cont.)
   Privacy
   • The Privacy Act of 1974
   • Health Insurance Portability and Accountability Act of 1996
     (HIPAA) privacy act
   • Children’s Online Privacy Protection Act (COPPA) Rule
   • Customer Proprietary Network Information (CPNI)
   • Gramm-Leach-Bliley (GLB) Act
   • CAN-SPAM Act
   • Bank Secrecy Act
   • USA PATRIOT Act
   • Various state laws, e.g., California’s Office of Privacy
     Protection
Global Response: Proliferation of Privacy and Data
 Protection Laws & Regulations
  Please note the below are examples and not a representative list.

   • US Federal: GLBA, HIPAA, COPPA, Do Not Call
   • Numerous State Laws: Breach Notification, States from CA to NY
   • Canada (Federal/Provincial): PIPEDA, FOIPPA, PIPA, Do Not Call, CPNI
   • European Union: EU Data Protection Directive and Member States Data
     Protection Laws, Safe Harbor Principles
   • South Korea: Act on Promotion of Information and Communications Network
     Utilization and Data Protection
   • Hong Kong: Personal Data Privacy Ordinance
   • Japan: Guidelines for the Protection of Computer Processed Personal Data
   • India: Law pending, currently under discussion
   • Taiwan: Computer-Processed Personal Data Protection Law
   • Philippines: Data Privacy Law proposed by ITECC
   • Australia: Federal Privacy Amendment Bill, State Privacy Bills in Victoria,
     New South Wales and Queensland, new email spam and privacy regulations
   • New Zealand: Privacy Act
   • South Africa: Electronic Communications and Transactions Act
   • Chile: Law for the Protection of Private Life
   • Argentina: Personal Data Protection Law, Confidentiality of Information Law
Poll question #2
 Do you think your organization has a full grasp on the
 entire universe of consumer laws that it is subject to?

 • Yes
 • No
 • Somewhat
 • Don’t know




Background on TILA and Reg. Z

   • Purposes of Truth in Lending Act (TILA):
          - Promote the informed use of consumer credit by
            requiring disclosures about its terms and cost.
          - Give consumers the right to cancel certain credit
            transactions.
          - Regulate certain credit card practices and provide a
            means for fair and timely resolution of credit billing
            disputes.
   • TILA applies to each individual or business that
     offers or extends credit

   Source: Federal Reserve Board of Governors

Housing and Economic Recovery Act of 2008
 • Primarily intended to address the subprime mortgage crisis.
 • Authorizes the Federal Housing Administration to guarantee up to $300
   billion in new 30-year fixed-rate mortgages for subprime borrowers if
   lenders write down principal loan balances to 90 percent of current
   appraisal value.
 • Requires existing mortgage holders to accept the proceeds of the
   insured loan as payment in full for all indebtedness.
 • States are authorized to refinance subprime loans using mortgage
   revenue bonds.
 • Through the powers granted to the Federal Housing Finance Agency
   (FHFA), created by the act on September 7, 2008, FHFA director James
   B. Lockhart III announced he had put Fannie Mae and Freddie Mac
   under the conservatorship of the FHFA.
 • Amends the Truth-in-Lending Act (TILA) to expand the types of home
   loans subject to early disclosures and improve loan disclosures given to
   individuals and families on original and refinancing home loans.
 Source: U.S. Senate Committee on Banking, Housing and Urban Affairs
Regulatory Review of Compliance Programs




Emergency Economic Stabilization Act of 2008
Quotes from Treasury Secretary Henry Paulson regarding the
rationale for the bailout:
 • Stabilize the economy: "We must... avoid a continuing series of financial
   institution failures and frozen credit markets that threaten American families'
   financial well-being, the viability of businesses both small and large, and the very
   health of our economy."
 • Improve liquidity: "These bad loans have created a chain reaction and last
   week our credit markets froze – even some Main Street non-financial companies
   had trouble financing their normal business operations. If that situation were to
   persist, it would threaten all parts of our economy."
 • Comprehensive strategy: "We must now take further, decisive action to
   fundamentally and comprehensively address the root cause of this turmoil. We
   must address this underlying problem, and restore confidence in our financial
   markets and financial institutions so they can perform their mission of supporting
   future prosperity and growth."
 • Immediate and significant: "This troubled asset relief program has to be
   properly designed for immediate implementation and be sufficiently large to have
   maximum impact and restore market confidence."
Emergency Economic Stabilization Act of 2008 (cont.)
Quotes from Treasury Secretary Henry Paulson regarding the
rationale for the bailout:
 • Broad impact: "This troubled asset purchase program on its own is the single
   most effective thing we can do to help homeowners, the American people and
   stimulate our economy."
 • Investor confidence: "As investors lost confidence in them some companies
   saw their access to liquidity and capital markets increasingly impaired and their
   stock prices drop sharply."
 • Impact on economy and GDP: "Extraordinarily turbulent conditions in global
   financial markets... these conditions caused equity prices to fall sharply, the cost
   of short-term credit--where available--to spike upward, and liquidity to dry up in
   many markets. Losses at a large money market mutual fund sparked extensive
   withdrawals from a number of such funds. A marked increase in the demand for
   safe assets--a flight to quality--sent the yield on Treasury bills down to a few
   hundredths of a percent. By further reducing asset values and potentially
   restricting the flow of credit to households and businesses, these developments
   pose a direct threat to economic growth."

Why care?
   • Organizations, like individuals, can be found guilty of
     criminal conduct and can incur civil liability.
   • While organizations cannot be imprisoned, among other
     things, they can be:
          - Fined
          - Subjected to increased regulatory supervision
          - Ordered to make restitution
          - Embarrassed by notices of conviction
          - Exposed to applicable forfeiture or disgorgement statutes




What a September!
   [Figure: timeline of market events. Axis: AUG ‘07, SEP ‘07, OCT ‘07, NOV ‘07,
   DEC ‘07, JAN ‘08, FEB ‘08, MAR ‘08, APR ‘08, MAY ‘08, JUN ‘08, JUL ‘08, AUG ‘08,
   SEP ‘08, OCT ‘08. Events labelled on the timeline:]
   • Bear hedge fund collapses
   • Countrywide Bank run
   • Fed cuts rate by 0.5%
   • Stan O’Neil leaves ML
   • Chuck Prince leaves Citi
   • Abu Dhabi SWF invests $7.5B in Citi
   • John Thain joins ML
   • China Inv Corp invests $5B in MS
   • Govt of Singapore Inv Corp invests $11B in UBS
   • Jimmy Cayne resigns from Bear, Alan Schwartz, CEO
   • BAC acquires Countrywide
   • 3 SWFs invest $10B in ML
   • Fed cuts rate by 0.75%
   • Vikram Pandit becomes Citi CEO
   • Bear sold to JPMC
   • Ken Thompson resigns from Wachovia
   • Martin Sullivan resigns from AIG, Willumstad becomes CEO
   • IndyMac fails
   • Govt seizes Fannie/Freddie
   • Dan Mudd resigns from Fannie, Herb Allison, new CEO
   • Richard Syron resigns from Freddie, David Moffett, new CEO
   • ML sold to BAC. Lehman files for bankruptcy
   • US takes over AIG
   • Money fund goes below $1
   • Barclays agrees to buy parts of Lehman
   • Goldman, Morgan become bank holding cos.
   • Nomura acquires Lehman’s Asia ops
   • Mitsubishi acquires 20% of MS
   • Buffett invests $5B in Goldman
   • WaMu acquired by JP Morgan
   • $700B Treasury rescue plan approved
   • $700B Treasury rescue plan passes
   • Wachovia acquired by Wells Fargo
   • US announces that they will buy equity stakes in banks




Regulatory view of the need for corrective action
   Q1. What types of problems has the bank had in the past?
   Q2. Has the severity of problems progressed?
   Q3. Does the management team have a history of identifying
       problems within the bank or do outside parties usually
       surface them?
   Q4. Does the management team have the ability to fix the
       current problem?
   Q5. Has the bank been placed under an enforcement action
       before? If so, how long ago and for what?




Poll question #3
        What are some key actions Internal Audit/Compliance
        should undertake to help your organization adapt to the
        new market environment?

      • Enhancement of the risk assessment process (methodology, frequency,
        specific focus areas such as acquired operations)
      • Increase in specialized Internal Audit/Compliance resources in areas such as
        regulatory, capital markets, risk management
      • Internal Audit Plan/Compliance to be significantly expanded to address ever
        increasing/changing risk environment
      • Internal Audit Plan/Compliance to be limited to critical or high risk processes
        allowing Internal Audit/Compliance resources to remain flat with prior year
      • No significant changes anticipated to internal audit structure, approach or
        audit execution
      • Not applicable
Compliance program – Regulatory
   expectations
   • Compliance standards and procedures reasonably capable of
     reducing the prospect of criminal activity
   • Reductions in redundancies and clear streamlined processes
   • Oversight by high-level personnel
   • Due care in delegating substantial discretionary authority
   • Effective communication to all levels of employees
   • Reasonable steps to achieve compliance, which include
     systems for monitoring, auditing, and reporting suspected
     wrongdoing without fear of reprisal
   • Consistent enforcement of compliance standards including
     disciplinary mechanisms
   • Reasonable steps to respond to and prevent further similar
     offenses upon detection of a violation
   Source: Regulatory examination handbooks
Regulatory risk
    The assignment of a risk rating might be affected by
    such factors as:
    • Potential financial harm to consumers
    • Potential legal, reputation, and financial harm to a bank
    • New laws, regulations or amendments thereof
    • Historical industry compliance
    • The burden of corrective action, including potential
      supervisory actions or civil liability that could lead to
      monetary penalties




Product risk measures

   Product Management
   • Relates to the bank’s ability to identify, monitor, and
     manage the compliance risk inherent with a particular
     product.


   Product Materiality
   • Reflects the importance of a product as compared to other
     products offered by the bank.




Product risk measures (cont.)
  Product Stability
  • An assessment of such characteristics as the newness, growth, or any
    complex compliance issues associated with the product, automation
    used to comply with applicable laws and regulations, and any recent
    changes to the statutes or regulations affecting the product


    Bank Size or Market Share
  • A bank’s size or market share serves as a proxy for the number of
    consumers potentially affected by a bank’s activities. Generally, banks
    with assets of less than $250 million represent lower risk in this regard,
    while those with assets of more than $1 billion are higher risk. There
    may be instances where the market share of a product line, rather than
    the absolute size of the bank, may be the leading indicator of the impact
    on consumers.

Sample examination approach
    REGULATION RISK TABLE

    RISK              Statute/Regulation                                Section(s) for review
    (1=low, 5=high)
    1                 Real Estate Settlement Procedures Act (Reg X)     Mortgage Servicing Transfer Disclosure
    1                 Right to Financial Privacy Act                    All
    1                 Fair Debt Collection Practices Act                All
    1                 Unfair or Deceptive Acts or Practices (Reg AA)    All
    2                 Expedited Funds Availability (Reg CC)             All
    2                 Truth in Savings Act (Reg DD)                     All
    2                 Reserve Requirements (Reg D)                      All
    2                 Fair Credit Reporting Act C                       All
    2                 Consumer Leasing (Reg M)                          All
    2                 Interest on Deposits (Reg Q)                      All
    3                 Real Estate Settlement Procedures Act (Reg X)     All provisions except those rated “1” and “4”
    3                 Truth in Lending Act (Reg Z)                      All provisions except those rated “4”
    3                 Electronic Funds Transfer Act (Reg E)             All
    3                 Reg. B and FHA Provisions                         All provisions not covered by FFIEC interagency procedures
    4                 Truth in Lending Act (Reg Z)                      APR/Finance charge, HOEPA, and rescission
    4                 National Flood Insurance Act (Reg H)              All
    4                 Privacy (Reg P)                                   All
    4                 Real Estate Settlement Procedures Act (Reg X)     Section 8
    5                 HMDA and CRA                                      Data verification

Roles and Responsibilities for Management




Poll question #4
       Does your management or governance board
       articulate the tone for your organization’s
       compliance focus?

      •Yes
      •No
      •Somewhat
      •Not Sure




Board of directors and senior management oversight
   • The board of directors and senior management should:
             – Provide oversight of the consumer compliance program – this is
               essential
             – Periodically review the effectiveness of the bank’s consumer
               compliance risk management program, including how findings are
               reported and whether the audit mechanisms in place provide
               adequate oversight
             – Stress that quality and timeliness of the information provided to the
               key decision-makers regarding the bank’s consumer compliance
               program are important for assessing the program’s effectiveness
             – Determine that sufficient resources have been devoted to the program
             – Provide support, authority and independence to the individuals directly
               responsible for implementing the consumer compliance program and
               for performing audit/review activities
             – Make certain that consumer compliance weaknesses are addressed
               and corrective action is taken in a timely manner
Risk management and board reporting
      Risk Implications
      • Potential interaction of multiple risks may be underestimated (internal and
        extended enterprise)
      • Risk managers may be isolated in silos

      • Risk management often focuses on compliance rather than performance,
        leading to inadequate assessments and responses

      Considerations
      • Use a common definition of risk throughout the organization, which addresses
        both value preservation and value creation
      • Use a common risk management infrastructure and framework supported by
        appropriate standards
      • Provide governing bodies (e.g., boards, audit committees, etc.) with the
        appropriate transparency and visibility into the organization’s risk
        management practices to discharge their responsibilities
Organizational structure
   • Is the bank’s organizational structure appropriate
     for the size and complexity of its operations?
   • Does the bank have a compliance officer?
   • How independent is the compliance officer?
   • How comprehensive is the bank’s compliance
     program?
   • How much time does the compliance officer devote
     to regulatory compliance?
   • Does the bank’s compliance officer operate a
     proactive or reactive compliance program?
Risk Focused Consumer Compliance Supervision Framework




Types of risk
   Product Risk
   • The characteristics of a product, such as its newness or
     complexity, that are likely to affect the probability and
     impact of noncompliance

   Regulation Risk
   • The possible consequences of noncompliance with
     applicable laws and regulations to the bank and its
     customers




Types of Risk (cont.)
   Operational Risk
   • The potential that inadequate information systems,
     operational problems, breaches in internal controls, fraud,
     or unforeseen catastrophes will result in unexpected losses
   Legal Risk
   • The potential that unenforceable contracts, lawsuits, or
     adverse judgments can disrupt or otherwise negatively
     affect the operations or condition of a bank
   Reputational Risk
   • The potential that negative publicity regarding a bank’s
     business practices, whether true or not, will cause a decline
     in the customer base, costly litigation, or revenue
     reductions
Policies and procedures

   • An effective consumer compliance program will have
     compliance policies and procedures in place, the formality
     of which (written or unwritten) depends upon the needs of
     the bank
   • The degree to which compliance policies and procedures
     are formalized is not as important as their effectiveness
   • Procedures should provide personnel with guidance that
     enables them to complete transactions in accordance with
     applicable laws and regulations




Compliance audits/reviews
   • Compliance audits, which can be performed by either in-
     house staff or external personnel, are a tool to help
     management and staff ensure continuing compliance and
     identify different risk factors in a bank
   • Compliance reviews are less comprehensive than
     compliance audits, but they are conducted more frequently
     (e.g., daily, weekly, monthly, quarterly) and are typically
     performed by the compliance officer or a designated person
     within the department
   • The size of the bank and the scope and complexity of its
     operations will determine whether a compliance audit or a
     compliance review is appropriate

Training
   • Ongoing education of bank personnel is essential to
     maintaining a sound consumer compliance program
   • The adequacy of a bank’s training program, like that of its
     overall consumer compliance program, should be assessed
     in view of the bank’s organizational structure and the
     activities in which it engages




Poll question #5

        Does your organization separate your audit
        and compliance functions?

      •Yes
      •No
      •Not Sure
      •Not applicable




Internal controls
   • Effective internal controls help to mitigate a bank’s
     consumer compliance risk and should be an
     integral part of the daily operations of a bank
   • Internal controls may take several forms, including:
          - Independent reviews of specific functions or tasks
          - Segregation of duties to create a system of checks and
            balances
          - Controls over default settings associated with highly
            automated calculation tools
          - Verification of data before a transaction is completed
          - Appropriate approvals and authorizations
          - Periodic transaction testing and reviews of forms and
            procedures
Questions & Answers




Join us November 19 at 2 PM EST as our Banking & Securities series presents:

State Taxation: How Will New State Laws Impact Your Business?
Thank you for joining today’s webcast.

To request CPE credit, click the link below.


Contact info
 John Graetz
 Deloitte & Touche LLP
 Regulatory & Capital Markets Consulting
 Phone: +1 415 783 4242

 Tamara Milliken
 Deloitte & Touche LLP
 Regulatory & Capital Markets Consulting
 Phone: +1 704 887 1876

 Margo Hines
 Deloitte & Touche LLP
 Regulatory & Capital Markets Consulting
 Phone: +1 704 227 7920




This presentation contains general information only and is based on the
 experiences and research of Deloitte practitioners. Deloitte is not, by means of this
 presentation, rendering business, financial, investment, or other professional
 advice or services. This presentation is not a substitute for such professional
 advice or services, nor should it be used as a basis for any decision or action that
 may affect your business. Before making any decision or taking any action that
 may affect your business, you should consult a qualified professional advisor.
 Deloitte, its affiliates, and related entities shall not be responsible for any loss
 sustained by any person who relies on this presentation.




About Deloitte

 Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member
 firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a
 detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see
 www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its
 subsidiaries.




A member firm of Deloitte Touche Tohmatsu
Fsi Consumer Compliance Dbriefs 102808 Show

  • 1. The Banking & Securities series presents: Consumer Compliance Lending: Do You Know Your ABCs? John Graetz, Tammy Milliken, Margo Hines October 28, 2008
  • 2. Agenda • Consumer regulations overview • Regulatory review of compliance programs • Roles and responsibilities for management • Risk focused consumer compliance supervision framework Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 3. Poll question #1 How much do you think the consumer protections laws impact your business? •Significantly •Moderately •Somewhat •Not at all •Not applicable Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 4. Major rules and regulations Alphabet soup A B C D E F G H I J K L M N OPQR STUV W X Y Z AA BB CC DD EE FF • Fair Credit Reporting Act (FCRA) • FDIC's Amended Advertising Regs (Part 328) • FDIC's Deposit Insurance Regs (Part 330) • The John Warner National Defense Authorization Act (Talent Amendment) • Right to Financial Privacy Act (RFPA) • Servicemembers Civil Relief Act (SCRA) • Treasury's Bank Secrecy Regulation • Equal Credit Opportunity Act (ECOA) 1 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 5. Regulators • Federal Trade Commission (FTC) • Federal Reserve • Office of the Comptroller of the Currency (OCC) • Federal Deposit Insurance Corporation (FDIC) • Securities & Exchange Commission (SEC) • Office of Thrift Supervision (OTS) • FINRA- Financial Industry Regulatory Authority (FINRA) • Financial Crimes Enforcement Network (FinCEN) • State regulators 2 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 6. Applicable regulations and statutes • Credit/Collections-Related – Regulation C (Home Mortgage Disclosure) – Regulation H (Flood Insurance) – Regulation Z (Truth in Lending) – Fair Debt Collection Practices Act – Fair Credit Billing Act – Fair Credit Reporting Act (related amendments-Fair and Accurate Credit Transactions Act) – Homeowners Protection Act – Homeownership Counseling – Real Estate Settlement Procedures Act • The Servicemembers Civil Relief Act (SCRA) 3 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 7. Applicable regulations and statutes (cont.) The Unfair and Deceptive Practices Act (UDAP) Unfair Act: • An unfair act is one that causes harm to a consumer. The injury must be substantial, which includes monetary harm, pecuniary, or other loss with no real countervailing benefit. Deceptive Practice: • A deceptive practice involves a representation, omission or action that is likely to mislead the consumer. This includes false representations, misleading claims, inadequate disclosures, and use of bait and switch techniques. Source: Federal Reserve Board of Governors 4 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 8. Applicable regulations and statutes (cont.) Privacy • The Privacy Act of 1974 • Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy act • Children’s Online Privacy Protection Act (COPPA) Rule • Customer Proprietary Network Information (CPNI) • Gramm-Leach-Bliley (GLB) Act • CAN-SPAM Act • Bank Secrecy Act • USA PATRIOT Act • Various state laws, e.g., California’s Office of Privacy Protection 5 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 9. Global Response: Proliferation of Privacy and Data Protection Laws & Regulations South Korea Please note the below are examples and not a representative list. European Union Canada Act on Promotion of EU Data Protection Federal/Provincial Information and Directive and Member US Federal PIPEDA, FOIPPA, Communications States Data Protection GLBA, HIPAA, PIPA, Do Not Call, Network Utilization Laws, Safe Harbor COPPA, Do Not CPNI and Data Protection Principles Call Hong Kong Personal Japan Data Privacy Guidelines for the Ordinance Protection of Computer Numerous State Laws Processed Breach Notification Personal Data States from CA to NY India Taiwan Law pending Computer- Chile currently Processed Law for the under Personal Data Protection of discussion Protection Law South Africa Australia Private Life Electronic Philippines Federal Privacy Communications Amendment Bill, New Data Privacy Argentina and Transactions Zealand Law State Privacy Bills in Personal Data Act proposed by Victoria, New South Privacy Act Protection Law, ITECC Wales and Queensland, Confidentiality of new email spam and Information Law privacy regulations 6 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 10. Poll question #2 Do you think your organization has a full grasp on the entire universe of consumer laws that it is subject to? •Yes •No •Somewhat •Don’t know Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 11. Background on TILA and Reg. Z • Purposes of Truth in Lending Act (TILA): - Promote the informed use of consumer credit by requiring disclosures about its terms and cost. - Gives consumers the right to cancel certain credit transactions. - Regulates certain credit card practices, and provides a means for fair and timely resolution of credit billing disputes. • TILA applies to each individual or business that offers or extends credit Source: Federal Reserve Board of Governors 7 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 12. Housing and Economic Recovery Act of 2008 • Primarily intended to address the subprime mortgage crisis. • Authorizes the Federal Housing Administration to guarantee up to $300 billion in new 30-year fixed-rate mortgages for subprime borrowers if lenders write down principal loan balances to 90 percent of current appraisal value. • Requires existing mortgage holders to accept the proceeds of the insured loan as payment in full for all indebtedness. • States are authorized to refinance subprime loans using mortgage revenue bonds. • Through the powers granted to the Federal Housing Finance Agency (FHFA), created by the act on September 7, 2008, FHFA director James B. Lockhart III announced he had put Fannie Mae and Freddie Mac under the conservatorship of the FHFA. • Amends the Truth-in-Lending Act (TILA) to expand the types of home loans subject to early disclosures and improve loan disclosures given to individuals and families on original and refinancing home loans. Source: U.S. Senate Committee on Banking, Housing and Urban Affairs 8 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 13. Regulatory Review of Compliance Programs Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 14. Emergency Economic Stabilization Act of 2008 Quotes from Treasury Secretary Henry Paulson regarding the rationale for the bailout: • Stabilize the economy: quot;We must... avoid a continuing series of financial institution failures and frozen credit markets that threaten American families' financial well-being, the viability of businesses both small and large, and the very health of our economy.quot; • Improve liquidity: quot;These bad loans have created a chain reaction and last week our credit markets froze – even some Main Street non-financial companies had trouble financing their normal business operations. If that situation were to persist, it would threaten all parts of our economy.quot; • Comprehensive strategy: quot;We must now take further, decisive action to fundamentally and comprehensively address the root cause of this turmoil. We must address this underlying problem, and restore confidence in our financial markets and financial institutions so they can perform their mission of supporting future prosperity and growth.quot; • Immediate and significant: quot;This troubled asset relief program has to be properly designed for immediate implementation and be sufficiently large to have maximum impact and restore market confidence.” 9 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 15. Emergency Economic Stabilization Act of 2008 (cont.) Quotes from Treasury Secretary Henry Paulson regarding the rationale for the bailout: • Broad impact: quot;This troubled asset purchase program on its own is the single most effective thing we can do to help homeowners, the American people and stimulate our economy.quot; • Investor confidence: “As investors lost confidence in them some companies saw their access to liquidity and capital markets increasingly impaired and their stock prices drop sharply.” • Impact on economy and GDP: quot;Extraordinarily turbulent conditions in global financial markets... these conditions caused equity prices to fall sharply, the cost of short-term credit--where available--to spike upward, and liquidity to dry up in many markets. Losses at a large money market mutual fund sparked extensive withdrawals from a number of such funds. A marked increase in the demand for safe assets--a flight to quality--sent the yield on Treasury bills down to a few hundredths of a percent. By further reducing asset values and potentially restricting the flow of credit to households and businesses, these developments pose a direct threat to economic growth.quot; 10 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 16. Why care? • Organizations, like individuals, can be found guilty of criminal conduct and can incur civil liability. • While organizations cannot be imprisoned, among other things, they can be: - Fined - Increased regulatory supervision - Ordered to make restitution - Embarrassed by notices of conviction - Exposed to applicable forfeiture or disgorgement statutes 11 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 17. What a September! $700B Treasury Jimmy Cayne rescue plan $700B Treasury resigns from Bear, approved rescue plan passes Alan Schwartz, CEO ML sold to BAC. Lehman Abu Dhabi Nomura files for bankruptcy SWF invests acquires Bear sold $7.5B Lehman’s to JPMC in Citi Asia ops Fed cuts Bear Ken Thompson China Inv rate by Mone hedge resigns from Corp 0.5% Buffett y fund Wachovia Stan O’Neil invests invests $5B fund collapses Fed cuts Govt seizes $5B in MS in Goldman leaves ML goes rate by Fannie/Freddie below 0.75% $1 APR AUG SEP OCT NOV DEC JAN FEB MAR MAY JUN OCT JUL AUG SEP ‘08 ‘07 ‘07 ‘07 ‘07 ‘07 ’08 ‘08 ‘08 ‘08 ‘08 ‘08 ‘08 ‘08 ‘08 Goldman, US Chuck Govt of Morgan Countrywide IndyMac takes Prince Singapore Inv 3 SWFS become bank Bank run fails over leaves Citi Corp invests invest holding cos. AIG $11B in UBS $10B in Martin Sullivan ML Barclays Wachovia resigns from Vikram John Thain BAC acquires agrees AIG, Willumstad acquired by Pandit joins ML Countrywide to buy parts Wells Fargo becomes CEO becomes of Lehman Citi CEO Mitsubishi Dan Mudd resigns acquires 20% from Fannie, US announces of MS Herb Allison, new CEO that they will buy equity Richard Syron resigns stakes in banks WaMu acquired from Freddie, by JP Morgan David Moffett, new CEO 12 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 18. Regulatory view of the need for corrective action Q1. What types of problems has the bank had in the past? Q2. Has the severity of problems progressed? Q3. Does the management team have a history of identifying problems within the bank or do outside parties usually surface them? Q4. Does the management team have the ability to fix the current problem? Q5. Has the bank been placed under an enforcement action before? If so, how long ago and for what? 13 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 19. Poll question #3 What are some key actions Internal Audit/Compliance should undertake to help your organization adapt to the new market environment? • Enhancement of the risk assessment process (methodology, frequency, specific focus areas such as acquired operations) • Increase in specialized Internal Audit/Compliance resources in areas such as regulatory, capital markets, risk management • Internal Audit Plan/Compliance to be significantly expanded to address ever increasing/changing risk environment • Internal Audit Plan/Compliance to be limited to critical or high risk processes allowing Internal Audit/Compliance resources to remain flat with prior year • No significant changes anticipated to internal audit structure, approach or audit execution • Not applicable Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 20. Compliance program – Regulatory expectations • Compliance standards and procedures reasonably capable of reducing the prospect of criminal activity • Reductions in redundancies and clear streamlined processes • Oversight by high-level personnel • Due care in delegating substantial discretionary authority • Effective communication to all levels of employees • Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal • Consistent enforcement of compliance standards including disciplinary mechanisms • Reasonable steps to respond to and prevent further similar offenses upon detection of a violation • Source: Regulatory examination handbooks 14 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 21. Regulatory risk The assignment of a risk rating might be affected by such factors as: • Potential financial harm to consumers • Potential legal, reputation, and financial harm to a bank • New laws, regulations or amendments thereof • Historical industry compliance • The burden of corrective action, including potential supervisory actions or civil liability that could lead to monetary penalties 15 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 22. Product risk measures Product Management • Relates to the bank’s ability to identify, monitor, and manage the compliance risk inherent with a particular product. Product Materiality • Reflects the importance of a product as compared to other products offered by the bank. 16 Copyright © 2008 Deloitte Development LLC. All rights reserved.
  • 23. Product risk measures (cont.)
      Product Stability
      • An assessment of such characteristics as the newness, growth, or any complex compliance issues associated with the product, automation used to comply with applicable laws and regulations, and any recent changes to the statutes or regulations affecting the product
      Bank Size or Market Share
      • A bank’s size or market share serves as a proxy for the number of consumers potentially affected by a bank’s activities. Generally, banks with assets of less than $250 million represent lower risk in this regard, while those with assets of more than $1 billion are higher risk. There may be instances where the market share of a product line, rather than the absolute size of the bank, may be the leading indicator of the impact on consumers.
  • 24. Sample examination approach
      REGULATION RISK TABLE
      Risk (1=low, 5=high) | Statute/Regulation | Section(s) for review
      1 | Real Estate Settlement Procedures Act (Reg X) | Mortgage Servicing Transfer Disclosure
      1 | Right to Financial Privacy Act | All
      1 | Fair Debt Collection Practices Act | All
      1 | Unfair or Deceptive Acts or Practices (Reg AA) | All
      2 | Expedited Funds Availability (Reg CC) | All
      2 | Truth in Savings Act (Reg DD) | All
      2 | Reserve Requirements (Reg D) | All
      2 | Fair Credit Reporting Act C | All
      2 | Consumer Leasing (Reg M) | All
      2 | Interest on Deposits (Reg Q) | All
      3 | Real Estate Settlement Procedures Act (Reg X) | All provisions except those rated “1” and “4”
      3 | Truth in Lending Act (Reg Z) | All provisions except those rated “4”
      3 | Electronic Funds Transfer Act (Reg E) | All
      3 | Reg. B and FHA Provisions | All provisions not covered by FFIEC interagency procedures
      4 | Truth in Lending Act (Reg Z) | APR/Finance charge, HOEPA, and rescission
      4 | National Flood Insurance Act (Reg H) | All
      4 | Privacy (Reg P) | All
      4 | Real Estate Settlement Procedures Act (Reg X) | Section 8
      5 | HMDA and CRA | Data verification
  • 25. Roles and Responsibilities for Management
  • 26. Poll question #4
      Does your management or governance board articulate the tone for your organization’s compliance focus?
      • Yes
      • No
      • Somewhat
      • Not Sure
  • 27. Board of directors and senior management oversight
      • The board of directors and senior management should:
        – Provide oversight of the consumer compliance program – this is essential
        – Periodically review the effectiveness of the bank’s consumer compliance risk management program, including how findings are reported and whether the audit mechanisms in place provide adequate oversight
        – Stress that quality and timeliness of the information provided to the key decision-makers regarding the bank’s consumer compliance program are important for assessing the program’s effectiveness
        – Determine sufficient resources have been devoted to the program
        – Provide support, authority and independence to the individuals directly responsible for implementing the consumer compliance program and for performing audit/review activities
        – Make certain that consumer compliance weaknesses are addressed and corrective action is taken in a timely manner
  • 28. Risk management and board reporting
      Risk Implications
      • Potential interaction of multiple risks may be underestimated (internal and extended enterprise)
      • Risk managers may be isolated in silos
      • Risk management often focuses on compliance rather than performance, leading to inadequate assessments and responses
      Considerations
      • Use a common definition of risk throughout the organization, which addresses both value preservation and value creation
      • Use a common risk management infrastructure and framework supported by appropriate standards
      • Provide governing bodies (e.g., boards, audit committees, etc.) with the appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities
  • 29. Organizational structure
      • Is the bank’s organizational structure appropriate for the size and complexity of its operations?
      • Does the bank have a compliance officer?
      • How independent is the compliance officer?
      • How comprehensive is the bank’s compliance program?
      • How much time does the compliance officer devote to regulatory compliance?
      • Does the bank’s compliance officer operate a proactive or reactive compliance program?
  • 30. Risk Focused Consumer Compliance Supervision Framework
  • 31. Types of risk
      Product Risk
      • The characteristics of a product, such as its newness or complexity, that are likely to affect the probability and impact of noncompliance
      Regulation Risk
      • The possible consequences of noncompliance with applicable laws and regulations to the bank and its customers
  • 32. Types of Risk (cont.)
      Operational Risk
      • The potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses
      Legal Risk
      • The potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of a bank
      Reputational Risk
      • The potential that negative publicity regarding a bank’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions
  • 33. Policies and procedures
      • An effective consumer compliance program will have compliance policies and procedures in place, the formality of which (written or unwritten) depends upon the needs of the bank
      • The degree to which compliance policies and procedures are formalized is not as important as their effectiveness
      • Procedures should provide personnel with guidance that enables them to complete transactions in accordance with applicable laws and regulations
  • 34. Compliance audits/reviews
      • Compliance audits, which can be performed by either in-house staff or external personnel, are a tool to help management and staff ensure continuing compliance and identify different risk factors in a bank
      • Compliance reviews are less comprehensive than compliance audits, but they are conducted more frequently (e.g., daily, weekly, monthly, quarterly) and are typically performed by the compliance officer or a designated person within the department
      • The size of the bank and the scope and complexity of its operations will determine whether a compliance audit or a compliance review is appropriate
  • 35. Training
      • Ongoing education of bank personnel is essential to maintaining a sound consumer compliance program
      • The adequacy of a bank’s training program, like that of its overall consumer compliance program, should be assessed in view of the bank’s organizational structure and the activities in which it engages
  • 36. Poll question #5
      Does your organization separate your audit and compliance functions?
      • Yes
      • No
      • Not Sure
      • Not applicable
  • 37. Internal controls
      • Effective internal controls help to mitigate a bank’s consumer compliance risk and should be an integral part of the daily operations of a bank
      • Internal controls may take several forms, including:
        – Independent reviews of specific functions or tasks
        – Segregation of duties to create a system of checks and balances
        – Controls over default settings associated with highly automated calculation tools
        – Verification of data before a transaction is completed
        – Appropriate approvals and authorizations
        – Periodic transaction testing and reviews of forms and procedures
  • 38. Questions & Answers
  • 39. Join us November 19 at 2 PM EST as our Banking & Securities series presents: State Taxation: How Will New State Laws Impact Your Business?
  • 41. Contact info
      • John Graetz, Deloitte & Touche LLP, Regulatory & Capital Markets Consulting. Phone: +1 415 783 4242
      • Tamara Milliken, Deloitte & Touche LLP, Regulatory & Capital Markets Consulting. Phone: +1 704 887 1876
      • Margo Hines, Deloitte & Touche LLP, Regulatory & Capital Markets Consulting. Phone: +1 704 227 7920
  • 42. This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
  • 43. About Deloitte
      Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.