1. The Banking & Securities series presents:
Consumer Compliance
Lending: Do You Know Your
ABCs?
John Graetz, Tammy Milliken, Margo Hines
October 28, 2008
2. Agenda
• Consumer regulations overview
• Regulatory review of compliance programs
• Roles and responsibilities for management
• Risk focused consumer compliance supervision
framework
Copyright © 2008 Deloitte Development LLC. All rights reserved.
3. Poll question #1
How much do you think consumer protection
laws impact your business?
•Significantly
•Moderately
•Somewhat
•Not at all
•Not applicable
4. Major rules and regulations
Alphabet soup
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AA BB CC DD EE FF
• Fair Credit Reporting Act (FCRA)
• FDIC's Amended Advertising Regs (Part 328)
• FDIC's Deposit Insurance Regs (Part 330)
• The John Warner National Defense Authorization Act (Talent
Amendment)
• Right to Financial Privacy Act (RFPA)
• Servicemembers Civil Relief Act (SCRA)
• Treasury's Bank Secrecy Regulation
• Equal Credit Opportunity Act (ECOA)
5. Regulators
• Federal Trade Commission (FTC)
• Federal Reserve
• Office of the Comptroller of the Currency (OCC)
• Federal Deposit Insurance Corporation (FDIC)
• Securities & Exchange Commission (SEC)
• Office of Thrift Supervision (OTS)
• Financial Industry Regulatory Authority (FINRA)
• Financial Crimes Enforcement Network (FinCEN)
• State regulators
6. Applicable regulations and statutes
• Credit/Collections-Related
– Regulation C (Home Mortgage Disclosure)
– Regulation H (Flood Insurance)
– Regulation Z (Truth in Lending)
– Fair Debt Collection Practices Act
– Fair Credit Billing Act
– Fair Credit Reporting Act (related amendments-Fair and Accurate Credit
Transactions Act)
– Homeowners Protection Act
– Homeownership Counseling
– Real Estate Settlement Procedures Act
• The Servicemembers Civil Relief Act (SCRA)
7. Applicable regulations and statutes (cont.)
The Unfair and Deceptive Practices Act (UDAP)
Unfair Act:
• An unfair act is one that causes harm to a consumer. The
injury must be substantial, which includes monetary harm,
pecuniary, or other loss with no real countervailing benefit.
Deceptive Practice:
• A deceptive practice involves a representation, omission or
action that is likely to mislead the consumer. This includes
false representations, misleading claims, inadequate
disclosures, and use of bait and switch techniques.
Source: Federal Reserve Board of Governors
8. Applicable regulations and statutes (cont.)
Privacy
• The Privacy Act of 1974
• Health Insurance Portability and Accountability Act of 1996
(HIPAA) privacy act
• Children’s Online Privacy Protection Act (COPPA) Rule
• Customer Proprietary Network Information (CPNI)
• Gramm-Leach-Bliley (GLB) Act
• CAN-SPAM Act
• Bank Secrecy Act
• USA PATRIOT Act
• Various state laws, e.g., California’s Office of Privacy
Protection
9. Global Response: Proliferation of Privacy and Data
Protection Laws & Regulations
Please note the below are examples and not a representative list.
[Figure: world map of privacy and data protection laws by jurisdiction: US Federal, numerous US state laws, Canada, European Union, South Korea, Japan, Hong Kong, Taiwan, India, Philippines, Australia, New Zealand, South Africa, Chile, Argentina]
10. Poll question #2
Do you think your organization has a full grasp on the
entire universe of consumer laws that it is subject to?
•Yes
•No
•Somewhat
•Don’t know
11. Background on TILA and Reg. Z
• Purposes of Truth in Lending Act (TILA):
- Promotes the informed use of consumer credit by
requiring disclosures about its terms and cost.
- Gives consumers the right to cancel certain credit
transactions.
- Regulates certain credit card practices, and provides a
means for fair and timely resolution of credit billing
disputes.
• TILA applies to each individual or business that
offers or extends credit
Source: Federal Reserve Board of Governors
12. Housing and Economic Recovery Act of 2008
• Primarily intended to address the subprime mortgage crisis.
• Authorizes the Federal Housing Administration to guarantee up to $300
billion in new 30-year fixed-rate mortgages for subprime borrowers if
lenders write down principal loan balances to 90 percent of current
appraisal value.
• Requires existing mortgage holders to accept the proceeds of the
insured loan as payment in full for all indebtedness.
• States are authorized to refinance subprime loans using mortgage
revenue bonds.
• Through the powers granted to the Federal Housing Finance Agency
(FHFA), created by the act, on September 7, 2008, FHFA director James
B. Lockhart III announced he had put Fannie Mae and Freddie Mac
under the conservatorship of the FHFA.
• Amends the Truth-in-Lending Act (TILA) to expand the types of home
loans subject to early disclosures and improve loan disclosures given to
individuals and families on original and refinancing home loans.
Source: U.S. Senate Committee on Banking, Housing and Urban Affairs
13. Regulatory Review of
Compliance Programs
14. Emergency Economic Stabilization Act of 2008
Quotes from Treasury Secretary Henry Paulson regarding the
rationale for the bailout:
• Stabilize the economy: "We must... avoid a continuing series of financial
institution failures and frozen credit markets that threaten American families'
financial well-being, the viability of businesses both small and large, and the very
health of our economy."
• Improve liquidity: "These bad loans have created a chain reaction and last
week our credit markets froze – even some Main Street non-financial companies
had trouble financing their normal business operations. If that situation were to
persist, it would threaten all parts of our economy."
• Comprehensive strategy: "We must now take further, decisive action to
fundamentally and comprehensively address the root cause of this turmoil. We
must address this underlying problem, and restore confidence in our financial
markets and financial institutions so they can perform their mission of supporting
future prosperity and growth."
• Immediate and significant: "This troubled asset relief program has to be
properly designed for immediate implementation and be sufficiently large to have
maximum impact and restore market confidence."
15. Emergency Economic Stabilization Act of 2008 (cont.)
Quotes from Treasury Secretary Henry Paulson regarding the
rationale for the bailout:
• Broad impact: "This troubled asset purchase program on its own is the single
most effective thing we can do to help homeowners, the American people and
stimulate our economy."
• Investor confidence: “As investors lost confidence in them some companies
saw their access to liquidity and capital markets increasingly impaired and their
stock prices drop sharply.”
• Impact on economy and GDP: "Extraordinarily turbulent conditions in global
financial markets... these conditions caused equity prices to fall sharply, the cost
of short-term credit--where available--to spike upward, and liquidity to dry up in
many markets. Losses at a large money market mutual fund sparked extensive
withdrawals from a number of such funds. A marked increase in the demand for
safe assets--a flight to quality--sent the yield on Treasury bills down to a few
hundredths of a percent. By further reducing asset values and potentially
restricting the flow of credit to households and businesses, these developments
pose a direct threat to economic growth."
16. Why care?
• Organizations, like individuals, can be found guilty of
criminal conduct and can incur civil liability.
• While organizations cannot be imprisoned, among other
things, they can be:
- Fined
- Subjected to increased regulatory supervision
- Ordered to make restitution
- Embarrassed by notices of conviction
- Exposed to applicable forfeiture or disgorgement statutes
17. What a September!
[Figure: timeline of financial-sector events, AUG '07 through OCT '08, including executive departures, sovereign wealth fund investments, Fed rate cuts, Bear sold to JPMC, Govt seizes Fannie/Freddie, Lehman files for bankruptcy, ML sold to BAC, US takes over AIG, WaMu acquired by JP Morgan, and the $700B Treasury rescue plan]
18. Regulatory view of the need for corrective action
Q1. What types of problems has the bank had in the past?
Q2. Has the severity of problems progressed?
Q3. Does the management team have a history of identifying
problems within the bank or do outside parties usually
surface them?
Q4. Does the management team have the ability to fix the
current problem?
Q5. Has the bank been placed under an enforcement action
before? If so, how long ago and for what?
19. Poll question #3
What are some key actions Internal Audit/Compliance
should undertake to help your organization adapt to the
new market environment?
• Enhancement of the risk assessment process (methodology, frequency,
specific focus areas such as acquired operations)
• Increase in specialized Internal Audit/Compliance resources in areas such as
regulatory, capital markets, risk management
• Internal Audit Plan/Compliance to be significantly expanded to address ever
increasing/changing risk environment
• Internal Audit Plan/Compliance to be limited to critical or high risk processes
allowing Internal Audit/Compliance resources to remain flat with prior year
• No significant changes anticipated to internal audit structure, approach or
audit execution
• Not applicable
20. Compliance program – Regulatory
expectations
• Compliance standards and procedures reasonably capable of
reducing the prospect of criminal activity
• Reductions in redundancies and clear streamlined processes
• Oversight by high-level personnel
• Due care in delegating substantial discretionary authority
• Effective communication to all levels of employees
• Reasonable steps to achieve compliance, which include
systems for monitoring, auditing, and reporting suspected
wrongdoing without fear of reprisal
• Consistent enforcement of compliance standards including
disciplinary mechanisms
• Reasonable steps to respond to and prevent further similar
offenses upon detection of a violation
Source: Regulatory examination handbooks
21. Regulatory risk
The assignment of a risk rating might be affected by
such factors as:
• Potential financial harm to consumers
• Potential legal, reputation, and financial harm to a bank
• New laws, regulations or amendments thereof
• Historical industry compliance
• The burden of corrective action, including potential
supervisory actions or civil liability that could lead to
monetary penalties
22. Product risk measures
Product Management
• Relates to the bank’s ability to identify, monitor, and
manage the compliance risk inherent with a particular
product.
Product Materiality
• Reflects the importance of a product as compared to other
products offered by the bank.
23. Product risk measures (cont.)
Product Stability
• An assessment of such characteristics as the newness, growth, or any
complex compliance issues associated with the product, automation
used to comply with applicable laws and regulations, and any recent
changes to the statutes or regulations affecting the product
Bank Size or Market Share
• A bank’s size or market share serves as a proxy for the number of
consumers potentially affected by a bank’s activities. Generally, banks
with assets of less than $250 million represent lower risk in this regard,
while those with assets of more than $1 billion are higher risk. There
may be instances where the market share of a product line, rather than
the absolute size of the bank, may be the leading indicator of the impact
on consumers.
24. Sample examination approach
REGULATION RISK TABLE
Risk (1=low, 5=high) | Statute/Regulation | Section(s) for review
1 | Real Estate Settlement Procedures Act (Reg X) | Mortgage Servicing Transfer Disclosure
1 | Right to Financial Privacy Act | All
1 | Fair Debt Collection Practices Act | All
1 | Unfair or Deceptive Acts or Practices (Reg AA) | All
2 | Expedited Funds Availability (Reg CC) | All
2 | Truth in Savings Act (Reg DD) | All
2 | Reserve Requirements (Reg D) | All
2 | Fair Credit Reporting Act C | All
2 | Consumer Leasing (Reg M) | All
2 | Interest on Deposits (Reg Q) | All
3 | Real Estate Settlement Procedures Act (Reg X) | All provisions except those rated “1” and “4”
3 | Truth in Lending Act (Reg Z) | All provisions except those rated “4”
3 | Electronic Funds Transfer Act (Reg E) | All
3 | Reg. B and FHA Provisions | All provisions not covered by FFIEC interagency procedures
4 | Truth in Lending Act (Reg Z) | APR/Finance charge, HOEPA, and rescission
4 | National Flood Insurance Act (Reg H) | All
4 | Privacy (Reg P) | All
4 | Real Estate Settlement Procedures Act (Reg X) | Section 8
5 | HMDA and CRA | Data verification
26. Poll question #4
Does your management or governance board
articulate the tone for your organization’s
compliance focus?
•Yes
•No
•Somewhat
•Not Sure
27. Board of directors and senior management oversight
• The board of directors and senior management should:
– Provide oversight of the consumer compliance program – this is
essential
– Periodically review the effectiveness of the bank’s consumer
compliance risk management program, including how findings are
reported and whether the audit mechanisms in place provide
adequate oversight
– Stress that quality and timeliness of the information provided to the
key decision-makers regarding the bank’s consumer compliance
program are important for assessing the program’s effectiveness
– Determine sufficient resources have been devoted to the program.
– Provide support, authority and independence to the individuals directly
responsible for implementing the consumer compliance program and
for performing audit/review activities
– Make certain that consumer compliance weaknesses are addressed
and corrective action is taken in a timely manner
28. Risk management and board reporting
Risk Implications
• Potential interaction of multiple risks may be underestimated (internal and
extended enterprise)
• Risk managers may be isolated in silos
• Risk management often focuses on compliance rather than performance,
leading to inadequate assessments and responses
Considerations
• Use a common definition of risk throughout the organization, which addresses
both value preservation and value creation
• Use a common risk management infrastructure and framework supported by
appropriate standards
• Provide governing bodies (e.g., boards, audit committees, etc.) with the
appropriate transparency and visibility into the organization’s risk
management practices to discharge their responsibilities
29. Organizational structure
• Is the bank’s organizational structure appropriate
for the size and complexity of its operations?
• Does the bank have a compliance officer?
• How independent is the compliance officer?
• How comprehensive is the bank’s compliance
program?
• How much time does the compliance officer devote
to regulatory compliance?
• Does the bank’s compliance officer operate a
proactive or reactive compliance program?
30. Risk Focused Consumer
Compliance Supervision
Framework
31. Types of risk
Product Risk
• The characteristics of a product, such as its newness or
complexity, that are likely to affect the probability and
impact of noncompliance
Regulation Risk
• The possible consequences of noncompliance with
applicable laws and regulations to the bank and its
customers
32. Types of Risk (cont.)
Operational Risk
• The potential that inadequate information systems,
operational problems, breaches in internal controls, fraud,
or unforeseen catastrophes will result in unexpected losses
Legal Risk
• The potential that unenforceable contracts, lawsuits, or
adverse judgments can disrupt or otherwise negatively
affect the operations or condition of a bank
Reputational Risk
• The potential that negative publicity regarding a bank’s
business practices, whether true or not, will cause a decline
in the customer base, costly litigation, or revenue
reductions
33. Policies and procedures
• An effective consumer compliance program will have
compliance policies and procedures in place, the formality
of which (written or unwritten) depends upon the needs of
the bank
• The degree to which compliance policies and procedures
are formalized is not as important as their effectiveness
• Procedures should provide personnel with guidance that
enables them to complete transactions in accordance with
applicable laws and regulations
34. Compliance audits/reviews
• Compliance audits, which can be performed by either in-
house staff or external personnel, are a tool to help
management and staff ensure continuing compliance and
identify different risk factors in a bank
• Compliance reviews are less comprehensive than
compliance audits, but they are conducted more frequently,
(e.g., daily, weekly, monthly, quarterly) and are typically
performed by the compliance officer or a designated person
within the department
• The size of the bank and the scope and complexity of its
operations will determine whether a compliance audit or a
compliance review is appropriate
35. Training
• Ongoing education of bank personnel is essential to
maintaining a sound consumer compliance program
• The adequacy of a bank’s training program, like that of its
overall consumer compliance program, should be assessed
in view of the bank’s organizational structure and the
activities in which it engages
36. Poll question #5
Does your organization separate your audit
and compliance functions?
•Yes
•No
•Not Sure
•Not applicable
37. Internal controls
• Effective internal controls help to mitigate a bank’s
consumer compliance risk and should be an
integral part of the daily operations of a bank
• Internal controls may take several forms, including:
- Independent reviews of specific functions or tasks
- Segregation of duties to create a system of checks and
balances
- Controls over default settings associated with highly
automated calculation tools
- Verification of data before a transaction is completed
- Appropriate approvals and authorizations
- Periodic transaction testing and reviews of forms and
procedures
39. Join us November 19 at 2 PM EST
as our Banking & Securities series
presents:
State Taxation: How Will New
State Laws Impact Your
Business?
41. Contact info
John Graetz
Deloitte & Touche LLP
Regulatory & Capital Markets Consulting
Phone: +1 415 783 4242
Tamara Milliken
Deloitte & Touche LLP
Regulatory & Capital Markets Consulting
Phone: +1 704 887 1876
Margo Hines
Deloitte & Touche LLP
Regulatory & Capital Markets Consulting
Phone: +1 704 227 7920
42. This presentation contains general information only and is based on the
experiences and research of Deloitte practitioners. Deloitte is not, by means of this
presentation, rendering business, financial, investment, or other professional
advice or services. This presentation is not a substitute for such professional
advice or services, nor should it be used as a basis for any decision or action that
may affect your business. Before making any decision or taking any action that
may affect your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any loss
sustained by any person who relies on this presentation.
43. About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a
detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its
subsidiaries.
44. A member firm of
Deloitte Touche Tohmatsu