Online lenders need to raise their compliance game

June 2016
An article by John Epperson, CAMS, and Niall Twomey, CRCM

In the words of Led Zeppelin, “Your Time Is Gonna Come” – and for those in the online lending industry, the time for greater regulatory scrutiny is coming indeed.

Online lending companies and specialty finance companies can expect more focused oversight from the Consumer Financial Protection Bureau (CFPB) and stepped-up supervision from state regulators. These companies need to be ready to demonstrate the efficacy of their compliance programs – including their compliance management systems (CMS) – plus the availability of the right resources needed to help mitigate the risks associated with their lending activities.

The financial services industry has operated under the CFPB’s expectations and guidance since the bureau was created in the wake of the 2008-2009 financial crisis, but the more specialized areas of the industry have only gradually been coming under CFPB scrutiny.¹ In prepared remarks made April 20, 2016, CFPB Director Richard Cordray seemed to indicate that 2016 is the Year of the Online Lender, with the bureau focused on the short-term, small-dollar loan and auto finance industry² and certain money transmitters required to comply with the Federal Reserve’s Regulation E, “Electronic Fund Transfers.”

CFPB research data

A recent theme of the CFPB in the realm of abusive practices has been related to the preferential access of online lenders to customer accounts. Repeated attempts to capture payments, for both the full amount and broken-out smaller amounts, can lead to fees considered abusive to the consumer. Recent CFPB research supports that concern: “After analyzing 18 months of data on more than 330 online lenders,” said Cordray in April, “we have found that borrowers face steep, hidden costs to their online loans in the form of unanticipated bank penalty fees.”

For the 18-month period studied by the CFPB, consumers incurred an average of $185 in bank penalties. “That is on top of any penalties the lender imposes,” Cordray said, “as well as the average annualized interest rate of 300 to 500 percent that is routinely charged on these kinds of loans.”

The bureau’s research report, issued April 20, 2016, “Online Payday Loan Payments,” outlines the study’s results, which also support three distinct concerns of the CFPB:

1. Excessive fees

Due to the structure of online loans, many of which are repaid in multiple monthly installments, the online lender has the customer’s checking and/or savings account information to allow the monthly debit of the loan payment. In the event that the funds are not available, the lender can choose to either make the payment on behalf of the customer and charge a fee or reject the payment and charge a fee; either way, the consumer incurs a cost.

2. Collection processes

The CFPB’s study also found that after one payment request that fails, online lenders try again three-quarters of the time – even though 70 percent of second payment requests fail to collect any money, and subsequent collection attempts are even less likely to succeed. According to Cordray’s remarks, the CFPB’s concern is that, while trying to debit a payment from a consumer’s account may cost the lender next to nothing, “it can cost the consumer serious money.”

3. Bank account closures

The research also revealed that the accounts of online borrowers who were assessed an overdraft or nonsufficient funds (NSF) fee when funds were unavailable to make a payment had a high rate of account closure, usually within 90 days of the failed payment. According to Cordray, “We found that over the study period, 36 percent of accounts with a failed debit attempt from an online lender ended up being closed by the bank or credit union.”

Where to start

Whether a company specializes in payday loans, automobile financing, or another sort of online specialty financing, the CFPB is focused on the adequacy of the company’s CMS. All online lenders should critically challenge their own CMS and governance processes. According to the CFPB’s summer 2013 Supervisory Highlights, important points for an online lender to evaluate include whether its CMS:

• Establishes compliance responsibilities
• Communicates those responsibilities to employees
• Helps ensure that responsibilities for meeting legal requirements and internal policies are incorporated into business processes
• Reviews operations – including testing and monitoring – to help ensure that responsibilities are carried out and legal requirements are met
• Takes corrective action
• Updates tools, systems, and materials as necessary

To determine what it needs to do to be in compliance, an online lender must first assess its current program. That assessment should include a multitude of areas, among them the company’s:

• Board and committee governance structure and reporting
• Policies and procedures
• Auditing and monitoring
• Employee training
• New initiatives
• Regulatory change management
• Incident response
• Complaints… and not just written ones

Resource allocation

Resource adequacy – which determines what can be done in all areas covered by a compliance assessment – should also be part of the risk assessment. Regardless of the types of loan products in which an online lender might specialize and the avenues through which the products are offered, burgeoning compliance expectations could mean that a lender with inadequate resources will not receive a “best practice” comment from the regulatory agencies, as it may have in the past.

How to answer an examiner’s question about resource adequacy would perhaps seem to be clear-cut, but in many cases the question is posed as, “How many people are in your compliance group?” How a company answers that specific question could be the difference between receiving a regulatory order or a pass until the next exam. For instance, an answer based on the number of full-time people reporting to the chief compliance officer could short-change the company by excluding compliance subject-matter experts who are operating within a line of business.

If the human resources, legal, and other functions are assisting with the day-to-day management of CMS components, the company needs to consider how to portray those roles and responsibilities across the enterprise and not focus just on the compliance team.

Knowing that closer CFPB scrutiny is coming, online lenders should analyze their current resourcing plan. They need to determine whether the plan allows for sufficient compliance expertise within the life cycle of the product – from the new product development stage through servicing and account closure.

Lines of defense

It might be a cliché, but compliance is every employee’s responsibility. The compliance team is only one of the three lines of defense (operational management, compliance and risk management, and internal audit).³ The business owns the risk and is expected to make proactive compliance efforts, specifically efforts related to control design and monitoring of day-to-day activities associated with compliance risk, such as a notification of adverse action within 30 days of an application.

The CMS is the gateway into a company’s risk management efforts; therefore, being able to portray the team effort it takes to support that CMS is critical to meeting, and possibly exceeding, agency expectations.

The compliance team is expected to monitor compliance-related activity at a more holistic level than the business is. For example, the compliance team might report on trends in denied applications over a three-month period or report on training content and the level of employee participation.

However, compliance also plays a critical role in staying aware of new or amended laws and regulations and, even more critical, helping the business to adjust its operations in response to those new or amended laws and regulations – that is, to identify the need for and adequacy of controls or disclosure amendments in order to be compliant. The compliance function also might manage any combination of the following: consumer complaints, federal and state examinations, new product development, product offerings, marketing initiatives and marketing material, disclosure review, and policy review.

As the third line of defense, the internal audit function is also responsible for completing an independent evaluation of the effectiveness of the company’s CMS. Internal audit should perform, or engage a qualified third party to perform, testing to verify that the necessary components of the CMS are being executed as expected. For example, internal audit should confirm that the compliance team has reviewed and signed off on all marketing plans and internal audit testing processes.

In addition, formalizing the CMS – by way of a charter, a written program, and organizational charts and other visuals – supports the structure that’s in place. The structure helps to maintain a successful compliance program and enable the organization to articulate its compliance activities more clearly – activities that are in place to mitigate the risk and facilitate fair results for customers.

The compliance program

An online lender should be prepared to respond to a CFPB that’s focused on excessive fees, bank account closures, and collection efforts – as well as other potential violations of unfair, deceptive, or abusive acts or practices (UDAAPs) that could be lurking. An online lender’s effective CMS can, among other things, help to ensure that an appropriate fee structure is designed, monitor the accuracy of fees being assessed, and confirm that collection activity is appropriate. The CMS should align with the current risk environment and be tested on a regular basis.

Contact

John Epperson is a principal with Crowe Horwath LLP. He can be reached at +1 630 575 4220 or [email protected].

Niall Twomey is with Crowe and can be reached at +1 630 574 1806 or [email protected].

¹ See Paul R. Osborne and Reid S. Simon, “Compliance Management: Making the Shift From Fair Lending to Fair and Responsible Banking – Taking a More Holistic View of Consumer Protection,” Crowe Horwath LLP, March 2016.

² The CFPB issued “Short-Term, Small-Dollar Lending (Commonly Known as Payday Lending) Examination Procedures” in September 2013. In June 2015, it issued “Automobile Finance Examination Procedures” for larger participants in the auto financing market, defined as those originating 10,000 loans or more in a year.

³ The Institute of Internal Auditors, “The Three Lines of Defense in Effective Risk Management and Control,” IIA position paper, January 2013.

www.crowehorwath.com
In accordance with applicable professional standards, some firm services may not be available to attest clients.
This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.
© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure