Auditing the Consumer Complaints Process
Assessing the effectiveness of an institution’s consumer complaint resolution process can help identify potential internal control deficiencies and regulatory compliance risks.
Asa Sum, CRCM
Thomas Giltrow, CRCM
Customer service-oriented companies understand the importance of responding timely to, and resolving complaints received from customers regarding products and services. More importantly, these organizations understand the significance of avoiding complaints, taking steps to build internal processes and controls that focus on consistency, transparency, and clarity in product development, delivery, pricing, and service. As the adage goes, you can’t please everyone all of the time. However, organizations should view consumer complaints as opportunities to improve their operations and differentiate themselves from their competitors.
Consumer complaints are valuable inputs into an organization’s risk management program and are key indicators of potentially unfair, deceptive, or abusive acts or practices (UDAAP). As regulatory focus on UDAAP increases, it is important for financial services internal auditors to assess how their organizations respond to and evaluate consumer complaints, and use this information to address potential deficiencies timely.
THE REGULATORY ENVIRONMENT
Consumer complaints have played an important historic role in shaping the regulatory environment for consumer financial products. Federal statutes like the Truth in Savings Act and the Equal Credit Opportunity Act, as well as other regulations, have been legislated to address perceived abuses associated with financial products and services, largely driven by feedback from consumers and often in the form of complaints.
Consumer complaints have been viewed by the federal banking regulatory agencies as important indicators of potential regulatory issues and noncompliance. Each agency has created a website specifically to help consumers with filing complaints. For example, the Office of the Comptroller of the Currency’s “Help With My Bank” website allows consumers to file, check the status of, and appeal complaints. In addition, the Federal Reserve Board (FRB) implemented Regulation AA, which, among other things, requires the agency to establish a consumer complaints process that includes collecting and processing complaints, sending written acknowledgement to the consumer, referring complaints to other federal banking agencies as appropriate, and ensuring that all investigation results are communicated to the consumer.
Other agencies such as the Federal Trade Commission (FTC) and the Financial Industry Regulatory Agency (FINRA) also have recognized the importance of consumer complaints and, as a result, have implemented processes and procedures to collect and monitor them. The FTC collects consumer complaints through its website, which it uploads into a broader database called Consumer Sentinel that is used by other civil and criminal law enforcement agencies. While the FTC does not typically respond to individual complaints, it does use information submitted to detect possible trends and direct its investigation and enforcement efforts. Annually, the FTC publishes a public summary of its consumer complaints activity, noting the most significant categories of complaints and affected institution types. FINRA is more prescriptive as it requires supervised entities (e.g., brokerage and securities firms) to report quarterly detailed complaint information in a standardized format. Consistent with the other regulatory agencies, FINRA analyzes consumer complaints data to help identify potential regulatory issues and direct its examination efforts.
With the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the U.S. Congress directed the newly-formed Consumer Financial Protection Bureau (CFPB) to collect, monitor, and respond to consumer complaints. On July 21, 2011, the CFPB launched a consumer complaints portal on its website and began collecting consumer complaints specific to credit card products and has since expanded to cover mortgages, deposit accounts and services, vehicle loans, consumer loans, and student loans. Dodd-Frank also requires the CFPB to share consumer complaints received with other federal and state agencies. For instance, an agreement signed in August 2011 between the CFPB and FTC allows the CFPB to share and access complaints through the FTC’s Consumer Sentinel system. The agreement improves transparency and federal government oversight of consumer financial products because the Consumer Sentinel is now made available to the CFPB, along with many other government and non-government entities.
The CFPB has emphasized in its Supervision Examination Manual that compliance management systems should be responsive to consumer complaints. Examiners are instructed to evaluate the manner in which supervised institutions (banks and non-banks) identify and categorize complaints, resolve complaints timely, review responsibilities for managing complaints with third-party vendors, develop reporting and escalation procedures for complaints involving legal issues that may harm consumers, incorporate complaints data into their change management processes, and assess the effectiveness of their complaints management systems. In addition, the CFPB Manual also addresses how the CFPB will use consumer complaint activity as part of its examination of supervised institutions’ compliance with particular laws and regulations (e.g., Fair Lending and UDAAP).
CHALLENGES AND TRENDS
Developing an effective process for identifying and tracking complaints can be challenging for financial institutions as operating models, products, and services and the nature of customer communication — including email and social media — become more complex. There are several key challenges that financial institutions may encounter.
Defining Consumer Complaint. A consumer complaint is defined generally in certain regulations and rules such as the FRB’s implementing regulation on Unfair or Deceptive Acts or Practices (Regulation AA) and FINRA’s quarterly consumer complaints reporting rule (Rule 4530). These rules state that complaints involve allegations of misconduct, unfair or deceptive practices, or potential noncompliance with legal and regulatory requirements. However, the plain meaning of the word complaint itself suggests a relatively broad interpretation and can be difficult to define in practice. For instance, at what point does a communication from a customer expressing dissatisfaction with, or criticism of, a financial service or product become a complaint? Financial institutions should evaluate how to distinguish among inquiries, feedback, and complaints. An institution’s complaint management program should provide clear definitions as to what constitutes a complaint, how it is recognized and then escalated, and take steps to ensure that employees are appropriately trained to recognize and take adequate measures when complaints are received.
Categorizing Complaint Data. Categorizing complaints received is critical for meaningful root cause analyses and management reporting. A complaints management program should be designed to collect all types of complaint data, even in situations when the complaint does not specifically relate to a bank product or service. Financial institutions should track complaints by affected regulations (e.g., Truth in Lending Act, Gramm Leach Bliley Act, Americans with Disabilities Act). The CFPB has further emphasized that institutions should assess complaints for potential UDAAP violations, either on an individual basis if such action is overt, but also on an aggregate basis. Although complaints might not be categorized individually as regulatory in nature, broader trends such as product terms and conditions might highlight potential UDAAP violations.
Tracking and Reporting of Complaint Data. Financial institutions should evaluate cost effective and efficient methods for consistent tracking and reporting of complaint-related data. Managing complaint data can be particularly burdensome for large institutions because complaints may be received from various sources and in various places within the institution. As such, institutions may find centralized tracking necessary to manage complaint volumes. Furthermore, institutions should identify which pieces of information must be collected for each complaint to ensure consistent tracking and management reporting. Determining the minimum amount of information needed for each complaint will assist in identifying trends and early warning signs of regulatory issues. Notwithstanding internal reporting, broker-dealers also must incorporate FINRA’s quarterly reporting-related controls into its complaints management infrastructure. Internal tracking mechanisms should correlate closely to the FINRA reporting requirements (e.g., internal complaint categories should coincide with the standard complaint categories required to be reported by FINRA).
Complaint Resolution Procedures. The process for resolving consumer complaints can be complex and impact multiple lines of business and functions. Critical to this process is defining roles and responsibilities for complaint resolution, particularly when complaints should be escalated to the institution’s compliance or legal departments. As a result, financial institutions must consider, evaluate, and design controls to address situations where a complaint involves multiple regulatory requirements and lines of business. Controls should be designed to ensure consistent research methodology and uniform documentation and retention standards, particularly for financial institutions with a decentralized complaints resolution process.
Other Sources of Complaint Data. Institutions also must be cognizant of complaints received through other non-traditional methods. Mobile banking and social media websites such as Facebook or Twitter have provided a quick and easy method for consumers to publish complaints-related comments about financial institutions. As a result, financial institutions must now address how to assess and evaluate such social media trends and, if possible, contain the spread and possible reputational and brand damage. In addition, the CFPB has indicated that it will evaluate complaints received by non-affiliated external parties, such as the Better Business Bureau or online compliant boards. Financial institutions also should include these sources in their complaints management procedures.
WHAT INTERNAL AUDITORS NEED TO KNOW
Inherently, consumer complaints are lagging indicators of risk. However, it is important that financial institutions establish robust consumer complaints tracking, response, and reporting processes such that appropriate steps are taken to respond and resolve consumer complaints. Institutions also should analyze the volume and nature of those complaints for trends and report complaints activities periodically to senior management. Given the importance of consumer complaints as key risk indicators, and the applicability of certain regulatory requirements (e.g., the FRB’s Regulation AA for state member banking institutions and the FINRA consumer complaints quarterly reporting rules for broker-dealers), internal auditors should periodically evaluate their institution’s customer complaints response processes and consider conducting complaint function-specific reviews, or incorporating this evaluation into other functional area audits (e.g., mortgage lending, deposits, and collections). In auditing consumer complaints, internal auditors should consider the following.
Policies, Procedures, and Responsibilities
Auditors should assess whether:
- The institution has established written policies and procedures to address the receipt, monitoring, and reporting of consumer complaints. Policies and procedures should be current, address any applicable regulatory requirements regarding complaints, establish internal response and documentation standards, and be followed consistently across business lines. Auditors should establish whether the policies and procedures provide appropriate guidance for the resolution of consumer complaints and outline the responsibilities for consumer complaint resolution, particularly the extent of compliance's involvement in the process.
- Policies and procedures establish clear parameters regarding the definition of a complaint, citing examples or instances that would meet the institution’s definition of a consumer complaint. Policies and procedures should address consumer comments received through social media sources and assign responsibilities for monitoring and tracking.
- The written policies and procedures are periodically reviewed and updated by business lines and compliance management.
- The responsibility for resolving consumer complaints currently resides within the institution's organizational structure and to whom these individuals report functionally. Auditors should determine whether personnel responsible for processing consumer complaints have been provided sufficient authority and independence to obtain necessary documentation timely and effect corrective action as necessary. These individuals should have knowledge and understanding of all consumer protection laws and regulations that apply to the business operations of the financial institution, as well as a general knowledge of the overall operations of the institution. Auditors should identify if and how personnel are provided training relevant to the institution's consumer complaint handling and resolution policies and procedures and applicable regulatory requirements. Personnel responsible for researching and responding to consumer complaints should receive in-depth training regarding the institution's operational procedures and systems, as well as applicable regulatory requirements to respond to complaints appropriately.
Complaints Response Processes
- Review the institution’s process for receiving, prioritizing, logging, and tracking consumer complaints to ensure they are handled appropriately and timely.
- Determine if the institution has established a process for escalating consumer complaints when warranted and involves compliance or legal personnel in the research and response processes related to certain high-risk complaints (e.g., potential discrimination, threatened litigation, and regulatory agency complaints).
- Explain to management how personnel research and investigate the nature and basis of the consumer complaint, including what systems and resources are used; what procedures, checklists, and models are employed to support decision-making; and how the results of investigations are documented for completeness and consistency. Such research should identify the potential root cause(s) of the complaint, if possible, to effectively respond to the consumer and determine the need for potentially broader corrective actions, if necessary.
- Select and review samples of consumer complaints to determine if the consumer complaints were received, tracked, and responded to appropriately and in accordance with the institution’s policies, procedures, and applicable regulatory requirements.
Trending and Management Reporting
Internal audit should:
- Determine whether and how the institution aggregates and assesses consumer complaint activities for possible trends (e.g., by products/services, lines of business, employees, or regulatory requirements) and assesses complaints for legal and regulatory impacts, such as potential UDAAP violations.
- Determine whether the institution regularly furnishes information regarding consumer complaint activities and trends to management or the board of directors.
- Review recent copies of consumer complaints trend analyses and reports provided to management and the board and discuss with management how apparent trends were identified, assessed, and investigated, and corrective actions were initiated, as appropriate.
- For FINRA-regulated broker/dealer firms, discuss with management how their quarterly consumer complaints reports are generated and submitted to FINRA timely and completely. Auditors should review a sample of consumer complaints and validate that information stored in the institution’s internal complaints tracking database and reported to FINRA is consistent with information contained in the actual consumer complaint and the institution’s written response.
Vendor Management and Oversight
Audit should consider:
- Whether consumer complaints and feedback are considered in the initial due diligence performed prior to contracting with a third-party vendor, such as per review of the Better Business Bureau website and other publicly-available sources.
- Whether and how the institution handles complaints received regarding third-party vendors performing services on behalf of the institution, whether received directly by the institution or through the third-party vendor. Auditors should identify how such complaints are received, tracked, and assessed; how complaints are factored into the assessment of the vendor’s performance (i.e., as a quality metric in a vendor scorecard); and how corrective actions are evaluated with the third-party vendors.
Technologies and Tools
Auditors should assess whether:
- The institution has developed robust tools (e.g., databases, spreadsheets, reporting) by which to track consumer complaints, including: the receipt date and source, research and results, the consumer response type and date, and corrective actions taken. The institution should design a consumer complaint tracking process that is reasonable based upon the nature, size, and complexity of the institution and the relative volume of and sources by which consumer complaints are received. Audits should determine if the technology enables management to produce reports detailing consumer complaints activities and if reporting is systematic or manual.
- If and how the institution retains documentation relevant to consumer complaints received, including the original written consumer complaint and the response, as well as any supporting documentation used to research the claim and the institutions’ documentation retention standards.
It is important for internal auditors to understand and evaluate the processes by which their institutions track, respond to, and monitor consumer complaints. In a dynamic environment dominated by enhanced regulatory oversight and the proliferation of social, electronic communications, robust complaint tracking, trending, and monitoring controls will enable institutions to quickly identify potential internal control deficiencies and areas of regulatory, financial, and reputational risk.
To comment on this article, email the FSA Times editor at firstname.lastname@example.org.