Compliance Corner - January 9, 2013

Compiled by Katie Pomphrey and Tom Giltrow, members of Protiviti’s global financial services and regulatory risk consulting practice, FSA Times’ Compliance Corner is a resource for financial services auditors to keep up to date on changing regulations and requirements affecting internal audit.
 
Lessons Learned from First CFPB Enforcement Actions

In 2012, the Consumer Financial Protection Bureau (CFPB) announced several high-profile enforcement actions against financial institutions for deceptive marketing and collections practices related to the advertising of ancillary products or services. There are several important lessons to be learned from these actions:

 
  • Ancillary products and services. Institutions that market ancillary (“add-on”) products and services (e.g.,payment protection and credit monitoring services) to customers should disclose clearly and completely the costs of such programs and eligibility requirements for advertised benefits. In addition, institutions should establish controls to ensure affirmative customer consent prior to enrollment in such products and services.
  • Vendor management. Institutions employing third-party service providers for call center and telemarketing support should review periodically adherence to published scripts and validate that adequate training is provided to service provider personnel regarding potentially deceptive marketing practices.  
  • Joint actions. Overlapping mandates may lead to multiple enforcement actions against banking institutions. The federal prudential banking regulators retain authority to examine banks for potentially unfair or deceptive acts or practices under Section 5 of the Federal Trade Commission Act. At the same time, the CFPB has authority under the Dodd-Frank Wall Street Reform and Consumer Protection Act to examine the larger banks for potentially unfair, deceptive, or abusive acts or practices (UDAAP). 
 

With monetary penalties exceeding US $450 million to date and a lack of concrete guidance regarding what constitutes UDAAP, internal auditors should consider carefully the implications of such enforcement actions and assess the strength of controls in place to govern ancillary products and services. Internal auditors should evaluate the content of and processes to review program terms and conditions, marketing materials, and telemarketing scripts for potentially deceptive acts or practices.

 
Key Consumer Protection Regulatory Developments for 2013

The following represent a limited list of anticipated consumer compliance-related regulatory rulemaking initiatives and areas of scrutiny in 2013:  

 
  • Remittance transfer rule. While the CFPB delayed the effective date of amendments to Regulation E to require new disclosures, error resolution procedures, and cancellation timeframes for foreign remittance transfers, financial institutions should anticipate implementation of such changes in 2013.
  • Integrated mortgage disclosures. The CFPB has proposed rules to integrate existing closed-end mortgage loan disclosures required by the Truth in Lending Act and Real Estate Settlement Procedures Act. These rules, and other changes necessitated by the Dodd-Frank Act, are likely to be finalized in 2013. 
  • Mortgage servicing. The CFPB is likely to finalize in 2013 rules regarding mortgage servicing requirements, many of which reflect lessons learned from the mortgage servicing consent orders and settlements in 2012 and earlier.  
  • Customer privacy notices. The House of Representatives passed in December 2012 an amendment to the Gramm-Leach-Bliley Act that would exempt financial institutions that have not changed their privacy policies or practices from requirements to provide consumers an annual privacy notice. 
 

Internal auditors should be alert to potential regulatory initiatives for the year ahead and be prepared to adjust their audit plans accordingly to accommodate these new requirements as well as their institution’s implementation efforts. Several expected changes in 2013 are sweeping in nature; as such, internal auditors should be prepared to revise their standard audit programs and checklists and adequately train staff to carry out these audit activities. 

 
CFPB Contemplates Additional Prepaid Card Regulations

The CFPB announced in May 2012 an Advance Notice of Proposed Rulemaking regarding its intention to evaluate and propose regulations concerning enhanced disclosures and consumer protections related to prepaid cards, a product that in the past has been largely unregulated by the federal regulatory agencies. Prepaid cards are defined by the CFPB as a card that consumers may use to access money they have paid in advance (e.g., gift cards and prepaid debit cards), and it has been observed that consumers are increasingly relying on prepaid cards as an alternative to traditional checking accounts. Nevertheless, existing regulatory requirements may not afford users of certain prepaid card products protections already established for other deposit accounts or gift cards. Specifically, the CFPB intends to address:

 
  • Standardized, clear, and conspicuous prepaid card disclosures.
  • Limits to consumer liability for unauthorized transactions.
  • Consumer protections related to certain card features, such as the ability to overdraw prepaid accounts. 
 

Internal auditors should be alert to potential regulatory changes related to prepaid card products. Further, internal auditors should consider a proactive review of their institution’s marketing of such products and how it discloses key terms and conditions associated with them to consumers to determine how their institutions currently address concerns raised by the CFPB. 

 

Lessons Learned from Recent 2012 High-profile AML Enforcement Actions

In 2012, high-profile anti-money laundering (AML) regulatory actions were taken by banking regulators globally against top financial institutions. There are several crucial areas that have been highlighted from these actions:

 
  • Insufficient or unqualified resources responsible for AML.
  • Inadequate identification, designation of accounts requiring enhanced monitoring, and closure of high-risk customer or affiliate accounts.
  • Inadequate scope of periodic reviews of customers.
  • Inability to assess and monitor client relationships on a bankwide basis.
  • Inadequate controls to prevent non-U.S. affiliates from circumventing sanctions-related requirements.
  • Failure to close correspondent relationships with banks whose owners have links to or present high risk of involvement with terrorist financing.
  • Inadequate scope and documentation of validation/optimization of automated transaction monitoring systems.
  • Failure to design and implement effective know-your-customer (KYC) and monitoring controls around certain high-risk product types.
  • Insufficient processes for routine information sharing among affiliates.
 

Internal auditors should assess the nature of the violations noted in these regulatory actions and take steps to enhance their audit programs to ensure that such deficiencies are address adequately, with particular focus on:

 
  • The quality and quantity of AML resources.
  • The adequacy of identification, enhanced monitoring, and closure processes associated with high-risk customers and affiliates.
  • The adequacy of periodic reviews of customers.
  • The sufficiency of measures to ensure that non-U.S. affiliates are not able to circumvent sanctions-related filters.
  • The sufficiency of relationship closure protocols for banks whose owners are identified to have links to terrorist financing.
  • The adequacy of scope and documentation of the validation/optimization of automated transaction monitoring systems.
  • The adequacy of information sharing practices and sufficiency of controls around certain high-risk product types.