Viewpoint: Time to Prepare for Your CFPB Exam (January 2013)
By Jeremy T. Rosenblum and Stefanie H. Jackman, Ballard Spahr LLP
The sky is not falling—at least yet. The ability of the Consumer Financial Protection Bureau (CFPB) to supervise smaller banks (less than $10 billion in assets) and other companies providing prepaid cards to consumers is currently limited. For participants in the prepaid industry, the CFPB’s current supervisory jurisdiction is limited to companies providing services for larger bank issuers and companies that find themselves in the CFPB’s crosshairs because the CFPB has concluded, most likely on the basis of consumer complaints, that their card program poses a risk to consumers. However, the CFPB’s enforcement authority is not limited in this way.
But clouds are on the horizon. For smaller banks, CFPB examiners already can tag along on consumer compliance examinations conducted by federal banking regulators. Additionally, the CFPB has expressed its intent to expand the definition of “larger participants” subject to CFPB supervision to include at least some companies in the prepaid card industry. As a result, the number of prepaid card participants subject to direct CFPB supervision and examination certainly will increase.
We regard legal compliance in today’s environment as a necessity, not a luxury, and see real value in the discipline of advance preparation for a CFPB exam. Even where the CFPB is currently unable to conduct an exam, it still can use its enforcement powers to undertake a wide-ranging inquiry of the business practices of any participant in the consumer financial services industry, whether supervised or not, if it has a reasonable belief that a violation of law has occurred. Many of our clients, including a number that are not subject to CFPB examination, have been targeted for CFPB investigations of this type. Moreover, state enforcement authorities have the power (and incentive) under the Dodd-Frank Act to initiate lawsuits challenging compliance with state and federal law. And the ability to demonstrate a high level of legal compliance will be important to companies seeking outside capital or considering mergers or other fundamental corporate transactions. In short, it is even truer today than in the past that ensuring compliance upfront is wiser and far less expensive than trying to defend non-compliance down the road.
In our view, participants in the prepaid industry should take proactive steps now to ensure they’ll be in the best position possible when (not if) the CFPB turns its attention to prepaid products. Therefore, before the CFPB arrives, we advise our clients to: (1) perform a critical self-assessment of current operations and potential compliance issues—essentially, a mock examination, and (2) implement a compliance management program with the kind of formal policies and procedures, board and management oversight, and training the CFPB will demand.
In its examination manuals, actual examinations and other actions to date, the CFPB has demonstrated an interest in two principal areas: (1) the company’s overall compliance management system and (2) the company’s substantive compliance with various federal laws and regulations.
While failing to implement and maintain a robust compliance management system may not by itself constitute a violation of law (the CFPB has yet to address this issue directly), it is a shortcoming sure to intensify the depth and scope of a CFPB exam and to eliminate the possibility of lenience on the part of the CFPB for any substantive problems it does uncover.
Components of a compliance management system include policies and procedures addressing the following:
- Training of new and existing employees—and the governing body of the organization (whether a board of directors, board of managers, general partners or other governors)—on applicable legal requirements, proper handling of consumer complaints, compliance responsibilities, etc.;
- Selection, oversight and control of third-party service providers, including due diligence, contracting and management during the course of the relationship, with a focus on legal compliance, including avoidance of unfair, deceptive and abusive acts and practices (UDAAP violations);
- Receipt, reporting, resolution and analysis of customer complaints, including consumer-facing procedures facilitating complaints and clear employee responsibilities for taking and resolving complaints;
- Board/senior management oversight and involvement in compliance, including procedures to ensure upstream reporting and downstream direction to the organization on compliance issues and consumer complaints;
- Data security and privacy.
The analysis of compliance with substantive legal requirements needs to address whether marketing disclosures, product terms and features, and information flows comply with the elaborate and highly technical requirements of the “enumerated consumer laws” now within the CFPB’s jurisdiction, Dodd-Frank UDAAP requirements and other applicable federal laws. The principal federal laws directly and indirectly applicable to a prepaid program include the following:
- The Electronic Fund Transfer Act (EFTA) and Regulation E. These laws impose requirements on certain payroll cards and other cards that accept transfers of federal government benefits. We expect the CFPB to expand EFTA protections to other prepaid card products in the foreseeable future. The EFTA and Reg. E also govern gift cards (and cards designed to avoid gift card status) and, effective early next year, will address remittances of funds to foreign countries.
- The Truth in Lending Act (TILA) and Equal Credit Opportunity Act (ECOA), at least for card products that are tied in some manner to lines of credit and/or cards that provide overdraft coverage.
- Bank Secrecy Act/anti-money laundering (AML) requirements. These laws are not within the purview of the CFPB but nevertheless warrant close attention in a prepaid card compliance review. It would not be surprising for the CFPB to look for possible AML violations during its examination and relay any concerns to FinCEN.
- Data security and privacy laws under the Gramm Leach Bliley Act, Fair Credit Reporting Act (FCRA) and other federal regulations.
- E-SIGN. The Electronic Signatures in Global and National Commerce Act, the Americans with Disabilities Act (ADA) and other laws addressing behaviors, acts and practices with discriminatory impacts. The CFPB has said it is intensely focused on discrimination issues. If a prepaid card program is not accessible for purposes of the hearing or visually impaired, the CFPB may perceive potential discrimination.
- Last but hardly least, Dodd-Frank UDAAP provisions. Dodd-Frank’s UDAAP prohibitions, coupled with the sweeping enforcement powers afforded the CFPB, provide the CFPB with enormous power and leverage over companies within the CFPB’s jurisdiction. In enforcement actions against Capital One, Discover Bank and American Express, the CFPB already has shown that it’s prepared to apply UDAAP laws aggressively against perceived transgressors. Given that UDAAP violations are inherently subjective in nature, a thorough assessment of all documents and practices by qualified counsel with the requisite judgment is imperative.
A well-constructed compliance assessment will start with a review of consumer documents and operating procedures. It also will require a review of any existing self-assessments and compliance audits to leverage prior work, verify that effective steps were taken to address any previously identified issues and assess whether current auditing/testing standards are sufficient to ensure compliance with applicable law. Complaint files and procedures should be reviewed to identify substantive problems and trends, and also the adequacy of related procedures. Finally, minutes and records of governing bodies and management should be reviewed to ensure the senior-level commitment to compliance the CFPB expects.
One thing is for sure: It is never too early to put your compliance house in order. It is way too late once the CFPB comes knocking. Advance evaluation and preparation are essential.
Jeremy T. Rosenblum is a practice leader of the consumer financial services group at Ballard Spahr LLP. An award-winning lawyer and fellow of the American College of Consumer Financial Services Lawyers, Rosenblum has represented participants in the prepaid card industry in the full gamut of their business, including regulatory diligence and compliance, joint ventures and new product development. He can be reached at +1 215.864.8505 or Rosenblum@ballardspahr.com.
Stefanie H. Jackman is a litigation associate at Ballard Spahr and member of the firm’s consumer financial services group and its Fair Lending and Collection Documentation Task Forces. She defends financial institutions in mortgage- and credit card-related litigation, arbitration, commercial law matters and class actions. She may be reached at +1 678.420.9490 or firstname.lastname@example.org.
In Viewpoints, prepaid and emerging payment professionals share their perspectives on the industry. Paybefore endeavors to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.