CFPB – Enforcing Compliance with a Vengeance

CFPB – High risk… Hefty Fines!

by: Dennis Dissick, Adjunct Professor, New York University Polytechnic Institute / Area Director, Eastern Region, SMLR Group, Inc.

‘Tis the season for regulation…IRS, DOJ, FTC, state AGs, and now the CFPB all make sure that regulations and audits are a year round adventure. They even investigate leads from fellow regulatory bodies including HUD and the Office of the Comptroller of the Currency.

The newest, the Consumer Financial Protection Bureau (CFPB) has a relatively free hand in issuing regulations, has a zealous staff with a mission and is increasing the level of scrutiny while flexing its regulatory and audit powers – accompanied by heavy fines where it deems to levy them.

This includes not only the direct financial institutions, but third party “service providers” as well. These are your partners and vendors. Even when your established compliance policy is violated by a partner or vendor, your organization will be held responsible for the compliance breaches.

The CFPD has direct authority over any organization that provides any financial product or service:

  • Payment processing products or services by any technological means
  • Debt collection related to any consumer financial product or service
  • Credit extension or deferred payment of debt by an organization to a consumer
  • Stored value or payment instruments; sold, provided or issued

The risks are high and can be invasive:

  • Audit risk
  • Large fines
  • Brand erosion
  • Class action law suits
  • Inclusion on a watch-list
  • Reporting to other agencies

Fines are large and get plenty of publicity – the CFPD will make sure of it.

  • $747 million paid to customers plus a $20 million civil penalty by Bank of America
  • $2 billion in restitution by Ocwen Financial and Ocwen Loan Servicing
  • $85 million fines for American Express for failing to resolve complaints
  • $98 million for discriminatory auto loan lending practices by Ally

The CFPD makes a point – they make the rules that are strictly enforced. Further, the CFPB’s power is not diminishing. On the contrary, their mandate to oversee and regulate is continually being expanded. And if they feel an audit should be conducted by another agency, they will share your information and data with federal and state regulators.

How Do You Substantiate Compliance and Secure Data Handling?

How are you going to show not only that you have set up compliance policies consistent with the CFPB regulatory requirement, but more importantly ALSO SHOW and PROVE that those policies so carefully crafted by your legal and compliance departments have been followed and not breached? And if your policies have been breached, how do you know what occurred, by whom, which organization, when and what corrective actions have been taken. And if you can’t, your organization is facing substantial fines and will become a public poster child for intensifying scrutiny from the increasingly powerful CFPB.

Let’s make two assumptions:

  1. Your attorneys and compliance officers have the CFPB Supervision and Examination Manual guide for examiners that sets the roadmap and keeps it current.
  2. How does your institution efficiently, electronically and automatically monitor and audit the internal policies created by your staffs while securing customer records.

Let’s take a quick look at each.

1)  Your attorneys and compliance officers have the CFPB Supervision and Examination Manual guide for examiners that sets the roadmap and keeps it current.

The CFPB publishes and updates this manual for its examiners providing guidance and expectations of audit. Companies must have a WISP (Written Information Security Plan) or Compliance Management System (CMS) that is followed and can be produced whenever a CFPB audit announced.

Regulators will want to evaluate each policy, how it is integrated into the organization’s operation, the responsible groups, how they interact and communicate and how the each policy is monitored and addressed. Aside from accountability, they will want to know how corrections and updates to those policies are handled with respect to both identified compliance issues as well as to new regulations.

If the inside counsel is not experienced or is just coming up to speed, and outside counsel with extensive practical experience should be engaged. SMLR will be happy to recommend several for your evaluation.

Once the compliance policies are established for your institution by your legal and compliance teams, what some might consider the harder part comes into play.

2)  How does your institution efficiently, electronically and automatically monitor and audit the internal policies created by your staffs while securing customer records.

The answer can be found by looking at how compliance policies are electronically monitored and audited in the defense industry. The defense industry?! It is not such a large leap!

Defense contractors also have compliance policy and security obligations that must be followed in order to do business with the government, including responding to audits, tracking and correcting compliance violations and using forensics to isolate these breaches to determine the cause – honest mistakes requiring training or those with malicious intent. And just like the finance industry, they have extreme security policies that must be enforced.

Raytheon has developed and uses such as system both internally and which is in use by many government branches and agencies and the military. Now, through their global alliance partner, SMLR Group, this comprehensive and effective system is available to non-federal organizations.

SureView has been operational for over 15 years. What is new is that it is now available to the private sector. Its strong compliance monitoring and security breach features have won multiple government awards. Financial institutions can utilize SureView to electronically monitor and report on breaks in policy written by your compliance and legal teams. These policies are translated into a corresponding e-policy equivalent that is used in the computerized system. Yes, new policies can added and exiting ones can be modified or removed as the need requires.

Auditors can be given direct access during their examination, reducing the time the internal staff has to spend on the audit, and security measures are applied with the appropriate action determined by the organization should a policy violation occur. Unlike other systems, there are no false positives and actions designated by the organization are automatic.

Legal, Compliance and IT work together to keep the institution free from penalties and fines, and allows the rules in dealing with CFPD policies, in addition to other operational policies, compliance policies from other regulatory bodies, IRS, DOJ, etc. can be included into a single system – eliminating duplication and confusion; there’s enough of that going around.

The system enhances transparency and flexibility to better manage, direct and control the areas under mandates and regulations.

And for security, how about integration with other security systems either in place or planned, antivirus through entrance access, and highly secure aggregation of multiple databases from a variety of different vendors into a single, secure dashboard! Now we’re talking1

Regulatory bodies are not waiting and neither should you. Lower your risk.

CONTACT US for a comprehensive overview as well as references to experienced financial outside counsel.

Posted in Compliance, Content, Continuous Monitoring, Cybersecurity, Governent Oversight, Insider Threats, Layered Defense, Legal, Risk Management, Vendor Compliance
Tags: , , , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *


Visit Us On TwitterVisit Us On FacebookVisit Us On LinkedinVisit Us On Google Plus

Keep Current with What’s New in Cybersecurity

Email Address:


Cybersecurity News Daily

Provides a daily summary of what's news in Cybersecurity


Recent Tweets



Get every new post delivered to your Inbox

Join other followers: