CFPB
Examination Procedures CMR
CFPB August 2017 CMR 1
Compliance Management Review
General Principles and Introduction
Institutions within the scope of the CFPB’s
supervision and enforcement authority include both depository institutions and non-depository
consumer financial services companies. These institutions operate in a dynamic environment
influenced by challenges to profitability and survival, increased focus on outcomes to consumers,
industry consolidation, advancing technology, market globalization, and changes in laws and
regulations.
To remain competitive and responsive to consumer needs in such an environment, institutions
continuously assess their business strategies and modify product and service offerings and delivery
channels. To maintain legal compliance, an institution must develop and maintain a sound
compliance management system (CMS) that is integrated into the overall framework for product
design, delivery, and administration across their entire product and service lifecycle. Ultimately,
compliance should be part of the day-to-day responsibilities of management and the employees of
a supervised entity; issues should be self-identified; and corrective action should be initiated by the
entity. Institutions are also expected to manage relationships with service providers to ensure that
service providers effectively manage compliance with Federal consumer financial laws applicable
to the product or service being provided.[1]
A CMS is how an institution:
Establishes its compliance responsibilities;
Communicates those responsibilities to employees;
Ensures that responsibilities for meeting legal requirements and internal policies and
procedures are incorporated into business processes;
Reviews operations to ensure responsibilities are carried out and legal requirements
are met; and
Takes corrective action and updates tools, systems, and materials as necessary.
An effective CMS commonly has two interdependent control components:
Board and Management Oversight; and
[1] See CFPB Bulletin 2016-02, Service Providers (October 31, 2016), which describes the CFPB’s expectation that supervised
banks and nonbanks oversee their business relationships with service providers in a manner that ensures compliance with Federal
consumer financial law. Compliance Bulletin and Policy Guidance; 2016-02
Compliance Program, which includes:
Policies and procedures;
Training;
Monitoring and/or audit; and
Consumer complaint response.
When the two interdependent control components are strong and well-coordinated, an institution
should be successful at managing its compliance responsibilities and risks.
Additionally, an institution’s compliance expectations extend to service provider relationships
into which the institution has entered. There can be certain benefits to institutions engaging in
relationships with service providers, including gaining operational efficiencies or an ability to
deliver additional products and services, but such arrangements also may expose institutions to
risks if not managed properly. While an institution’s management may make the business
decision to outsource some or all of the operational aspects of a product or service, the institution
cannot outsource the responsibility for complying with Federal consumer financial laws or
managing the risks associated with service provider relationships.
Weaknesses in a CMS can result in violations of Federal consumer financial law and associated
harm to consumers. Therefore, the CFPB expects every institution under its supervision and
enforcement authority to have a CMS adapted to its business strategy and operations. The CFPB
understands that compliance will likely be managed differently by large banking organizations
with complex compliance profiles and a wide range of consumer financial products and services[2]
at one end of the spectrum, than by non-bank entities that may be owned by a single individual
and feature a narrow range of financial products and services, at the other end of the spectrum.
Compliance may be managed on an enterprise-wide basis, and institutions may engage outside
firms to assist with compliance management. However compliance is managed, a provider of
consumer financial products or services under CFPB’s supervisory purview is expected to
comply with Federal consumer financial laws and appropriately address and limit violations of
law and associated harms to consumers.
The CFPB also understands that institutions will organize their CMS to include compliance with
consumer-related state and Federal laws that are outside the scope of the CFPB’s supervision
responsibilities, in addition to the matters that are within the CFPB’s scope. The CFPB,
therefore, expects that CMS will be organized within a firm, legal entity, division, or business
unit in the way that is most effective for the institution, and that the manner of organization will
vary from institution to institution.
[2] For example, the Federal Reserve Board of Governors expects large banking organizations with complex compliance profiles to
implement firm-wide compliance risk management programs and have a corporate compliance function. SR 08-8 / CA 08-11,
October 16, 2008. The CFPB will expect no less.
This CMS examination manual is divided into five Modules:
Module 1: Board and Management Oversight
Module 2: Compliance Program
Module 3: Service Provider Oversight
Module 4: Violations of Law and Consumer Harm
Module 5: Examiner Conclusions and Wrap-Up
In general, all CFPB reviews will include Modules 1, 2, 3, and 5. Module 4 will generally be
included in targeted reviews of individual product lines, as well as examinations that will result
in the institution receiving a consumer compliance rating. The CMS review for target reviews
will generally be limited to reviewing aspects of CMS pertaining to the product line under
review. To the extent that CMS for a particular product line or a specific institution has been
previously reviewed, CFPB examiners may evaluate CMS by reviewing previous conclusions
and assessing only the changes to the current CMS program.
Module 1: Board and Management Oversight
In a depository institution, the board of directors is ultimately responsible for developing and
administering a CMS that ensures compliance with Federal consumer financial laws and
addresses and minimizes associated risks of harm to consumers. In a non-depository consumer
financial services company, that ultimate responsibility may rest with a board of directors in the
case of a corporation or with a controlling person or some other arrangement. For the balance of
this section of the Manual, references to the “board of directors” or “board” generally refer to the
board of directors or other individual or group exercising similar oversight functions. In
addition, some institutions may be governed by firm-wide standards, policies, and procedures
developed by a holding company or other top-tier corporation for adoption, use, and
modification, as necessary, by subsidiary entities.
In the absence of a board of directors and board committee structure, the examiner should
determine that the person or group exercising similar oversight functions receives relevant
information about compliance and consumer protection matters and takes steps to ensure that the
key elements, resources, and individuals necessary for a CMS commensurate with the supervised
entity’s risk profile are in place and functioning.
Under Board and Management Oversight, examiners should assess the institution’s board of
directors and management, as appropriate, for their respective roles and responsibilities, based on
the following factors:
Oversight of and commitment to the institution’s CMS;
Effectiveness of the institution’s change management processes, including responding
timely and satisfactorily to any variety of change, internal or external, to the institution;
Comprehension, identification, and management of risks arising from the institution’s
products, services, or activities; and
Self-identification of consumer compliance issues and corrective action undertaken as
such issues are identified.
Board and Management Oversight – Examination Objectives
Because the effectiveness of a CMS is grounded in the actions taken by its board and senior
management, Examiners should seek to determine whether the board and management meet the
following objectives:
Oversight of and Commitment to the Institution’s CMS
1. Demonstrate a strong commitment and oversight to the institution’s CMS.
2. Provide compliance resources including systems, capital, and human resources
commensurate with the institution’s size, complexity, and risk profile.
3. Ensure that staff is knowledgeable, empowered and held accountable for compliance with
Federal consumer financial laws.
4. Conduct comprehensive and ongoing due diligence and oversight of service providers
consistent with the CFPB’s expectations to ensure that the institution complies with Federal
consumer financial laws.
5. Exercise oversight of service providers’ policies, procedures, internal controls, and training
to ensure consistent oversight of compliance responsibilities.
Change Management
1. Respond promptly to changes in applicable Federal consumer financial laws, market
conditions, and products and services offered by evaluating the change and implementing
responses across impacted lines of business.
2. Conduct due diligence in advance of product changes, consider the entire life cycle of a
product or service in implementing change, and review the change after implementation to
determine that the actions taken achieved the planned results.
Comprehension, Identification and Management of Risk
1. Comprehend and identify compliance risks, including emerging risks, in the institution’s
products, services, and other activities.
2. Engage themselves in managing identified risks, which include using comprehensive self-
assessments and independent audits, as applicable.
3. Address consumer compliance issues and associated risks of harm to consumers throughout
product development, marketing, and account administration, and through the entity’s
handling of consumer complaints and inquiries.
Self-Identification and Corrective Action
1. Proactively identify issues.
2. Promptly respond to CMS deficiencies and any violations of laws or regulations, including
remediation.
Board and Management Oversight – Examination Procedures
1. Review board meeting minutes and supporting materials during the period under review for
coverage of compliance matters.
2. Determine board committee structures and delegated responsibility for compliance matters,
such as to an audit committee or risk committee, and review the meeting minutes and
supporting materials of those committees for coverage of compliance matters.
3. Determine any management committees with delegated authority and accountability for
compliance matters, and review their composition, functions, authority, and reporting to
committees of the board or to the board.
4. Determine management’s oversight and review of heightened areas of risk, such as fair
lending; sales practices and production incentives (including performance goals); and unfair,
deceptive, or abusive practices; commensurate with the institution’s size, complexity, and
risk profile. Such review should include a review of management oversight, delegations,
authorities and input into substantive policies or procedures, audits, and monitoring related
to heightened areas of risk.
5. Determine the authority and accountability for compliance matters of regional or business
unit governance bodies; and review their composition, functions, and reporting.
6. Review the formal compliance program adopted by the board of directors or an appropriate
committee of the board, and determine whether commensurate resource allocation for
compliance is part of the entity’s budget and planning process.
7. Identify the chief compliance officer and other individuals responsible for compliance.
8. Review the role of the chief compliance officer for authority to lead a compliance program
and for independence from business units.
9. Review board and board committee records for evidence of the chief compliance officer’s
independent access to board members and governance bodies.
10. Review processes for the identification of new regulatory requirements, changes in
requirements, and planning for implementation.
11. Review processes for development and implementation of new consumer financial products
or services and distribution channels or strategies, to determine degree of compliance
function participation.
12. Review board meeting minutes and supporting materials for coverage of consumer
compliance related to sales practices, including sales quotas and incentive compensation
structures, both compensation based and non-compensation based. Determine if the board
members direct compliance personnel to design and implement CMS elements related to
sales practices and performance goals that address both intended and unintended outcomes,
and provide adequate resources to do so.
13. Review board or committee consideration of compliance audit matters for coverage of key
risks, independence from business functions, and resolution of identified issues.
14. Review reporting for the identification and resolution of issues and the timeliness and
completeness of corrective actions.
15. Review policies and procedures for changes management committed to make following
monitoring, audit, and examination findings and recommendations.
16. Draw preliminary conclusions as to whether board and senior management oversight is
strong, satisfactory, deficient, seriously deficient, or critically deficient.
Module 2: Compliance Program
A sound Compliance Program is essential to the efficient and successful operation of the
supervised entity. A Compliance Program includes the following components:
Policies and procedures;
Training;
Monitoring and/or audit; and
Consumer complaint response.
An institution should establish a formal, written Compliance Program, and that program generally
should be administered by a chief compliance officer. In addition to being a planned and organized
effort to guide the entity’s compliance activities, a written program represents an essential source
document that may serve as a training and reference tool for employees. A well planned,
implemented, and maintained Compliance Program may prevent or reduce regulatory violations,
protect consumers from non-compliance and associated harms, and help align business strategies
with outcomes. The examination objectives and procedures for the Compliance Program are
divided in this module among the four components.
Policies and Procedures – Examination Objectives
Compliance policies and procedures should document and be sufficiently detailed to implement
the board-approved policy documents. Examiners should seek to determine whether compliance
policies and procedures:
1. Are designed to effectively manage compliance risk in the products, services and activities
of the institution.
2. Are consistent with board-approved compliance policies.
3. Address compliance with applicable Federal consumer financial laws in a manner designed
to minimize violations and to detect and minimize associated risks of harm to consumers.
4. Cover the full life-cycle of all products and/or services offered.
5. Are maintained and modified to remain current and complete, and to serve as a reference for
employees in their day-to-day activities.
Policies and Procedures – Examination Procedures
1. Request and review policies and procedures related to consumer compliance, including, as
applicable, fair lending, sales practices, performance goals, and incentive structures (both
compensation and non-compensation based), and other Federal consumer financial laws, and
policies and procedures related to offering consumer financial products and services.
2. Review policies and procedures to determine whether and how they address new or
amended Federal consumer financial laws implemented since the most recent consumer
compliance examination.
3. Request and review policies and procedures to determine whether they cover consumer
financial products or services introduced since the most recent consumer compliance
examination.
4. Review policies and procedures relating to compliance with specific regulatory requirements
(such as fair lending regulations, or the privacy of consumer financial information) and their
implementing procedures.
5. Review policies and procedures for outdated content, the names of unaffiliated entities, or
other indicators that policies are overly general or not tailored to the needs and actual
practices of the institution.
6. Review policies and procedures for products with features that may inhibit consumer
understanding or otherwise pose heightened risks of unfair, deceptive, or abusive practices,
or fair lending.
7. Review policies and procedures related to an entity’s incentive program, including sales
quotas, performance goals, and incentive structures, both compensation and non-compensation
based. Determine whether policies and procedures provide fair and
independent processes for investigating reported issues of suspected improper behavior
related to sales practices and production incentives.
8. Determine whether policies and procedures provide clear guidance for managing the
inherent risk of sales practices and production incentives abuse in each stage of the product
life cycle (as applicable):
a. Marketing and sales;
b. Account opening;
c. Account upgrades or ancillary products;
d. Account servicing; and
e. Collections
9. Review policies and procedures for products containing features that may pose heightened
risk of unlawful discrimination. Such features may include:
a. Particular incentives created by employee compensation or performance goal
structures; both compensation and non-compensation based;
b. Discretion over product selection, underwriting, or pricing; or
c. Distinctions related to geography or prohibited bases (such as age or marital status).
10. Review policies and procedures maintained by different regional, business unit, or legal
entities subject to the same corporate or board-level policies for reasonableness. Instances of
inconsistency should be justified by business necessity or market condition.
11. Review policies and procedures for record retention and destruction timeframes to ensure
compliance with legal requirements.
12. If compliance procedures are embedded in automated tools or business unit procedures,
determine whether periodic reviews of these tools and procedures were performed prior to
implementation, for compliance with policies and procedures and applicable Federal
consumer laws. Also determine whether such tools were approved by the Board or a
committee thereof, for the purpose for which they are used.
13. Draw preliminary conclusions as to whether policies and procedures are strong, satisfactory,
deficient, seriously deficient, or critically deficient.
Training – Examination Objectives
Education of an entity’s board of directors, management, and staff is essential to maintaining an
effective compliance program. Board members should receive sufficient information to enable
them to understand the entity’s responsibilities and the commensurate resource requirements.
Management and staff should receive specific, comprehensive training that reinforces and helps
implement written policies and procedures. Requirements for compliance with Federal consumer
financial laws, including prohibitions against unlawful discrimination and unfair, deceptive, and
abusive acts and practices, should be incorporated into training for all relevant officers and
employees, including audit personnel. Examiners should seek to determine whether:
1. Compliance training is comprehensive, timely, and specifically tailored to the particular
responsibilities of the staff receiving it, including those responsible for product
development, marketing and customer service.
2. The compliance training program is updated proactively in advance of the rollout of new or
changed products or the effective date of new or changed consumer protection laws and
regulations to ensure that all staff is aware of compliance responsibilities.
3. Training is consistent with policies and procedures and designed to reinforce those policies
and procedures.
4. Compliance professionals have access to training that is necessary to administer a
compliance program that is tailored to the supervised entity’s risk profile, business strategy,
and operations.
Training – Examination Procedures
1. Request and review the schedule, record of completion, and materials for recent compliance
training of board members and senior management.
2. Determine the involvement of compliance officer(s) in selecting, reviewing, or delivering
training content.
3. Request and review policies, schedules, and records of completion for compliance-specific
training of compliance professionals, managers, and staff, and documents demonstrating that
service providers who have consumer contact or compliance responsibilities are
appropriately trained.
4. Request and review samples of the content of training materials, including training related to
fair lending, new or changed regulatory requirements, new or changed products or channels
of distribution, and marketing (including scripts).
5. Request and review training developed as a result of management commitments to address
monitoring, audit, or examination findings and recommendations or issues raised in
consumer complaints and inquiries.
6. Determine whether the program is designed to provide training about the specific regulatory
requirements relevant to the functions of particular positions.
7. Determine if the institution has implemented comprehensive training that addresses
expectations for sales practices and production incentives including:
a. Standards of ethical behavior, including procedures for reporting suspected incidents
of improper behavior;
b. Common risky behaviors for employees and service providers;
c. Requirements for accurately describing to consumers terms and conditions of
products and services; and
d. Regulatory and business requirements for obtaining and maintaining evidence of
consumer consent related to product opening and upselling.
8. Review records of follow-up, escalation, and enforcement for units with training completion
rates that do not meet the supervised entity’s standards or deadlines.
9. Request and review the institution’s plans for additions, deletions, or modifications to
compliance training over the next 12 months and any plans for changes to the overall
training resources and compare actual training activities to prior plans.
10. Draw preliminary conclusions as to whether the training program is strong, satisfactory,
deficient, seriously deficient, or critically deficient.
Monitoring and/or Audit – Examination Objectives
Monitoring is a compliance program element that seeks to identify CMS weaknesses in an effort
to provide for a high level of compliance by promptly identifying and correcting weaknesses.
Monitoring is generally more frequent and less formal than audit, may be carried out by the
business unit, and does not require the same level of independence from the business or
compliance function that an audit program requires. Conversely, audit is generally less frequent
and more formal than monitoring, may be carried out by an institution’s internal audit
department or outside contracted party, and is generally independent of the business or
compliance function that does the monitoring.
The audit function should review an institution’s compliance with Federal consumer financial
laws and adherence to internal policies and procedures, and should be independent of both the
compliance program and business functions that include customer sales or service. A compliance
audit program provides the board of directors or its designated committees with a determination
of whether policies and procedures adopted by the board to guide risk management are being
implemented and followed to provide for the level of compliance and consumer protection
established by the board.
Examiners should evaluate monitoring and audit programs to determine whether, considered
together, they are commensurate with the institution’s size, complexity, and risk profile. In some
instances, particularly in institutions that are small, are non-complex in their organizational or
operational structure, and that engage in products and services that present low risk of consumer
harm, it is possible that the institution’s CMS only has one of these functions. In instances where
an institution does not have both functions, examiners should evaluate whether coverage is
commensurate with the institution’s size, complexity, and risk profile.
Examiners’ review of compliance monitoring and/or audit should determine whether:
1. Compliance monitoring practices, management information systems, reporting, compliance
audit, and internal control systems are comprehensive, timely, and successful at identifying
and measuring material compliance risk management throughout a specific product line
and/or the institution.
2. Programs are monitored proactively to identify procedural or training weaknesses to mitigate
regulatory violations. Program modifications are made timely to minimize compliance risk.
3. The institution is determining that transactions and other consumer contacts are handled
according to the entity’s policies and procedures.
4. Monitoring considers the results of risk assessments or other guides for prioritizing reviews.
5. Findings as a result of monitoring reviews are escalated to management and to the board of
directors, as appropriate.
6. The audit program is sufficiently independent and reports to the board or a committee of the
board.
7. The audit program addresses compliance with all applicable Federal consumer financial laws.
8. The schedule and coverage of audit activities is appropriate for the institution’s size,
complexity, risk profile; consumer financial product offerings; and manner of conducting its
consumer financial products business.
9. All appropriate compliance and business unit managers receive copies of audit reports in a
timely manner.
Monitoring and/or Audit – Examination Procedures
1. Determine the chief compliance officer’s role in the monitoring element of the compliance
program.
2. Request and review the monitoring schedule for the review period and the next 12 months,
and review the currency of reviews in process against the current schedule.
3. Request and review all applicable risk assessments, including fair lending risk assessments,
or other documents that led to the current monitoring plan.
4. Discuss with the compliance officer and/or the monitoring manager the coverage of service
providers that have contact with consumers.
5. Determine whether and to what extent monitoring includes calculation tools, the content of
consumer disclosures and notices, marketing materials, and scripts or guides for employee
contacts with consumers.
6. Request and review all monitoring and corrective action reports completed during a specific
period of time. Include reports related to fair lending compliance, such as fair lending “self-
tests.” Ensure that the entity notifies you of any documents that it claims are withheld on the
basis of privilege or “self-tests” so that the applicability of the privilege or regulation can be
properly assessed.
7. If the institution has sales quotas and production incentive structures in place, including
performance-based sales goals, determine whether and to what extent monitoring of these
programs includes (but is not limited to):
a. Overall product penetration rates by consumer and household;
b. Specific penetration rates for products and services (such as overdraft, add-on
products, and online banking) and penetration rates by consumer segment;
c. Employee turnover and employee satisfaction or complaint rates;
d. Spikes and trends in sales (both completed and failed sales) by specific individuals
and by units;
e. Financial incentive payouts;
f. Fair lending analysis;
g. Account opening/product enrollment, account upgrades (including ancillary
products), and account closure/product cancellation statistics (trends), including by
specific individuals and by units, taking into account the terms of the sales practices
program;
h. Consumer complaints about unauthorized account opening/product enrollment,
account upgrades (including ancillary products) and/or sales practices.
8. Review reports for indications of weaknesses, repeat violations of law and resulting risks or
harm to consumers, or other matters of significant concern such as potential discriminatory
effects of policies or procedures or particular business units with continuing or high levels of
non-compliance.
9. Review a sample of reports and supporting documents covering potential unfair, deceptive,
or discriminatory practices or related matters that pose heightened risks to consumers for
thoroughness of review, accuracy of findings, and appropriateness of corrective action.
10. Request the institution’s audit plans and schedules for the review period and the next 12
months, and review the currency of audits in process against the current schedule.
11. If audit is performed by a third party, request and review the engagement letters or contracts
covering the review period.
12. Determine the basis for the audit plan and schedule and whether reporting is to the board of
directors or to an audit committee or other committee of the board.
13. Request and review all audit reports for a specified period of time, including any fair
lending audit reports.
14. Determine whether written audit reports identify the scope, sampling techniques,
findings/deficiencies, recommendations for corrective action, and management responses
with time frames for corrective action.
15. Determine whether audit scopes include previous audit and examination findings, new
requirements, new products and channels, and self-identified higher risk areas of the
supervised entity’s operations.
16. Request and review audit work papers for a sample of audits covering fair lending laws and
regulations; potential unfair, deceptive, or abusive practices; or other areas that may pose
heightened risks to consumers.
17. Request and review all audit reports related to unauthorized account openings, upgrades,
and ancillary products; performance based sales goals and production incentives (both
compensation-based and non-compensation based); and sales practices across all product
lines.
18. Determine whether the supervised entity’s chief compliance officer and appropriate business
unit head(s) receive copies of audit reports, so that adjustments can be made to compliance
program elements in a timely manner.
19. Review audit function structure and policies and procedures to ensure that the audit
function, whether internal or external, is independent of the business line and compliance
management function.
20. Draw preliminary conclusions as to whether monitoring and/or audit is strong, satisfactory,
deficient, seriously deficient, or critically deficient.
Consumer Complaint Response Examination Objectives
An effective CMS should ensure that an institution is responsive and responsible in handling
consumer complaints and inquiries. Intelligence gathered from consumer contacts should be
organized, retained, and used as part of an institution’s CMS. The institution should be making a
deliberate, good faith effort toward resolution of each consumer complaint.
Examiners will consider consumer complaints to determine the responsiveness and effectiveness
of the consumer complaint resolution process. Examiners will assess whether:
1. Processes and procedures for addressing consumer complaints are appropriate.
2. Consumer complaint investigations and responses are reasonable.
3. Consumer complaints and inquiries, regardless of the channel through which they are
submitted, are appropriately recorded and categorized.
4. Consumer complaints and inquiries, whether regarding the entity or its service providers, are
addressed and resolved promptly.
5. Consumer complaints that raise legal issues involving potential consumer harm from unfair
treatment or discrimination, unauthorized product enrollment, account openings or upgrades
(including the addition of ancillary products), improper sales practices, imminent
foreclosures, or other regulatory compliance issues, are appropriately categorized and
escalated.
6. Management monitors consumer complaints to identify risks of potential consumer harm and
CMS deficiencies, and takes appropriate prospective and retrospective corrective action.
7. Consumer complaints result in retrospective corrective action to correct the effects of the
supervised entity’s actions when appropriate.
8. The nature or number of substantive complaints from consumers indicates that potential
weaknesses in the CMS exist.
Consumer Complaint Response Examination Procedures
1. Obtain and review consumer complaints and inquiries received by CFPB about the entity
and its service providers.
2. Review industry or other benchmarking complaint data collected by CFPB.
3. To the extent available, obtain and review consumer complaints and any whistleblower
complaints against the institution from the prudential regulator, state regulators, state
attorneys general offices or licensing and registration agencies, and private or other industry
sources.
4. Request and review the institution’s policies and procedures for receiving, escalating, and
resolving consumer complaints and inquiries.
5. Request and review the record of consumer complaints and inquiries received by the
institution related to improper sales practices, unauthorized product enrollment, account
openings or upgrades, including the addition of unauthorized ancillary products.
6. Identify complaints, including any whistleblower complaints, that may indicate a risk of
consumer financial law violation or management issues related to controls for those risks;
for example, those alleging or creating a risk of deception, unfair treatment, unlawful
discrimination, or other significant consumer injury.
7. Determine whether the financial institution’s responses to complaints and inquiries are
prompt and complete, and based on a thorough investigation of the facts.
8. Determine whether corrective action is offered or taken for any complaint resulting in a
conclusion of violation of law or regulation.
9. Determine whether complaints involving service providers or other third parties referring
business to the institution receive appropriate handling and follow-up by the entity.
10. If an institution maintains multiple consumer complaint response centers or units, determine
whether it employs a common set of practices.
11. Determine whether evaluations of consumer complaints, including whistleblower complaints,
include comprehensive root cause analysis to assess why a particular law violation or error
occurred; for example, whether an information system coding error led to inaccuracies across
a portfolio, or whether repeated data entry errors, in the absence of appropriate monitoring,
resulted in significant inaccuracies.
12. Determine whether the financial institution provides retrospective remediation to all
consumers harmed by a particular violation of Federal consumer financial law.
13. Determine whether evaluations of consumer complaints and inquiries are shared within the
institution and included in compliance reporting to the board and senior management.
14. Determine whether evaluations of root cause analysis are used in corrective action, such as
modifying policies, procedures, training, monitoring, and/or other appropriate business
adjustments.
15. Draw preliminary conclusions as to whether the supervised entity’s response to consumer
issues and concerns is strong, satisfactory, deficient, seriously deficient, or critically
deficient.
Module 3: Service Provider Oversight
The CFPB recognizes that the use of service providers is often an appropriate business decision
for institutions. Institutions may outsource certain functions to service providers due to resource
constraints, use service providers to develop and market additional products or services, or rely
on expertise from service providers that would not otherwise be available without significant
investment.
However, the mere fact that an institution enters into a business relationship with a service
provider does not absolve the institution of responsibility for complying with Federal consumer
financial law to avoid consumer harm. A service provider that is unfamiliar with the legal
requirements applicable to the products or services being offered, or that does not make efforts to
implement those requirements carefully and effectively, or that exhibits weak internal controls,
can harm consumers and create potential liabilities for both the service provider and the entity
with which it has a business relationship. Depending on the circumstances, legal responsibility
may lie with the institution as well as with the supervised service provider.
Service Provider Oversight Examination Objectives
Examiners should determine whether institutions have met the following expectations regarding
service provider oversight:
1. The institution has developed and implemented an appropriate risk management program for
service providers based on the size, scope, complexity, importance, and potential for
consumer harm of the service(s) being performed.
2. The institution’s service provider risk management program includes initial and ongoing due
diligence reviews to verify that the service provider understands and is capable of complying
with Federal consumer financial law.
3. The institution ensures that the service provider conducts appropriate training and oversight
of employees or agents that have consumer contact or compliance responsibilities.
4. The institution has included in its contract with the service provider clear expectations about
compliance, as well as appropriate and enforceable consequences for violating any
compliance-related responsibilities, including engaging in discrimination and unfair,
deceptive, or abusive acts or practices.
5. The institution has established internal controls and ongoing monitoring to determine
whether the service provider is complying with Federal consumer financial law.
6. The institution takes prompt action to fully address any problems identified through the
monitoring process, including terminating the relationship where appropriate.
Service Provider Oversight Examination Procedures
1. Determine whether and to what extent the institution uses service providers to carry out
functions that have consumer compliance responsibilities.
2. Request and review contracts between the institution and its service providers. Determine
whether contracts contain clear expectations about compliance, as well as appropriate and
enforceable consequences for violating Federal consumer financial law.
3. Request and review the institution’s service provider risk management program.
4. Determine whether the institution’s risk management program requires initial and ongoing
due diligence reviews on service providers. Evaluate whether these reviews are sufficient to
verify that the service provider understands its consumer compliance responsibilities, is
capable of complying with Federal consumer financial law, and does not pose unwarranted
risks to consumers.
5. Determine whether the risk management program provides for ongoing monitoring reviews
sufficient to ensure that service providers are complying with Federal consumer financial
laws.
6. Determine whether the institution has policies, procedures, and processes in place to take
prompt corrective action to fully address any problems identified through the monitoring
process, including termination of the service provider relationship, when appropriate.
7. Draw preliminary conclusions as to whether the institution’s service provider oversight is
strong, satisfactory, deficient, seriously deficient, or critically deficient. Consider the impact
that this conclusion has on conclusions regarding Board and Management Oversight and
components contained within the Compliance Program.
Module 4: Violations of Law and Consumer Harm
As a result of a violation of law, consumer harm may occur. While many instances of consumer
harm can be quantified as a dollar amount associated with financial loss, such as charging higher
fees for a product than was initially disclosed, consumer harm may also result from a denial of an
opportunity. For example, a consumer could be harmed when an institution denies the consumer
credit or discourages an application in violation of the Equal Credit Opportunity Act.
When violations and consumer harm are identified, it is important for examiners to consider
whether or not the institution’s CMS identified the violation and implemented appropriate
corrective action. Self-identification and correction of violations of law reflect strengths in an
institution’s CMS. A CMS appropriate for the size, complexity and risk profile of an institution’s
business often will minimize violations or will facilitate early detection of potential violations.
This early detection can limit the size and scope of consumer harm. Moreover, self-identification
and corrective action on serious violations represent evidence of an institution’s commitment to
responsibly address underlying risks. Appropriate corrective action, including both correction of
programmatic weaknesses and full redress for injured parties, limits consumer harm and prevents
violations from recurring in the future.
Violations of Law and Consumer Harm Examination Objectives
In the event that examiners identify violations of Federal consumer financial law, they should
consider the following factors:
1. The root cause of the violation: the degree to which weaknesses in the CMS contributed to
the violation(s) of Federal consumer financial law. In many instances, the root cause of a
violation may be tied to a weakness in one or more elements of the CMS. Violations that
result from critical deficiencies in the CMS evidence a critical absence of management
oversight and are of the highest supervisory concern.
2. The severity of consumer harm: the type of harm, if any, that resulted from the violation(s) of
Federal consumer financial law. More severe harm results in a higher level of supervisory
concern. For example, some violations may cause significant financial harm to a consumer,
while other violations may cause negligible harm, based on the specific facts involved.
3. The duration of the violation: the length of time over which the violation(s) of Federal
consumer financial law occurred. Violations that persist over an extended period of time will
raise greater supervisory concerns than violations that occur for only a brief period of time.
When violations are brought to the attention of an institution’s management and management
allows those violations to remain unaddressed, such violations are of the highest supervisory
concern.
4. The pervasiveness of the violations: the extent of the violation(s) of Federal consumer
financial law and resulting consumer harm, if any. Violations that affect a large number of
consumers will raise greater supervisory concern than violations that impact a limited
number of consumers. If violations become so pervasive that they are considered to be
widespread or present in multiple products or services, the institution’s performance is of the
highest supervisory concern.
Violations of Law and Consumer Harm Examination Procedures
The following examination procedures should be conducted in the event that examiners note
violations of Federal consumer financial law:
1. Determine the root cause of the violation(s) by identifying the weaknesses in the institution’s
CMS that contributed to the noted violation(s). Review preliminary conclusions drawn from
Modules 1, 2, and 3 on the component(s) identified as the root cause and revise those
conclusions accordingly, keeping in mind that not all violations of law indicate weaknesses in
CMS.
2. Determine whether the institution self-identified violation(s) and consumer harm, and assess
the effectiveness of any corrective action implemented as a result.
3. Draw a conclusion as to whether the violations are a result of minor weaknesses, modest
weaknesses, material weaknesses, serious deficiencies, or critical deficiencies in the CMS.
4. Assess the severity of the consumer harm that resulted from the violation(s) by determining
the degree of impact that the violation has on consumers. Consider the degree of financial
impact or impact of non-financial harm.
5. Draw a conclusion as to whether the type of harm resulting from the violation(s) would have a
minimal, limited, considerable, or serious impact on consumers.
6. Assess the duration of the violation(s) and resulting consumer harm by determining the time
period over which the violation occurred. Consider whether management was aware of the
violation(s) and whether they took action to resolve the issue or allowed it to continue.
7. Determine the pervasiveness of the violation(s) and consumer harm by considering the number
of affected consumers. Consider whether the violation(s) and consumer harm are limited or
whether they are widespread or in multiple products or services.
Module 5: Examiner Conclusions and Wrap-Up
To conclude this supervisory activity, examiners must complete all the steps under this section,
regardless of the entity’s risk profile:
1. Summarize the findings, supervisory concerns and conclusions for each Module completed.
2. Identify action needed to correct weaknesses in the institution’s CMS.
3. Discuss findings with the institution’s management and, if necessary, obtain a commitment
for corrective action.
4. Record findings according to Bureau policy in the Examination Report/Supervisory Letter.
5. Prepare a memorandum for inclusion in the work papers and CFPB’s official system of
record that outlines planning and strategy considerations for the next examination and, if
appropriate, interim follow-up.