Walking into Spiderwebs: Understanding & Predicting Risk Environment
Mortgage Industry Insight: One of the great things about SCA is the range of issues we get to see, and the wealth of knowledge we get to tap into while working with dozens of clients on a monthly basis. Today, we'll share some information about Risk Management and Compliance.
By Gregg Oberg:
It’s difficult—yet crucially important to compliance management—to see all the implications of the complex web of ever-changing internal controls and regulatory obligations that overlay our business environment. While invisible to most levels of bank operations, the best risk managers understand that a failure in X is indicative of weakness in A, R, and W. This is the reason we centralize compliance responsibility in the hands of our CCO; and the reason even seemingly insignificant procedure must be held sacred and adhered to at all times.
Some of these interconnections are clear, but most are not. The classic example in bank regulation would be UDAAP and Fair Lending. Discrimination, in violation of ECOA, FHA, etc. is “Unfair” or “Abusive” in the language of most state and federal regulations. These directly connected consequences must be seen. But what about more complex, less direct risk chains?
Longview on Risk Environment: A Servicing Example
With recent delinquency rates and a few years post MSR implementation, servicing has fallen somewhat out of Vogue. The issue is particularly complex on both the deposit and mortgage sides of the house; and significantly muddied by differing state obligations. That might be changing, as the recent NPRM by CFPB on Debt Collection Practices has ramped up industry interest.
Law and (social) Economics: How Twitter Regulates Regulations (a preview)
For what it’s worth, I think evaluating regulatory change for impact solely based on probability of passage/implementation is short-sighted. We live in a world where the will of the people is made abundantly clear 280 characters at a time. Let’s stipulate that CFPB proposed the debt collection changes solely to help businesses (a view I think exists in the public conscious, although I take no position at this point). The people make clear it should not pass, so it does not pass (again, requires some imagination).
But the issue doesn’t stop there. Now you have a portion of the population outraged by 1) the current state of collections practices; and 2) the “corrupt” effort of regulation to assist business. Consumers view this relationship as a zero-sum game. Reaction doesn’t stop at “killing the bill,” now you’ve got investigative reporting describing exactly what the consumers’ gripe is—and exposing industry to reputational risk.
In short, it’s not a crazy connection to assume that any controversial proposal will elicit a (not less than) proportionate backlash of public scrutiny of the proposal’s subject matter.
Much like pending legislation/regulation, I believe you need to consider high-profile enforcement actions (criminal and civil) broadly as within the scope of your CMS External Information Gathering function for purposes of understanding the undercurrent of the Risk Environment (risk tectonics? I’m toying with a metaphor, feedback appreciated).
CFPB Civil Action v. Debt Collection Law Firm (Complaint)
First, a note: I don’t necessarily see anything deeper in this case, but instead am using to demonstrate a methodology usable in evaluating information for compliance insights.
As promised; a thrilling tale of debt collection and alleged indifference to consumer financial protection. The details are less important to the following analysis, so I’ll present only a summary factual record (read the filing here, I wouldn’t link it if I didn’t find valuable):
Law Firm (LF) collects consumer debts in agency relationship with Creditor(s);
LF further collects debts for debt buyers, which may implicate servicing transferor obligations of certain originating Creditor(s);
Some LF collected debts include HELOCs;
LF received from Creditors Nonpublic Personal Information (NPI), including SSNs and documents evidencing the alleged debt to be collected (although they often didn’t review any docs); and
The CFPB now alleges, among other counts, that LF committed UDAAP and FDCPA violations.
Why’s This My Problem?
Numerous reasons. The first being something your mother most likely told you: “you are defined by the company you keep,” or something to that effect. Multiple financial institutions—both brand names and “subs-of-subs-of-holding company types” are listed in the Compliant—do you do business with one? If so, reputational risk exists. Second and in the same vein, do/have you been in an agency relationship with any of the parties? If so, you may have legal risk too (although that’s probably a more remote possibility if you haven’t already heard from the CFPB).
In a well-functioning CMS, You Oughta Know:
External Information Gathering functions should have caught this news for at least a few different reasons; but that’s only step one. Institutions truly committed to risk management (as opposed to merely compliance) could likely automate 95% of this function through “red flag detection” systems configured to flag all mentions of third party relations within the vendor management control environment, and sort appropriately based on linguistic tagging (throw back to my old life in competitive intelligence, love to chat geek occasionally).
Think of this as a quick evaluation of direct consequences. Probably a low cost/high reward action; you don’t often get caught with zero information ahead of public disclosure if you’re overseeing your third-party relationship effectively. I’d suspect that when/if you do, it’s because you’re a “tangential third parson” or something like that—and the risk is essentially nil. Don’t need to worry too much about a 3 A.M. phone call on these items.
Proactive Compliance
If you’ve done everything up to this point; you’ve earned roughly a C-. A great CCO—adequately supported by a better team—has this taken care of before lunch, and is looking for more. The job is not done when you say “nope, not a risk.” You have to think out the logical implications of every input of data in order to properly manage risk and add value to your institution. How better to demonstrate your compliance than reading between the lines in everything you can get your hands on?
Gleaning Actionable Insights from Seemingly Tangential Information
Clear actions you can/should take include evaluation of your vendor management process for detective controls aimed at rooting out similar behavior. In a more global sense, consider the fundamental gripe the CFPB has with LF: failure to pay any real attention to their actions. Do you have vendors who just “go through the motions”? Performing a “mini-investigation” of your company and functions under CFPB acknowledged factors present in the Complaint may allow you to expand controls and demonstrate your attention to detail. Above all, document everything!
But Wait, There’s more!
The bigger reasons I raise the example is to discuss how poor third-party due diligence can Sabotage an otherwise outstanding CMS. Again, I present the Complaint merely as a hypothetical; without evaluation of magnitude related to any identified risks against the larger backdrop. This is merely how I evaluate when reading new information. Even if you service all debt internally, you can learn a thing or two.
After reviewing the more direct risk issues, we should consider the macro implications on Risk Environment moving forward. I raised two facts above that are critically important to the overall vendor management discussion; although not necessarily in this order.
First, the agency relationship between LF and Creditor(s) with regard to legal standards of liability. I’ve spent more time empirically studying Foreign Corrupt Practices Act than any singular body of law, so I often revert to these metrics for describing importance of an issue. In FCPA contexts, a majority of actions are brought against multinational organizations are completely or partially based on the actions of an agent under the alleged explicit or implicit direction of the principal. When a third party performs an action (presumably under contract) on behalf of your institution, their actions are imputed to you—if not legally then in the court of public opinion.
Second, I raised the disclosure of NPI between principal Creditor(s) and agent LF to highlight yet another hot button issue within our industry—and realistically our collective political landscape as we head to 2020—data privacy and security. Just do a Google search, everyone and their mother is talking about it, and few of us grasp the magnitude of the issue.
When combining these two points, the issue I’m attempting to highlight is that any data management discussion MUST start with an understanding of the overall data infrastructure. At least half of this requires detailed understanding of data outflows to third-party vendors, and the ways that data will be maintained and/or retransmitted thereafter.
It All Comes Back Around
Recent studies on US company adoption of GDPR regulations show a majority of companies are not meeting their obligations and do not anticipate being able to adjust to changes in regulation.
We see much the same situation when it comes to companies adopting to TRID 2.0—they’re pushing forward “2.0 Compliance” as if it’s a simple patch; despite having failed to implement the “operating system” in the form of TRID 1.0 compliant procedure (those of you stumbling through the metaphor, you won’t like the following paragraph(s)).
With the proliferation of data privacy and security related laws across the globe; and particularly passed or pending legislation in multiple U.S. states generally in line with Europe’s GDPR, we cannot focus on the “new” if we haven’t first established the “old.” Too often I see institutions turning to contractual controls and indemnification principles of traditional risk management in managing third-party risk. Sure, that may be sufficient in some cases; but I can’t see any relationships that remotely touch consumer information that would be adequately managed without a deep understanding of the data security practices—common and divergent—of the vendor and your institution.
The topic is enormous, and unique to each institution. But a “benchmarking” questions can help you understand if now is the time to panic:
Can you list every vendor who receives NPI
Do you ensure vendors meet industry recognized standards (ISO, SOC, etc.) prior to sharing data?
When did you last audit [pull random vendor from list, assuming you have one] for data security?
SCA Customer Focused: Do you have a Reg P form updated for VT law in last ~18 months?
Closing Time
Ok, that one was a freebee if you haven’t caught on just yet. At SCA, we know compliance can leave you Livin’ la Vida Loca, and meeting diverse regulator expectations can seem like a Fantasy as you Jump Around from topic to topic. As a compliance officer—no matter your experience or background—You’re Still the One expected to know everything yesterday.
But “I’m a Basket Case keeping up with every possible risk,” or “I don’t Wanna Miss a Thing, but I do have other duties,” you say. Compliance resources are scarce, particularly in community banking; you can’t pay attention to All the Small Things. Or at least you can’t alone. Call an All Star from SCA, we Wannabe YOUR Compliance partner.
So how many did you catch? Email me, first/top responses get an hour to talk about whatever compliance issue you have. You’d be doing me a favor; I love to learn from anyone and everyone curious enough to reach out.
Disclaimer
Just like you, loyal reader, I’m doing my best and trying to figure it all out. I’m not always right; and I’m not always as clear as I’d like to be. If you see a better way, a different way, or think I’m completely off base—let’s talk about it. I hope you enjoyed the blog.
Goberg@Scapartnering.com; 805-402-7797
Any views expressed are mine and not those of my employer, our clients, or any third parson. Effective Challenge drives development in all parties.
Spillane Consulting Associates has served the residential mortgage lending business since 1991. We have specialized in mortgage banking consulting services and provided quality control reviews, risk management and process consulting and employee training to credit unions, community banks and non-depository institutions. We are a thought leader on the strategic growth of residential mortgage lending. You can learn more by visiting our website, or scheduling a meeting with me or one of my colleagues.
SCA Compliance Hotline: Need a question answered quick?
Email: Compliance-Question@scapartnering.com
Call: (781) 356-2772
Thanks so much for reading our weekly newsletters. We're not always going to be perfect, but because we always do our best and try not to overpromise, we hope that we're always going to be trustworthy. Your calls and e-mails are very helpful - please keep contributing.
**These are our opinions. We're not authorized, or willing, to express those of others.**