In response to the financial crisis of 2007-2008, Congress passed the Dodd-Frank Wall Street Reform Act, which, via Title X of said act, authorized the creation of the Consumer Financial Protection Bureau. According to annual reports, the CFPB has grown from 58 employees in 2010 to 1,529 in 2015, and has levied penalties of nearly $350 million, which includes $183 million in fiscal 2015, up from $77.5 million in FY 2014. Expanding its reach well beyond credit card issuers and mortgage companies to include investigations of and actions against the payday lending, automobile finance, debt collection, for-profit education, and banking industries, the CFPB has established itself as a serious contender in the fight for consumer protection within the financial services industry.
As a result of this focus, many companies are left wondering how to effectively establish an internal compliance program that not only protects the consumer, but also the company itself. While many of the affected industries to date require licensure to practice, it can be effectively argued that licensure is not enough, as most licensure examinations are constructed to measure only minimum competency in the chosen field. Compliance, human resources and legal departments are quickly coming to realize that minimum competency is not a viable, long-term solution. Further, without specific guidelines as to what and how much training must be undertaken, it is left to the individual companies to decide how best to implement a valid and defensible culture of compliance within their organizations. Possibly relegated to the role of support function in the past, internal compliance resources are now claiming a significant seat at the management table, arguably on par with sales and marketing in terms of operational effectiveness and institutional health.
Enter the need for governance, risk and compliance (GRC) training on a much grander scale. Companies that have expanded their view of employee training are adding terms like Anti-Money Laundering (AML), Unfair, Deceptive or Abuse Acts and Practices Act (UDAAP), Real Estate Settlement Procedures Act (RESPA), Truth in Lending Act (TILA), and Bank Secrecy Act (BSA) to their vernacular and enforcing strict adherence to a compliance culture that ensures an ethically practicing and educated workforce is in place. Depending on industry and size, many companies are finding it necessary to push this same training down to third-party vendors to alleviate any exposure due to outsourcing. Few companies had a significant line item associated with compliance in the past, and now, few can afford not to. A cursory Internet search of “CFPB fines” will indicate that there is a need to take this new focus seriously. It has been said that the Internet is written in ink, and it can be argued that the fines levied against financial services firms pale in comparison to the long-term impact to their reputation, which often times is crafted over many decades. A 2013 study published jointly by Deloitte and Compliance Week revealed that 52% of respondents to a survey of companies between $1 billion to $5 billion in revenue and 5,000 to 10,000 employees dedicated five or fewer full-time personnel to compliance. Clearly, this is a need that successful companies can no longer discount. Regulatory oversight aside, the very health of our industry is at stake.
Establishing a culture of compliance is not a static goal, but, rather, an ongoing exercise that must be viewed as a process which is constantly evolving and requires support, maintenance, and, most importantly, leadership. The need for GRC training must be acknowledged, accepted and clearly established within an organization’s DNA, and this can only be accomplished through leadership — leadership in word, without question, but also leadership in action.
The process that must be undertaken, however, is not arduous and is remarkably similar for all financial services employers, regardless the size of the employee cohort in question. Be it an internally established program or one that is outsourced to a group, the devil is in the details. Constant organizational support and communication are necessary for success and, as in most projects, planning is vital. Careful consideration must be given before a course of action is taken as companies must ascertain their weaknesses, identify areas for improvement, build a solution, and, most importantly, develop processes that continually monitor the program to assure the control environment is effective.
Every day brings increased scrutiny on our industry and increased regulatory oversight is quickly becoming the only constant in our business. Without question, the time for action is now — abandon the culture of defiance and recognize the value inherent to a culture of compliance.
This column was originally published in the June 2015 issue of National Mortgage Professional Magazine.