Leadership changes at the Consumer Financial Protection Bureau (CFPB) and a push to repeal CFPB Bulletin 2013-02 (Indirect Auto Lending and Compliance with the Equal Credit Opportunity Act) might signal smoother regulatory roads ahead for auto lending. Nevertheless, the coming year is not the time to put your compliance program on cruise control. Even if automotive dealer associations and lobbies may be heralding a hands-off CFPB, the fact is that most automotive finance companies and banks are dealing with multiple regulators at various levels of their organizations, leaving the likelihood of a regulatory examination largely unchanged.
Many regulatory bodies at both the federal and state levels are poised to pick up the slack created by any pullback of the CFPB’s efforts. New York’s Department of Financial Services (NYDFS) runs a stringent examination process largely aligned with the same topics and scope of the federal agencies’ exam manuals (including a specific focus on fair lending). Other states have also been ramping up their consumer protection focus. For example, Pennsylvania’s attorney general formed a consumer financial protection unit last summer. The point is that automotive finance companies’ compliance requirements are not dramatically changing, and it remains critical for compliance programs to continue to mature.
Given the uncertainty in Washington, how can compliance leaders address the likely decrease in interest and, possibly, support from their business partners and executives? The answer lies in refocusing efforts on the holistic view of all policies, procedures, governance, and other aspects of your company’s compliance management system (CMS), while continuing to build strong relationships with your executives and business partners. Importantly, maintaining support starts with further strengthening the tone at the top.
In fact, the state of auto lending regulation coming into 2018 presents a good opportunity to bring your compliance program in for a tune-up and refocus your efforts on maturing the overall CMS.
Retune Executive Messaging
Executive support and the right tone at the top have long been regulatory expectations for a strong and effective CMS. In a period of shifting regulatory attention, it is critical for the Chief Compliance Officer to continue to strengthen his/her relationship with executive management. Review your previous messaging and presentations to the executive team. If you have consistently provided a holistic view of the compliance risks your company faces, then you are already ahead of the game. The situation is different, though, if your primary message and focus have been on fair lending risks related to various CFPB consent orders and dealer compensation for loan origination. In this case, your messaging needs to shift to a more holistic view, covering examination risks from other federal and state agencies, as well as issues such as debt collection, ancillary products, vendor risks, and cybersecurity.
Start by meeting with individual members of your executive team on a regular basis. They should not hear from you only when there are troubling headlines or exam notices. Gain consensus early by discussing the news reports surrounding the CFPB and seeking to understand how management feels the company is affected. Be prepared to present information on the multitude of other compliance risks covered by regulatory exams and the various entities that could call for an exam. Leverage any exams and interactions you may have already had with the CFPB or state agencies. If you have open recommendations from exams, stress the importance of ensuring they are adequately addressed. Exams are likely to continue, and although their frequency and scope may change, examiners will still expect to see progress in your CMS. Your messaging needs to convey that the compliance journey continues regardless of what ultimately happens with the CFPB.
Enhance Your Risk Assessments
Risk assessments not only meet a regulatory expectation, but also serve as a key tool to provide executives with a holistic view of their regulatory risk profile. Typical assessments will generally analyze inherent risk and controls to come up with a residual risk ranking. These rankings are normally shown on a heat map to executives, with some combination of red, yellow, and green (or high, medium, and low). But does showing a certain color or arbitrary ranking really address what are likely to be the real questions from your executives? How much risk does a certain process or regulation present? Is the answer you want to provide really “red” or “high”? How do you measure the potential risk reduction versus the cost of a particular project to enhance controls or mitigate compliance risk?
A detailed risk assessment that covers all regulations, products, business units, and risks provides additional risk-based justification to both your executives and regulators to support the focus of your limited compliance resources. Provide additional data behind your rankings to better communicate the importance of the compliance function to your executives. Look for ways to fully document and understand the controls in place and how they address specific regulatory requirements. Delve into details, answering questions such as the following:
- Is the control preventive or detective in nature?
- Automated or manual?
- Has the control been tested and were issues found?
These and other details can be scored and used to compare one control to another. This data can then help answer questions of how much risk is present and justify why executives should fund various business initiatives that impact the compliance risk of a company.
The message to your executives should evolve from this:
“Process ABC has a high compliance risk, please approve a $500,000 project to improve the controls and reduce this risk.”
It should become a more compelling message that looks something like this:
“Process ABC has three inefficient manual controls that are detective in nature. Through our testing, the controls have been found to be ineffective. We are seeking approval for a $500,000 project to build automated controls into our process that help ensure compliance with the regulation, provide additional efficiencies to our business process through automation, and potentially reduce the manual costs associated with current controls.”
When performed at a detailed level, risk assessments can also provide the compliance team valuable information to further quantify the amount of risk a company faces. The additional detail gives you a more powerful message to executives and demonstrates that you can explain compliance issues in their terms. Detailed risk assessments will also help prioritize compliance work and pragmatically spend the limited compliance resources you have. If you’ve already had multiple exams or audits in a particular area, for example, it may be justified to delay the next compliance review to later in the year or early next year. Spend your resources wisely and ensure that they are focused on the high-risk items that are relevant to your business and executives.
You will also want to avoid creating the perception with regulators that the focus of your compliance program comes and goes with the news headlines. A CMS is not something that can be stopped and then restarted when the next exam notice comes along. Consistent attention and messaging will be key to maintaining credibility with regulators. Risk assessments provide the tools to demonstrate complete coverage of compliance risks and make sure the executive team has a holistic view of your compliance risk profile.
Find Compliance Program Efficiencies
Now may also be the time to search for opportunities to improve efficiencies in your compliance processes. In lieu of requesting additional job cards, explore opportunities to automate your compliance testing and risk reporting.
Governance, risk, and compliance (GRC) software can provide centralized solutions to consolidate your compliance responsibilities (risk assessments, control identification, compliance testing, exam management, and issue follow-up) and enhance your reporting capabilities. If costs still seem prohibitive, look to partner with your company’s risk and audit teams to spread the costs. Most GRC platforms include solutions to improve risk and audit processes as well as compliance. There is an additional advantage to having all three areas on a single platform, since the same information can be leveraged to enhance reporting across all areas.
Heed Rising Cybersecurity Concerns
Cybersecurity is quickly becoming the next big area of regulatory focus. Headlines continue to publicize massive data breaches, prompting calls for stronger regulation. Although the CFPB has yet to publicly focus on the topic on a wide scale, the NYDFS has enacted cybersecurity statutes that require financial services companies to have detailed cybersecurity programs in place by the spring of 2018. Many other states have increased exam questions on cybersecurity topics as well. The Federal Financial Institutions Examination Council has also published a cybersecurity assessment tool that has been a focal point in some information technology (IT) exams performed by the Federal Deposit Insurance Corporation.
While most compliance functions currently do not have direct cybersecurity responsibilities, they normally serve as the main contact point for regulatory exams. With the growing regulatory focus on cybersecurity, the time may be right to consider giving the compliance function some level of oversight responsibility for cybersecurity—particularly in non-bank financial companies participating in the automotive finance industry. This additional responsibility will allow the company to establish an independent second line of defense when primary cybersecurity responsibility lies within the IT organization (first line of defense).
Many automotive finance companies have a significant portion of their IT services (including cybersecurity) controlled or influenced by enterprise-wide functions provided by a parent company. In these situations, assigning some oversight to the compliance department allows the regulated entity to possess a fuller understanding of the processes and controls in place to address regulatory requirements. The importance of this type of oversight responsibility is even greater for companies whose enterprise IT functions may reside in other countries (most likely within the parent companies of captive finance companies). Remember that the parent company controlling the cybersecurity functions may not have the same regulatory requirements as the auto finance company.
Conducting a cybersecurity-focused risk assessment with a deep analysis of current controls can help identify an automotive finance company’s cybersecurity risks. The results of this risk assessment should be presented to your executive team to accurately depict your company’s full risk profile. This oversight by the compliance function can be used to prep IT teams for regulatory exams and is particularly important for financial services companies that are not accustomed to a regular cadence of regulatory exams.
While distractions surrounding the CFPB may temper the attention to fair lending topics at automotive finance companies in the short term, compliance leaders should not be derailed from the path to maturity of their overall CMS. With various other regulators poised to pick up any slack from the CFPB, you cannot risk allowing compliance activities to fall off. It is your responsibility to ensure that your organization maintains its focus during the industry’s current pendulum swing. There will never be a shortage of regulatory requirements on financial services companies. However, there will be shifts in the areas posing the highest regulatory risk and deserving your most immediate attention. Take this opportunity to recharge and refocus your compliance messaging to executives and to highlight the program’s value beyond addressing the compliance headlines of the day.
Treliant Risk Advisors, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry, brings to you New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the Outlook 2018 issue. To subscribe to our quarterly newsletter, please contact us.