Monday, June 23, 2014

Ethical Behavior: No one is truly listening to you

When leaders in other organizations ask me how they should go about launching an ethics program, they are often enthusiastic. Whether because of an article recently read or a director’s conference recently attended, these men and women have “gotten religion” and cannot wait to go forth and conquer. For those of you who heard me recently recount my discussion with Pam (here), you know that it takes a certain kind of mindset to lead the ethics program. But leaders launching an ethics program within an existing organization are also often convinced that its success will be measurable in a manner akin to counting widgets produced per hour, or similar.
The common refrain I hear is, “We’ve got to get this [ethics] program up and running fast! We’ve already drafted communications, planned all-staff meetings at each facility. We’re going to tell people all about it, so they’ll get on board right away!”
Now I don’t know about you, but when people I don’t really know are rushing toward me smiling, frantically waving their arms, and telling me in crazed fashion that “they’re here to help”, I run the other way. And so will employees when confronted with top-down headquarters-scripted communications and town hall meetings. Many of your employees have been at their facility longer than you’ve been out of college. They’ve seen the “program of the quarter” launch, fizzle and fade more than once. Don’t let your well-intentioned (and necessary) ethics program join the fizzle-and-fade folly.
Here’s the rub…your employees aren’t really listening to you most of the time. Unless you directly impact a man or woman’s paycheck, schedule, assignments, or working conditions, you are likely immaterial to their day-to-day professional landscape. An employee can only speculate what a remote company executive does each day, but he/she can surely tell you what his/her boss is doing, not doing, saying, not saying, etc.
If your line supervisor breaks promises, falsifies expense reports, or takes office supplies home for personal use, his/her employees not only know about it, but they resent the supervisor for it. That very same supervisor could talk about ethics all day long, handing out buttons and pens galore, and the employees will smirk and roll their eyes.
Bottom line is that it’s not what you say about ethics that will strengthen ethical behavior in an organization, but what you and your fellow leaders model. The measure of success for a newly-launched ethics program will be that future moment where ethical behavior has been modeled so consistently from the CEO through the ranks to the shop floor, that when one employee sees another employee about acting unethically, the first employee holds the second employee accountable.
No words or fancy slogans will be necessary from that moment on…

Wednesday, June 18, 2014

An Effective Ethics Program: It’s Really Not About You

Recently a colleague at another organization had sought my input regarding her plan to initiate a formal ethics program. Pam’s organization had grown both organically and through acquisition, and with it new and more delicate issues had arisen. As its senior human resource executive, she had begun to sense that the burgeoning and increasingly diverse employee population could no longer simply rely upon an employee handbook and online training modules to guide day-to-day ethical decision-making.

Pam had done her homework. She understood the basis for developing a comprehensive Code of Conduct; establishing a Fraud & Ethics Hotline; and senior leadership setting the “tone from the top.” But where Pam got stuck was identifying the individual who would lead the Ethics Program and provide its “face” and its “voice”.

We delved into the importance of objectivity and consistency in all program activities and all communication issuing forth from the Ethics Officer. Pam recognized that such communication will range from informal dialogue to formal drafted opinions. We weighed the advantages and disadvantages of various professional backgrounds from which she could draw forth a qualified individual. Successful Ethics Programs have been led by professionals with backgrounds as diverse as Legal, Internal Audit, Human Resources, Technology, Education, and Theology.

We agreed that the common thread of objectivity must prevail. An effective ethics leader is neither solely an advocate for the employee nor for the organization, but is instead an advocate for the shared values embodied in the organization’s Code of Conduct and associated policies. Thus, an ethics leader doesn’t bring his/her own personal opinions, viewpoints, morals, or theology to bear when reviewing a matter, but instead adheres to the organization’s documented guidelines.

Quite frankly, when an ethics leader acts in accordance with the organization’s culture of shared values, he/she will occasionally have to issue a formal opinion that will contrast with his/her own personal opinion. The outcome is about the good of the organization—not about personal preference or moral judgment. It’s not about you.

Over the course of time, this consistently objective approach will result in a library of ethics opinions that will provide predictability and precedent for leaders, employees, and successor ethics leaders to rely upon. Employee trust in the impartiality of the program will accrue through this neutral approach, further strengthening the organization’s culture of compliance.


And with that, Pam set off to recruit the ethics leader that would best represent her organization.

Monday, June 16, 2014

Untamed, Unruly and Unstoppable?!?

"There's a way to do it better—find it."  ~Thomas Edison

"Success is on the far side of failure."   ~Thomas Watson Sr.


Does the title above accurately describe your professional style? Or that of your Team? Your Organization?

Why not?

Much has been written regarding the unfortunate passing of the iconic Steve Jobs. Do your own leadership experience and outlook embrace the passion for your Organization's mission that was evident as Steve Jobs spoke to those 2005 Stanford graduates? Do YOU fondly recall your own failings with the same enthusiasm that Steve Jobs exuded when describing his ouster from Apple ten years after its founding?

Are you failing enough? Are you encouraging your Team's members to fail more often?

The financial services industry continues to evolve at breakneck speed. Online bill payment, account aggregation, bank-to-bank online transfers are now "old" technologies. Single location institutions have launched mobile banking. As soon as your Public Relations Team can place a piece on the PRNewswire, a dozen other competitors or peers simultaneously issue similar independent press releases.

Despite infinite media attention and blogs devoted to the "rise of regulation amidst Dodd-Frank" and all of the other horror stories about "new fees" that abound, a select few of your competitors are conceiving, testing, retooling, retesting and preparing to launch tomorrow's customer-friendly product or service. What are YOU doing to lead your Organization to the front of that cadre? Is your Board of Directors inspired...or mired in risk aversion?

Every merger has an acquirer and an acquired (regardless of how the Communications Team attempts to portray it). Yesterday's mergers were often about growing the footprint, expanding the brand to new markets, leveraging complementary channels for optimizing profits and controlling redundant costs.

Is your Organization untamed? Are you confident enough in your professional Team to accord them a percentage of their time to be unruly enough to identify, develop and launch the products and services that will satisfy tomorrow's customers/members?

Your Organization, under your leadership, will either be the acquirer--or the acquired--in tomorrow's merger. You will either be seeking to acquire an institution through which your Organization can channel its innovative products, services and servant leaders to WOW! new customers/members...or you will be explaining to your employees why many of them will need to seek employment elsewhere.

YOU are the Leader that everyone in your Organization is looking up to. Are you the Leader that everyone in your Industry is looking up to and attempting to emulate?

If not, then perhaps it's time you moved out of the way to allow that Leader to emerge...that Leader who will ensure that your Organization and each of its fully-invested Teams become and remain: UNSTOPPABLE!

Wednesday, May 28, 2014

Compliance Management Programs: Good Enough is NEVER Good Enough

Audit, Compliance & Ethics professionals are not generally known for settling for mediocrity or resting upon their laurels. We spend our careers focused upon identifying, documenting, and mitigating risks. We employ people, systems, and procedures to comply faithfully with laws, regulations, and corporate policies. After decades of building and reporting on our detailed processes, we may confidently conclude to our colleagues that we are operating best-in-class audit, compliance and ethics programs.

But every once in a while we get a reminder that our compliance management program may require a little refreshment. Like a well-intentioned home gym gathering dust in the corner of your basement, your program becomes increasingly less relevant when it is not subjected to frequent and ongoing maintenance. When I am speaking with colleagues about this topic, I hear two consistent themes emerge: (1) we developed a state-of-the-art program back in 19xx, and then we got busy as the organization grew; or (2) we thought that [insert department or title] was watching over that part of the program and keeping it updated. “Best-in-class” became diluted by other competing priorities until it came to rest at “good enough” to keep the organization out of trouble with the board, the auditors, and the regulators.

Then the other shoe drops. At one time or another many of us will be faced with the realization that our compliance program has developed cobwebs. Perhaps you can recall a moment of truth…a request from a board member in light of a recent penalty received by a competitor?…a finding in an internal audit report?…an observation made by a prudential regulator? Regardless of the source, having to admit that maintaining the currency and accuracy of our program may have lagged as a priority is an uncomfortable spot to find ourselves in. In the words of President Harry S. Truman, “The buck stops here,” when you’re the Chief Compliance Officer.

Your CEO and your board do not want to hear how busy you’ve been overseeing the increasingly complex regulatory compliance environment. If that is your best response when cracks in your program have been publicized, then you had better clean out your office to make way for your successor who will be up to the task. No, if you find yourself having to admit you’ve neglected the care and feeding of your compliance management program, then you will be well advised to also come armed with your contingency plan to remediate your program gaps and a schedule of ongoing review and updating that will take place thereafter.

Before it gets to the point of asking for that mea culpa from your board, CEO, and regulator, perhaps it would be easier to gather the team, risk-rank elements of the compliance management program, and schedule a review of each element. While this may be a bit time-consuming in the initial phase, each subsequent periodic review should be shorter, especially if also paired with an ongoing monitoring of emerging legislation, regulation, and policy changes.


We’ve spent our entire careers getting out in front of the risks. Maybe we became complacent. Let’s return to the basics and declare boldly that “good enough” just isn’t good enough anymore.

Monday, April 7, 2014

Compliance & Ethics Guidance: “Require” or “Recommend”?

In our capacity as Compliance & Ethics professionals, we are invited daily by business line management to provide guidance on diverse topics. Because we are managing compliance and ethics across an entire organization, each topic must be reviewed with multiple internal stakeholder interests in mind. Externally, we are subject to scrutiny by our customers, our regulators, our industry, and the press. Thus, no review is undertaken in a theoretical vacuum, nor is any resulting guidance intended to provide a one-size-fits-all solution to all similarly-situated topics. Business line management doesn’t always understand those underpinnings when receiving guidance from us.

A frequent question heard by many C&E professionals upon delivering compliance guidance or an ethics opinion is, “So, is this a requirement…or merely a recommendation?” Management attaches very different treatment to our response to that question. Requirements may entail additional cost—whether an opportunity cost of a forgone initiative or a hard cost like implementing additional information system controls. Recommendations may at first blush appear to be optional activities that can be ignored and forgotten. The seasoned C&E professional knows that she must not leave management with any ambiguity about the risks of alternative future courses of action. We only add value to our organizations when we can achieve alignment between management’s risk appetites and our own governance, risk management and control frameworks.

A little confession here…at the onset of my career as an internal auditor, I wrote my recommendations as if they were self-evident edicts born of a brilliant mind. Fortunately I was also paired with managers and mentors who were equipped to deliver humbling learning opportunities to me, for which I have been ever grateful. Those formative leaders challenged me to support my assertions with specific corporate policies, statutes, or regulations. If my assertion was one supported by a matter less well-defined, such as fair trade practices or a matter of public policy, then I was urged to develop recommendations that objectively balanced the strategic interests of the business with the external interests, so as to allow management to make fully-informed decisions. These distinctions served me well. Perhaps you can relate to this transformation from your own career path.

Today I continue to improve my craft. I take great care in drafting compliance memoranda and ethics opinions that ensure well-substantiated transparency. I employ the word “require” when I seek to guide management away from the expedient pitfalls that ultimately lead to reputational loss, fines, lawsuits, or jail time for corporate officers. I employ the word “recommend” when I seek to guide management toward actions that will improve the customer experience; enhance the value of the brand; or reduce aggregate regulatory risk. To overuse “require” when “recommend” would suffice is to invite the “Chicken Little” effect and diminish Compliance & Ethics’ effectiveness. To overuse “recommend” when “require” is truly appropriate is to dilute our own integrity as C&E professionals and ignore our fiduciary duty to our organizations.


As such, when providing compliance and ethics guidance to management, I recommend (but do not require) that we choose our words purposefully and substantiate objectively.

Wednesday, March 19, 2014

RESPA: Don’t simply assume an AfBA exists

Introduction

The Consumer Financial Protection Bureau (CFPB) enforces the Real Estate Settlement Procedures Act of 1974 (RESPA). The Congressional act was designed to implement significant reforms in the real estate settlement process needed to ensure that consumers are provided with greater and timelier information on the nature and costs of the residential real estate settlement process and are protected from unnecessarily high settlement charges caused by certain abusive practices.[1] The CFPB has promulgated regulations codified in Title 12, Part 1024 of the U.S. Code of Federal Regulations (CFR).[2] Among those regulations are specific sections that address the CFPB’s concerns regarding referrals, kickbacks, and Affiliated Business Arrangements (AfBA), which must be evaluated in light of referral incentive programs. RESPA has teeth, and mortgage lenders are well advised to guard against non-compliance.

While it is imperative that a mortgage lender comply fully with the law and regulations that support CFPB oversight, the lender must do so in a manner that appropriately balances the regulatory requirements and the business structure in accordance with its risk appetite. To fail to faithfully uphold RESPA’s requirements or to manipulate semantics to achieve noncompliant results would be both unethical and illegal. But to construe RESPA too broadly beyond its legislative intent, plain textual construction, and documented regulatory examination expectations would serve only to increase financial costs, generate operational complexity, and reduce sales opportunities to the lender and its shareholders without a corresponding improvement in regulatory compliance.

Commencement of RESPA Obligations

RESPA obligations apply to “all federally related mortgage loans, except for the exemptions provided” in 12 CFR 1024.5(b). Exemptions applicable to mortgage transactions include:
“(1) A loan on property of 25 acres or more;
 (2) Business purpose loans;
 (3) Temporary financing;
 (4) Vacant land;
 (5) Assumption without lender approval;
 (6) Loan conversions; and
 (7) Secondary market transactions.”[3]

The regulations define a federally related mortgage loan as it applies to a lender to mean “any loan…secured by a first or subordinate lien on residential real property… made in whole or in part by any lender that is either regulated by or whose deposits or accounts are insured by any agency of the Federal Government.”[4]

The regulations define settlement to mean “the process of executing legally binding documents regarding a lien on property that is subject to a federally related mortgage loan.” This process may also be called “closing” or “escrow” in different jurisdictions.[5] Even construed most narrowly, a prospective or actual settlement process cannot exist in the absence of a real estate mortgage loan inquiry. A real estate settlement process typically involves one or more settlement services.

“Settlement service means any service provided in connection with a prospective or actual settlement”[6], including many services commonly associated with closing a mortgage loan. While the regulation provides a non-exclusive list of settlement services, only a service that could be provided as a function of a real estate settlement process would be deemed a settlement service. A “referral” is not defined nor implied to be a settlement service under 12 CFR 1024.2(b). Services that would never be involved in a real estate settlement process are not deemed to be settlement services under RESPA.

Referrals, Kickbacks, and Affiliated Business Arrangements

Congress sought to guard against abusive referral practices that would result in kickbacks and unearned fees at the expense of the consumer. RESPA allows for civil and criminal liability for violating the prohibition against kickbacks and unearned fees including treble damages, fines and imprisonment. The CFPB has codified that “[a]ny referral of a settlement service is not a compensable service, except as set forth in §1024.14(g)(1). A company may not pay any other company or the employees of any other company for the referral of settlement service business.”[7] While a company may not pay any other company or the employees of any other company, 12 CFR 1024.14(g)(1)(vii) explains that “Section 8 of RESPA permits: …An employer's payment to its own employees for any referral activities.”

Recognizing the potential for abusive practices among affiliated settlement service providers, especially those to whom a lender directs a mortgage loan applicant, RESPA regulates affiliated business arrangements at 12 CFR 1024.15.[8] If a loan originator (or an associate) has either an affiliate relationship or a direct or beneficial ownership interest of more than one percent in a provider of settlement services and the loan originator directly or indirectly refers business to the provider, it is an affiliated business arrangement.[9] Thus, both elements must be satisfied to create an affiliated business arrangement. A mere affiliated business relationship among two corporations absent the second prong whereby the loan originator refers business to an affiliated settlement service provider does not invoke the disclosure contemplated by 12 CFR 1024.15(b)(1).

“The term ‘affiliated business arrangement’ (AfBA) means an arrangement in which (A) a person who is in a position to refer business incident to or a part of a real estate settlement service involving a federally related mortgage loan, or an associate of such person, has either an affiliate relationship with or a direct or beneficial ownership interest of more than 1 percent in a provider of settlement services; and (B) either of such persons directly or indirectly refers such business to that provider or affirmatively influences the selection of that provider…”[10] 12 CFR 1024.15(c) further clarifies that a “person who is in a position to refer settlement service business means any real estate broker or agent, lender, mortgage broker, builder or developer, attorney, title company, title agent, or other person deriving a significant portion of his or her gross income from providing settlement services.”[11]

Determining whether an entity may derive a “significant portion” of gross income from providing real estate settlement services would require financial analysis, as an entity may also derive a significant portion of its gross income entirely unrelated to providing a “settlement service” for the closing of a “federally related mortgage loan.” It would be inappropriate to assume an attribution of significance absent quantitative support.

In clear contrast, many business lines clearly do not derive any gross income—let alone a “significant portion” of gross income—from providing settlement services. Given the products or services they offer, many entities could never be real estate settlement service providers as understood by the industry and by the regulators. As such, those lines of business and their employees would never constitute a “person who is in a position to refer settlement service business” pursuant to the regulation’s own definition.

The U.S. Department of Housing and Urban Development (HUD) has further delineated the requirement as follows:

An Affiliated Business Arrangement (AfBA) Disclosure is required whenever a settlement service provider involved in a RESPA covered transaction refers the consumer to a provider with whom the referring party has an ownership or other beneficial interest.[12]

Thus, a disclosure would not be required when the referral is given by an organization or employee of an organization that is not “a settlement service provider involved in a RESPA covered transaction.” Even a referral made by an affiliated settlement service provider where no “RESPA covered transaction” has occurred involving a “federally related mortgage loan” would not by itself trigger the 12 CFR 1024.15(b)(1) disclosure. In other words, merely suggesting that a consumer consider future use of a title insurance company in the absence of that consumer actually inquiring about or applying for a mortgage loan would mean that no settlement service provider is even required. The absence of a mortgage loan application implies the absence of a prospective or actual settlement process.

Appendix MS-1 to Part 1024[13] further explains that the loan application triggers the RESPA obligation: “You are applying for a mortgage loan covered by the Real Estate Settlement Procedures Act (RESPA).” Once the lender’s mortgage loan application process has begun (or more conservatively, an inquiry has been made of the lender), a RESPA covered transaction has commenced. The “Affiliated Business Arrangement Disclosure Statement Format Notice” includes explicit language further memorializing this intent:

· “…as a condition for [settlement of your loan on] [or] [purchase, sale, or refinance of] the subject property.”
· “…we, as your lender, will require you to use, as a condition of your loan on this property, to represent our interests in the transaction.”[14]

Regulatory Intent and CFPB Enforcement

The CFPB is noted for its aggressive and expansive interpretation of its regulatory power. Against that backdrop, the CFPB Examination Manual procedure for AfBA testing recognizes that the lending institution’s loan origination is the trigger for AfBA compliance. According to the CFPB RESPA Examination Manual, the CFPB’s examination of Affiliated Business Arrangements entails:

25. Determine from the HUD-1 or HUD-1A and from interviews with institution management, or through other appropriate methods, if the institution referred a borrower to a settlement service provider with which the institution was affiliated or in which the institution had a direct or beneficial ownership interest of more than 1 percent (hereinafter, an “affiliated business arrangement”).
26. If the financial institution had an affiliated business arrangement, determine whether the affiliated business arrangement disclosure statement (Appendix D to Part 1024) was provided as required by 12 CFR 1024.15(b)(1).
27. Other than an attorney, credit reporting agency, or appraiser representing the lender, if the financial institution referred a borrower to a settlement service provider, determine whether the institution required the use of the provider (12 CFR 1024.15(b)(2)).
28. Determine if compensation received by the lender in connection with an affiliated business arrangement is limited to a return on an ownership interest or other amounts permissible under RESPA (12 CFR 1024.15(b)(3)).[15]

Appropriately Triggered Affiliated Business Arrangement Disclosures

The aforementioned review of the CFPB regulation, forms, and examination procedures indicates that unless an affiliated entity or employee of that entity is involved in the RESPA-covered transaction prior to the referral, then the AfBA would not apply. Thus, making a referral before any RESPA-covered lending transaction has begun would not trigger RESPA applicability.

It would of course follow that if a RESPA-covered transaction has been conceived by a consumer mortgage loan inquiry or application, and the prospective borrower has then been referred to or has chosen an affiliated settlement service provider, then the mortgage lender must provide the required AfBA Disclosure.

Additionally, in this scenario the affiliated entity receiving the referral has now become a settlement service provider involved in this RESPA-covered transaction vis-à-vis the federally related mortgage loan. At that point any subsequent referral by the affiliate involved in this RESPA-covered transaction also would entail the AfBA Disclosure obligation. An example of this obligation would arise if a hazard insurance affiliate involved in a federally related mortgage loan then referred the borrower to a title insurer for the RESPA-covered transaction.

Conclusion

RESPA focuses upon providing consumers with information transparency and protection from unscrupulous providers in all phases of the real estate settlement service process. Mortgage lenders and all other settlement service providers must always seek to comply fully with the law and regulations that support CFPB oversight. Organizations must also be careful not to assume RESPA obligations prior to when those obligations are actually invoked. In alignment with defined risk appetites, affiliated entities must comply in a manner that appropriately balances the regulatory requirements for settlement service providers with the business imperatives to avoid unnecessarily increasing financial costs, manufacturing operational complexity, and reducing sales opportunities. A tailored AfBA process will provide this compliant solution.


Endnotes

[1] Final Rule; Official Interpretations, 12 CFR Part 1024, Docket No. CFPB-2012-0034, RIN 3170-AA14, Mortgage Servicing Rules under the Real Estate Settlement Procedures Act (Regulation X), Bureau of Consumer Financial Protection, p. 23, January 17, 2013, effective January 10, 2014.

[2] 12 CFR 1024, “REAL ESTATE SETTLEMENT PROCEDURES ACT (REGULATION X).”

[3] 12 CFR 1024.5, “Coverage of RESPA.”

[4] Definitions; other terms, “Federally Related Mortgage Loan”, 12 CFR 1024.2(b).

[5] Definitions; other terms, “Settlement”, 12 CFR 1024.2(b).

[6] Definitions; other terms, “Settlement Service”, 12 CFR 1024.2(b).

[7] Prohibition against kickbacks and unearned fees, “No referral fees.” 12 CFR 1024.14(b).

[8] 12 CFR 1024.15, “Affiliated Business Arrangements.”

[9] “Affiliated Business Arrangements – 12 CFR 1024.15,” Examination Procedures, Regulation X Real Estate Settlement Procedures Act, CFPB Consumer Laws and Regulations, p. 17, November 2013.

[10] 12 USC 2602(7), “Definitions.”

[11] 12 CFR 1024.15(c), “Definitions.”

[12] “Disclosures before settlement/closing occurs”, “An Affiliated Business Arrangement (AfBA) Disclosure”, More Information About RESPA, Department of Housing and Urban Development.

[13] “Appendix MS-1 to Part 1024,” 12 CFR 1024.

[14] “Appendix D to Part 1024—Affiliated Business Arrangement Disclosure Statement Format Notice,” 12 CFR 1024.

[15] “Affiliated Business Arrangements – 12 CFR 1024.15,” Examination Procedures, Regulation X Real Estate Settlement Procedures Act, CFPB Consumer Laws and Regulations, pp. 56-57, November 2013.

Wednesday, March 12, 2014

Your Brother’s Keeper: the OCC & Third-Party Mortgage Vendor Relationships

Background

Nationally-chartered federal savings banks are subject to the prudential regulation of the Office of the Comptroller of the Currency (the “OCC”). National banks may engage in activities that are part of, or incidental to, the business of banking, or are otherwise authorized for a national bank. The business of banking is an evolving concept and the permissible activities of national banks similarly evolve over time.[1] But when your bank’s senior management decides to outsource a critical function—especially a consumer-facing function like mortgage loan origination or servicing—you truly become your “brother’s keeper.” No Chief Executive Officer or Chief Compliance Officer wishes to find himself or herself targeted by the OCC for failure to conduct adequate third-party vendor due diligence or ongoing monitoring.

It had been historically understood that when employing third-party entities to conduct all or part of a critical banking function, by not fully understanding the nature of the risks being introduced to the bank and by not ensuring appropriate risk controls, senior management and boards of directors breach their most fundamental fiduciary responsibility to depositors and shareholders.[2] The Federal Financial Institutions Examination Council (the “FFIEC”) very aptly highlights that although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue.[3]

Long-standing OCC guidance

A national bank and its operating subsidiaries may make, purchase, sell, service, or warehouse loans or other extensions of credit for its own or another’s account, including residential mortgage loans.[4] A bank may conduct its mortgage operations in conjunction with a third-party not owned by the bank or bank holding company. Vendors, brokers, dealers, and agents can offer banks a variety of legitimate and safe opportunities to enhance product offerings, improve earnings, diversify assets and revenues, or reduce costs. In most instances the fundamental risks associated with activities introduced by third parties are no greater or less than the bank would have incurred had the bank performed the activity on its own.[5]

Historically, the OCC had very explicitly decreed that bank management cannot rely solely on third-party assertions, representations, or warranties when entering such relationships.6 Specifically, the OCC has long required that:

  • Before entering into a major relationship with a third party, a bank should establish a comprehensive program for managing the relationship.
  • Such programs should be documented and include front-end management planning, appropriate due diligence selecting a vendor, and performance monitoring.7

The requirements above were not merely satisfied by a bank relying solely upon its own internal Vendor Management Policy. The OCC expressly contemplated that the bank’s negotiators and signatories to the vendor contract would tailor the program to the specific vendor, and that the documentation would reflect the criteria and validation specific to that vendor with regard to the services for which the bank sought to contract.

OCC activity in the wake of Bulletin 2013-29

OCC treatment of third-party vendor risk management was recently further clarified when the agency issued Bulletin 2013-29: Third-Party Relationships - Risk Management Guidance on October 30, 2013.8 In its explicit guidance, the agency deemed that an effective risk management process throughout the life cycle of the relationship includes:

  • plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party;
  • proper due diligence in selecting a third party;
  • written contracts that outline the rights and responsibilities of all parties;
  • ongoing monitoring of the third party’s activities and performance;
  • contingency plans for terminating the relationship in an effective manner;
  • clear roles and responsibilities for overseeing and managing the relationship and risk management process;
  • documentation and reporting that facilitates oversight, accountability, monitoring, and risk management; and
  • independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

The OCC has wasted no time applying those third-party risk management principles immediately before and since the issuance of Bulletin 2013-29. On September 19, 2013, the OCC assessed a $60 million penalty against JPMorgan Chase and ordered the bank to reimburse consumers for unfair billing practices.9 In the JPMorgan Chase matter, the OCC order also requires the bank to take a number of corrective measures that include:

  • ensuring compliance with the FTC Act;
  • improving governance of third-party vendors associated with certain consumer products;
  • developing an enterprise-wide risk management program for such consumer products marketed or sold by the bank or its vendors; and
  • improving its consumer compliance internal audit program.

American Express Bank received an early Christmas present, when the OCC announced on December 24, 2013 that it would assess a $3 million penalty against the bank and order restitution to customers for unfair billing and deceptive marketing practices.10 The OCC order, whose restitution payments also satisfied related Consumer Financial Protection Bureau (CFPB) obligations, requires the bank to:

  • improve governance of third-party vendors associated with “add-on” consumer products;
  • develop a risk management program for “add-on” consumer products marketed or sold by the bank or its vendors; and
  • conduct an “add-on” product review to, among other things, identify and remediate consumer harm and any program weaknesses.

The OCC has clearly communicated that it intends to aggressively protect consumers from harmful activities resulting from a bank’s use of third-party vendors, and that it will hold a bank fully responsible for that third party’s missteps.

Critical Attention to Pre-Contractual Due Diligence

Every activity undertaken by bank management and its agents should accord with OCC requirements, and support subsequent examination by the OCC, the internal audit function, and external auditors. The contemplation of a significant third-party business relationship that contributes directly to a bank’s growth plan should be disclosed in sufficient detail by bank management to the bank’s board of directors to facilitate the board’s fiduciary responsibility. Negotiators of a third-party business relationship (inclusive of bank management, holding company management, and legal counsel) are in the best position to review, inquire, and edit contract provisions accordingly prior to execution to ensure that all contract provisions directly address OCC compliance requirements, including those relating directly to third-party risk and due diligence.

With reliance upon bank management and its agents who engage directly in the planning, negotiation, and execution of the third-party agreement, one should reasonably be able to conclude that those parties have conducted their activities in accordance with OCC Bulletin 2013-29.11 In advance of executing an agreement, bank management and its agents would have engaged in and fully documented both management planning and due diligence in selecting a vendor. The agreement would further have documented the ongoing performance monitoring required to evaluate the ongoing vendor risk management posture. To have failed to faithfully adhere to the details of the Bulletin by simply relying upon professional relationships or contractual representations and warranties would be both imprudent and discordant with explicit OCC guidance.

Ongoing Risk Assessment and Improved Governance

If a CEO or CCO had not been involved in contract negotiations with a third-party vendor, then that leader may not be able to independently confirm whether or not bank management and its agents adhered to OCC requirements during the pre-contractual due diligence period. Once that leader becomes aware that such a gap may have occurred, it becomes incumbent upon that leader to undertake an independent risk assessment of the third-party vendor relationship. This obligation becomes critically important when the third-party vendor is providing consumer mortgage loan services.

The auditors assigned to conduct the independent third-party risk management review should be able to request, obtain, and evaluate pre-contractual documentation, and supplement their initial conclusions with interviews with the individuals directly engaged in the planning, negotiation, and execution of the third-party vendor agreement. As with any audit, should the auditors identify exceptions to the OCC’s third-party risk management guidelines that present a material risk of non-compliance or future financial loss, then, in accordance with the Chief Audit Executive, you would advise bank management and the bank board so that subsequent remedial measures can be undertaken.

Conclusion

It is evident that the OCC expects governance, risk management, and controls (GRC) to be in place prior to and at the inception of third-party mortgage vendor relationships. Even as bank management remediates the existing relationship with a consumer mortgage vendor, all stakeholders should take note of the lessons learned regarding less-than-thorough due diligence, explicit contractual role definition, and contractual provisions for detailed oversight, accountability, and monitoring. Future third-party vendor relationships must incorporate those onboarding elements as standard requirements of a larger enterprise-wide risk management process, lest the OCC surmise that your bank’s governance practices are insufficient to take heed of Bulletin 2013-29.


References





5  Third-Party Risk, August 29, 2000. (Subsequently rescinded by OCC Bulletin 2013-29.)

6  Ibid.