D I S P U T E S & I N V E S T I G A T I O N S • E C O N O M I C S • F I N A N C I A L A D V I S O R Y • M A N A G E M E N T C O N S U L T I N GStrictly Private & Confidential

DISPUTES & INVESTIGATIONS ● ECONOMICS ● FINANCIAL ADVISORY ● MANAGEMENT CONSULTINGD I S P U T E S & I N V E S T I G A T I O N S • E C O N O M I C S • F I N A N C I A L A D V I S O R Y • M A N A G E M E N T C O N S U L T I N G

Click to edit Master title style

Click to edit Master subtitlestyle

DISPUTES & INVESTIGATIONS ● ECONOMICS ● FINANCIAL ADVISORY ● MANAGEMENT CONSULTING

Managing Evolving CFPB Regulatory Riskthrough Effective Change ManagementJune 17, 2015

Page 2Strictly Private & Confidential

Presenting to You Today

Jonathan L. PompanVenable LLPPartner and Co-Chair of CFPB Task Force202.344.4383jlpompan@Venable.com

Christopher P. SicuranzaNavigant ConsultingManaging Director and Banking Services Leader202.973.6545csicuranza@navigant.com

Page 3Strictly Private & Confidential

Introduction

• Rapid Pace of Regulatory Change

• CFPB and Other Regulatory Drivers of Expectations

• Compliance Management System

• The Evolving Regulatory Environment Posesa Significant Challenge

• Regulatory Change Management Deployment

• Key Challenges and Opportunities

• Questions

Page 4Strictly Private & Confidential

Rapid Pace of Regulatory Change

• Consumer Financial Protection Bureau (FY 2016) — 1,690 FTE (Projected)

o Supervision, Enforcement, and Fair Lending — 747 FTE

o Budget — $171,691,956

Percent of American Families that Rely on One or More Financial Product

Source: CFPB Strategic Plan (Feb. 2015)

Page 5Strictly Private & Confidential

Rapid Pace of Regulatory Change

Supervision and Enforcement FinancialResults (Between Oct. 1 – March 1, 2015)• Supervision

• $114 million in consumer redress toover 700,000 consumers

• Enforcement• $19 million in consumer redress

(plus $480 million in student loanforgiveness to Corinthian students)

• $32 million in civil money penalties

Consumer Complaints (July 2011-March2015): 582,600

Recent Rulemaking Activity• Small Dollar/Payday Rule Proposal• NPRM for Prepaid Market – would require

prepaid companies to limit consumers’losses when prepaid funds are stolen orcards are lost, investigate and resolve errors,provide easy and free access to accountinformation, and adhere to credit cardprotections if a credit product is offered inrelation to a prepaid account.

• Proposals to Amend Various MortgageServicing Rules

Several reports and other publications• Medical debt• Snapshot of complaints on reverse

mortgages• Consumer perspectives on credit scores and

credit reports• Consumer arbitration and “Know Before You

Owe” mortgage toolkit

Page 6Strictly Private & Confidential

Rapid Pace of Regulatory Change (cont’d)

• Debt Collection Market Highlights• Debt collection rulemaking• Bulletins• Furnishing• Supervision and Enforcement• What’s next?

• Auto Lending Market Highlights• Supervisory Exams• Fair Lending Focus• What’s next?

• Small Dollar/Payday Lending• Focus on Advertising/Lead

Generation• Rulemaking Proposal• What’s next?

Education Market Highlights• Debt collection practices• Lending practices (UDAAP)• Servicing

General Trends of Note• Supervisory Reports of

Examination• Appeals Process• Advertising and Marketing• Payment Processing• Debt Collection

Page 7Strictly Private & Confidential

CFPB and Other Regulatory Drivers of Expectations

Page 8Strictly Private & Confidential

CFPB and Other Regulatory Drivers of Expectations

CFPB and UDAAP

Page 9Strictly Private & Confidential

Compliance Management System – Role and Benefits

A compliance management system is how a supervised entity:

• Establishes its compliance responsibilities;• Communicates those responsibilities to employees;• Ensures that responsibilities for meeting legal requirements and internal

policies are incorporated into business processes;• Reviews operations to ensure responsibilities are carried out and legal

requirements are met; and• Takes corrective action and updates tools, systems, and materials as

necessary.

An effective compliance management system commonly has fourinterdependent control components:

• Board and management oversight;• Compliance program;• Response to consumer complaints; and• Compliance audit.

Page 10Strictly Private & Confidential

The Evolving Regulatory Environment Poses a Significant Challenge

Numerous updates need to be made toremain compliant, often concurrently

Areas requiring updates include:

• Business Processes• Systems• Reporting• Policies and Procedures• Controls

Volume of enforcement actions isincreasing (CFPB enforcement actionsincreased by 29% from 2013 to 2014)

Enforcement actions have resulted infines and remediation to customers inthe millions and even billions

Institutions must be able to identifychanges to laws and regulations tomaintain compliance

Changes to laws and regulations mayrequire updates and revisions tovarious business processes

High Cost of Operationalizing andMaintaining Compliance

High Cost of Operationalizing andMaintaining Compliance

Increased Enforcement ActionsIncreased Enforcement Actions

Managing Ongoing ComplianceManaging Ongoing Compliance

Complex legacy systems resulting fromearlier acquisitions

Require additional work to ensureregulatory compliance across multiplesystems

Regulators require increasedtransparency into proving compliance

Expectation for sufficiently documentedcompliance process

Numerous regulatory changes sinceDodd-Frank Act in 2010

Regulations origination from varioussources (CFPB, FRB, OCC, states)

In addition to federal regulations,changing state laws have become morecomplex to manage

Complex Legacy SystemsComplex Legacy Systems Difficulty Demonstrating ComplianceDifficulty Demonstrating Compliance

Shifting Regulatory LandscapeShifting Regulatory Landscape

Page 11Strictly Private & Confidential

Deploy an End-to-End Regulatory Change Management Process toAddress Evolving Landscape

Identify sources of

regulatory requirements

Compile and centralize

applicable regulatory

requirements

Translate as appropriate

Identify sources of

regulatory requirements

Compile and centralize

applicable regulatory

requirements

Translate as appropriateAct

ions

Act

ions

Out

puts

Out

puts

UnderstandRequirementsUnderstandRequirements

1 RemediateRemediate4TestTest3Determine

Impact, Linkand Prioritize

DetermineImpact, Linkand Prioritize

2Maintain andCommunicateMaintain andCommunicate

5

Identify and link

impacted business

processes, systems,

controls, and procedures

Determine the risk rating

Prioritize regulatory

requirements by risk

rating

Identify and link

impacted business

processes, systems,

controls, and procedures

Determine the risk rating

Prioritize regulatory

requirements by risk

rating

Test Design

• Determine whether the

procedures and

controls are designed

to mitigate risk and

ensure compliance

Test Effectiveness

• Determine whether the

procedures and

controls in place are

effective

Test Design

• Determine whether the

procedures and

controls are designed

to mitigate risk and

ensure compliance

Test Effectiveness

• Determine whether the

procedures and

controls in place are

effective

Update processes,

procedures, and controls

to address any gaps in

design and / or

effectiveness

Update processes,

procedures, and controls

to address any gaps in

design and / or

effectiveness

Deploy updated

processes, procedures,

and controls to address

any gaps in design and /

or effectiveness

Communicate with

impacted parties and

business units for

ongoing monitoring

Deploy updated

processes, procedures,

and controls to address

any gaps in design and /

or effectiveness

Communicate with

impacted parties and

business units for

ongoing monitoring

Changes to procedures,

processes, and controls

Changes to procedures,

processes, and controls

New and enhanced

procedures, processes,

and controls

New and enhanced

procedures, processes,

and controls

Current state

assessment of design

and effectiveness

Gaps

Current state

assessment of design

and effectiveness

Gaps

Impacted parties and

business units

Risk rating and priority

regulations

Impacted parties and

business units

Risk rating and priority

regulations

Regulatory

Requirements

Regulatory

Requirements

Page 12Strictly Private & Confidential

Effective Framework to Manage Regulatory Change Management

FoundationFoundation Understand and capture the requirements that govern the business provides

foundation for compliance

TraceabilityTraceability Link requirements to impacted areas (policies, procedures, controls, systems, etc.)

to provide evidence that requirements are addressed or will be addressed

TransparencyTransparency Test to identify areas of weaknesses or gaps – both in design and effectiveness

CollaborationCollaboration Cross department collaboration between legal, risk, compliance, and the business is

key to getting the desired results

Maintain andCommunicateMaintain andCommunicate

Implement a process to capture new and revised regulatory requirements

Communicate with parties and business units to update impacted areas

Page 13Strictly Private & Confidential

Key Challenges and Opportunities Identified Through Implementingthe Regulatory Change Management Process

OpportunitiesOpportunitiesChallengesChallenges

Costs ofoperationalizingand maintaining

compliance

Simplify andstreamline

procedures,processes, and

products

Identify risk areas

Complexity aroundoverlapping

processes andmultiple impacted

areas

Ongoingmaintenance of

procedures,processes, and

controlsFacilitate control

improvementopportunities;

reduce the numberof controls

Automate impactassessment forfuture regulatory

changes

Demonstratecompliance

Page 14Strictly Private & Confidential

The Regulatory Change Management Process Provides Benefits tothe Financial Institution, Customers, and Stakeholders

Enhance CustomerExperience & ReduceReputational Impacts

Enhance CustomerExperience & ReduceReputational Impacts

A consolidated changemanagement system will allow

for more efficient and timelyadoption of new regulatory

actions, eliminating potentialsources of customer

dissatisfaction and reducingreputational risk caused by non-

compliance.

Reduced Regulatory RiskReduced Regulatory Risk

Centralizing all applicableregulatory pronouncements and

mapping to existing policies,procedures, controls, etc. will

decrease the likelihood ofneglecting regulations and

eliminates individualreviews and interpretations ofregulatory pronouncements.

Create Effective andEfficient Controls

Create Effective andEfficient Controls

The ability to identify allregulatory requirements allows

for the elimination ofunnecessary redundant

procedures and allows focus onthe most stringent requirements,

simplifying operational andinternal control requirements,

while improving controleffectiveness.

ComplianceManagement

System

Page 15Strictly Private & Confidential

Questions

Jonathan L. PompanVenable LLPPartner and Co-Chair of CFPB Task Force202.344.4383jlpompan@Venable.com

Christopher P. SicuranzaNavigant ConsultingManaging Director202.973.6545csicuranza@navigant.com