RISKASSESSMENTS:WHATWE’VELEARNEDSteveLevine,ChiefLegal&ComplianceOfficer
WHATISARISKASSESSMENT?
↗ AccordingtotheCFPB,theRiskAssessmentprocessisdesignedtoevaluateonaconsistentbasistheextentofrisktoconsumersarisingfromactivitiesofanentityandtoidentifysourcesofthatrisk.
↗ “Risktoconsumers”isthepotentialforconsumerstosuffereconomiclossorotherlegallycognizableinjuryasaresultoffailuretofollowfederalconsumerfinancelaws.
WHATISARISKASSESSMENT?
AsdefinedbytheCFPB,“inherentrisk”includesfactsthatincreasethepotentialforunfair,deceptiveorabusiveactsorpractices,fordiscrimination,orforviolationsofotherFederalconsumerfinanciallaws.Italsoincludesfactorsthatincreasethecompliancemanagementchallengesofabusinessandtherebyincreasetheriskofsuchviolations.
WHATISARISKASSESSMENT?
“RiskControls”includesfactorsrelatedtobothmanagingandmitigatingspecificinherentriskaswellasthestrengthofanentity’soverallsystemofcompliancemanagement.
WHATISARISKASSESSMENT?
TheresultofcombiningthesetwoconceptsisananalysisthatinvestigatesBOTHthepracticesthatrepresentrisktoconsumersANDwhatcontrolsthebusinesshasputinplacetomitigatethatrisk.
CFPB’SRESIDUALRISKMATRIX
CFPB’SRESIDUALRISKMATRIX
↗ TheCFPBtemplateprovidesaseriesoffactorsthatbearoninherentriskandrelevantriskcontrols.Examinersconductingtheassessmentshouldrateeachrelevantfactor(low,moderateorhighinherentrisk;strong,adequateorweakcontrolsandmitigation.
↗ Thefactorratings,takenasawhole,resultinaRiskSummary,whichisaconclusionaboutwhethertheoverallrisktoconsumersislow,moderateorhigh.
WHATARISKASSESSMENTISNOT
Ariskassessmentisnotadeterminationastowhetheraviolationofanyspecificlawexists.Itisaninvestigationintopracticesaswellasbusinesscontrolsinplace.
Conclusionsarebasedonriskpresentedtoconsumersaswellasadequacyofcontrolsinplace.
RISKASSESSMENTTOPICSINCLUDE↗ Website;
↗ Advertisingand
Marketing; ↗ AcquisitionNetwork;
↗ AdverseAction;↗ UnderwritingandScoring;↗ AncillaryProducts; ↗ FeesChargedtothe
Customer; ↗ CollectionCallFrequency↗ Thirdpartycontact;
↗ MilitaryAccounts;↗ Repossessiondecisions;↗ AdherencetoCallScripts;↗ ComplaintManagement;↗ BankruptcyAccounts;↗ CreditReporting;↗ CreditDisputeHandling;↗ StarterInterrupt/GPS
accounts;↗ CPI↗ ANDMORE
ADVANTAGESOFARISKASSESSMENT↗ Globalviewofoverallbusiness,notsilos;↗ Identifieswheretoinvestresourcesandbudget;↗ Measuresprogress;↗ Setspriorities;↗ Avoidfiredrills;↗ DemonstrateadequacyoftheCompliance
ManagementSystem;↗ Facilitatesworkingrelationshipbetweenbusiness
andcomplianceteams;
KEYSTOASUCCESSFULRISKASSESSMENT
↗ Projectshouldbeaprocess,notadocument;↗ Itshouldbedynamic,notstatic;↗ Allowsassessmentofcurrentconditionswithgoalof
improving;↗ Don’tjustconsiderwhereyouarebutwhereyouare
going,i.e.newproducts,markets,profitcenters,yields;
↗ Maketheriskassessmentforwardlookingtoo.
KEYSTOASUCCESSFULRISKASSESSMENT
ENGAGETHEBUSINESS!
↗ Collaboratewiththeallemployeesontheproject;↗ Earlybusinessbuy-iniskeytoacceptance;↗ Involveeveryoneinthedevelopmentofanalysis;↗ Don’twaitforthefinalreporttodeliverbadnews;↗ Recognizeandhighlightthe“goods”;↗ Fixtheproblem,nottheblame;↗ Supportmustcomefromtop;
BIGGESTRISKASSESSMENTMISTAKES
↗ Thinkingthatthisismerelyacompliancedepartmentfunction;
↗ HidetheBallMentality;↗ Attemptingtodothisin-house;↗ NotinvolvingalllevelsoftheCompany;↗ ConfusinganAssessmentwithanAudit.
OURGENERALOBSERVATIONS
↗ Thereisoftenadisconnectbetweenseniorleadershipandtheemployeesdoingthedaytodaywork.Thisistrueforbothareasofriskandcontrols.
↗ It’shardtogetaccesstotherightinformation.Thisisconcerningbecausethecompanymustdemonstrateitsefforts!;
↗ Thereismisunderstandingaboutrolesandresponsibility;
OURGENERALOBSERVATIONS
↗ Companiesthinktheirtraininginitiativesarealotmoreeffectivethantheyare;
↗ Companiesstrugglewithanalyzingtheirbusinessthroughthelensof“consumerrisk”andtendtofocusontheirownrisk;
↗ Weoftenhear“it’snotillegaltomakemoney”asadefensetotheofferingofproductsandservices.Thequestioniswhetherthereistransparencyandfairnesstotheconsumer.
OURGENERALOBSERVATIONS↗ “FOLLOWTHEMONEY”isagoodwaytoidentifyrisk.Someof
themostprofitableinitiativesalsocontainthemostrisk,forinstancefees,aftermarketproducts,CPI,etc.
↗ Businessestendtoembellishthecontrolsthatareinplace;whatappearsonacompanyorganizationchartmaybeverydifferentthanwhatactuallyhappens;
↗ Thereisn’tnecessarilyacorrelationbetweencustomercomplaintsandareasofrisk;however,nothavingstrongcomplaintmanagementisinitselfarisk;
D
OURGENERALOBSERVATIONS
↗ Therearesomepracticesthatareinherentlyrisky(CPI,Advertising)andinthoseareasevenstrongcontrolsinplacemayresultina“moderate”riskassessment;
↗ Similarly,thereareareasofmoderateorevenlowriskthatcanbeassessedas“moderate”riskbecauseofweakcontrols;
↗ Beinganindependentthirdpartyallowsamorehonestassessmentbecausethereisnopre-existingprejudice;
POLICIESANDPROCEDURES
↗ PoliciesandProcedures,standingalone,donotconstitutestrongcontrols.
↗ Digdeeperandintovariouslevelsofthecompanytolearnfamiliaritywiththepolicies,howoftentheyareexaminedandupdated,andhowstrongandthoroughisthetrainingreceivedbypersonnel.
INDIRECTLENDING↗ Indirectlendersthatbuycontractsfrom
hundredsorthousandsofdealersneedtohavestrongcontrols,(underwriting,contractsaccepted,thirdpartyproducts);
↗ Unfortunately,budgetaryandvolumepressuresmakeithardtosticktothesecontrols.
VENDORMANAGEMENT↗ Generally,companiesaren’tasstrongwith
thisfunctionastheythinktheyare;
↗ Policiesarenotalwaysfollowed,exceptionsaremade,mostprominentlyinrepossession;
↗ TherecentWellsFargofinehadsomegoodinsightintomanagingvendors,askingpenetratingquestionsandbeingproactive.
COMPLAINTMANAGEMENT
↗ Mosthaveapolicyandprocessbutwidedivergencewithitcomestoremediation;
↗ Companiesdon’tdocumentwelland“losecredit”forcomplaintstheyresolvequickly;
↗ 3mostcommonarea)poorservice;b)employeerude;andc)reporelated.
THIRDPARTYCONTACTS
↗ Thereisconfusionastowhenathirdpartycanbecontacted,anditoftencontactismadewhenlocationofcustomerisknown;
↗ Companieslackamechanismtotrack“donotcall”instructionsfromthirdparty;
↗ Managersdon’tliketheruleandtrytocircumvent.
CREDITREPORTING↗ Disputehandlingfunctionisnotadequately
staffedinmanyinstances;confusiononwhat“adequateinvestigation”means;
↗ Furnisherobligationsaren’talwaysunderstoodandauditsdon’tmatchsizeandcomplexityofbusiness;
↗ Inherentlyhighrisktopic,sotrainingvital.Staffisoftennotadequatelytrainedandinheritjob.
COLLECTIONSANDSERVICING
↗ Scriptsdon’talwaysexistandwhentheydotheyareoftennotfollowed;
↗ Collectionnotesarenotalwayspresentandoftennotclear;
↗ Datanotalwayseasytolocate;
↗ Integrationbetweenvarioussystemsneeded.
MeetusattheAfterParty!
ContinuedDiscussiononourwebinar!
RiskAssessments:WhatWeLearnedFor2018
WednesdayJune6th
2PMCDT
IgniteConsultingPartnersconsultsBHPHdealers,financecompanies,andotherlendersoncompliance,cyber-threatassessment,processimprovementandhowtoleveragetechnologyto
driveefficiencyandperformance.
SteveLevineChiefLegalandComplianceOfficer
(817)[email protected]
FollowSteveonTwitter@LawyerLevine