The Consumer Financial Protection Bureau (“CFPB”) has issued its initial CFPB Supervision and Examination Manual (Version 1.0). According to the Bureau, the Manual is a guide to how the CFPB will supervise and examine consumer financial service providers that fall within the CFPB’s supervisory authority – depository institutions with more than $10 billion in assets and their affiliates, and nondepository entities. At first blush, the Manual seems familiar and comparable to the examination manuals and procedures currently followed by the Federal banking agencies. Indeed, the introduction pages to the Manual expressly incorporate examination procedures developed under the Federal Financial Institutions Examination Council (“FFIEC”), and the CFPB Manual states that the Bureau will use the FFIEC’s Uniform Consumer Compliance Rating System. However, upon further review, there are significant differences.
The FFIEC and other bank regulatory manuals generally state that their focus and emphasis is on determining whether a financial institution is complying with consumer laws and regulations. The Uniform Consumer Compliance Rating System states that the “purpose of the rating system is to reflect in a comprehensive and uniform fashion the nature and extent of an institution’s compliance with consumer protection and civil rights statutes and regulations.”
The CFPB’s Manual however, has a very different focus — risks and harm to consumers.
The CFPB Manual is divided into three parts. Part I discusses the supervision and examination process; Part II sets forth examination procedures; Part III includes templates to profile supervised entities, prepare a consumer risk assessment, and establish a supervision plan and examination scope and report.
Part I starts by emphasizing the purpose of the Bureau, as set forth in Section 1021 of the Dodd-Frank Act, which is “to implement and, where applicable, enforce Federal consumer financial law consistently for the purpose of ensuring that all consumers have access to markets for consumer financial products and services and that markets for consumer financial products and services are fair, transparent and competitive.” The Manual goes on to indicate that the following three principles guide the CFPB supervision process:
1. Focus on Consumers. The first principle stated by the Manual is that the CFPB will focus on risks to consumers when it evaluates the policies and practices of a financial institution.
2. Data Driven. The second principle is that the supervision function rests firmly on analysis of available data about “the activities of the entities it supervises, the markets in which they operate, and risks to consumers posed by activities in these markets.”
3. Consistency. The third principle is that the CFPB will supervise both depository institutions that offer a wide variety of products and services and non-depository companies consistently.
The next section of Part I, titled “Examinations” states that the goal of a risk-focused examination is to direct resources towards areas with high degrees of risk (which is similar to the banking agencies’ risk-focused examination philosophy). From there, however, the two diverge. While the banking regulators then go on to state that this means focusing exam resources on areas of greatest risk within an institution, the CFPB Manual states that risk-focused examinations mean that CFPB examinations focus on risks of harm to consumers, including the risk a supervised entity will not comply with Federal consumer financial law. Thus, only part of the focus is compliance with law. The primary stated focus is on risks of harm to consumers.
One of the tools built into the Manual to evaluate the extent of risk to consumers is the preparation of a Consumer Risk Assessment. According to Part I of the Manual, examiners are to update or prepare the Risk Assessment. The Risk Assessment is designed to evaluate on a consistent basis the extent of risk to consumers arising from the activities of a supervised entity or particular lines of business within it and to identify the sources of that risk. “Risk to consumers” for the purpose of the Risk Assessment is “the potential for consumers to suffer economic loss or other legally-cognizable injury (e.g., invasion of privacy) from a violation of Federal consumer financial law.” The risk assessment includes factors related particularly to the potential for discrimination or unfair, deceptive or abusive practices.
Part II of the Manual includes the FFIEC-approved procedures used to determine compliance with particular consumer laws and regulations.
Part III of the Manual sets forth the Consumer Risk Assessment template. After preparing the Risk Assessment, the examiner in charge prepares a scope summary for the examination. The initial scope summary is to address the basis for the risk assessment and examination activities. Examination activities include (i) the compliance management system; (ii) potential legal violations involving unfair, deceptive or abusive practices; (iii) fair lending compliance; (iv) issues arising from complaints; and (v) specific regulatory compliance issues.
In summary, the Manual does incorporate the FFIEC-approved procedures. However, the Manual goes well beyond that and includes procedures to identify consumer risk and procedures to review potential unfair, deceptive or abusive acts or practices. In addition, the CFPB is developing procedures for reviewing particular products or lines of business. The first of these procedures, for reviewing mortgage servicing, is included in the Manual.