Why You May Want to Give the CFPB’s Responsible Business Conduct Bulletin a Closer Look

On June 25, 2013, the Consumer Financial Protection Bureau released Bulletin 2013-06, which has potentially significant ramifications for all those with responsibilities for their credit union’s compliance program, regardless of who their primary regulator is.

Before we take a closer look at the reasons why the bulletin, titled “Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation,” merits attention, let’s consider, for the sake of discussion, a compliance scenario that could take place at your financial institution.

Imagine you’re responsible for BSA at your credit union, and you know that your examiners are coming next quarter and will be focusing on your BSA/AML monitoring system. So you’ve been using the time leading up to the examination to review your system, and today you have just discovered that you inadvertently turned off your BSA/AML monitoring system on a series of critical alerts.

For the last six months.

You consider your options:

Option 1: You could fully present the situation to your directors and the examiners. You know that the consequences could be significant.

Option 2: You could downplay the discovery and hope that it gets little attention during the examination.

Option 3: You could forget the discovery ever happened and hope that the examiners miss it.

The CFPB’s Responsible Business Conduct (“RBC”) bulletin spells out another option. Pursuing this option won’t mean that the institution will escape all consequences of the discovered violation, but it does provide a way for a credit union that uncovers “misconduct” to demonstrate that it has the issue under control and that any enforcement action considered by the Bureau should be at least partially mitigated.

While some might dismiss RBC as a whistle-blowing exercise designed to force institutions to air their dirty laundry just to make the regulator’s job easier, that knee-jerk reaction may be akin to throwing out the baby with the bathwater.

If you take a close look at the four steps of RBC, what you’ll see is the framework for a powerful strategy for keeping a compliance program within acceptable tolerance levels in terms of both demands on available compliance resources and meeting regulatory expectations. Let’s look at the four steps outlined in the regulatory bulletin.

Self-Policing

The bulletin submits that RBC would include having in place a system for assessing sooner rather than later whether your institution is in compliance. It would also include a consideration whether your institution devoted sufficient follow-up resources to assess the full scope of the problem. Finally, the system should have adequate support from those at the top of the institution.

Self-Reporting

The bulletin submits that RBC would include prompt reporting of the discovered misconduct to the institution’s regulatory agency, rather than seeking to cover it up. The reporting should be part of the institution’s overall approach to compliance, rather than in response to the Bureau’s imminent discovery of the situation due to a whistleblower or pending examination.

Remediation

RBC should consider an institution’s steps to address the misconduct and prevent it from happening again. The Bureau is interested in how long it takes to fix a problem, what remedial training or assignments were made to prevent the misconduct from happening again, and what steps were taken to make amends to those adversely impacted by the misconduct.

This may be an obvious step, but our many decades of combined experience working with financial institutions of all sizes suggest that this is frequently a missing piece of the puzzle.

Identifying a problem and even acknowledging it are really the relatively easy parts of the equation. But to fully identify the causal factor of the misconduct takes true effort. Any crime sleuth worth anything knows that uncovering the crime is one thing, but to truly get to the heart of the matter requires identifying the motive.

When a credit union actively works to find that causal factor, it can make a quantum leap in the effectiveness and efficiencies of its regulatory compliance management. No longer is it putting a bandage on a bullet wound that may temporarily stem the flow of blood, but leave untouched the deeper problems that, left untreated, will surely cause greater damage.

Cooperation

The Bureau also contends that the level of RBC it expects in order to result in the mitigation of its enforcement option includes not just meeting the minimum regulatory requirements, but cooperating fully with the Bureau.

Regardless of who their primary regulator is, all financial institutions would do well to recognize that the Responsible Business Conduct standards described in the bulletin may very well become the emerging standard in regulatory expectations. But looking beyond the regulatory expectations, a proactive financial institution will see the framework for a powerful strategy for managing a smart compliance program.

We’ll be expanding on the above principles in our upcoming webinar, “How to Practice Sound “Self-Policing” with a Compliance Risk Assessment and Related Tools” on Aug. 29, 2013. For more information, visit: http://www.neighborbench.com/self-policing-webinar-8-29-2013/

We’ve also prepared a “Plain English Summary of the Responsible Business Conduct Bulletin on Self-Policing” that is available at no charge. For more information, visit: http://nbhotlist.com/nb-hot-tip-plain-english-guide-to-hot-new-responsible-business-conduct-self-policing