Compliance professionals within financial service firms are finding that they need to demonstrate their abilities with new technologies in order to meet regulatory requirements.
The expansion of governance, risk, and compliance responsibilities into new technology-related areas beyond traditional functions has created a new burden for financial service firms’ compliance departments, and placed new demands on the skills of compliance professionals.
The intersection of compliance with tech has created a need for expertise and essential coordination across firms in areas involving artificial intelligence, big data, data privacy, cybersecurity, and algorithmic trading, to name just a few.
Financial service firms must now fully integrate these technologies and demonstrate that the activities employing them meet regulatory requirements. For compliance professionals, it has become essential to understand how the technologies work as well as their limitations and vulnerabilities. It can even help to know the computer code that went into creating them.
Several recent enforcement cases and regulatory initiatives underscore the need for compliance departments to become more tech savvy by taking steps that include technical coordination across the company, embedding technologists within compliance teams, or increasing the tech skills of individual compliance professionals.
DOJ emphasis on data
Deputy Attorney General Lisa Monaco gave a speech last month outlining ambitious plans being embraced by the Department of Justice (DOJ) to fight corporate misconduct. Among the principles, there was significant emphasis placed on the need to demonstrate an overall compliance culture.
The DOJ made clear in its compliance program guidelines released in 2020 that prosecutors should evaluate whether companies have a “data-driven compliance program” to detect potential misconduct and to monitor the effectiveness of their compliance policies. Monaco expanded on that in her speech and in an accompanying memo to federal prosecutors.
In evaluating whether a compliance program is “adequately resourced and empowered,” the DOJ said in 2020, prosecutors should consider the following questions:
“Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
The emphasis on “access” to data can be viewed as a signal that the DOJ needs to see people with skills in place to analyze, monitor, and interpret such data on the part of compliance departments.
Regulators’ emphasis on monitoring communications
The new policies put forth in Monaco’s memo also focus on monitoring the use of personal devices and third-party messaging platforms — a demanding technology task. “The ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation,” the memo stated. “The rise in use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications, poses a similar challenge.”
Other financial regulators have pursued similar priorities. In December last year, JPMorgan Chase & Co.’s securities unit was slapped with a $200 million penalty over data retention violations related to the use of personal communications and messaging devices. The Securities and Exchange Commission (SEC) imposed a $125 million share of the fine, and the Commodity Futures Trading Commission (CFTC) claimed the remaining $75 million.
The JPMorgan case represented the largest-ever fine for record-keeping violations related to communications reviews. It was followed up last week with an announcement by the SEC and CFTC of similar case settlements involving 16 other large financial institutions, which were fined $1.1 billion and $710 million by the agencies, respectively.
In the release announcing the settlements, the SEC said employees of the penalized firms had routinely communicated about business matters using text messaging applications on their personal devices. “The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities laws,” the SEC stated. “The failings occurred across all of the 16 firms and involved employees at multiple levels of authority, including supervisors and senior executives.”
Compliance takeaways
The rapidly changing and growing compliance, risk, and audit responsibilities stemming from technology innovation require compliance departments to examine their own expertise, capabilities, and skill requirements.
The 2022 Cost of Compliance Survey, published by Thomson Reuters Regulatory Intelligence, showed frustration that, despite compliance departments’ widening responsibilities, staff numbers are unlikely to grow as staff costs increase and financial service firm budgets remain tight. Therefore, outsourcing, technology, and regulatory technology may step in to plug some of the gaps. Still, there will be a growing need for compliance professionals within firms to become more sophisticated in order to better steer the type of changes required by the new technologies.
As the Compliance Survey noted: “Of the 66% of respondents who expect the cost of senior compliance staff to increase in the next 12 months, nearly half (47%) gave the demand for skilled staff and knowledge as the top reason.”
Although the use of outsourcing and third-party management has been a popular strategy for many firms due to the complexities of software development, cloud computing, and data privacy and storage, regulators still expect compliance departments to have a thorough understanding and knowledge to oversee and “own” these outsourced functions.
Courtesy of Todd Ehret, Senior Regulatory Intelligence Expert, Thomson Reuters
CFPB Bulletin 2022-04: Compliance Bulletin re: Mitigating Harm from Repossession of Automobiles
12 CFR Chapter X
The Consumer Financial Protection Bureau (CFPB) is moving to thwart illegal repossessions in the heated auto market. A compliance bulletin issued today reveals conduct observed during CFPB examinations and enforcement actions, including the illegal seizure of cars, sloppy record-keeping, unreliable balance statements, and ransom for personal property.
The bulletin became effective on March 3, 2022 and can be found here.
As a benefit to our members, NASCUS has provided a summary of that bulletin below.
Summary
The Bureau is concerned that market conditions around the automobile industry might create incentives for risky auto repossession practices, since repossessed automobiles can command higher prices when resold. To mitigate harms from these risks, the Bureau is issuing this bulletin to remind market participants about certain legal obligations under Federal consumer financial laws.
Generally, servicers do not immediately repossess a vehicle upon default and instead attempt to contact consumers before repossession, usually by phone or mail. While some repossessions are unavoidable, the Bureau pays particular attention to servicers’ repossession of automobiles. Loan holders and servicers are responsible for ensuring that their repossession-related practices, and the practices of their service providers, do not violate the law. The Bureau intends to hold loan holders and servicers accountable for UDAAPs related to the repossession of consumers’ vehicles.
The bulletin summarizes the current law and highlights relevant examples of conduct observed during supervisory examinations or enforcement investigations that may violate Federal consumer financial law.
Under Dodd-Frank, all covered persons or service providers are prohibited from committing unfair, deceptive or abusive acts or practices in violation of the Act. An act or practice is unfair when (i) it causes or is likely to cause substantial injury to consumers; (ii) the injury is not reasonably avoidable by consumers; and (iii) the injury is not outweighed by countervailing benefits to consumers or to competition.
Section 5 of the Federal Trade Commission Act informs decisions with regard to whether or not a particular act or practice is “deceptive.” In addition, Dodd-Frank prohibits two types of abusive practices. First, materially interfering with the ability of a consumer to understand a term or condition of a product or service is abusive. Second, taking unreasonable advantage of statutorily specified market imbalances is abusive. Those market imbalances include (i) a consumer’s lack of understanding of the material risks, costs, or conditions of a product or service, (ii) a consumer’s inability to protect their interests in selecting or using a product, or (iii) a consumer’s reasonable reliance on a covered person to act in their interests.
The Bureau highlights the following examples of repossession conduct (among others) to be in violation of UDAAP:
- Wrongful repossession of consumers’ vehicles
- Failing to provide consumers with accurate information about the amount required to bring their accounts current
- Applying payments in a different order than disclosed to consumers, resulting in repossession
- Applying unlawful fees that push consumers into default and repossession
- Charging illegal personal property fees
- Charging for collateral protection insurance after repossession
The Bureau will continue to closely review the practices of entities repossessing automobiles for potential UDAAPs, including the practices described in the bulletin. The Bureau will use all appropriate tools to hold entities accountable if they engage in UDAAPs in connection with these practices.
CFPB Bulletin 2022-02: Compliance Bulletin on the Electronic Fund Transfer Act’s Compulsory Use Prohibition and Government Benefit Accounts
Section 913 of the Electronic Fund Transfer Act (EFTA) provides, among other things, that no person may require a consumer to establish an account for receipt of electronic fund transfers with a particular financial institution as a condition of receipt of a government benefit. The Consumer Financial Protection Bureau (CFPB) is issuing this Compliance Bulletin to reiterate that this prohibition in EFTA applies to government benefit accounts.
The bulletin became effective on February 24, 2022, and the Federal Register notification can be found here.
As a benefit to our members, NASCUS has provided a summary of that bulletin below.
Summary
Section 913 of the EFTA provides, among other things, that no person may require a consumer to establish an account for receipt of electronic fund transfers (EFTs) with a particular financial institution as a condition of employment or receipt of a government benefit. The provision is implemented in Section 1005.10(e)(2) of Regulation E. The Bureau is reissuing this compliance bulletin to reiterate that the compulsory use prohibition in the EFTA applies to government benefit accounts. Congress amended the EFTA to exempt “needs-tested” state and local electronic benefit transfer (EBT) programs. However, all accounts used to distribute benefits for federally administered programs (including Federal needs-tested programs) as well as non-needs-tested State and local government benefit programs remained covered by Regulation E. In October 2016, the Prepaid Accounts rule extended Regulation E coverage to prepaid accounts.
Compulsory Provision Prohibition
The compulsory provision of the EFTA provides that no person may require a consumer to establish an account for receipt of EFTs with a particular financial institution as a condition of receipt of a government benefit. This provision ensures that consumers receiving government benefits have a choice with respect to how they receive their funds. As noted earlier, this provision applies to “government benefit accounts” but does not include a government benefit account used to distribute needs-tested benefits in a program established under State or local law or administered by a State or local agency. The Bureau provided examples of needs-tested benefits that are not subject to the compulsory use provisions, such as those used to distribute TANF (Temporary Assistance for Needy Families), WIC (Special Supplemental Nutrition Program for Women, Infants and Children) and SNAP (Supplemental Nutrition Assistance Program) funds.
Examples of government benefit accounts administered by State or local agencies that are subject to the compulsory use prohibition because they are not needs-tested include accounts used to distribute unemployment insurance, child support, certain prison and jail “gate money” benefits, and pension plan payments. In addition, all accounts used to distribute funds under federally administered benefit programs are “government benefit accounts” subject to the compulsory use prohibition; for example, accounts used to distribute Social Security, Social Security Disability Insurance and Supplemental Security Income (SSI) payments; or Federal tax credits like the Earned Income Tax Credit (EITC) or the Child Tax Credit (CTC) are subject to the compulsory use prohibition.
Additional Protections under Regulation E for Government Benefit Accounts
Government benefit accounts are entitled to the protections of the EFTA generally and Regulation E’s provisions applicable to prepaid accounts specifically. Those protections are:
- Disclosures – Under Regulation E, consumers are entitled to three types of disclosures for government benefit accounts – pre-acquisition disclosures, disclosures on the access device or entry point and initial disclosures.
- Change in Terms Notices – Change in terms notices are required when a term or condition required to be disclosed in the initial disclosures changes, or the change results in an increased fee, increased liability for the consumer, fewer types of available EFTs, or stricter limitations on the frequency or dollar amount of EFTs.
- Access to Account History – Government agencies must either provide a periodic statement or must have available to the consumers (i) the consumer’s account balance, by telephone; (ii) an electronic history, such as through a website, of account transactions covering at least 12 months preceding the date the consumer electronically accesses the account; and (iii) written account transaction histories, provided upon request, which must cover at least the 24 months preceding the date on which the government agency receives the consumer’s request for the account transaction history.
- Limited Liability for Unauthorized Transfers and Error Resolution Rights – Regulation E’s limited liability protections and error resolution rights fully apply to government benefit accounts.