We've talked before about the alphabet soup of organizations that dictate compliance for the debt collection industry. The Consumer Finance Protection Bureau (CFPB) is one of the main government bodies that was solely created to protect consumers.
There was a lot of concern over new regulatory changes in debt collection compliance that came down recently. Compliance risk is a large concern for financial institutions and lenders, because failure to meet regulatory compliance can jeopardize the company’s standing, result in fines and sanctions, and damage their reputation.
The truth is that these new changes are an improvement over the previous regulations. They didn’t so much introduce significant changes or add limiting parameters for lenders as they clarified things that were too broadly defined before. Now companies can plan around more concrete rules. The wording is more precise and detailed, so you have less risk of breaching compliance regulations accidentally or due to subjectivity.
The clarifications updated antiquated rules that hadn’t yet allowed for current technology and communications. They were broad, simply stating that you couldn't harass someone in an attempt to collect a debt. But the definition of harassment could be very subjective. The new regulations lay out the number of times in a specific period that you can contact the debtor and they also updated communication methods, which needed clarifications. Technology has changed so dramatically since these laws were first created.
We've also gone over the new CFPB rules and regulations in great detail. For today's post, we'd like to dive a little deeper into compliance management systems and how they can help with compliance risk. We’ll discuss what lenders truly face in maintaining compliance. You’ll learn how manual processes can make meeting regulations difficult, if not impossible. And we’ll talk about possible repercussions a lender faces in the case of non-compliance.
What Do Lenders Face with CFPB?
The CFPB mandates certain requirements from your compliance management system. But not all CMS are created equal. In many cases, the system will help you lay out documentation and provide a structure to create policy that aligns with regulatory compliance, but most systems don’t help you to operationalize your compliance strategy to actively ensure compliance. Creating the policy isn’t enough. You need to prove that you’re actively monitoring and meeting those protocols. In many cases, companies are using their CMS to set policy but manual processes to oversee those initiatives.
If you're using a manual process, you're not going to be 100% compliant all the time. Likely you already manage too many accounts with too few resources. This is especially true for small and midsized companies. The focus needs to be on operationalizing compliance. This is what the CFPB is looking for when they flag lenders. They are looking for lenders that Take a piece meal approach to compliance and they earmark lenders that don't proactively detect issues with their vendors when those violations can cause harm to consumers.
If you're not using a compliance management system that offers automated tools to monitor and alert staff of compliance violations, this is exceptionally difficult to manage. Let's take the example of password security. This is a huge compliance issue and there are best practices and regulations that stipulate password security on all devices.
As a company, you can develop a policy that says, "All work devices must be secured at all times with a password". That policy, by itself, is not enough to put your company in compliance. You need to show that you're doing everything in your power to ensure that every computer that accesses your databases is secured with a unique password.
To do this manually, it's exceptionally time-consuming. You might try a system where you manually check a small sampling of computers to determine the percentage of compliance. For example, you might check 10 out of 100 computers. If all 10 are compliant, you might reasonably believe that your company is doing well in this regard. You've still left 90 computers completely unverified. Are you sure that percentage is right from the small sampling? What if 5 out of 10 were not password protected? Do you need to check all of them?
The written policy is not going to protect your company if regulators come in and find a percentage of computers don't meet compliance. Covering the process manually is not something most companies can afford to do on a regular basis. However, having software installed on all devices that regulates password use and reports on compliance by employees is an efficient solution. It's also a solution that provides you with proof of compliance.
And proof of compliance is one of the things that NeuAnalytics’ compliance management system helps you achieve. Our system inspects the raw data on every account and every interaction every day, to give you full reporting and alerts. It makes maintaining compliance automatic, to give you peace of mind and help your employees focus on what really matters - the work you do.
Unlike other compliance management systems, our platform not only covers the gamut of questionnaires and documentation collection that your business needs to ensure compliance, but allows you to proactively ensure that your internal and third-party teams meet regulatory standards through our innovative omni-channel monitoring and analysis solutions. We ensure licensing requirements are met by all of your vendors all of the time, we empower your team to sample calls and other interactions without having to rely on your vendors to provide you with cherry-picked interaction data and we audit account-level activities for ALL accounts, every day.
These innovative features protect your organization and allow you a better way to monitor and efficiently work within the regulatory time frame. For instance, on contact with consumers. Regulation F gives clear rules. You can call 7 times in 7 days. If you talk to the consumer, you have to wait 7 days before you try to contact them again. This sounds simple. But when you multiply that by your entire database of default accounts and across all communication channels this gets very complex very quickly
With NeuAnalytics, this is something you can easily set up with alarms. We have an automatic audit function that will flag accounts if they have been dialed too many times within the set period. The system will also alert you that the proper time period has passed. The whole point for your team is to collect and that doesn't happen without efforts to collect. But you need to stay in compliance, as well. The system ensures and automates this, so the process runs smoothly and there are fewer errors.
What should you look for in a CMS?
The CFPB stipulates that an institution must have a compliance management system that's integrated into their framework. The system needs to adhere to certain specifications in order to maintain compliance.
When you’re researching your compliance management system, you need to make certain that the tools available meet standards, current and future, and help your team monitor and manage actual practices. The CMS system you choose should not only streamline the process of maintaining compliance with current standards or just with federal regulation but give you the peace of mind that it is capable of addressing future/currently unknown scenarios and can synthesize the myriad of federal, state and local regulations into a rule set that ensure your adherence
Here's an overview of what the CFPB is looking for in your CMS.
Policies, Procedures, and Practice
To maintain compliance, you need to meet certain standards. You need to make sure that your policies align with the regulations as dictated by the CFPB. You should internally know these metrics, but your CMS vendor should also verify that they not only have compliance covered currently but that they update regularly for all aspects of your industry.
The procedures you follow need to align with your policies. The procedures that you develop need to be mandated and documented so that you can easily pinpoint any error or issue and remedy them. Lastly,you need to operationalize your compliance strategy so your actual practices match the policies and set procedures. Earlier, we pointed to an example of setting up a policy, but not following through on that policy in actual practice (the scenario with password security for work devices).
Leaving password security to chance or using a manual process of only checking a certain percentage of devices is an inferior method. Your company can’t be certain that those statistics would weigh out in an audit unless you checked EVERY computer individually.
With most CMS solutions on the market, there is no innovative component to both automate and monitor these issues. That's why NeuAnalytics developed a solution to automate the process for lenders.
Overview of the CFPB 5 Point Rating System
The Consumer Compliance (CC) rating system is a way of examining lenders to determine if they are in compliance. The rating system is given a numeric value from 1 to 5. The numbers increase with the level of compliance concern. So, a 5 would indicate the highest need for supervisory concern. The best score a lender could get is 1.
The Key Components to a Fully Functioning CMS Recognized by the CFPB
There are key components that the CFPB is looking for in a fully functioning CMS. In a CFPB review, they look at five separate modules. Modules 1, 2, 3, and 5 are all reviewed during a standard examination. Module 4 is only reviewed when there is a CC rating review.
The modules are as follows:
- Module 1: Board and Management Oversight
- Module 2: Compliance Program
- Module 3: Service Provider Oversight
- Module 4: Violations of Law and Consumer Harm
Board and Management Oversight
With board management oversight, the main concern is the creation and management of compliance. This includes creation of compliance functionality, approval of compliance policies, the selection of compliance officers, and the routine review of the company's compliance status.
Compliance Program
The compliance program needs to be a formal, written program. This includes detailed written policies and procedures. The procedures need to be organized in a flexible structure so that revisions can be made as needed. This allows companies to update and revise their policies as risks evolve or if new data is identified to signal risks.
Training
Training includes regular, specific, and comprehensive instruction for all officers and directors. The training initiatives must address all aspects of financial protection laws.
Response to Consumer Complaints
There needs to be a consumer complaint protocol. This process needs to mandate the way complaints are documented, the process to resolve complaints, and the incorporation of the information that is obtained through complaints as it pertains to compliance program revisions and oversight.
Compliance Audit
Your system needs to include organized and risk-focused internal controls. These controls should allow for constant internal monitoring, independent testing, and compliance auditing. You should also have oversight, a record of all results, and the ability to communicate these reports to the management and board so that compliance issues are internally identified and proactively corrected. Your compliance audit is partially about keeping good records, but it's also a tool to help proactively develop better processes when data shows an area that needs improvement.
Record Keeping and Review
Record keeping is an intricate part of the process. For compliance, accurate records are absolutely integral to showcasing the company's commitment to following regulations and taking all of the required steps to review and improve their commitment to consumers.
If you are reviewed, the record keeping will be your proof of compliance practices. It showcases the effort your company has put into maintaining and monitoring the policies you’ve developed and gives written records of all policies to showcase compliance.
Who Should Be Involved with the Implementation of Your CMS?
Implementing a new CMS takes research and commitment. Remember, your entire team will need to be on board with the new processes and technology. So, it's important that there is buy-in at every level of your organization.
- Senior Management. Senior management sets the tone and makes the final decisions on purchasing. They should also mandate use across the company to make sure that the processes are followed precisely.
- Compliance Officer. The compliance officer will need to be fully onboard with the CMS and be properly trained and supported in full use of the system. The compliance officer will also be able to offer input as to the effectiveness of the system and whether there needs to be additional manual effort to maintain compliance in actual practice.
- Front Line Employees. Front line employees are often the ones who do the most work with new systems. They will need adequate support and training and it's important to get employee feedback with open communication throughout any upgrade or new system implementation.
What Happens if You Fail to Comply?
What are the real-world ramifications if you're not in compliance? The short answer is that the monetary penalty can be extremely severe. The CFPB has a lot of discretion when it comes to the fining process, and it can be difficult for companies to project the type of fines or sanctions that they may face. The CFPB might fine you for every single day that you were not in compliance. This can mount very quickly and the fines themselves can be extraordinarily large.
A fine for a violation might be $5,000 a day. This is why it's so important to self-audit and catch mistakes. What happens if you don't catch an error for several weeks or months? Imagine the monetary loss to fines for a mistake that could have been caught through automation instantaneously.
The fines can be as high as $25,000 a day when they find that the company has a reckless violation. Developing a solid protocol and using a highly reputable CMS will help you avoid these large fines, providing your company is not brushing flagrant breaches under the rug.
When you commit a violation intentionally, the fine can be as high as $1 million a day. Record keeping and a solid protocol to maintain compliance are absolutely integral for your financial wellbeing.
Actionable Tips to Implement Your CMS
The implementation of any new system can sound like a great deal of effort. Every member of your team will need to be trained and new technology can often negatively impact productivity during the learning phase. Keep in mind that your compliance management system should be chosen to improve your processes. Any pain points in implementation should be minimal with the proper support and training through your chosen vendor.
We suggest some overall tips to help make your transition most productive:
- Take a Risk Based Approach
- Connect with a Broader Risk Framework
- Strike the Right Balance of Internal Resources + Structure
Take a Risk Based Approach
One of the primary purposes for investing in CMS is to keep you in compliance. To do that, you need to pinpoint areas of risk so that you’re using your tools proactively to oversee these areas and monitor your approach.
For instance, if you know that your third-party vendors pose a risk due to a lack of oversight, this is something that you need to consider when choosing your solution and developing your processes. As you implement your solution, remember that it’s a tool to help you maintain the overall structure of your compliance framework.
Connect with a Broader Risk Framework
Your CMS solution does not reinvent the wheel. You’re using the system to monitor and provide a robust solution to help you meet your broader risk framework goals and initiatives. When considering your CMS solution, choose the solution that integrates well with the framework you currently have in place and helps make the process more efficient, not only in the short-term but as your solution can scale with your business.
Strike the Right Balance of Internal Resources + Structure
Your CMS Solution gives you the capacity to oversee and create policy. It should provide the comprehensive solution for documentation and with the right tools, it helps you to take actionable steps to monitor and maintain in actual practice.
Your team has been doing many of these processes, but the system should help them improve and automate areas that pose a challenge. Optimally, your CMS makes the team’s job easier to propel productivity, increase collections, mitigate risks, and improve the overall work structure for your team.
When choosing your compliance management system, the best solution will be unique to your company. Choose a provider that specializes in your industry and/or has a wealth of experience working with companies like yours. For compliance, especially, you want to know that your solution covers all of the intricacies involved in your field. Your vendor should be up to date with all compliance regulations that impact your business so that your compliance personnel have a comprehensive solution to maintain all records and requirements.
How Can NeuAnalytics Help with Compliance Management?
NeuAnalytics provides solutions for large lenders and creditors across the financial services, automotive, energy, and retail sectors. Our solutions assist lenders and creditors in managing their default receivables,in a compliant way that puts focus on consumer protection. Our solutions are purpose-built for creditors by a team with deep domain expertise.
We offer oversight for third party vendors that you place debts with so that you can be assured that your third-party vendors are increasing debt recovery while staying compliant with federal and state-level regulations (like the CFPB).
NeuAnalytics is the only vendor that provides solutions across the entire consumer debt lifecycle. We offer the only compliance management system that’s equipped with the innovation to not only help your staff document policy and procedure, but operationalize compliance through automation. This simplifies the process for your staff, reduces possible errors, and makes time-consuming manual processes unnecessary.
NeuAnalytics does not treat receivables management, compliance, or fraud disputes and complaints in an isolated manner. Instead, we believe that these issues can only be managed well individually if they are managed well collectively. Our processes put you in control of the whole financial picture for your debt lifecycle. You can easily pinpoint individual accounts and incidents, as well as managing the overall picture of your process. These tools allow our companies to maintain compliance easily and improve the collection process with meaningful ROI.
Are you ready to increase your liquidation rate, decrease manual effort, decrease errors, and improve compliance performance? Schedule a demo today. Our experienced staff can work with you to assess your current system and recommend the best solutions for your staff and your bottom line.