Don’t get lost in UDAAP
How to find your way as regulators shift focus to Unfair, Deceptive, and Abusive Acts and Practices
June 10, 2011
By Jo Ann Barefoot and Lyn Farrell, Treliant Risk Advisors
Bank compliance spending and staffing move in only one direction: up. That’s been true since the consumer movement arrived 40 years ago, and it is alarmingly true today. The massive mandates flowing from Dodd-Frank, combined with newly aggressive enforcement, are overstretching bank compliance officers. Implementation is backlogging. Penalties are escalating. Large banks are hiring while small banks wonder if the work is even doable in their league. People speak of “pulling the ripcord.”
And the Consumer Financial Protection Bureau has not yet even opened for business.
Faced with these challenges, it’s easy to miss the fact that the regulatory burdens are not just more in number, but also profoundly, increasingly, different in nature. Consider two startling indicators of a new reality:
• A new world. The top compliance risk is suddenly UDAAP—unfair, deceptive, and abusive acts and practices—which has become a de facto mandate to assure that all bank actions are “fair” as well as compliant. (Abusive is emphasized because it is a new factor in what used to be only “UDAP.”) Bank compliance functions are not designed to deliver unfailing fairness, especially against subjective standards and amidst relentless criticism from politicians, media, customers, and regulators.
Meeting this risk will require fundamental change.
• Populist pushback. The bureau’s effective leader, Elizabeth Warren, is a fixture of late-night television, wildly cheered by audiences.
Ponder that for a moment. Bank regulation is normally arcane and colorless, with consumer compliance being (let’s face it) the dullest of the dull. Now, suddenly, everyone cares. The issues have moved from back pages of banking publications to mainstream headline news and even pop culture.
There is a rap video about Professor Warren. Pundits want her to run for President.
The pace, scale, and nature of this change—unlike anything in bankers’ careers—constitute a tipping point. They cannot be well-handled through the traditional bank compliance management model.
That model—its fundamental approach, not the volume of work put through it—has been largely static for decades. (One of the authors helped design it, as a regulator, back when laws like Truth-in-Lending were young).
It’s time for a compliance metamorphosis.
That transformation should:
1. Retain the many strengths of the current model—because the old responsibilities won’t go away.
2. Equip banks to meet the fairness mandate.
3. Capture efficiencies to constrain rising costs.
The steps needed to achieve this transition can look deceptively simple, and many have long been discussed among compliance professionals. What’s different now? In the past, they were talking among themselves. Now, CEOs and line-of-business executives are increasingly ready to lead on them—or should be. CEOs know compliance can damage their banks through huge risk to brands, reputation, regulatory flexibility, and the bottom line—especially through escalating costs.
For executives who now have motivation, here are the steps to metamorphosis.
1. Become strategic and proactive
Make your bank proactive and strategic about compliance, rather than reactive and tactical.
Two factors drive this step. First, change is coming so fast that it will swamp compliance groups, units, or officers who simply wait for new rules. They will fall behind, make errors, spend too much money, and risk enforcement action in areas where standards are not yet set. Second, the most dangerous issues will be in subjective realms that require judgment calls.
To make good judgments, banks must deeply understand and manage emerging and ill-defined risks, especially UDAAP. This can only be done by getting out ahead of the risk curve, rather than reacting to it.
2. Integrate compliance with the business
The traditional compliance management model is designed to satisfy technical rules. It cannot produce “fairness” that will withstand UDAAP enforcement. To do that, Compliance (and Legal) will have to become fully integrated with business decisionmaking.
For most banks, this will be a leap. Most compliance functions tend to stand to the side of the business, performing a “check-the-box” role. They are often consulted late about initiatives like new products, asked to sign off on decisions that are nearly final. Most also use extensive stand-alone processes to achieve goals like compliance monitoring, employee training, data analysis, operational issues, and risk reporting. And while business lines may nominally “own” compliance, few senior business leaders actively engage.
This model tends to be inefficient, but has produced generally good results so long as the tasks are rule-based. The advent of UDAAP, however, will break it. Regulators, newly armed and energized by the mandates in Dodd-Frank, are already enforcing UDAAP aggressively. Banks suddenly need failsafe systems that can assure that every decision on every product, marketing tactic, or practice will be fair, transparent, and appropriate (non-“abusive”) for even vulnerable customers.
The terms “unfair,” “deceptive,” and “abusive” are subjective and broadly defined. As a result, they create a danger zone inside the clear legal line, requiring new kinds of decisionmaking.
This is no subtle shift—it changes the dialogue. Traditionally, compliance staffs will question an activity and business staff will say, “Show me where it says we can’t do that.” Today, the answer becomes, “I can’t—but it’s still high-risk.”
What comes next must be a new kind of collaboration about products, terms, marketing, and practices that will pass UDAAP muster—over full product lifecycles.
3. Redesign human resources systems
In most banks, compliance and fairness objectives are not woven into the human resources infrastructure that shapes employee performance. Most new employee orientation touches these topics briefly, if at all. Ethics policies normally omit fair treatment of customers. Core missions and values are compatible with fairness, but don’t explicitly incorporate it. Compliance is often seen as an add-on to the “real” training people need.
Similarly, compliance is a minimal or missing factor in most job descriptions, annual performance standards, and criteria for winning bonuses. Banks do, of course, expect employees to comply, but rarely make it a priority, much less tie pay and promotions to a fairness standard.
Most banks’ performance and compensation criteria form an hourglass-shaped motivation structure. At the top, executives care about compliance and especially fairness, because they own the brand, reputation, and core values focused on serving customers. At the bottom, front-line employees care because they work with customers. In the middle, however, managers are primarily focused on the profit and growth goals set by their direct superiors. Compliance staffs then engage these leaders laterally, trying to compete for their attention. That narrow part of the hourglass functions like a weak link in the motivation chain, with compliance incentives comparatively weak. The remedy is to elevate compliance accountability—not just awareness—to the top of the house and have it then flow vertically through the organization in the normal chain of command.
People do what their bosses care about.
4. Capture efficiency
While today’s regulatory activity will inevitably raise costs, the increase should not be proportional to the expansion in rules. Instead of simply layering more staff into an outdated model, banks should seek efficiency gains, from two sources.
First, most banks incur unnecessary costs because compliance must “swim upstream,” fighting a cultural current flowing against it. It’s axiomatic that quality saves money—it’s always cheapest to do things right the first time.
While all banks want to comply, negative cultural cues about compliance create a low prioritization that can lead busy people to make errors. These in turn trigger costly corrective work—especially, but not exclusively, when regulators require file searches, data gathering, and detailed remedial action. In addition, swimming against a negative current simply requires more resources to produce a given level of compliance—more monitoring, analysis, retraining, policy, procedure, more memos, more meetings … more everything.
The other way to capture efficiency is with technology, with the goal being to wring out all possible human error (leaving residual human discretion to be channeled to good outcomes).
All banks build regulatory requirements into operations and processing, but many do so tactically rather than strategically, making compliance goals an afterthought in IT planning. As mentioned, most compliance units use one-off technology systems to perform functions like monitoring and data analysis that could be readily handled through mainstream systems, with proper design.
Compliance staffs also routinely waste time or fight high error rates on problems that are easily avoidable through cheap IT solutions. Poor internal consultation—another integration failure—is why these didn’t happen. Compliance issues are often addressed with cumbersome IT “patches” and work-around processes that consume time and generate errors.
It’s also common to find compliance issues waiting low in the IT work queue for months or years, with manual solutions needed in the interim.
To transform compliance efficiency, senior executives should direct IT departments to consult with compliance and business staff on where waste is occurring, and build the answers into a long-term compliance IT strategy. When new systems are planned, compliance should be on the initial team and should be asked to suggest enterprise-wide efficiency gains.
5. Focus on results and metrics
Compliance used to be measured by exam reports. While banks now self-monitor and produce risk metrics, most senior executives and boards still cannot answer the basics: Where are our major risks? How severe are they? Are they growing or declining? Are they being managed?
Reports contain too much trivia. They are reactive rather than proactive. And they measure violations rather than risks.
The transformed compliance function should revisit the basic question: What information does the bank need?
One key enhancement is to measure UDAAP risk through really good reporting on complaints and also on customer satisfaction surveys, if the bank conducts them. Most banks consider complaints resolved if they raise no regulatory violations. However, that scenario—no violations, but customers upset that something was “unfair” or “unclear”—is the very essence of UDAAP risk. Banks need to capture all complaints (written and oral), centralize them, analyze them for trends and root causes, and produce high-value metrics on risk.
Banks also need metrics on “emerging risks.” One focus should be products and practices sparking public controversy, since UDAAP enforcement, litigation, or future regulation is likely in those areas. Another source of emerging risks is internal developments that could generate compliance issues—newly launched products or major changes like a merger, acquisition, branch expansion, or system conversion.
Reporting should also aim to capture efficiency and quality metrics—reducing error rates, speeding corrective actions, and shifting costly manual or one-off processes to efficient technologies.
6. Transform compliance leadership
These transformations will require new kinds of leadership, in two ways.
First, they necessitate that the CEO and senior team engage personally in leading compliance and fairness improvement, just as they lead on other goals. Executives must set a positive and committed “tone at the top.” They must visibly and credibly integrate compliance into their own thinking. They must also hold their direct reports accountable to do the same. The mark of a successful transformation is that the bank’s senior business people are interested and thoughtful about compliance risks and have integrated them with the bank’s mission and business goals.
Second, compliance officers should become highly effective leaders. Unlike “management,” true leadership involves motivating people to follow even when they don’t have to.
Beyond technical expertise, compliance staffs need to offer insight, collaboration, and solutions that their business colleagues will seek out and value as essential to risk management. Some may benefit from leadership training or other steps to cultivate confidence and new skills. CEOs can help by visibly elevating the chief compliance officer in all the ways that signal importance—title, position on the organization chart, office, pay, face-time with the board, and inclusion in senior meetings and key committees.
Banks might also rename the compliance function to capture the broadened fairness mandate.
7. Shift the culture
Compliance transformation is, fundamentally, a culture shift. Compliance and fairness must be interwoven positively with the bank’s core mission and values. They must be viewed as good for business, with superior fairness seen as a competitive business advantage. They must also link to ethics—no one in a bank should take a step that would make the bank do better because customers do worse.
The best compliance department in the world cannot create a bank-wide culture of compliance. Only the CEO, executive team, and board can.
A practical path toward transformation is to assign a team to accomplish it, led by a veteran project manager who has implemented past culture-changing innovations and knows how to engage all the players.
One final word: Every bank should do a UDAAP readiness review—now.
Don’t wait for agency clarification—that will lag behind the enforcement wave. Until it comes, use the common sense test—would you want this product or practice impacting your mother?
If not, either drop the practice or do it differently.
Jo Ann Barefoot, veteran compliance consultant and regulator, and former contributing editor to ABA Banking Journal, is co-chairman at Treliant Risk Advisors. Lyn Farrell, managing director at Treliant, is a veteran banking attorney and consultant. www.treliant.com
[This report was posted on June 10, 2011 on the website of ABA Banking Journal, www.ababj.com, and is copyright 2011 by the American Bankers Association.]