On November 28, 2016, the Consumer Financial Protection Bureau (the “Bureau”) issued CFPB Compliance Bulletin 2016-13, titled “Detecting and Preventing Consumer Harm from Production Incentives” (the “Bulletin”). Inviting “dialogue and discussion” on issues surrounding the uses of production incentives for consumer financial products and services, the Bulletin deserves attention because the Bureau is reinforcing its expectations for a supervised entity to maintain a “robust compliance management system (CMS)” and, more ambitiously, possibly signaling no letup in considering enforcement actions involving sales practices and incentive arrangements that pose risks to consumers. In the spirit of a give-and-take of a friendly dialogue (not a testy family holiday gathering) a few observations.
Dialogue: the give . . . The starting point for the Bureau’s cautionary guidance regarding the potential harm from production incentives is qualified acceptance (but still acceptance) of incentives: “When properly implemented and monitored, reasonable incentives can benefit all stakeholders and the financial marketplace as a whole.” Incentives leading to “improved customer service” or techniques that introduce consumers to financial “products or services that are beneficial to their financial interests”—the Bureau is nodding in support. Accordingly, the object of the Bulletin is not to do away with incentive arrangements. Rather, a financial institution supervised by the Bureau is guided to “limit incentives from leading to violations of law.”
Discussion: . . . the take But, then the tone shifts. Instead of allowing the supervised financial institution to gear up sales and other incentives that can promote its employees and customers alike, the Bureau instructs the institution to tune its CMS. What CMS? The CMS that’s “robust,” yet risk-based, and tailored to the “size and complexity” of the particular financial institution, as the Bureau has “emphasized repeatedly.” That echo is real. On November 14, 2016, the Bureau joined four federal banking agencies and the State Liaison Committee, all working through the FFIEC, to issue final guidance that, as a practical matter, constitutes a mandate for a supervised financial institution to implement and maintain a CMS. The FFIEC revised the Uniform Interagency Consumer Compliance Rating System, designed to promote more consistent standards for evaluating compliance by different types of financial institutions. But the federal agencies’ clearly state their shared collective regulatory objective: “The revised CC Rating System emphasizes the importance of institutions’ compliance management systems . . ., with an emphasis on compliance risk management practices designed to manage consumer compliance risk, support compliance, and prevent consumer harm.” In its Bulletin, the Bureau zeroes in on the aspects of a financial institution’s production and other incentives that involve the “strictest controls” under its CMS, namely, if the incentives:
- Concern products or services less likely to benefit consumers;
- Have a higher potential to lead to consumer harm;
- Reward outcomes that do not necessarily align with consumer interests; or
- Implicate a significant proportion of employee compensation.
The Bulletin further notes concern regarding deceptive marketing of products, marketing of products that are less favorable for the customer, but more profitable for the financial institution, as well as selling a consumer more credit than he or she had requested or needed. The Bureau notes that it has identified examples of sales incentives driving illegal conduct in regard to credit card add-on products, overdraft opt-in, as well as deposit and credit card account opening. The Bureau ends the Bulletin by laying out specific steps that a financial institution can take, when offering or providing consumer financial products or services, to help reduce the risks associated with incentives. The Bulletin specifically describes four key components of an effective CMS: (1) Board of directors and management oversight; (2) The stuff of the compliance program—policies and procedures, training, monitoring, and corrective action; (3) A consumer complaint management program; and (4) An independent compliance audit. The Bulletin “compile[s]” enforcement actions, too – which should serve as a warning shot to financial institutions that the Bureau could use the bully pulpit of public enforcement action to raise concerns regarding a wide range of sales practices or incentive compensation arrangements. In particular, the Bureau discusses its enforcement actions involving incentives for employees of financial institutions or their service providers for credit card add-on sales and overdraft opt-in matters.
We take the Bureau at its word when the Bulletin outlines how various financial institutions “failed” to sustain a monitoring, vendor management, or quality assurance program—each a component of a CMS—and infer that each enforcement action was amplified by the predicate failure. Moreover, we think it’s important to note that such expectations apply equally to depository and non-depository financial institutions. Enforcement could follow the trail of potential or actual defects in a CMS, particularly if incentives (apart from their benefits) amplify the harms to consumers.