Feb 24, 2021
Written by: Laurent Robert
Within days of the international declaration of the pandemic, federal leaders tossed a lifeline to small businesses in the form of the Paycheck Protection Program. But before the ink was dry on the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which offered forgivable loans to help eligible American companies keep their lights turned on and pay their employees, banks were stepping into a minefield of risk.
Think about it: Banks had only 12 hours from receiving final PPP guidance to opening their doors (virtually or physically) to accept loan applications – with small businesses, sole proprietors and gig workers alike trying to claim a piece of the initial $349 billion lending pool. How well could they properly interpret regulations to develop effective, compliant lending processes for a new product in such a tight delivery window? As it turned out, some of the nation’s largest banks – which can’t always act nimbly – delayed taking PPP applications until they had established lending protocols, set requirements and trained their employees.
What quickly became clear as the program rolled out – in addition to the realization that the process certainly would not be glitch-free given the existing conditions – was that banks with healthy risk management programs met the challenge with solid, well-managed lending processes. Rather than building origination processes from scratch, they steered their energy and resources toward conducting adequate scenario analyses, with a specific eye toward identifying unique risks and protecting their institutions during a time of unprecedented financial crisis.
After so many years of being subject to heavy regulation, you would expect that most financial institutions would have robust practices, policies, procedures and controls in place by now – and those should have been foundational in supporting PPP activity. What we’re finding out, however, is that many banks didn’t have the right controls in place – and now they could be paying the price with customers and regulators.
PPP presented participating lenders with a double-edged sword: Banks stood to earn massive amounts of origination fees (and potentially interest fees for serving unforgiven borrowers) on loans that were guaranteed by the government, which one would think would make them a safe source of revenue. The government also promised not to hold those very same banks liable if borrowers didn’t play by the rules.
Of course, many financial institutions opted into the program with the mindset of helping their clients keep their heads above water, with a downstream impact of buoying their communities. At the time, no one could predict how long this black swan event might run. Now, only weeks into office, the Biden Administration has already pledged greater regulatory scrutiny.
But nearly a year after the first round of PPP funding was made available, some banks are struggling to stay ahead of litigation and regulatory scrutiny due to their processing, approval and distribution of the loans. Government oversight for financial hardship programs remains fresh in their minds from the Great Recession, as banks became accustomed, as a result of the Troubled Asset Relief Program, to looking over their shoulders at regulators and conducting rigorous stress testing. We can expect a similar legacy for PPP.
With 20/20 hindsight, we can closely identify risks left in PPP’s wake and provide strategies for banks on how to close those gaps. Let’s look at the issues and opportunities for banks to put themselves in the best position to respond to regulators, customers and legal challenges:
For most banks, risks were likely present before accepting the first applications. From the get-go, they should have known every action would fall under regulatory scrutiny, even as they waited out specific requirements under PPP. Banks will always be accountable for meeting intent, and they are simply expected to do the right thing.
Seven interim rules came out in the first month of PPP distribution. Did your bank pause to consider changes and course-correct along the way? Some banks struggled with different operational areas proceeding under different understandings of what they were expected to do, meaning processes were disparate – and the takeaway from that is always higher risk.
How to Address: Establish policies and procedures with a dynamic set of internal controls. As with any regulatory change, document your understanding of the law before you start to act. While an annual review is generally sufficient in normal times, increase the frequency in unexpected times – like a pandemic – reviewing your interpretation to assess whether your execution aligns with intent. Use time to ensure you have the foundational risk management framework in place to deliver an integrated enterprise approach.
PPP promised a fast, easy route to getting cash to businesses that needed it most within just 10 days of applying. Getting operations geared up in an urgent moment most likely caused many banks to actually introduce more risk to their processes – including opportunities for fraud. For instance, many banks deployed employees from core functions to support PPP, which left those core functions without proper oversight or daily operation. Banks didn’t have the luxury to proceed cautiously, which is critical to preventing both mistakes and fraud.
When tracking PPP’s development, my first reaction was hope that lenders were enacting super-robust processes and making sure they kept every single piece of documentation, because litigation was a certainty. Every process – new or adapted – must be accompanied by controls to ensure procedures and policies are followed, and well-managed banks should have documented every touchpoint, whether an applicant’s loan was approved or denied.
Did you keep your finger on the pulse after making lightning-speed changes to implement the new program? Within a mere six months of PPP rollout, the Department of Justice brought fraud charges against 82 individuals for loans totaling $250 million.
How to Address: Review all PPP process monitoring to understand performance while also looking for variations in other operations resulting from executing this short-term program. If you identify issues, look for root causes to ensure you’re implementing the right controls. And if you don’t have process monitoring, you’re at even greater risk – which should catapult remediation to the top of your priority list.
In traditional loan originations, banks spend more time validating customer data before making decisions. With the urgency of PPP, banks sought to mitigate risk by focusing on the customer relationships they already had. To comply with Know Your Client (KYC) rules, they could prove they recognized existing customers and were reasonably confident those business owners were asking for loans commensurate with their needs. This was a logical approach for many banks to help them protect the integrity of their lending program and meet PPP terms. While regulators have hinted at considering the unsettled environment when reviewing banks, your defense can’t rely on your expectation of leniency while you’re looking the other way at your practices.
PPP also put the responsibility on borrowers to validate the authenticity and accuracy of the supporting documents they submitted to prove payroll and rent or mortgage expenses – again offering a potential safety net for banks. But a well-managed enterprise doesn’t take shortcuts.
How to Address: Put your trusted and true loan origination practices to work. Continue to have documented procedures for validating customer information to support informed lending decisions.
Because of KYC regulatory requirements, many banks opened applications mostly to customers with current commercial relationships – which is a risk to building a diverse borrower portfolio. But it’s hard to ignore a recommendation that comes from the U.S. Treasury.
Left behind in the loan approval frenzy were women- and minority-owned businesses – a symptom of lingering hurdles in the banking industry. Those businesses were less likely to have the necessary documents for loan applications readily available, which put them further behind as they saw the PPP lifeline evaporate. Fortunately, federal leaders are working to close this gap, starting with setting aside $10 billion of the $310 billion allocated in the second round specifically for Community Development Financial Institutions (CDFIs), which provide financial access to underserved communities.
Financial institutions must ensure they are delivering against their fiduciary responsibility to all of their clients and proactively balance lending activity – particularly to those they might not interact with frequently. To echo an earlier point, financial institutions have long faced regulatory accountability under the Community Reinvestment Act and various fair lending laws, so they should have practices in place to demonstrate they acted as fairly as they could with regard to PPP. Against the social injustice unrest of 2020, this issue becomes even more critical.
One unanswered question remains for regulators: Should banks be held accountable for responding to their customers on a first-come, first-served basis?
How to Address: Slice your PPP lending data to see the population you served, including the minority percentage and income level of the census tract, customer or not, and business type. The federal coronavirus subcommittee gave some credence to the idea that resources often go to the same people, as wealthier clients passed at twice the rate of the smallest businesses with the most dire financial predicaments. You need to understand your data and be prepared to defend any gaps in lending to underserved segments, as well as ensure your documentation around how you proactively reached out to all clients is in order.
Regulations protect consumers from deceptive banking practices. Being cited for violating the terms of PPP – a shot in the arm for small businesses fighting for survival – could cause irreversible damage to a bank’s community standing.
How to Address: Continue to nurture a risk management culture where every employee shares responsibility in the well-managed operation of your bank. Start by setting expectations for your entire organization with clear internal controls, robust risk management practices, operational efficiency, and meaningful and actionable insights on your performance.
Finally, we’ve arrived at the final stage of PPP for initial borrowers: seeking loan forgiveness. How well you adhered to sound practices for reviewing applications and loan amounts now becomes a question of whether you best positioned borrowers to benefit from forgiveness. When asked if you did the right thing, your defense starts and ends with showing you had a solid process in place and followed it to a “T.” You can’t prevent the attack, but your documentation should illustrate a thoughtful process designed to protect your customers.
From continuing to lend under any additional rounds of PPP to serving customers seeking loan forgiveness or paying on unforgiven loans, banks will be facing compliance hurdles – big and small – at every turn. Spinnaker can provide the industry expertise to move your institution’s PPP operations into compliance while also helping you develop a risk management framework that reinforces the integrity of every banking product and service you offer.
The Big Picture
Pick up recent copies of The Wall Street Journal or American Banker, and you’ll see headline after headline about consent orders and hefty fines issued by the Consumer Financial Protection Bureau to mortgage companies caught using deceptive advertising practices. This summer alone, eight have been issued.
Two things immediately strike me when I see these stories: Many of these cases didn’t have to happen. And while these particular consent orders were concentrated in the mortgage sector, similarly problematic issues are most certainly occurring in other lending segments across the financial services industry.
After a hundred years or so, you’d think we would know how to follow regulatory rules – particularly those put in place to protect consumers. Indeed, the first such laws were framed by the states before World War I – although the first meaty federal law, the Truth in Lending Act, wasn’t passed until 1968. Every new regulation layered in since then largely continues to further shield consumers from unfair practices – which often start with glossy ad campaigns designed to get them in the physical or digital door.
The reasons why we’re still struggling with compliance aren’t too difficult to understand: turnover within organizations, competing priorities, a lack of sound controls, new staffers who are unfamiliar with existing regulations, and a never-ending list of new ones, including Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and the Mortgage Acts and Practices (MAP) – Advertising Rule. There’s also often a gap between the intent of any new regulation and how marketing teams interpret it.
The risks of not crossing every “t” and dotting every “i” are significant, as evidenced by these recent consent orders. Doing things the wrong way also can mean costly penalties, time-consuming regulatory remediation, and loss of customer trust – which can translate into higher complaint volumes and even lawsuits.
Let’s explore some long-lingering myths about how banks advertise their lending products – and, more importantly, what your financial institution should be doing.
MYTH: Legal and Compliance don’t need to review my ad since I’m the expert in marketing.
FACT: This is the biggest myth that persists in financial services marketing and advertising. Every word you use to communicate has specific and nuanced meanings, and your legal and compliance teams have a responsibility to protect your company and consumers alike. No external ads or marketing materials should be released until you get signoff from your legal or compliance team. It’s not any more complicated than that.
MYTH: Our marketing team knows what Legal and Compliance have told us. We get it, but we need leeway to make our ads eye-catching and even a bit sexy so we can get business in the door. One little word change doesn’t really make a difference.
FACT: Remember how former President Bill Clinton faced legal drilling over his interpretation of the word “is”? You’d be surprised at exactly what a bank must validate before it advertises anything as “free.” That word “free” – and countless more – are triggers, often requiring specific disclosures on how they apply to what you’re advertising right at that moment.
Ideally, your marketing and advertising teams should collaborate almost daily with your legal and compliance teams. Of course there’s going to be some friction between the advertising folks, who see in every color of the rainbow, and the legal and compliance folks, who typically only see in black and white. The important thing is to build processes and procedures that enable effective and efficient reviews of all advertising and marketing materials, and that begins with concepts. When you involve those responsible with compliance up front, they can help rethink an approach in ways that ensure the final ad meets regulatory requirements.
Also, try taking their early “no” to mean “not yet” and be open to ideas on what could translate into an easy reframing. But go to them at the end with an ad that fails on every compliance front, and their “no” will be just that.
When I was at a bank that now has more than $30 billion in assets, my compliance team worked diligently to become a strategic partner to the marketing team. It took some time, but our peers came to see that we never aimed to derail their vision. As our relationship evolved, so did our interactions. In fact, we created a desktop resource that allowed marketers to easily look up the latest laws or match sales terms with the necessary disclosures, delivering a self-service tool that also empowered them to create responsibly and expedite the review process.
Rest assured, the goal of your bank’s lawyers and compliance officers is not to thwart creativity, but to ensure that amazing ad concepts give consumers precise, clear information about the company’s products and services, allowing them to make smart financial decisions. Believe me: Compliance teams want powerful, compelling and even award-winning advertising that brings more revenue in the door, because when you have that, everyone benefits.
MYTH: Our market competitor ran an ad just like that. If they got away with it, then it’s OK and the legal and compliance team is overreacting.
FACT: This is the corporate version of your mother asking you, “If everyone was jumping off a cliff, would you do it, too?” The only truth here is that your competitor ran an ad. You don’t really know if that financial institution “got away with it.” In fact, you might learn not too far down the road that your competitor actually got caught red-handed with a compliance violation. After all, the underlying premise of advertising is to spread the word, and regulators are paying close attention. Frankly, you should be analyzing what your competitors are doing, but I’m not talking about their advertising.
Take a good look at every consent order or other regulatory action you hear about and compare it to what’s happening in your shop. Are you doing things the right way? Are you identifying and avoiding the possible risks in your process? In other words, consider that the teacher has given you every answer to the test, and you don’t want to fail down the road.
MYTH: The bank’s advertising agency developed that campaign – not our internal team – so we’re not going to get in any trouble.
FACT: Time and time again, oversight organizations stress that any third-party vendor – whether it’s an ad agency or a cross-sell phone queue – is a seamless extension of your financial institution. If they get it wrong, so do you. You don’t outsource the compliance responsibility along with the work.
MYTH: All of that applies to my bank or mortgage company – not to me as a loan officer. I’ll post a special offer on my social channels just for my customers.
FACT: Your very title of “loan officer” means you’re an officer of your financial institution, and the same exact requirements apply to you. Without question, the growing influence of social media makes consumer outreach easy, but the brevity and ease of these same platforms also make it more difficult to keep your team members from going rogue. The same compliance standards apply to all of your advertising, including any unsanctioned materials. Every employee needs to understand this responsibility. (BTW, don’t forget about old-fashioned tactics, such as a quick sales flyer that a teller might create and post in a branch. Whether that flyer meets your advertising brand standards is the least of your worries, because you’re most likely out of regulatory compliance.)
MYTH: Getting an internal review takes so much time that we’re losing competitive advantage.
FACT: Doing it right takes a fraction of the time needed to fix things – particularly if you’re cited for a regulatory infraction – and maintains your institution’s reputation.
Yes, a legal or compliance review is another step in your marketing process, but it’s a short blip in the lifetime of a successful business. In my previous role, I was intentional about building interactions with the marketing team that served everyone’s needs as efficiently as possible. If a federal agency comes at you with a consent order or Matter Requiring Attention, you’re going to spend significantly more time finding the root issue, solving for your misstep, gaining regulatory signoff and getting back to work. You also can’t rebuild consumer confidence overnight – even with the most attractive offers in your marketplace. After all, if your customers know you’ve been under scrutiny before, do you think they’re going to trust that you’re being straight with them this time around?
Headquarters: 8000 Franklin Farms Drive, Suite 100, Richmond, VA 23229
©2022 Spinnaker Consulting Group. All rights reserved.