Living in the Regulatory World – What Happens, What Do I Do?

As Fintech companies move more and more into consumer financial services products, they move deeper and deeper into areas that are traditionally highly regulated. Even when they are providing services to a financial institution, they can face such regulatory scrutiny. This Fintech Flash will look at what type of regulators and scrutiny Fintech companies can face, what regulatory interactions can be like, and what Fintech companies can do to prepare for regulatory examinations.

Regulatory Interaction with Fintech Companies

Fintech companies can take on different roles in regard to consumer financial services. A Fintech company might be directly providing financial services or products to consumers. More often, the Fintech company may be “partnering” with a regulated financial institution such as a bank, performing various originations or servicing functions for the other institution.

State Regulatory Oversight

Regulators can touch Fintech companies in a number of ways. If a company is acting as a lender itself, it likely will need to be licensed in any states in which it does business, and will face the regulatory scrutiny of those states’ financial institutions and financial services regulators. In some states, even if the company is not itself acting as a lender, it may need to be licensed by a state agency. And in any state, the attorney general may examine companies to determine if they are complying with licensing and regulatory requirements, and to determine if they are violating any consumer protection laws or are being unfair, abusive or deceptive in their business practices.

State licensing and regulatory agencies may examine a company, either routinely or only when they believe there may be an issue that needs to be examined. If there is a specific issue of concern, state attorneys general may also start formal investigations of companies, and subpoena their records and witnesses (or may proceed with pre-investigation information requests).

As a result of examinations or otherwise, if state regulators identify serious issues, their state laws may give them various tools to limit a business’s activities or punish a business. The specific tools state regulators have available vary state by state and agency by agency, but may include the ability to impose fines or penalties, order restitution to customers, demand that a company cease and desist certain practices or the offering of certain products, or even, in extreme cases, revoke a license or order the company to cease doing business in the state.

State attorneys general usually have the power to bring law suits against companies for violations of licensing laws, consumer protection statutes, or other laws, including, in some instances, criminal statutes.

Federal Regulatory Oversight

There are a number of ways in which federal regulators can oversee Fintech companies. Perhaps most important, any business that provides consumer financial services may find itself the subject of an investigatory process that allows the Consumer Financial Protection Bureau (CFPB) to examine it and to bring enforcement actions if the CFPB has reason to believe the business is violating consumer statutes that the CFPB has authority to enforce. Examples include the Truth in Lending Act, the Real Estate Settlement Procedures Act, the Fair Debt Collection Practices Act, the Fair Credit Reporting Act, Regulation E, which governs electronic payments, and Regulation Z, which governs consumer loans. The CFPB may also have the ability to conduct enforcement investigations and examinations of Fintech companies that provide services to certain consumer financial services companies. This may include payment processors, companies that aggregate consumer information, and companies that provide services related to making, servicing and collecting consumer loans.

Many Fintech companies could also find themselves subject to broader federal supervisory oversight, as opposed to the enforcement authority of the CFPB. Thus, if a Fintech company provides products or services to a federally regulated bank, and especially if those products or services relate to the bank offering consumer financial products or services, the Fintech company may find itself under the supervisory jurisdiction of a federal banking regulator such as the Federal Deposit Insurance Corporation or the Office of the Comptroller of the Currency. Additionally, the CFPB has supervisory jurisdiction of companies that supply services to certain large providers of consumer financial products or services.

If a Fintech company finds itself under the supervisory jurisdiction of a federal regulator, it can be subject to supervisory examinations and other oversight. If a Fintech company is large enough, such federal regulators may maintain examiners on site on a full-time basis. Whether or not they maintain examiners on site on a full-time basis, federal supervisory regulators can bring specialist examiners to examine various aspects of a company’s operations on a periodic basis. Like state regulators, federal supervisory regulators may have the power to impose fines or penalties, order restitution to customers, demand that a company cease and desist certain practices or the offering of certain products, or even, in extreme cases, revoke a license or order the company to cease doing business.

How Regulators Conduct Examinations

Regulators have different examination processes and procedures, but all follow similar patterns.

Because the examined company must provide facilities (desks, computers, etc.) for the examiners, the regulator will normally advise as to how many examiners will participate and how long the examination will last.

Normally, regulators announce the topic or topics of an examination. Sometimes, the topic can be broad, such as an examination of an entire consumer loan origination operation. Other examinations may be more focused, looking at one or more subparts of a larger operational area (such as collection practices within loan servicing).

Examiners will usually send lists of what types of documents they will want available, and what topics they will want company personnel to be able to discuss. Most examination teams conduct an introductory meeting to go over the material they asked for, to discuss operational or logistical issues, and to help identify which personnel they should interview.

Either prior to the examination, or during it as they learn more about a company’s operations, examiners will identify further documents they would like to review, and specific personnel with whom they wish to meet. Most examinations will involve the examiners reviewing individual loan files and other operational files, as well as looking at compliance and risk and technology management of a certain process. In doing so, the examiners review the adequacy of the design of a particular process or product, based on policies, procedures and interviews with personnel. Then, examiners review real loan files, executed transactions and complaints to determine whether the product or process is functioning as designed, and is in compliance with the law. Examiners also consider whether a company has adequate supervision over its own operations, such as internal monitoring, audits and a system for handling malfunctions identified internally or externally through complaints and regulations.

If examiners identify an issue or problem during the examination, they will normally advise the company during the examination. It is a good practice to hold weekly meetings with examiners to ensure examiners can communicate potential issues as soon as possible. This permits the company time to provide additional information to correct examiners understandings and minimize their concerns. It also permits companies to begin correcting any identified issues. Companies are expected to start dealing with such issues immediately, and prompt correction of issues may be reflected favorably in examiners’ conclusions.

Examiners hold exit meetings with the examined company, reporting (usually orally) on the findings of the examination. If the company has been diligent in communicating regularly with examiners throughout the examination, the findings delivered in the exit meeting should normally not be a surprise. The exit meeting allows the company a chance to respond to the examiners’ findings, and gives the company a heads up as to the likely content of the final examination report. Examiners often continue their review of the company’s responses to potential issues after the exit meeting, so it is crucial to ensure that examiners leave the exit meeting with an accurate understanding of the company’s operations. The final examination report sets forth the findings of the examiners, providing a scaled rating of the company in various areas that were examined. Specific problems are identified, with usually detailed statements of what types of corrections or changes the examiners want made. The report will often indicate what further sanctions, punishments or restrictions may be imposed if the indicated changes and corrections are not made. Some reports require the company’s board of directors or executive managers to submit a formal response and plan of action to remediate the issues identified during the examination, and may impose stiff penalties for failing to do so.

When the regulator later re-examines the same topics, the final examination report is the template they use to determine if identified problems and issues have been addressed, and if further sanctions, punishments or restrictions are needed.

Key Goals in Establishing Examination Management Processes

• Have all problem issues identified before the examination, and to the extent possible and as appropriate, corrected before the examination. Self-identification and self-correction of problems is a key indicator to examiners that your company takes its regulatory and compliance obligations seriously.
• Maintain communications with examiners during the examination. If the examiners can do follow up in real time on things they have seen, matters that at first glance may seem problematic to them can be explained in a fuller context. Many problems the examiners identify can be resolved or explained quickly before the examination ends.
• Be responsive and prompt in following up on any examiner requests. Be especially responsive to any issues identified by examiners.
• Do not misinform examiners; provide accurate information to them, and avoid communications that confuse or mistakenly broaden issues. It is important that examiners understand what they are seeing. Imprecise language, generalized responses and other incomplete or inaccurate information can lead them astray or waste their time. Be sure materials created or produced are responsive, relevant and vetted.
• Do not provide either written or oral information that appears superficially responsive to an inquiry, but actually does not address the information requests of the examiner. This can lead to confusion, the examiners thinking they have the correct information when they do not, or examiners going down unproductive “rabbit holes.” Ensure examiners have a complete and accurate understanding of the potential issue, but be wary of over-producing information that examiners did not ask for.
• Make any long-term corrections needed and maintain communications with the agency on a go-forward basis after the examination. Providing consistent feedback and updates on any actions adopted to correct identified problems helps the regulator see that you are cooperative, and that the substantive issue is only a temporary concern.

Some Practical Tips to Meet the Key Goals

There are some basic process steps companies can take to ensure that they are better able to meet the above key goals for examination management:

Pre-examination

• Self-examine areas to be reviewed by examiners:
  • Have a cross-functional team look at whether there are issues in any of their areas.
  • Address all issues prior to examination start.
  • Pay special attention to highly sensitive areas, or areas where the company has had operational difficulties, high turnover, etc.
• Identify what policies, procedures apply to areas to be reviewed by examiners:
  • Have a cross-functional team review all such policies and procedures.
  • Identify gaps in existing policies and procedures.
  • Create policies and procedures to bridge gaps, if needed, before the examination begins.
  • Update or amend policies and procedures as needed before the examination begins.
• Review any subject policies and procedures that have not recently been reviewed (including any that have not been reviewed within the time period required by company practice), and thoroughly document the review.
• Identify sample files for issues being examined.
• Document the company’s existing quality control and audit processes, for example, by creating review procedures, and publishing reports. Failure to document processes may result in examination findings that such processes are inadequate.

During the Examination

• Establish protocols for responding to examiner requests for information and documents.
  • Identify a single point of contact who can serve as an efficient liaison, is knowledgeable enough about the company to triage requests to the relevant teams or individuals, and can track outstanding requests and responses in an organized manner.
• Have a process to respond to requests for existing documents and requests to create new documents:
  • Ask the examiners to direct requests to your single point of contact.
  • To the extent possible, have a team review all specifically requested documents.
  • Ensure the documents are truly responsive.
  • Ensure the documents do not inadvertently create “rabbit holes.” 
  • If the documents are not directly responsive, find other documents that are more responsive.
• Determine which personnel are likely to talk with examiners.
  • Prepare key and less experienced employees, using identified documents.  
  • Make sure all employees know they are to be cooperative, and are not to hide information. 
    • They should be responsive and open, but not provide extraneous information,
    • They should not guess at answers – it is appropriate to tell examiners you will confirm your information before providing a response, as long as you follow up in a timely manner.
    • They should be encouraged to use precise language – especially technical terminology – in the manner intended and commonly understood.
• Schedule regular, weekly meetings with examiners.
  • Ask examiners to communicate about their progress and potential findings.
  • Provide updates on steps to address issues previously identified by the examiners.
• Correct problems examiners identify during examination. 
  • Commence corrections before examination concludes, even if it is temporary fix.
  • Create a detailed action plan to make permanent changes post-examination if they cannot be completed during the examination.
    • If possible, submit the action plan to examining agency before the examination ends.

After the Examination

• Be available to the lead examiner between the time the examiners leave and when the  final examination report is completed. Answer follow-up questions promptly. 
• Upon receiving the examination report, determine whether a formal response to the agency is required. 
• Develop action plans to correct issues identified in the examination report, as well any issues or recommendations orally discussed during the examination which do not appear in the examination report.
• Provide periodic updates on the progress of all action plan items to the examining agency. 
• Meet all deadlines in the action plans.