In the mortgage industry, the potential for an audit by the Consumer Financial Protection Bureau (CFPB) is often associated with either fear or uncertainty. The level of invasiveness and the intensity with which the CFPB expects to conduct its audit could cause concern, but at the same time an organization’s existing compliance framework should also be established in such a way that successfully managing a CFPB audit is considered standard operating procedure.
At the root of a CFPB audit is the intent to determine if mortgage companies are complying with the federal guidelines designed to protect consumers from unfair lending practices. Central to ensuring adherence is a robust policy and procedure management framework that is designed to allow organizations to determine if their internal structure supports the requirements they are expected to uphold. That’s why in many ways the CFPB audit is as much an examination of adherence to policy as it is a thorough shake-down to ensure that internal culture reflects a consumer-first approach to lending practices.
So what can you do to prepare? Well, understanding the need to build a sufficient compliance infrastructure before the CFPB comes knocking is step one, and this article will take a closer look at how to not just survive an audit, but to build a culture that adheres to federal policy while making lending practices defensible and completely transparent to auditors.
Being prepared beats being aware
In addition to the obvious goal of not falling out of compliance, adhering to established policy management practices is also vital for being prepared for an unexpected visit from the CFPB. Audits are announced with only a few weeks’ notice—if your house isn’t in order by the time the audit is scheduled, it’s likely too late to establish a track record of building internal policies that show evidence of protecting consumers and training employees to act in accordance with CFPB best practices. Auditors look for high comfort levels among employees of a targeted mortgage firm to determine if they convey a sense of familiarity with CFPB policies and an awareness of the regulations put in place to protect consumers when securing a mortgage.
However, even as internal policies are established, there’s still more to do to ensure compliance with CFPB guidelines. Third-party servicing operations must also be managed and aligned with the compliance footbridge due to the sheer volume of parties involved in servicing a mortgage. In today’s environment, the lender has been made responsible for ensuring that third parties are meeting the consumer protection guidelines established by the CFPB. While this may seem like yet another hurdle for mortgage firms to overcome, by applying the same regimented and organized approach used internally to third-party vendor relationships, an audit can be an entirely manageable process.
Establishing a framework in the weeks leading up to an audit will inevitably cause panic, and delaying an audit can raise eyebrows. There is an inherent value in adopting a “strength through policy” attitude to ensure that a lender isn’t just surviving an audit, but also benefitting from having a reputation as a consumer-minded organization.
How to build a CFPB-ready culture
Of course, building a framework to prepare for an audit is easier said than done. But below are some basic steps to take that will help make the process less daunting and bring some perspective to what auditors want and why they need it when embarking on an audit.
1. Start preparing before the audit even develops: This is a critical first step in avoiding a mad scramble, stressful meetings, poor deliverables, angry management, bad findings, etc. The CFPB offers limited notice as to its intent to audit a firm, which means there’s no such thing as being over prepared. Ensure your executive team is bought into the investment and understands the value of preventive and not reactive compliance.
2. Start with a policy management program that includes comprehensive consumer coverage: Policies and other documents are typically requested before the CFPB audit team comes on-site. Having these materials organized, consistent and with documented review dates, changes, approvals, certifications and training is essential to getting started on the right foot.
3. Make sure your procedures and department level activity is aligned with your policies: Polices that don’t have supporting procedures that can be explained by the front lines (the business departments) are just shelfware risks waiting to be exploited. Know that you can answer the question of “how are you enforcing and executing this policy?” Being able to provide proof of both quickly can demonstrate you’re on top of the issues.
4. Consumer data and flow of information is critical: Expect that an audit could “follow the data” from your organization out to any of the third-party services that are involved in mortgage transactions (escrow agents, title insurers, brokers, closing agents, etc.), or within other vendors like customer service centers. Your third-party monitoring is critical in the eyes of the CFPB to protect the consumer—which is why this should be a top-priority program to have running on all cylinders.
5. Be effective at coordination, information gathering and explanation: Have a structured process for what to do when an audit happens, who will be the lead, how document requests to various groups will be handled and which reporting format will be used to present and detail the information. Having everyone know that “all hands on deck” are required and how to respond to inquiries is essential in showing the company’s internal strength in terms of execution, consumer protection and transparency within processes.
What the CFPB wants
While an audit can become a significant time burden and quite invasive, it’s important to remember than unlike the IRS, the CFPB isn’t there to analyze your bottom line: They are acting on behalf of the consumer. This is why the CFPB’s Supervision and Examination Manual places an emphasis on inspecting a firm’s practices to determine if any violations exist that can potentially violate the law or cause consumer harm. Above all else, the CFPB wants to enforce uniformity among lenders—that is, to make sure every firm abides by the same federal requirements to adhere to fair lending practices and protect the borrower.
As mentioned earlier, this commitment to protecting the consumer must be evident within third-party vendor relationships in addition to your own organization. By constructing a defensible policy framework and working with partners that support your internal procedures, it becomes possible to not only survive a CFPB audit but to effectively work collectively with auditors to demonstrate the impact your organization has on protecting the consumer interest when applying for a loan throughout the chain of parties involved in fulfilling it.
With the constantly changing regulatory landscape and the sheer number of relationships with partners, vendors and customers, corporate policies have never been so important. Today, policies not only guide how firms should operate, but have also become the primary means to evaluating an organization’s reputation.
Automating for a better tomorrow
For years, even decades, enterprises have managed policy workflows, versions, certifications, changes and exceptions/incidents with manual tools and, more recently, passive document libraries.
But as the body of regulations grows, changes become more urgent, and the number of interested stakeholders expands—which means static repositories are no longer minor annoyances, but a major cause for disruption.
Today, new technology solutions exist that replace spreadsheets, network drives and intranets with a simple, standard process for administering policy lifecycles, certifying communications, assessing performance, and managing exceptions and issues. Cloud-based platforms can provide direct and immediate access to the policies and procedures your employees and vendors need to fulfill their obligations in accordance with your standards.
In a world where governance is stringent and policies can change in the blink of an eye, mortgage firms deserve every advantage they can find—and automating key compliance tasks to ease due-diligence response efforts gives lenders a major leg up.
Todd Boehler is vice president of Product Strategy for ProcessUnity. For nearly 20 years, Todd has served in product management and strategy roles for leading technology providers. In 2003, his governance, risk and compliance (GRC) startup was purchased by Stellent, which was soon after bought by Oracle Corporation. Todd worked for Oracle for seven years before joining ProcessUnity in 2014.
This article originally appeared in the March 2016 print edition of National Mortgage Professional Magazine.
