In this new Telephone Consumer Protection Act (TCPA) era, calling your customers isn’t a thing of the past. It’s still okay to reach out to your clients by phone, whether to offer a new product or collect on an overdue bill. But strict compliance with TCPA rules is critical for any business that contacts customers by phone. One of the very best ways you can protect yourself from TCPA exposure is to follow four steps when creating your dialing strategy:

Customer consent: It’s important to maintain and update your customers’ contact preferences and consent to call them. Simply having a phone number on an application isn’t sufficient. Companies are required to have written permission, such as “I consent to calling my cell phone when there’s a problem …” Remember, permission may only be granted by the party who subscribes to the cellular service or who regularly uses that cell phone number.

Landline or wireless?: Your database should also include the phone type for the telephone numbers you have for your customers. The dialing rules differ depending on the phone type, so it’s critical to know the type of phone you are calling or texting.

Verify ownership: Ownership of cell phones should especially be validated to ensure the number hasn’t been reassigned and that the person who gave consent still owns the phone. One call can be made to a reassigned number with no liability, assuming you have no knowledge the number has changed. Repeating the action could lead to fines from $500 to $1,500 per infraction.

Scrub Your Database: Have practices in place to remove any confirmed reassigned phone numbers from your database. This will help to improve your right-party contact rate and save you from potential TCPA headaches.

No one disagrees that calling cell numbers is a risky business, but it can be done if you set the proper workflow in motion. Click here to learn more about Experian solutions that will help to reduce your TCPA compliance risk.
On June 2, the Consumer Financial Protection Bureau (CFPB) proposed a rule aimed at “payday lending” that will apply to virtually all lenders, with a request for comments by Sept. 14. Here is a summary of the basic provisions of the proposed rule. However, with comments, the proposal is more than 1,300 pages in length, and the proposed rule and examples are more than 200 pages long. It is necessary to review the details of the proposed rule to fully understand its potential impact on your products and processes. You may wish to review your current and future offerings with your institution’s counsel and compliance officer to determine the potential impact if major provisions of this proposed rule are finalized by the CFPB.

Coverage

The proposal generally would cover two categories of loans. First, the proposal generally would cover loans with a term of 45 days or less. Second, the proposal generally would cover loans with a term greater than 45 days, provided that they have an all-in annual percentage rate greater than 36 percent and either are repaid directly from the consumer’s account or income or are secured by the consumer’s vehicle.

Ability to repay

For both categories of covered loans, the proposal would identify it as an abusive and unfair practice for a lender to make a covered loan without reasonably determining that the consumer has the ability to repay the loan, or without determining whether the consumer can make payments due, as well as meet major financial obligations and basic living expenses during and for 30 days after repayment. Lenders would be required to verify the amount of income that a consumer receives, after taxes, from employment, government benefits or other sources. In addition, lenders would be required to check a consumer’s credit report to verify the amount of outstanding loans and required payments.
“Safe Harbor”

The proposed rule would provide lenders with options to make covered loans without satisfying the ability-to-repay and payment notice requirements, if those loans meet certain conditions. The first option would be offering loans that generally meet the parameters of the National Credit Union Administration “payday alternative loans” program, where interest rates are capped at 28 percent and the application fee is no more than $20. The other option would be offering loans that are payable in roughly equal payments with terms not to exceed two years and with an all-in cost of 36 percent or less, not including a reasonable origination fee, so long as the lender’s projected default rate on these loans is 5 percent or less. The lender would have to refund the origination fees any year that the default rate exceeds 5 percent. Lenders would be limited as to how many of either type of loan they could make per consumer per year.

Outstanding loans

The proposal also would impose certain restrictions on making covered loans when a consumer has — or recently had — certain outstanding loans. These provisions are extensive and differ between short- and long-term loans. For example:

Payday and single-payment auto title: If a borrower seeks to roll over a loan or returns within 30 days after paying off a previous short-term debt, the lender would be restricted from offering a similar loan. Lenders could only offer a similar short-term loan if a borrower demonstrated that their financial situation during the term of the new loan would be materially improved relative to what it was since the prior loan was made. The same test would apply if the consumer sought a third loan. Even if a borrower’s finances improved enough for a lender to justify making a second and third loan, loans would be capped at three in succession followed by a mandatory 30-day cooling-off period.
High-cost installment loans: For consumers struggling to make payments under either a payday installment or auto title installment loan, lenders could not refinance the loan into a loan with similar payments unless a borrower demonstrated that their financial situation during the term of the new loan would be materially improved relative to what it was during the prior 30 days. The lender could offer to refinance if that would result in substantially smaller payments or would substantially lower the total cost of the consumer’s credit.

Payments

Furthermore, it would be defined as an unfair and abusive practice to attempt to withdraw payment from a consumer’s account for a covered loan after two consecutive payment attempts have failed, unless the lender obtains the consumer’s new and specific authorization to make further withdrawals from the account. The proposal would require lenders to provide certain notices to the consumer before attempting to withdraw payment for a covered loan from the consumer’s account unless exempt under one of the “safe harbor” options.

Registered information systems

Finally, the proposed rule would require lenders to use credit reporting systems to report and obtain information about loans made under the full-payment test or the principal payoff option. These systems would be considered consumer reporting companies, subject to applicable federal laws and registered with the CFPB. Lenders would be required to report basic loan information and updates to that information. The proposed regulation may be found here.
Compliance definitions

LOA, CIP, FACTA, KYC — These acronyms seem endless, and navigating compliance can be both confusing and a painful drain on resources. How do you know the best approach for your institution? Should you look at regulations for Know Your Customer (KYC) or the Customer Identification Program (CIP)? What about the levels of assurance (LOAs) or the Fair and Accurate Credit Transactions Act (FACTA) Red Flags Rule? Does the USA PATRIOT Act affect your industry? The myriad guidelines, rules and mandates surrounding fraud compliance are changing the way organizations do business. Let’s start with some brief definitions.

CIP/KYC

The Customer Identification Program requires banks to form a reasonable belief that they know the true identity of each customer. The CIP must include procedures that specify the identifying information that will be obtained from each customer, along with reasonable and practical risk-based procedures for verifying each customer’s identity. The Know Your Customer provision is a financial regulatory rule mandated by the Bank Secrecy Act and the USA PATRIOT Act. These guidelines focus on prevention of money laundering and the use of financial institutions to finance terrorist activities. This process has three stages: the CIP, customer due diligence (CDD) and enhanced due diligence (EDD). The last two stages address customer risk from an anti–money laundering perspective.

LOA/FACTA (Red Flags Rule)

Levels of assurance regarding identity focus on the extent to which electronic authentication may be used to verify that the individual identified in the input data truly is the same person engaging in the electronic transaction. This can be a daunting task — even the National Institute of Standards and Technology acknowledges that electronic authentication of individual people is a technical challenge when performed remotely over an open network.
To choose the level of assurance that works within your company structure, you must determine what is needed to maintain the internal compliance and risk thresholds for each business requirement. LOAs are based on two categories: trustworthiness of the identity-proofing process and trustworthiness of the credential-management function (which includes technology and implementation/management). There are four LOA levels:

• Minimal Assurance
• Moderate Assurance
• Substantial Assurance
• High Assurance

The FACTA Red Flags Rule requires institutions to establish a program that identifies ecommerce “red flags.” This program should consist of a pattern, practice or specific activity that indicates the possible existence of identity theft applicable to account-opening activities, existing account maintenance and new activity on accounts that have been inactive for two years or more.

Don’t be discouraged

In this world of compliance regulations that read like alphabet soup, we understand the challenges of meeting regulations while providing a frictionless customer experience. When an organization strikes the perfect balance between compliance and customer service, it has a competitive advantage that can lead to additional revenue opportunities (e.g., profitably acquiring new customers, detecting fraud and reducing charge-offs, minimizing operational costs, and improving operational efficiencies). To achieve this, businesses need cost-effective, flexible tools that allow them to meet current and future guidelines, manage risk and ultimately authenticate as many true customers as possible — all while segmenting out only the real fraudsters and noncompliant identities. You can be assured that new regulations will come, existing regulations will be redefined and communications on how to comply will be difficult to interpret. To find out more about compliance, click here.
Accuracy matters. It matters in dart throwing, math calculations, and now more than ever, in data reporting. The Consumer Financial Protection Bureau (CFPB) issued a bulletin on Feb. 3 warning banks and credit unions that if they fail to meet accuracy obligations when reporting negative account histories to credit reporting companies, the result could be bureau action. As noted in the Fair Credit Reporting Act (FCRA) section 623, data furnishers have an obligation to ensure the accuracy of the information furnished to a Credit Reporting Agency (CRA). Violation of these rules presents a variety of risks, and the regulatory agencies have enforced harsh consequences. Avoiding penalties is certainly a strong incentive for data furnishers to implement a formal compliance management system and data quality program. But there are additional benefits to ensuring accuracy – most notably keeping customers happy and loyal, and maintaining a reputable brand in the marketplace.

Today’s consumers increasingly understand the impact of credit scoring and data reporting, and recognize a poor credit score can impact their lives in major ways. Credit is tied to so many milestone financial moments. Securing mortgage loans, auto loans, obtaining low-interest-rate credit cards and securing private student loans can all be derailed with an unfavorable and inaccurate credit report. Not to mention credit reports can influence one’s eligibility for rental housing, setting premiums for auto and homeowners insurance in some states, or determining whether to hire an applicant for a job. To properly serve customers who simply expect a fair and accurate representation of their financial history, data furnishers must be able to guarantee the credibility of their reported data. Those organizations that cannot ensure accuracy put their reputation at risk and may lose a customer’s trust and business.
“Consumers should not be sidelined out of the basic banking services they need because of the flaws and limitations in a murky system,” Cordray said in the bulletin. “People deserve to have more options for access to lower-risk deposit accounts that can better fit their needs.”

The CFPB has handled more than 105,000 credit-reporting complaints in its short history, making credit reporting the third most-complained-about consumer issue. By far the most common type of credit-reporting issue identified by consumers is incorrect information on a credit report (77 percent).* Certainly these mistakes are not made intentionally. But speak to a consumer battling an inaccuracy, especially someone in the midst of applying for credit for a specific need, and frustrations can soar quickly.

All lenders are advised to maintain a full 360-degree view of data reporting, from raw data submissions to the consumer credit profile. Better data input equals fewer inaccuracies. Additionally, there are comprehensive reporting solutions available to assess the accuracy of consumer credit data. The regulatory environment will without a doubt continue to be a hot topic in the media, fueled by announcements such as these by the CFPB, so lenders should take note and identify processes to ensure complete and utter accuracy. It matters in so many ways, so it’s best to make data reporting a priority now, if it’s not already.

*Source: CFPB August 2015 Monthly Complaint Report
By: Wendy Greenawalt

In my last few blogs, I have discussed how optimizing decisions can be leveraged across an organization while considering the impact those decisions have on organizational profits, costs or other business metrics. In this entry, I would like to discuss how this strategy can be used in optimizing decisions at the point of acquisition, while minimizing costs.

Determining the right account terms at inception is increasingly important due to recent regulatory legislation such as the Credit Card Act. These regulations have established guidelines specific to consumer age, verification of income, teaser rates and interest rate increases. Complying with these regulations will require changes to existing processes and creation of new toolsets to ensure organizations adhere to the guidelines. These new regulations will not only increase the costs associated with obtaining new customers, but also the long term revenue and value as changes in account terms will have to be carefully considered.

The cost of on-boarding and servicing individual accounts continues to escalate, and internal resources remain flat. Due to this, organizations of all sizes are looking for ways to improve efficiency and decisions while minimizing costs. Optimization is an ideal solution to this problem. Optimized strategy trees can be easily implemented into current processes and ensure lending decisions adhere to organizational revenue, growth or cost objectives as well as regulatory requirements. Optimized strategy trees enable organizations to create executable strategies that provide on-going decisions based upon optimization conducted at a consumer level. Optimized strategy trees outperform manually created trees as they are created utilizing sophisticated mathematical analysis and ensure organizational objectives are adhered to. In addition, an organization can quantify the expected ROI of a given strategy and provide validation in strategies – before implementation.
This type of data is not available without the use of a sophisticated optimization software application. By implementing optimized strategy trees, organizations can minimize the volume of accounts that must be manually reviewed, which results in lower resource costs. In addition, account terms are determined based on organizational priorities leading to increased revenue, retention and profitability.
Many compliance regulations such as the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time”) offers institutions a viable strategy for balancing the following competing forces and pressures:

• Compliance – the need to ensure each transaction is approved only when compliance requirements are met;
• Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions;
• Risk mitigation – the need to minimize fraud exposure at the account and transaction level.

A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling. Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business.
Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
In my last entry, I talked about the challenges clients face in trying to meet multiple and complex regulatory requirements, such as FACT Act’s Red Flags Rule and the USA Patriot Act. While these regulations serve both different and shared purposes, there are some common threads between the two:

1. You must consider the type of accounts and methods of account opening: The type of account offered – credit or deposit, consumer or business – as well as the method of opening – phone, online, or face-to-face – has a bearing on the steps you need to take and the process that will be established.

2. Use of consumer name, address, and identification number: The USA Patriot Act requires each of these – plus date of birth – to open a new account. Red Flags stops short of “requiring” these for new account openings, but it consistently illustrates the use of these Personally Identifiable Information (PII) elements as examples of reasonable procedures to detect red flags.

3. Establishing identity through non-documentary verification: Third party information providers, such as a credit reporting agency or data broker, can be used to confirm identity, particularly in the case where the verification is not done in person.

Knowing what’s in common means you can take a look at where to leverage processes or tools to gain operational and cost efficiencies and reduce negative impact on the customer experience. For example, if you’re using any authentication products today to comply with the USA Patriot Act and/or minimize fraud losses, the information you collect from consumers and authentication steps you are already taking now may suffice for a large portion of your Red Flags Identity Theft Prevention Program.
And if you’re considering fraud and compliance products for account opening or account management – it’s clear that you’ll want something flexible that not only provides identity verification, but also scales to the compliance programs you put in place, and those that may be on the horizon.
While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis. And meeting today’s regulatory requirements is more complicated than ever. Risk managers and compliance officers are asked to consider many questions, including:

1. Do FACTA Sections 114 and 315 apply to me?
2. What do I have to do to comply?
3. What impact does this have on the customer’s experience?
4. What is this going to cost me in terms of people and process?

Interpretation of the law or guideline – including who it applies to and to whom it does not – varies widely. Which types of businesses are subject to the Red Flags Rule? What is a “covered account?” If you’re not sure, you’re not alone – it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule, while this healthy debate continues. And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay?

But we’re not talking about just protecting consumers from identity theft and reducing fraud and protecting themselves using the Identity Theft Prevention Program. The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering. Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly.
So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule, which causes heartburn for those tasked with compliance…but are there some common themes and requirements across the two? The short answer is yes. In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.