Sept. 30, 2016
By John Epperson, CAMS, CFE, Gregg Henzel, and Clayton Mitchell, CAMS
Complying with regulatory and stakeholder requirements is a high-stakes endeavor that could mean the difference between a successful financial technology (fintech) company and one without a sustainable business model. Data and analytics are the keys to monitoring and identifying the risks.
This essential emphasis on compliance comes as regulators and banking partners of fintech companies are stepping up their emphasis on consumer protection. Compliance with regulations specifically used by regulators to address consumer protection (unfair, deceptive, or abusive acts or practices (UDAAP)) and fair lending is becoming more complex and principles-based. Regulators’ expectations for compliance monitoring efforts are increasingly data-driven.
What’s more, because the consumer offerings of fintech companies typically aren’t as diversified as those of banks and other financial services entities, compliance violations that might be a headache for a bank could put a fintech company out of business. Certainly where there is consumer harm, the reputation risk could have a significant impact on the feasibility of the business model: For example, a consumer financial application provider that made app users unhappy by charging undisclosed fees might find that the users have simply deleted the app from their smartphones.
In addition, because fintech companies are reliant on bank relationships and accounts, the companies must seek to adhere to consumer compliance regulatory and due diligence standards expected of their banking partners.
The risks associated with the rise of fintech require solutions that may differ from those at the core of past compliance risk management practices. While not every regulatory compliance risk will be driven by events, oversight needs to account for dynamic factors. The pace of disruption, innovation, development, and new sources of consumer harm have already led regulators to make their focus more data- and event-driven.
In response, fintech companies need to identify data points and combine that information with analytics tools to measure, monitor, and identify areas that require greater investment and risk mitigation. In this way, a fintech company can successfully manage the increased level of regulatory supervision and regulatory agencies’ advanced techniques and confirm that it is in compliance. (Proper management of this information can have the added benefit of revealing new business opportunities.)
As Fintech Evolves, Regulatory Scrutiny Evolves in Parallel
The growth of the fintech industry – along with that of many new forms of payments, virtual currencies, and new platforms for consumer finance – is occurring concurrently with the rise of a much more consumer-focused regulatory regime. The shift of the investigation of consumer financial complaints from the sphere of the Federal Trade Commission (FTC) to the Consumer Financial Protection Bureau (CFPB) for nonfederally chartered banks and other financial services organizations reflects this change in regulatory oversight.
The creation of the CFPB in 2011, and the development of each of the components under its mandate, can be understood as an attempt to address financial services innovations:
- Enforcement and rulemaking. The CFPB’s rulemaking and enforcement responsibilities are designed specifically to address the ongoing growth of new and specialized finance industries and services that may not have otherwise been supervised by federal regulators. The increase in industry segments subject to oversight, in combination with ongoing efforts to expand data collected by the CFPB, enhances the ability of the CFPB to enforce regulatory expectations and identify noncompliant market participants.
- Financial disclosure and consumer education. Two areas to which the CFPB has devoted substantial energy are the clarity of financial disclosures and the creation of content to assist consumers seeking financial services. Both points correspond with the risk of information asymmetries due to the emergence of complex or exotic consumer financial products.
- Monitoring for market risks and consumer response. Following the establishment of the CFPB, responsibility for complaint response and resolution was transferred from the FTC. The CFPB's Office of Consumer Response is responsible for the investigation of each complaint submitted to the CFPB. The focus on consumer response is intended as a means to identify possible institutional failures and help prevent consumer harm. The focus on consumer response and complaint investigation can also be viewed as addressing the possibility of consumer harm from entities with which the consumer may not be able to address their grievances. As of March 2016, the CFPB has published more than 633,000 complaints.
To thrive, fintech companies must finds ways to incorporate new information and innovation into what they can offer consumers. Yet, as they develop new data-driven products – new tools for determining consumer creditworthiness, for example – there’s a risk that regulators might view some of those products as unfair to certain classes of consumers. Therefore it’s essential that, as they innovate, fintech companies also focus on identifying any potential unforeseen consequences that could arise from activities regulators might view as harmful to consumers.
Regulators have begun emphasizing pretesting decision-making models to determine whether they might include factors that could discriminate against any groups. One example is cases in which the use of certain data to make lending decisions might have a disproportionately discriminatory impact on one or more protected classes. In such cases, fintech companies and banks employing financial technology need to be proactive about showing that their algorithms don’t result in illegal discrimination, even if overtly unfair or discriminatory practices are not built into the models.
For fintech companies found in violation of consumer regulations, the implications can be huge. The fines could be significant, and a fintech company found in violation could be prevented from operating in the financial space. What’s more, banking partners might steer clear of a fintech company with regulatory issues or even discontinue the relationships that are in place, which could cripple the company in the marketplace.
The Answers Are in the Data
The significant amount of information available to fintech companies, however, puts them in a good position to identify and analyze any potential compliance issues and to execute the necessary remediation activities. If they don’t know what to look for in that data, however, the task can be overwhelming and seem to provide no additional value. What those companies need is an understanding of four points:
- What regulators are looking for with regard to consumer compliance
- The key risk indicators (KRIs) needed to identify potential areas of vulnerability
- The analytic techniques needed to create the KRIs
- How to identify and collect the data to be used in analytics efforts
Fintech companies’ data risk management activities include data management and data lineage, efforts that support data sourcing, quality, and validation. Having an understanding of the data lineage – along with the execution of data risk management activities – supports the accuracy and integrity of the data. This provides organizations with confidence that the KRIs are providing accurate direction for further investigation.
Because of the increasing reliance on systems and the integrity of data flows in financial services, organizations might face systemic risk factors related to how customers are treated. And the rigor with which regulators address those factors is considerably greater than it was even just a few years ago.
Types of data helpful to fintech companies’ and banks’ consumer protection compliance efforts include:
- Organization-specific complaints and disputes
- Transactional data for compliance, timing requirements, and the like
- Socioeconomic factors and other available customer information
- Census data to impute demographic information and potential prohibited basis factors
- Market and publicly available information, including Home Mortgage Disclosure Act (HMDA) data and the contents of the CFPB’s Consumer Complaint Database
In addition to specific regulatory violations (Regulation E, Electronic Fund Transfer Act, or Regulation Z, Truth in Lending Act, for example), other areas fintech companies would be wise to monitor and analyze include:
- Fair banking, fair lending, and customer treatment including expected versus actual customer treatment
- Disparities in marketing and accessibility to certain groups or populations
- Responsiveness to customer grievances, third-party risk factors, adequacy of models in managing inherent risk factors, and UDAAP dashboards
- Clarity of disclosures and information asymmetry
- Risk of consumer fraud and abuse
- Trends and patterns in fees, first payment defaults, and the like, which can provide KRIs, including anomaly identification
Now that the CFPB is handling financial regulation compliance complaints, and more and more fintech organizations are becoming covered persons under the Consumer Financial Protection Act of 2010, fintech-related companies need to 1) change their approach to complaint management so that it is aligned with CFPB expectations and 2) proactively manage the associated risks. One significant step is recognizing that complaints are the strongest leading indicator companies can use to quickly identify and implement processes for resolving underlying compliance problems. (See sidebar below, “Aligning Complaint Management With the Consumer Financial Protection Bureau.”)
Using Analytics in Compliance Monitoring
Using data analytics in compliance monitoring requires the right mindset, approach, and methodology. When considering compliance management testing, a fintech company’s approach must be based on a recognition of the changes in how data analytics have been used in financial services as well as an awareness of regulators’ more aggressive stance toward data collection and reporting to facilitate industrywide analysis, risk-focused utilization of resources, and enforcement.
Regulators have industrywide information that they can use to identify compliance outliers and to risk-rate companies in order to target those that require greater supervision. Organizations that can identify themselves as outliers and uncover the root cause of any problems can use that information to make the changes necessary to correct them. That sort of self-discovery might be a painful process, but it is less so than the pain of fines and some of the other issues fintech companies can face if found out of compliance with consumer protection regulations.
The use of data analytics in consumer protection compliance efforts provides a number of opportunities for both fintech companies and banks. Among other benefits, they allow the company’s compliance efforts to be proactive and ongoing. Rather than waiting for compliance problems to emerge, the company can identify potential problems early and take necessary action to correct them. Employing data analytics can also:
- Expand the breadth and depth of the rules and regulations companies are able to examine
- Enable the study of large populations rather than just samples of consumers
- Help fintech companies and banks make better decisions about their use of risk models
- Enhance processes to meet regulators’ data reporting requirements
- Help identify systemic compliance risk factors and promote the alignment of remediation efforts with those of vendors
Using data analytics in compliance efforts is not without obstacles. Achieving greater depth and breadth of data analysis often necessitates a significant initial outlay of capital. In addition, moving beyond the checklist approach to compliance that is common at many organizations involves cultural changes and stakeholder communication efforts – and gaining the necessary buy-in is likely to require time and effort.
There’s also an issue of the talent required. Using data analytics to monitor consumer protection compliance requires staff with both functional expertise in compliance and a detailed understanding of data. The combination might not be easy to find and could necessitate assembly of cross-functional teams. In some cases, it might be necessary to add employees with particular areas of specialization or to look to a third-party service provider for assistance.
Additional challenges that must be overcome include issues of data integrity and data acquisition, the upfront costs of creating the compliance analytics program, the scarcity of internal resources, and the determination of the costs and benefits of using data scientists for risk management efforts rather than for building the business.
Preserving Essential Relationships
Even if a fintech company has always had a strong consumer compliance program, it won’t necessarily remain so as regulators focus more closely on consumer protection. In a period of changing regulatory emphasis, the compliance target for fintech companies isn’t stationary but instead always moving; what worked in the past may not address the present-day challenges.
Meanwhile, as banks step up their third-party risk management efforts, their recognition of the change in the regulatory climate means that more and more of their risk management efforts are consumer-focused as well. As much to maintain their essential relationships with banks as to avoid consumer protection compliance problems, fintech companies must proactively and aggressively monitor their activities to head off potential consumer protection compliance issues.
For fintech companies – as well as banks and other financial services organizations involved in financial technology activities – the answer is in data and analytics. To increase the effectiveness of their consumer protection compliance efforts – particularly in the face of current regulatory priorities – entities must understand the data they process, make sure they have the data they need, and use that data in conjunction with exploratory analytics to identify and correct potential compliance issues.
Aligning Complaint Management With the Consumer Financial Protection Bureau
Regulators have emphasized consumer complaint investigation and response as core components in the administration of UDAAP programs for fintech and nonfintech companies alike. The handling of consumer complaints is a process that many brick-and-mortar organizations may have in place, but the appropriateness of a particular process depends on the nature of the business as well as the possible triggers of consumer harm or grievance.
Numerous entities facing CFPB scrutiny have needed to create or enhance complaint management programs specifically to address UDAAP and fair lending risk factors. Following are some sound practices for aligning complaint management with the CFPB:
- Identify possible sources of consumer feedback and complaints.
- Determine the specific data points or types of complaints that need to be monitored on an ongoing basis.
- Construct a taxonomy of complaints that would represent specific attention based on risk of UDAAP or fair lending noncompliance. This could include specifically identifying complaints related to areas representing higher compliance risk such as impermissible contact activity or assessment of fees.
- Cross-reference the company’s complaint activity trends with those represented through external data sources such as the CFPB complaint database.
- Develop specific thresholds that address both deviation from historical norms and areas that may require escalation and investigation.
- Identify the process stakeholders who would need to have access to the output of complaint metrics and the steps required for ongoing administration of that information.