The CFPB published its Supervision and Examination Manual (the “Manual”) on October 13, 2011, designed to provide CFPB examiners with direction on how to determine if providers of consumer financial products are complying with consumer protection laws. The CFPB’s press release states that the Manual incorporates procedures already used by other federal regulators. The Manual does simply recite certain interagency procedures, such as for fair lending examinations. At the same time, the Manual addresses new Dodd-Frank concepts, such as unfair, deceptive and abusive acts or practices.

The CFPB will use the Manual initially to supervise the more than 100 large banks, thrifts, and credit unions that are subject to the CFPB’s examination authority pursuant to the Dodd-Frank Act (those with total assets over $10 billion, as well as their affiliates). The Bureau’s examiners will also ultimately use the Manual to supervise non-depository consumer financial service companies (e.g., mortgage lenders), with the stated goal of promoting “fair, transparent, and competitive consumer financial markets where consumers can have access to credit and other products and services, and where providers can compete for their business on a level playing field where everyone has to play by the rules.”

The CFPB Examination Framework and Philosophy

While only certain entities will be subject to CFPB examination, the Manual outlines an examination approach that is illustrative of the Bureau’s bend on matters over which it has rulemaking authority. This is particular true of its view of its authority over matters it considers unfair, deceptive or abusive acts or practices (UDAAP).

Like other bank regulators, the CFPB will prepare for examinations by gathering and reviewing a wide array of regulatory and public data about an institution:  state and/or prudential regulator reports of examination and correspondence, enforcement actions, state licensing and registration information, complaint data, call reports, HMDA LARs, HAMP data, fair lending analyses, SEC or other securities-related filings, the institution’s website and advertising, and, among other things, “newspaper articles, web postings, or blogs that raise examination related issues.” The CFPB will then contact the institution about the examination and prepare its customized Information Request.

The CPFB’s “Risk Assessment” is a living document—a profile of a particular institution that will be maintained and used to guide its examination and supervision generally. As stated in the Manual (emphasis added):

CFPB’s Risk Assessment is designed to evaluate on a consistent basis the extent of risk to consumers arising from the activities of a supervised entity or particular lines of business within it and to identify the sources of that risk. “Risk to consumers” for the purpose of the CFPB Risk Assessment is the potential for consumers to suffer economic loss or other legally-cognizable injury (e.g., invasion of privacy) from a violation of Federal consumer financial law. The risk assessment includes factors related particularly to the potential for unfair, deceptive or abusive practices, or discrimination. Two sets of factors interact to result in a finding that the overall risk in a business or entity is low, moderate, or high. The first set of factors relate to the inherent risk in the particular line of business or the entity overall. The second set of factors is the quality of controls that manage and mitigate that risk. The Risk Assessment also includes a judgment, based on current or recent information, about the expected change in the overall risk: decreasing, increasing, or unchanged.

The Risk Assessment provides the basis for an institution’s “Supervision Plan”—the Bureau’s custom approach to supervising a particular depository institution and its affiliates and for allocating supervision resources. A sample Risk Assessment is provided beginning on page four of the Manual’s Part III.

As with any other bank regulatory examination, the examination process would conclude with an exit meeting with management, the assignment of a rating, and the production of a Report of Examination (“ROE”). Prior to delivery of the ROE, the CFPB will submit its draft report to the entity’s prudential bank regulator, if any. If the report concerns other types of regulated entities, opportunities for comment by state regulators will depend on whether CFPB is conducting joint or coordinated examinations with the relevant state regulators.

The CFPB will also require a meeting with a supervised entity’s board of directors or principals when or more of the following circumstances are present:

  • The proposed compliance rating is “3,” “4,” or “5”;
  • An informal supervisory agreement or formal enforcement action is recommended; or
  • The supervised entity’s management, board, or principals requests such a meeting.

Unfair, Deceptive or Abusive Acts or Practices

One section of the Manual provides new insight into the CFPB’s intended use of its authority under Dodd-Frank to prohibit what it considers to be an “unfair, deceptive or abusive act or practice.” Under the Dodd-Frank Act, it is unlawful for any provider of consumer financial products or services to engage in any unfair, deceptive or abusive act or practice. The Act also provides CFPB with rulemaking authority and, with respect to entities within its jurisdiction, enforcement authority to prevent unfair, deceptive, or abusive acts or practices in connection with the provision of consumer financial product or services or offers to do so.

While standards for what is “unfair” or “deceptive” are somewhat established, the CFPB’s ability under Dodd-Frank to regulate practices it considers “abusive” is new territory. Under the Act, an act or practice is not “abusive” unless it:

  1. Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or
  2. Takes unreasonable advantage of –
    a. A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;
    b. The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
    c. The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

Unlike its overview of the “unfair” and “deceptive” legal standards, the Manual does not—and arguably could not yet—provide examples of enforcement activity based on practices that are “abusive.” The Manual does, however suggest an approach to the new standard:

Based on the results of the risk assessment of the entity, examiners should review for potential unfair, deceptive, or abusive acts or practices, taking into account an entity’s marketing programs, product and service mix, customer base, and other factors, as appropriate. Even if the risk assessment has not identified potential unfair, deceptive, or abusive acts or practices, examiners should be alert throughout an examination for situations that warrant review.

Needless to say, the list of materials subject to CFPB review and transaction testing in a UDAAP analysis is comprehensive. More significantly, the template Risk Assessment provided in the Manual illustrates the CFPB’s potential reach. Many items on the Assessment’s “risk checklist” are qualitative and/or highly subjective:

“Products are bundled in a way that may obscure relative costs.”

“The terms of the product are subject to change at the discretion of the entity, and the entity has frequently made changes in the terms.”

“Complex products are marketed to consumers not likely to benefit from them or who may be likely to be harmed by them.”

CFPB architect Elizabeth Warren has said that the Bureau’s focus will be on improving disclosures, not prohibiting products. In the first iteration of the Bureau’s Examination Manual, there is room for both approaches. Describing an element of the test for “unfairness,” that the injury caused by an allegedly harmful product was “not reasonably avoidable,” the Manual states (emphasis added):

A key question is not whether a consumer could have made a better choice. Rather, the question is whether an act or practice hinders a consumer’s decision-making. For example, not having access to important information could prevent consumers from comparing available alternatives, choosing those that are most desirable to them, and avoiding those that are inadequate or unsatisfactory. In addition, if almost all market participants engage in a practice, a consumer’s incentive to search elsewhere for better terms is reduced, and the practice may not be reasonably avoidable.