Are You Ready For A CFPB Audit?


On July 21, 2010, President Barack Obama signed into law the Dodd–Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). Among other things, Dodd-Frank established the Consumer Financial Protection Bureau (“CFPB”), an independent government agency under the control of the Federal Reserve and charged with “conduct[ing] rule-making, supervision, and enforcement of Federal consumer protection laws.” Today the problem for the CFPB is that it has been overly effective at that job. There is clear political push back from financial service entities that feel the regulatory environment has become so tight and expensive that normal business operations are unduly constrained. According to a memo that emerged in early February, Jeb Hensarling, the Texas Republic who heads the House Financial Services Committee, has determined to move forward with legislation to weakening the CFPB and its enforcement powers. The basic fact, however, is that the opponents of the CFPB haven’t provided many details about how they envision what comes next. While future rule making could well be curtailed, the rules that are now in place will very likely continue to be aggressively enforced by an existing bureaucratic structure that resents having its powers curtailed.

The 924 page CFPB Supervision and Examination Manual has prompted much hand-wringing within the leadership ranks of those “supervised entities” subject to CFPB enforcement, namely depository institutions and non-depository consumer financial services companies. This article assumes that examination and enforcement will proceed unabated and is intended to illustrate ways to mitigate enforcement risk within those organizations.

Featured Sponsors:


An Overview of the Examination Process

A CFPB examination process generally involves an on-site visit lasting approximately 4 to 6 weeks. An attorney from the CFPB may be present in addition to the examiners.

The examination centers around nine modules: 1) Entity Business Model; 2) Accuracy of Information and Furnisher Relations; 3) Contents of Consumer Reports; 4) Permissible Purposes and Other User Issues; 5) Consumer File and Score Disclosures; 6) Consumer Inquiries, Complaints, and Disputes and the Reinvestigation Process; 7) Consumer Alerts and Identity Theft Provisions; 8) Prescreening, Employment Reports, and Investigative Consumer Reports; and 9) Other Products and Services and Risks to Consumers.





While future rule making could well be curtailed, the rules that are now in place will very likely continue to be aggressively enforced.

Although the CFPB has published an examination manual, one would be wise to focus on the “concepts” or those areas of particular concern to the CFPB.

The stated objectives of the examination are to “evaluate the quality of a supervised entity’s compliance management systems …”, “identify acts or practices that materially increase the risk of violations of federal consumer financial law, in connection with consumer reporting …”, “gather facts that help determine whether a regulated entity engages in acts or practices that violate the requirements of federal consumer financial law …”, and “determine, in accordance with CFPB internal consultation requirements, whether a violation of federal consumer financial law has occurred and whether further supervisory or enforcement actions are appropriate.”

1.) Preparing For The CFPB Audit

Ever wonder why open book tests seem to be the most difficult? Perhaps because there is such a large volume of information but only a few isolated concepts are tested. Although the CFPB has published an examination manual, one would be wise to focus on the “concepts” or those areas of particular concern to the CFPB. For example, consumer protection – not profitability – is a particular concern for the CFPB. If organizational decisions or operations can be viewed as sacrificing consumer protection for profitability, an audit examiner will take notice.

Featured Sponsors:


Generally, CFPB investigations begin with a Civil Investigative Demand (“CID”) addressed to an organization requesting various documentary material, tangible things, written reports, answers to questions, or oral testimony. See CFPB Rules Relating to Investigation, 12 CFR 1080.1, et. seq. (“Rules”). The following checklist is not exhaustive, but can help prepare you for the road ahead.

2.) Take a Deep Breath. You Can Do This.

>>Know that some organizations have done well on CFPB audits. So can your organization with adequate planning and implementation.

>>Assemble a Compliance Team.





In short, organizational and loan compliance begins with the loan application. Time wisely spent on your organization’s policies and loan document systems pays large dividends.

Proactively creating best practices within your organization, supported by knowledgeable professionals, are paramount in mitigating lender risk of non-compliance or adverse findings.

>>Begin to set aside the time, human capital, and financial resources to adequately prepare for an audit. Set aside amounts vary by organization, but are well worth the investment.

>>Internally, identify critical compliance management, operations, and IT personnel. Appoint a project manager (presumably, the Chief Compliance Officer) who will have direct responsibility for the audit process.

>>Externally, identify third party audit companies and attorneys who will provide compliance audits and/or legal advice relating to CFPB requests for documents and overall legal defense. Discuss with an attorney the need for legal representation before, during, and after the audit. Know that examinees also have rights that should be protected and deliverables that can be negotiated with the CFPB.

Featured Sponsors:


>>Ensure that your compliance team does not report to the business unit. This will allow the compliance team to perform independently and avoid any appearance or accusation of undue influence.

>>Stress test and train. Identify strengths and weaknesses. Focus on –and commit to writing—a plan to address and mitigate weaknesses.

>>Prepare critical employees for side-by-side sessions with a CFPB examiner. Use a neutral third party to conduct the training.

3.) Devise a Process to Isolate and Transmit Reliable Data.

>>Work with internal IT to identify Electronically stored information or “ESI” (defined in the Rules as any information stored in any electronic medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form).

>>Understand what data can be converted, stored, and/or transmitted. Address technical issues and move toward the capability to be able to deliver ESI within 30 days of a request.

>>Use sample transmissions to ensure the data will reach and be usable by the end user.

4.) Review and Test Policy and Procedures.

>>Be prepared to provide written policy and procedures for every process in the organization.

>>Evaluate internal controls to ensure that daily operations are in sync with written policy and procedures. If not, revise policy and procedure to coincide with business operations.

5.) Capture and Resolve Consumer Complaints.

>>Develop a method for obtaining and reviewing consumer complaints.

>>Document the handling and resolution of all consumer complaints.

>>Ensure that organizational documentation reflects that consumer complaints are handled timely and efficiently. If not, make necessary changes to correct the problem.

Inconsistency and the lack of organizational cohesion are easy targets for an examiner. With the proper plan and demonstrated action, any organization can avoid these pitfalls.

Penalties For Non-Compliance or Adverse Findings

The CFPB has authority to assess a range of penalties for noncompliance with Federal consumer financial laws. Although they exclude the imposition of punitive and exemplary damages, the remedies available to the CFPB are significant. See Dodd-Frank § 1055, codified in 12

USC § 5565.

1.) Administrative proceedings or court actions. A court (or the CFPB) can bring an action or proceeding to address the violation of any consumer law. Any of the following legal or equitable relief may be imposed, without limitation:

>>rescission or reformation of contracts;

>>refund of moneys or return of real property;


>>disgorgement or compensation for unjust enrichment;

>>payment of damages or other monetary relief;

>>public notification regarding the violation, including the costs of notification;

>>limits on the activities or functions of the person; and

>>civil money penalties.

2.) Recovery of costs. The CFPB, State attorney general, or any State regulator is entitled to reimbursement of its costs after winning an action to enforce any Federal consumer financial law.

3.) Civil Penalties. Monetary penalties issued by the CFPB are assessed according to the following tiers and are adjusted periodically for inflation. See 12 CFR § 1083.1.

>>Tier 1=$5,526 for each day a violation continues or remains unpaid. This applies to any violation of a law, rule, or final order or condition imposed in writing by the Bureau.

>>Tier 2= $27,631 for each day for a person who recklessly violates a Federal consumer financial law.

>>Tier 3= Up to $1,106,241 for each day for any person that knowingly violates a Federal consumer financial law.

4.) Notice and hearing. No civil penalty may be assessed under this subsection with respect to a violation of any Federal consumer financial law, unless i) the CFPB gives notice and an opportunity for a hearing to the person accused of the violation; or ii) the appropriate court has ordered such assessment and entered judgment in favor of the Bureau.

Civil fines obtained from administrative or judicial actions are collected and held in a civil penalty fund that will either distribute payment to victims or fund consumer education and financial literacy programs.

Mitigating Lender Risk Requires Proactive Efforts

In the broadest sense, mortgage compliance takes two forms: organizational compliance and document compliance. The former generally references those policies and procedures implemented by your organization and governing loan officer compensation, scheduled time delays by which your organization issues disclosures and related material upon receipt of a loan application, and loan products marketed to differing locales, to name a few. Document compliance generally refers to inclusion of particular fonts and/or point types as may be required in the loan documents by the particular jurisdiction, inclusion of certain required language defining the borrower’s rights in the loan documents, or other legal mandates governing APR, points and fees, and the like.

While a CFPB examination is intended to address both areas of compliance, loan level data review comes from the compilation and analysis of those hundreds of data points assembled while building the document and/or disclosure package. Make sure the calculations, content, real time updates based upon changes to the law, and internal loan tests (to name a few) are appropriately represented and warranted by the document provider or the law firm preparing the documents.

In short, organizational and loan compliance begins with the loan application. Time wisely spent on your organization’s policies and loan document systems pays large dividends in preparation for the regulator’s arrival.


While news of an impending audit can instantly increase one’s anxiety level, it is important to remember the three main principles that guide the audit process: 1) “we will focus on an institution’s ability to detect, prevent, and correct practices that present a significant risk of violating the law and causing consumer harm;” 2) “the supervision function [of the CFPB] rests firmly on analysis of available data about the activities of entities it supervises, the markets in which they operate, and risks to consumers posed by activities in these markets;” and 3) “In order to fulfill its statutory mandate to consistently enforce Federal consumer financial law, the CFPB will apply consistent standards in its supervision of [depository and non-depository] entities, [using] the same procedures to examine all supervised entities that offer the same types of consumer financial products or services, or conduct similar activities.”

The first word of the Consumer Financial Protection Bureau is Consumer, which is that organization’s first priority. Proactively creating best practices within your organization, supported by knowledgeable professionals, are paramount in mitigating lender risk of non-compliance or adverse findings. At the same time, you are demonstrating a commitment to protect the consumer (and your borrower), which is the resounding principle of Dodd-Frank.

About The Author

Christina Jenkins

Christina Jenkins is an Attorney and Director of Customer Service for the Middleberg Riddle Group in Dallas, Texas, where she oversees day-to day loan document preparation and provides legal counsel to mortgage lenders. Before becoming a lawyer 10 years ago, she held various positions from origination to servicing- in loan operations for two large national banks, a small community bank, and a large non-bank mortgage lender.