Channel | Actuary

Will CFPB Regulations Trickle Down to Providers & Administrators?

Tim Roncevich lends his insight on how you can prepare for changes in CFPB Regulations.
By: Tim Roncevich

Will CFPB Regulations Trickle Down to Providers & Administrators?

Alright, as an owner or executive of a company, waking up in a cold sweat at 2am happens more often than you would like. There are many different reasons for this (e.g. stress over money, kids, a big business relationship, heartburn from eating a meatball sub too late at night, etc.), but regardless of the reason, it is always unpleasant (especially the meatball sub). For some, the fear of the unknown is the worst kind of insomnia. You may think, “what can happen tomorrow which can cause everything we have built to come crashing down?” If only we could channel our inner Nostradamus and be prophetic in our thoughts about the future.

Being unprepared and caught off guard by something we could have prevented is the worst kind of feeling. However, if it is impossible to predict the future, how can we make good business decisions today? A good place to start is to look around at other industries to try to identify trends. When it comes to regulatory trends, these tend to spread from one industry to another. When asked about new government regulations, there are few who see this as a positive in their business. As many are aware, the Consumer Financial Protection Bureau (CFPB) is expanding their reach into the F&I space. As a provider and administrator, you may feel this move by the CFPB does not directly impact your operations. However, regulations tend to beget more regulations. Let’s take a look at a completely unrelated industry for a hint at how P&A companies can be affected by CFPB oversight to nonbank auto finance companies.

Title and Escrow Industry

In April 2012, the CFPB issued Bulletin 2012-03 titled “Service Providers”. The CFPB bulletin included expectations around supervised banks and non-banks (i.e. lenders) to oversee business relationships, including compliance initiatives, with their service providers. The bulletin was meant to ensure practices were in place to meet Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm. Since title and escrow companies are considered “Service Providers” to lenders, they now had to create compliance programs to demonstrate their internal controls to their lenders.

The title and escrow marketplace was baffled on the best way to demonstrate adherence to the new CFPB guidance. Amid the fog of uncertainty, the SSAE 16 (also known as SOC 1) audit became the prevailing compliance vehicle of choice when meeting the CFPB requirements. This is due to several reasons, the primary ones being; (1) the scope of the audit focused on internal controls and (2) the audit had to be performed by an independent CPA firm. To be clear, the CFPB never issued guidance “requiring” title and escrow companies to undergo the SSAE 16 audit. However, since most lenders have a preferred set of trusted title and escrow companies they typically use, it is up to the lenders discretion to monitor enforcement of compliance for their vendors. As such, although the SSAE 16 is not required, many lenders are choosing to only submit title and escrow orders to those companies who can produce evidence of a competent internal control environment which was independently audited by a CPA firm. Hence, the SSAE 16 audit is the compliance vehicle of choice.

We have seen the CFPB require lenders to monitor compliance activities of service providers. How many providers and administrators consider themselves “service providers” to lenders? Sure, no company wants their hand forced to expend precious company resources (both time and money) to comply with new government regulations. Unfortunately, we all know you can’t fight city hall. Instead of being proactive, many title and escrow companies are in reactionary mode. Reacting to compliance initiatives tends to create additional stress on internal resources, costs more money, and puts off more strategic initiatives until the compliance program is in place.

On the other hand, some title and escrow companies are choosing to be proactive. Leading from the front, rather than following from behind, is a good place to be. Besides the competitive and strategic advantages a good compliance program creates for a company, the company is also in a much better position to manage the timing of its compliance initiatives against other internal projects.

What can P&A companies do to prepare?

Clearly, title and escrow companies were caught off guard by the CFPB bulletin. Prior to the CFPB bulletin, formal compliance programs to test internal controls, although excellent business practice, was never on their radar. To these companies’ shock and dismay, they now had to create a formal internal control environment and prove the controls were in place.

Being good stewards of the company coffers is a prime reason you are in the position you are in with your company. Spending money on a “nice to have” and not a “need to have” can be a tricky sell. However, compliance is not going away anytime soon. Rather, compliance requirements will likely accelerate now and into the future. Even if spending money on a formalized compliance program may not be in your budget, there are things you can do to minimize costs while still moving in the right direction. The most basic start to a good compliance program is a strong set of policies and procedures. Not only do policies and procedures provide guidance on your internal control environment, they also provide a means of sharing knowledge transfer, which provides the added benefit of making sure key operational knowledge does not quit and walk out of your front door. Once you have a solid set of policies and procedures in place, you can then take your compliance program to the next step.

Choose the right Compliance Programs

The key to any good compliance program is flexibility. The goal is to design your internal controls to meet as many compliance initiatives as possible (e.g. SSAE 16, PCI, ISO 27001, common questions found in customer information security questionnaires, etc.). Many times, you can design an internal control structure which has controls that meet multiple compliance requirements. This is not only cost effective, but also creates a streamlined compliance program. The best time to design your compliance environment is before you are forced to undergo an audit to comply with a contractual obligation. I have spoken to many companies who have agreed to undergo compliance audits as part of the terms and conditions of doing business with a customer. Unfortunately, they executed the contract only to find out what they agreed to was excessive and cost prohibitive. A good, ethical CPA firm will give you advice before you lock yourself into a bad contractual agreement.

This article was written by:

- has written 5 posts on P&A Magazine.

Tim Roncevich is the co-founder SSAE 16 Professionals, a CPA firm specializing in SSAE 16 audits and other IT compliance reports. Roncevich is a Certified Information Systems Auditor (CISA). Roncevich is responsible for spearheading the SSAE 16 and SOC 2 methodology for the firm. Roncevich has performed over 200 SSAE 16 or SOC 2 audits throughout his career. Other areas of his expertise include operating system, database, and application control structures; IT security; protection of physical assets including critical servers; development and testing of IT general controls and change management processes.

Contact the author

The views expressed by the authors and those providing comments are theirs alone, and do not necessarily reflect the views of P&A Magazine or any employee thereof.

Leave a Reply

css.php