Posted by: David Schneier
Add new tag, assess, assessment, assessments, bank, banking, banking crisis, banks, community bank, compliance, compliance officer, compliant, control, credit, credit card, data security, Dodd-Frank, economy, enterprise risk, enterprise risk management, ERM, exam, examination, examinations, examiner, examiners, exams, Federal Reserve Bank, FFIEC, financial, financial institutions, framework, information security office, lending, LinkedIn, mortgage, NCUA, NCUA Sheila Bair, NPPI, observations, oversight, personally identifiable informaiton, PII, policy, privacy, procedure, regulation, regulations, regulations audit, regulatory, regulatory guidance, risk assess, risk assessment, risk assessments, risk management, risk-based, risks, security PII, Sheila Bair, social security numbers, technology, third party management, third party oversight, vendor, Vendor Management, vendor risk, vendor risk assessment
I was an unabashed fan of Sheila Bair and made no secret of that fact. She was a breath of fresh air in a line of work where everything is stale and always at least a little boring. Not that Martin Gruenberg is any less effective running the FDIC, he’s just a whole lot less interesting to pay attention to. And in the time since Ms. Bair stepped down I’ve just not been finding much to blog about regarding things the government is doing.
Things are looking up a bit because I have a new favorite regulatory agency to follow, the Consumer Financial Protection Bureau (CFPB). And here’s why: They focus on things that impact my day-to-day life (and yours as well).
I started tracking what the CFPB was doing about five months ago by accident. Someone I know who used to be an examiner for the FRB switched over to the newer agency right at its infancy and I noticed this courtesy of a LinkedIn update. Because I consider the Fed to be the Big Kahuna of the regulatory agencies I was surprised (you don’t leave the Yankees to sign with an expansion team unless you have to, or so I thought). Compelled a bit by the update I started poking around the CFPB website. For the first few months of this year it seemed to have potential but was little more than brochure-ware. But last month that all changed.
The first CFPB update that caught my attention was labeled 12 CFR Part 1070 and it was all about the protection of consumer data, only with a slight twist. Basically it was all about how any information they received as part of their field work would be protected exactly the same way that any third party vendor would be required to. Despite their being a Federal agency they weren’t going to hide behind that as a means to simplify their lives. They spearheaded an update to the underlying regulation that frames their charter so that consumers and their institutions can be assured that all PII and NPPI would be protected. For me it was a rare win-win topic; protection of PII and NPPI combined with a reference to vendor management (these are a few of my favorite things). And really for me it was that much more significant because I’ve known of a few situations where representatives of Federal and State regulatory agencies were responsible for the outright loss of confidential and/or restricted data. Beyond a slap on the wrist there wasn’t much else done to the offending examiner or their agency. And the affected institution couldn’t really complain too loudly because it’s always a bad idea to challenge your regulators, even when you’re in the right. So I thought this was all at once a compelling and remarkably sensible update by a regulator, not something I’d expect to see. That was the first points on the board for the CFPB.
The second set of points were scored almost on the same day. I wanted to check one of the details related to the aforementioned update and noticed this one “Consumer Financial Protection Bureau report finds confusion in reverse mortgage market“. Because I have a parent who is a senior citizen and who I think might one day soon be open to at least exploring a reverse mortgage I read with great interest. The report was in plain English, was oriented in such a way that I could share it with my family and have them understand the issues and concerns detailed within and most importantly it made sense. Reverse mortgages are growing in popularity and its main audience is the senior citizens segment of society. Seniors tend to be more easily misled, they’re under greater pressures to find new money sources (courtesy of our recession) at a time in their lives where going back to work is often not an option. And because a parent would do almost anything rather than turn to their children for financial assistance they see a reverse mortgage as a way out of their predicament. So for me having this content available was quite the relief. I can caution and advise all day and night but the risks presented by a reverse mortgage are much more credible coming from an authorized source. And so I celebrated July 4th this year by declaring the CFPB my new FDIC (the Sheila Bair inspired version, not the current blah one).
Here’s my really bizarro advice to any of you with even the slightest interest in regulatory oversight; if you haven’t already done so visit www.cfpb.gov and take a look around. It’s oriented towards lay people, not just lawyers and regulators (and practitioners like me) and addresses topics and concerns that affect the majority of our population. Basically it’s what I would expect from a regulator that still has that new agency smell but nothing like I’ve come to know from those that preceded it. To those who have had a hand in defining its charter and organizing its content, great job! Now repay my kind words by going out and getting me some juicy enforcement stories to write about.