ABA March/April 2025: Critical Steps to Take Upon Identifying Issues Requiring Remediation

While every remediation is different, there are certain key steps financial institutions (FIs) should take upon discovering an issue that might require remediation. These steps are not meant to be approached sequentially; FIs may benefit from taking many of these steps simultaneously.

Remediating consumer harm can be a difficult process. By taking the steps described below to plan for and execute a remediation, FIs can increase their chances of effectively remediating consumers while minimizing adverse impacts on the FI.

Note: While the term "consumer harm" is commonly used in the industry (including by regulators), it’s important to note that remediation activities can apply to any type of consumer (or prospective consumer), regardless of whether the product or service is for consumer or business/commercial purposes. Additionally, this article is not intended to address data breach or cyber incident responses, as those have very specific and urgent timelines and may also include reporting to state entities.

Contain the problem

An initial action of any remedial effort is to conduct a triage of the situation and do a preliminary assessment of the degree of urgency, such as whether consumer harm is still occurring. If so, it is imperative to act quickly and "stop the bleeding," i.e., stop consumer harm. This initial assessment may include some degree of root cause analysis (see discussion below); however, the clock is ticking so don’t delay by trying to find the perfect solution. Consider a short-term fix and then you will have time to plan a better, long-term solution. Regulators will inquire about the steps taken upon learning of an issue, including how quickly action was taken to implement an effective response after discovery.

One common mistake is when FIs take no action, and instead wait for their regulator to tell them what to do. Regulators expect FIs to act quickly to mitigate consumer harm, and to resolve issues in a timely manner. Of course, while in more complex situations it may be a good idea to obtain regulatory guidance on the scope of remediation, it is critical to take swift action to prevent ongoing consumer harm.

Establish legal holds

Depending on the nature and scope of the issue, an FI may need to establish a legal hold in order to suspend its normal document destruction processes. Counsel can advise FIs on the need for, and appropriate scope of, any legal holds. Even when there is no need for a legal hold, an FI should consider its data retention policies to determine whether it is holding any data longer than required. Some FIs have had to provide more remediation than necessary because they retained documents for time periods that were longer than required by law, regulation, or internal policy.

Conduct a root cause analysis

An important early step in any remediation process is to determine the root cause of the issue. Typically, that means going beyond what might appear obvious, and continuing to ask "why" to delve deeper into the true cause. Locating the true root cause may be challenging. What seems like a human error could be a system issue, and what seems like an issue in one business unit may actually be occurring across multiple lines of business. Procedural or training weaknesses could be revealed, and the true root cause could involve a third-party provider.

When an FI understands the root cause of a particular issue, it can use that knowledge to guide its advocacy and remedial efforts. Sometimes FIs may need to change incentives to encourage compliance or take disciplinary action to hold individuals responsible for causing the issue. It is critically important to identify and fully understand the correct root cause to both inform the FI’s ultimate remediation approach and strategy, and importantly, to help prevent the issue from recurring.

Identifying necessary resources and stakeholders

Root cause analyses and remediation plans can be complex and involve many stakeholders. A failure to identify the necessary resources and stakeholders early in the process can lead to unnecessary delays and jeopardize remedial efforts. Interestingly, the individuals who identify an issue warranting remediation may not always be best positioned to design a remediation plan.

The development of a remediation strategy and plan should involve many internal stakeholders, including but not limited to Operations, Compliance, Risk, Legal, and potentially multiple lines of business. For matters involving potential financial restitution, Finance should also be at the table. For system issues, Information Technology is a key partner, and any resource limitations could mean developing both a short-term and a long-term fix. Once the issue has been vetted, FIs may find it necessary to include Human Resources to address any conduct risk issues. Sometimes outside counsel or external resources are needed to assist with crafting a remediation strategy due to the complexity or scope of the remediation.

Gather facts and document findings

It is essential to gather all the facts relating to the issue, communicate these facts to key stakeholders, and conduct a full analysis to support findings and decisions relating to the root cause(s). Results of exploring potential impacts to the products and services of other lines of business should also be documented. Everyone should be on the same page, making decisions from a common set of facts. FIs should exercise care in the documentation process since all documents created will likely be subject to internal audit and regulatory scrutiny.

Scope the issue and (potential) impacted population

A significant step in any consumer remediation is identifying the type of consumer harm and the population of harmed consumers. As you evaluate the harm, note that it could include direct financial harm, such as an improperly charged fee, as well as additional financial harm tied to a consumer’s loss of funds for a period of time. In some cases, the underlying issue may trigger additional consequential losses to the consumer. These situations may require evaluation on a case-by-case basis.

Most often, remediation will take the form of monetary restitution, but it may also include other corrective actions. Examples include, but are not limited to:

  • Monetary:

    • Refunding fees or other charges that were incorrectly assessed;

    • Correcting interest calculations on deposit or credit transactions, including re-calculating or re-amortizing the account to fully account for the correction; or

    • Providing additional account credits, or other financial compensation as a gesture of goodwill to recognize the inconvenience.

  • Non-Monetary:

    • Correcting credit reporting inaccuracies;

    • Revising disclosures; or

    • Inviting consumers to re-apply when the original credit application was incorrectly denied.

FIs should be sure to take an enterprise-wide approach when scoping a remediation event. Some FIs have taken steps to remediate an issue in one business unit only to discover the same issue elsewhere in the organization (years later, in some cases), thus resulting in significant and unnecessary consumer harm.

With respect to documentation, self-reporting does not mean conceding a violation of law. An FI should avoid admitting a violation in internal documents or consumer redress letters to the extent possible. Some FIs are too quick to label an issue as a "violation" without carefully analyzing it against the applicable legal standard. While it is appropriate to identify and acknowledge violations when they have indeed occurred, premature internal "admissions" of a violation can impede subsequent advocacy efforts. An FI may simply document its findings as "issues," "issues that may present regulatory risk," or "potential violations."

Develop a communication plan

Effective communication is vital to successful remediation, including regular status updates to key control functions, senior management, and the board. FIs should establish a clear communication plan rather than relying on ad hoc efforts. They should also have a plan for:

  • Keeping each line of defense informed about the progress of remediation efforts;

  • Communicating identified issues across the enterprise to ensure lessons learned in one business unit prevent repeat issues elsewhere; and

  • Regularly updating senior leadership and the board on identified issues and the status of remedial efforts.

Confirm data quality and engage in QC/QA processes early and often

Remediation efforts rely heavily on accurate, reliable data to identify affected consumers, define scope, assess harm, identify data limitations, and correct system errors. Engaging data experts early helps to uncover potential data limitations, and ensuring data integrity upfront can prevent repeated efforts. For particularly complex issues, external resources may also be necessary.

Rushing remediation can compromise accuracy, leading to repeated efforts, including possibly having to "remediate the remediation." Quality control and assurance should be integrated early and consistently throughout the process to identify and address issues midstream.

Conduct post-remediation validation and ensure future sustainability

A remediation is not complete until it has been validated. FIs operating pursuant to a consent order or an MRA may need to obtain regulatory approval or non-objection of key milestone events. FIs operating pursuant to a self-identified and self-driven remediation plan should ensure that all corrective actions have been reviewed and validated through the audit function. It is usually sufficient to conduct the audit once the FI has substantially completed the remediation; however, in some cases, intermediate audits may be warranted.

Post-remediation, the FI should consider additional monitoring or testing routines that will ensure the sustainability of the corrective actions and help identify future occurrences of the same (or similar) issues. Such routines may be incorporated into the FI’s existing monitoring and testing activities.

Determine whether public disclosure is required

An FI should consider whether its remediation triggers a filing obligation. Depending on the scope of a remediation, an FI may need to set aside funds and report the remediation. An FI’s finance division and securities counsel should be engaged early in the remediation planning process to assess whether public disclosure will be required in financial reporting to the Securities and Exchange Commission or other third parties.

Develop remediation and communication strategies

FIs should develop a specific remediation strategy for each event that is informed by its root cause, data, fact gathering, and scoping analyses. While the strategy should determine the actions necessary to make consumers whole, it may also consider opportunities to tailor the remediation appropriately. Remediation strategies and plans should begin with the end in mind. Part of a strong remediation strategy is having a plan for communications and not leaving it to chance. FIs should be careful and intentional with all internal and external communications. Counsel can assist with devising and preparing effective remediation strategies and communications.

Conclusion

Remediating consumer harm can be a difficult process. By developing a remediation framework and taking the steps described above, FIs can increase their chances of effectively remediating consumers while minimizing adverse impacts on the institution. 

This article is the second in a three-part series on planning and executing effective remediations. To learn about the importance of self-identifying events that may warrant remediation, strategies for developing an effective remediation framework, and factors to consider when crafting an effective remediation plan, see our first article, Proactive remediation: "Self-identification and the importance of frameworks" in the January/February 2025 issue. In the next issue, we will discuss the critical importance of having an effective communication plan for communicating with internal stakeholders, regulators, and customers, and the importance of identifying lessons learned after remediations.


About the Authors

JEREMY HOCHBERG has 20 years of private and public sector experience in financial services. He advises banks, financial services companies, and third-party service providers on regulatory compliance and enforcement matters. Jeremy represents clients on fair lending and responsible banking issues, including matters involving claims of disparate impact; disparate treatment; and unfair, deceptive, or abusive acts or practices (UDAAP). His work in this area includes advising on underwriting, pricing, exceptions, redlining, steering, limited English proficiency, sales and marketing, artificial intelligence and machine learning, overdrafts, credit reporting, and servicing issues.

 
 

PATTI HARTSFIELD-DAVIS is an independent consultant, currently aligned to Mitchell Sandler PLLC, with a focus on risk and compliance advisory services, including regulatory remediations, for financial institutions of all sizes. In addition to working with Mitchell Sandler, she currently serves on the Board of Directors for Sunrise Banks, N.A., a national bank that is also a Community Development Financial Institution, and currently chairs the board’s Compliance & BSA Committee. Prior to entering consulting, she held senior positions at Fifth Third Bank (Chief Compliance Officer), Ally Bank, and Bank of America, spanning roles that included regulatory and consent order remediation, policy administration, and numerous areas of compliance and operational risk management (U.S. and international; consumer and business/commercial).

 
 
