ABA January/February 2025: Proactive Remediation
At some point, nearly all financial institutions (FIs), no matter how well managed, discover one or more issues that require consumer remediation. While each remediation event is unique, an institution can take steps both before the event arises and immediately upon discovery to ensure a successful remediation.
This article discusses the benefits of self-identifying events that may warrant remediation, strategies for developing an effective remediation framework, and factors to consider when crafting an effective remediation plan. The second article in this series will discuss key steps for addressing issues that may prompt monetary and non-monetary forms of consumer redress. The third article will discuss the importance of having an effective communication plan for internal stakeholders, regulators, and customers, as well as the evaluation of lessons learned after a remediation.
Why self-identify and remediate?
FIs remediate customers who have been harmed in some way, in order to correct the harm. Consumer harm can be monetary or non-monetary, such as fees that were incorrectly charged, interest that was miscalculated, or statements that contained inaccurate information. The error or issue may be found through a complaint, QA/QC, testing, or some other way. Whatever the reason and however it was found, effective remediation aims to make affected consumers whole, thus enhancing both customer experience and customer retention.
Proactively developing a remediation plan can also mitigate or potentially avoid regulatory and legal actions, as well as protect the institution from reputational harm that accompanies mandated remediation. Additionally, self-identifying potential violations and proactively addressing consumer harm can demonstrate various components of an effective compliance management system (CMS), including proper board and management oversight.
The CFPB and the federal prudential regulators encourage FIs to engage in responsible business conduct and state that they give them “credit” for doing so. As explained in the CFPB’s Bulletin 2020-01, Responsible Business Conduct: Self-Assessing, Self-Reporting, Remediating and Cooperating, an institution’s “swift and effective actions … to address the violation can minimize resulting harm to consumers.” The CFPB further explains that:
“[A]n entity may self-assess its compliance with Federal consumer financial law, self-report to the Bureau when it identifies likely violations, remediate the harm resulting from these likely violations, and cooperate above and beyond what is required by law with any Bureau review or investigation.” [Emphasis added.]
Depending on the nature and extent of an institution’s actions, the CFPB (and other regulators) could “exercise … discretion to close an enforcement investigation with no action or decide not to include Matters Requiring Attention in an exam report or supervisory letter.” Conversely, a failure to remediate harmed consumers in a timely manner could be considered an abusive practice, as discussed in the 2023 CFPB Policy Statement on Abusive Acts or Practices.
While remediation involving harmed or potentially harmed consumers can be expensive and may result in reputation risk, there are important benefits to taking a proactive approach. A well-executed remediation plan can help make customers whole while also garnering the trust and confidence of the regulators. And after all, it's the right thing to do and makes good business sense.
Developing an effective remediation framework
It is inevitable that, at times, errors will occur, or systems will fail. This is why risk and compliance professionals identify and monitor risks and controls. Some FIs approach each remediation event reactively, by viewing it as a one-time issue, and developing a new remediation approach, from scratch, each time. Instead, FIs can think more proactively and develop an enterprise-wide remediation framework to streamline the process for when the next remediation event occurs. Moreover, establishing remediation protocols in a methodical manner (i.e., outside the boundaries of a specific remediation) avoids decision-making that might be flawed due to being in the heat of a remediation event.
In short, nothing beats a good plan. An institution can plan for remediations both before identifying issues and immediately upon discovery. While the scope of an institution’s advance planning for remediation may vary based on its size and complexity, all FIs can benefit from developing a robust remediation framework.
A remediation framework should be somewhat flexible. While each remediation event is different, establishing and consistently applying standards across the institution may be viewed favorably by regulators. A remediation framework should include a general policy statement and remediation principles. The policy statement should address accountability, roles, and responsibilities in handling remediation efforts. The framework should be further supported by more detailed procedures that will foster consistency from one remediation project to the next. There should also be a process to determine early on whether any part of remediation efforts should be conducted under an attorney-client privilege.
Within the remediation framework, the assignment of roles and responsibilities is critical to achieve process sustainability. Roles and responsibilities will vary from one FI to another, depending on organizational structure, the maturity of a three lines of defense structure, and the availability of resources and expertise. Institutions may want to employ a hub-and-spoke operating model to take advantage of the efficiencies and standardization that come with centralized governance, complemented by the flexibility and responsiveness of decentralized execution.
While an institution should generally establish within its remediation framework where ownership of certain types of remediations will reside, flexibility is still recommended. For example, while the line of business is often regarded as owning the risk, and therefore would own the remediation activity, Compliance or Legal may be assigned remediation leadership for events that are particularly sensitive in nature. Regardless, Risk, Compliance, and Legal should be key stakeholders to provide oversight, and help manage and monitor progress, timeliness, and key deliverables. In any case, excellent project management and periodic reporting are essential to document progress (including any new hurdles that arise), especially considering that complex remediations can last more than a year.
Some FIs have established an advisory group comprised of senior leaders across lines of defense and business lines, including representatives from units such as Risk, Compliance, Finance, and Legal, to review remediation proposals and provide insights from past remediations. A remediation framework should govern reporting and meeting protocols for groups or management committees that regularly provide oversight for issues management and that discuss remediation activities.
As part of its remediation framework, an institution should track remediation projects that are (1) being researched, (2) currently underway, and (3) completed. Regulators often request an institution’s tracker or project management plan to see what has been done to identify and scope issues, determine root causes, and remediate affected consumers. Regular periodic reporting and a Communications Plan for internal and regulatory reporting are both important elements of an effective remediation framework.
Factors to consider when crafting an effective remediation plan
Institutions should tailor their remediation to the specific facts and events warranting it. There may be opportunities to tailor the definition of “affected customers” by, for example, excluding certain customers who have already been refunded or received fee waivers, and describing the offset process. Data limitations may serve as a reasonable basis for limiting the scope of a lookback period, and thus the remediation. In other instances, the data may prove too unwieldy, and determining precise remediation amounts so labor intensive that it could be appropriate to select a sample timeframe or population and extrapolate to develop an appropriate lump sum payment for affected customers. It may also be appropriate to establish a de minimis refund amount such as $1, below which the institution will not process refunds. While the regulators have accepted rough justice approaches and de minimis thresholds in certain circumstances, it’s not a guarantee, especially if account credits can be processed easily.
Following a significant remediation event, there may be ways to reduce or eliminate subsequent regulatory actions. For example, the FI could distinguish its activities from more egregious activities of other institutions. Prior exam reports and communications with the regulator may suggest that the FI’s CMS is strong and that its practices comply with the law; these prior findings could support the FI’s position that the event was truly an anomaly, and that subsequent regulatory actions are unnecessary.
Conclusion
Remediating consumer harm can be a difficult process. By developing a remediation framework, tailoring a remediation, and taking proactive steps both before and immediately upon discovering an issue that requires remediation, FIs can increase their chances of effectively remediating consumers while minimizing adverse impacts on the institution.
This article is the first in a three-part series on planning and executing effective remediations. While the term “consumer” is used throughout this article, the concepts described apply to any type of customer (or prospective customer), regardless of whether the product or service is for consumer or business/commercial purposes. Additionally, this article is not intended to address data breach or cyber incident responses, as those have very specific and urgent timelines and may also require reporting to state entities.
About the Authors
Jeremy Hochberg has 20 years of private and public sector experience in financial services. He advises banks, financial services companies, and third-party service providers on regulatory compliance and enforcement matters. Jeremy represents clients on fair lending and responsible banking issues, including matters involving claims of disparate impact; disparate treatment; and unfair, deceptive, or abusive acts or practices (UDAAP). His work in this area includes advising on underwriting, pricing, exceptions, redlining, steering, limited English proficiency, sales and marketing, artificial intelligence and machine learning, overdrafts, credit reporting, and servicing issues.
Patti Hartsfield-Davis is an independent consultant, currently aligned to Mitchell Sandler PLLC, with a focus on risk and compliance advisory services, including regulatory remediations, for FIs of all sizes. In addition to working with Mitchell Sandler, she currently serves on the Board of Directors for Sunrise Banks, N.A., a national bank that is also a Community Development Financial Institution, and currently chairs the board’s Compliance & BSA Committee. Prior to entering consulting, she held senior positions at Fifth Third Bank (Chief Compliance Officer), Ally Bank, and Bank of America, spanning roles that included regulatory and consent order remediation, policy administration, and numerous areas of compliance and operational risk management (U.S. and international; consumer and business/commercial).