Mock CFPB Exam: Why Smaller Lenders Should Prioritize Alternatives for Compliance

Small to moderate sized financial institutions should skip mock exams. Here’s why we think so and what to do instead.

Mock CFPB Exams Are Not for Everyone

Small- to moderate-sized financial institutions frequently ask Bridgeforce’s Compliance and Operational Risk Practice (CORP) about conducting mock CFPB exams (See list of exams at the end of this blog). We answer “no” because conducting a detailed mock exam could be considered excessive and a drain on resources.

From our experience at CORP, most exams are in the product-realm. Two primary exceptions are ECOA and HMDA. The Compliance Management System (CMS) is always included in product exams and is often evaluated separately, especially during the early days of CFPB supervision.

Regardless of the specific exam being conducted, the notion of a mock exam might sound good in theory, but it’s numerous examination procedures are often too costly to be practical. The only way to be certain about mock exam success is to leave no stone unturned. Furthermore, the CFPB invariably requests voluminous documentation and data, but does not possess the resource levels to review or analyze everything being submitted.

In 2018, the CFPB had 1,510 staff members overseeing 127 Depository Institutions. By 2022, the staff increased by 8.1% to 1,632, and they were responsible for 176 Depository Institutions, which is a 38.6% increase from 2018. Despite the increase in staff, the CFPB struggles to keep up with the growing number and complexity of examinations. (Source: Financial Report of the Consumer Financial Protection Bureau Fiscal Year 2023)

In fact, Rohit Chopra’s 2022 testimony to the House Financial Services Committee indicated a focus on the largest financial institutions and repeat offenders.  For small to mid-sized financial institutions, the CFPB often doesn’t investigate everything and chooses specific focus areas. Therefore, a detailed mock exam can be seen as overkill and a significant waste of resources.

How to Effectively Prepare for CFPB Oversight Without Complex Mock Exams

Don’t worry, there’s a way to find clarity in regulatory oversight. Despite industry concerns about the CFPB’s regulatory agenda, proposed rulemaking, and everchanging regulation interpretation guidance, the CFPB and Federal prudential regulators are highly transparent. They may not provide a perfect prediction of the future, but they don’t leave much hidden.

Two examples show how to sleuth out where regulatory focus lies:

1. Published Guidance Shows Regulatory Focus Areas

The CFPB shares a lot of information about their current strategies and priorities. By collectively reviewing and analyzing these sources, your firm can gain valuable insights into the focus areas of the CFPB.

Here’s a list of example source materials:

• Amicus Program (“friend of the court” briefs)
• Blogs
• Consumer Advisories
• Consumer Complaints Database
• Consumer Financial Protection Circulars
• Director’s Notebook
• Enforcement Actions
• Press Releases
• Special Edition Supervisory Highlights
• Special Reports
• Speeches and Op-Eds
• Statements
• Supervisory Guidance
• Supervisory Highlights
• Testimony
• Warning Letters

2. Complaints Database and Balance Sheets Provide Critical Insights

Outside-Looking In: Most of the CFPB’s publications provide an outside-in view of focus areas. The Complaints Database is a notable exception. All institutions should monitor their own complaint trends, categorizing them by topic. This helps to identify if a surge in complaints or highly sensitive issues (such as a Fair Lending violation accusation) could potentially draw the CFPB’s attention.

Inside-Looking Out: An inside-out view is of equal importance. For institutions nearing, or recently coming under, CFPB supervision, a quick look at the balance sheet gives a good idea of what exams are most likely to be conducted. Deposits are always a potential area of focus, but loans are usually examined based on the potential for consumer harm. This means you should pay attention to the concentration of loans in different product categories, usually in terms of dollar amounts rather than the number of accounts. For instance, if your consumer portfolio is mortgage heavy, you can expect a higher probability of a mortgage origination or servicing exam. Institutions recently under CFPB supervision with small consumer portfolios are rarely examined, unless there are known issues from CFPB complaints or a whistle-blower report, which admittedly is hard to anticipate.

A Thorough Assessment Can Prepare Institutions for Regulatory Oversight Without a Mock CFPB Exam

For each type of product exam, there is a highly prescriptive examination manual that details what will be examined in each stage of the product’s lifecycle. However, regulators rarely have the resources to check everything they request. Instead, they focus on specific processes and related federal consumer financial laws based on recent industry-wide concerns and findings, unless they’ve already found problems within your organization.

Once you know what the CFPB is likely to examine, the next step is to conduct a risk-focused compliance assessment in those areas, not a mock exam.

Focus on the most high-profile, high-risk regulations for processes in an assessment. This allows you to analyze the strengths and areas for improvement. Using this approach gives a clear picture of where controls need to be enhanced. With this understanding, you can develop and execute a risk-informed, prioritized enhancement roadmap with confidence.

Take Action: From Evaluating Regulatory Compliance to Implementing Controls

Bridgeforce CORP’s experience and industry knowledge means we can give you clarity, control and confidence in your compliance program, before, during and after a regulatory exam. We can:

• Evaluate and provide regulatory compliance assessments across the three lines of defense.
• Provide pre-examination regulatory compliance evaluations (typically the first and second lines of defense).
• Deliver post-examination assistance with consent order, MRA, and corrective action execution (typically within a business line or under the direction of enterprise risk management).
• Evaluate, design, develop, and implement compliance control solutions, including governance and continuous monitoring (typically within the first line of defense, but not exclusively).

Contact us if you’re ready to build confidence in your compliance program.