CFPB: What is New Regulator's Role?Consumer Financial Protection Bureau Clarifies Mission
The Consumer Financial Protection Bureau, established under Dodd-Frank, is the newest member of the Federal Financial Institutions Examination Council.
What that means for some U.S. banking institutions is an additional layer of regulatory oversight. But how are the CFPB's policies expected to impact information security and risk management?
Banking institutions say this is where they're confused. As they prepare for traditional IT examinations conducted by other FFIEC regulators, such as the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, institutions say they aren't quite sure how or where the CFPB fits in.
The banking institutions that responded to BankInfoSecurity's queries did not want to go on the record with their concerns.
But Peter Tapling, president and CEO of Authentify, which provides online authentication solutions to banks and credit unions, is one of several observers who says he's heard concerns directly from institutions that have been reviewed by the CFPB.
"With the other regulators under the FFIEC, [institutions] know a regulatory history and have a good idea about what the demands will be, so they can put projects in place," he says. "As they move toward compliance, even if they are not quite there during an examination, they understand the regulators want to see that they have forward-looking objectives in place and plans to meet those objectives."
The new challenge: Banking institutions so far have not been given a clear view as to whether the CFPB will weigh in separately or jointly in that examination process.
"I get the sense [institutions] feel as though they've received these large, overarching comments or suggestions [from CFPB] but there is no real meat behind what they actually have to do," Tapling says.
Banking institutions' uncertainty revolves around what the CFPB might or might not do, relative to authentication and risk management, he explains.
"From the banks' perspective, they say, 'If what you are going to do is intertwine with the FFIEC, then great," Tapling says. "Let me know what that looks like, and I will build my plans to address it.' "
But CFPB spokespeople say information security is not part of this new agency's role. Questions surrounding IT examinations should still be directed to institutions' primary banking regulators, says CFPB spokeswoman Moira Vahey - a point the CFPB recently took steps to clarify.
"We want to build a constructive relationship with the companies we supervise, and we understand the importance of establishing expectations up-front," she says. "To this end, we sent a letter this week to the banks, thrifts and credit unions we will be supervising, letting them know we issued these documents."
A list of examination documents also is available on the CFPB's website.
Other banking regulators declined to comment about their expectations for CFPB. They only note that the CFPB is a voting member of the FFIEC.
The CFPB's Mission
The CFPB, which on July 21 will celebrate its second anniversary, oversees depository institutions with more than $10 billion in assets. The CFPB also has authority over non-banking entities, such as mortgage companies, payday lenders and private education lenders.
But the CFPB's actions and supervision relate only to accountability and oversight of the consumer financial marketplace, Vahey says. She also points out that the CFPB has made its general examination manual and servicing procedures public, so banking institutions and others should know what to expect during their examinations.
The CFPB would not share any details about the number of institutions it has examined since its inception, nor discuss the frequency of contact it expects to have with the institutions it oversees.
But CFPB Director Richard Cordray on June 19 told the Exchequer Club, which provides an open forum for discussion about national economic, financial and political matters, that the CFPB's basic aim is to level the playing field.
"As financial products and services evolved over time, depository institutions found themselves competing more directly against nonbank entities," he said. "The mortgage market, in particular, was squarely involved in causing the financial crisis and the ensuing economic meltdown, so this supervisory gap had to be closed. ...One of the purposes of the new agency is thus to level the playing field between banks and nonbanks under the consumer financial laws."
Going forward, the CFPB says its primary mission is to give consumers a proverbial fair shake, and to enforce laws to protect honest businesses that may previously have been impacted by competitive disadvantages. "Our supervision program is risk-based - the CFPB will generally focus its resources on the institutions that pose the greatest risk to consumers," Vahey says.
"As a new agency, we want to help companies we supervise know what we expect," she adds. "Our aim is to be transparent in our work and to provide clear guidance to the industry."