BY STEPHANIE WHITE BOOKER AND PAUL MARKER
My Klaros colleagues Lauren Sartwell and Siena Marr explained the Consumer Financial Protection Bureau’s (CFPB) recently issued interpretive rule aimed at digital advertisers in a recent Fintech Nexus article. This post focuses on the immediate next steps for banks and financial institutions.
If you are a bank or financial institution, you should be thinking about the applicability of the CFPB’s interpretive rule regarding digital marketing to your business. Many banks and financial institutions have been focused on digital transformation, expanding, and reaching new markets through the use of new technologies, tools, partners, and marketing through new platforms. Risk and Compliance functions may not be aware of all of the marketing strategies, tools, and technologies their institutions use, but the CFPB’s new focus indicates they need to be. Existing risk management processes may need modification or enhancement just to identify the digital marketers a bank or financial institution uses. From a vendor management perspective, some of these marketers may be viewed not just as third parties but as fourth parties or beyond.
Where to start
Here are five practical steps that bank and financial institution risk and compliance leaders can take now to help ensure compliance with the new CFPB digital marketing interpretive rule:
First, build an inventory of your institution’s digital marketing partners. Talk to your line of business leaders to learn about their advertising and marketing plans, who they partner with, and what platforms they use. Your inventory of digital partners should include enough information to understand the depth, breadth, and scope of their operations in service to your institution.
Second, use the inventory to understand and mitigate potential risks, and establish appropriate routines for monitoring, sampling and testing your digital marketing partners’ marketing and advertising copy and methods to verify compliance with the CFPB’s requirements.
Third, enhance your third-party risk management (TPRM) programs and practices. If you run a TPRM function, here are some of the questions you should begin to ask in light of the CFPB’s new requirements:
Can my institution assess its digital marketers’ understanding of fair lending and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) risk, and do we have appropriate controls in place?
Do we need to revisit our contracts and service level agreements to account for the new CFPB rule?
Have we identified the entire universe of relevant parties, including any fourth or fifth parties, that our digital marketers use?
Fourth, develop and provide training to your business lines and marketing personnel to ensure they understand the new rule as well as the program enhancements and controls your institution is instituting to ensure compliance with it.
Finally, engage in the service provider due diligence process by creating on-boarding checklists that surface and address potential compliance concerns.