Upon receiving notice of an upcoming Consumer Financial Protection Bureau (CFPB) audit, we often recommend that organizations perform an independent risk assessment on high-risk areas as soon as possible. In this context, high-risk functions are those with increased risk of consumer harm – some examples include debt collections, credit reporting, foreclosure, or judgmental underwriting. The purpose of the risk assessment is to find gaps and determine how to address them prior to the exam. We have found effective risk assessments for exam readiness meet the following criteria:

1) They are initiated quickly

2) They are completed independently

3) They are done thoroughly


Beginning a targeted risk assessment process as soon as possible upon notice of a CFPB exam is more important than one might think. While there are the obvious benefits of having more time to address any potential gaps, a less obvious perk is that there’s an increased likelihood that you are able to implement changes within the CFPB’s examination period (i.e. the time period in which information and data for the exam are requested). The advantage is that you are now able to tell the story via your responses that you identified X Gap, implemented Y Solution, and saw Z Benefit. This powerful narrative shows a regulator that you were proactive and executed upon an identified gap, as opposed to simply identifying the gap and developing a plan.


Independence cannot be overlooked when preparing for an exam. Independence does not necessarily mean you need to hire third-party consultants to conduct each assessment, but it does mean that the business line should have some distance from those conducting the assessment. The reason for this is human nature: it is simply too easy for the owner of the function to be a little less persistent, curious, and rigorous during a risk assessment, which could lead to missed gap identification. While almost always subconscious, those who are close to the operation are more likely to have preconceived notions that “all is well,” which creates additional inherent risk when a non-independent risk assessment is conducted in advance of a critical audit.


We often see risk assessments fall short here. Risk assessments need to be deep and go to the regulatory-element level (i.e. testable elements) to ensure full compliance is addressed through policies, procedures, process maps, and monitoring and validation. For example, a risk assessment is not effective if it concludes that an organization is compliant with ECOA simply because an ECOA policy is in place. By contrast, a risk assessment might be effective if it concludes that an organization is compliant with ECOA’s adverse action requirement within the credit line increase process because a policy is in place, a procedure outlines how notices are systematically sent, a reconciliation report (which is validated to be accurate) is monitored daily to identify (and act upon) letters that were not sent, and a random sample of letters is reviewed periodically to ensure the information sent is accurate.

Conclusion: Upfront Preparation Reduces Backend Costs

While conducting a risk assessment in advance of an exam can be costly and time-consuming, we have found it is much less costly and time-consuming than dealing with large-scale remediation efforts against tight timelines following an audit. As CFPB exams remain a relatively “new” concept, those prepared can be positioned for success – which translates to reduced costs and fewer distractions.