The Office of Inspector General (OIG) for the CFPB and Fed has issued a report that found the CFPB can improve its practices related to examination workpaper documentation.  This report follows another OIG report issued last month that found the CFPB could improve the effectiveness of its Examiner Commissioning and On-the-Job Training Programs.

The report provides the results of an evaluation conducted by the OIG to assess the CFPB’s guidance and practices, including training and quality reviews, to promote effective and consistent examination workpaper documentation.  The OIG reviewed documentation in each of the CFPB’s four regions for compliance with the CFPB’s Supervision and Examination Manual and other policies applicable to examinations.

The OIG’s findings included the following:

  • The CFPB’s approach was to grant examination employees in each region open access to examination workpaper documentation and supporting material.  That approach resulted in certain employees having access to materials with confidential supervisory information and personally identifiable information when they did not appear to have a business need to know such information, thereby creating an opportunity for insider abuse.
  • A lack of information disposal guidelines limited the CFPB’s ability to protect sensitive information and a lack of a consistent process for limiting access rights limited the effectiveness of self-reporting of potential information security incidents.
  • Documentation of supervisory review of workpapers by the Examiner in Charge and Field Manager did not fully comply with Examination Manual standards.  As a result, the CFPB could not be assured that all workpapers that support findings and conclusions had been reviewed and approved, which could affect the credibility of examination results.
  • The CFPB did not have formal training for examiners on workpaper practices.
  • The CFPB had not established an ongoing quality control review process for examination workpapers to evaluate whether workpapers met the requirements in the Examination Manual.

The report includes the OIG’s recommendations for addressing its findings and the CFPB’s responses to the recommendations.


The Office of Inspector General (OIG) for the CFPB and Fed has issued a report on the results of its evaluation of the effectiveness of the CFPB’s Examiner Commissioning Program (ECP) and On-the-Job Training (OJT) Program.  In conducting the evaluation, the OIG assessed the design, implementation, and execution of the two programs. The OIG found that the effectiveness of both programs could be improved.

The CFPB implemented the ECP in October 2014 and, according to the report, has described the ECP as “critical” for its supervision program and the professional development of its examiners.  Although the OIG found that the CFPB had taken some steps to enhance the ECP, it identified several shortcomings.  The OIG found the following:

  • Due to management’s workforce needs and advancement incentives, some examiners appeared to proceed through certain components of the ECP before being fully prepared. In addition, certain controls established by the CFPB to manage examiners’ progression through the ECP might be ineffective.
  • Some examiners did not appear to receive adequate training and developmental opportunities or exposure to certain CFPB internal processes before proceeding to certain components of the ECP.
  • The CFPB did not have a formal method to evaluate and update the ECP.
  • The CFPB did not consistently communicate ECP requirements to prospective employees, including the starting point for the 5-year requirement for completing the ECP.

The CFPB’s OJT program is intended to be a standardized program that ensures examiners are trained uniformly across all regions.  In the program, an OJT trainer is expected to work with an examiner on an examination, provide mentoring, discuss the  CFPB’s Supervision and Examination Manual, and oversee the examiner’s completion of assigned modules. The OIG found that CFPB regions had not consistently implemented the OJT program and examiners may not have understood the requirements, expectations, and purpose of the OJT.

The report makes a series of recommendations for addressing the OIG’s findings and enhancing the effectiveness of the ECP and OJT program.  In the CFPB’s response to the OIG’s draft report, which is included with the report, the CFPB states that it agrees with the OIG’s recommendations and outlines its plans for implementing the recommendations.


Since our last blog post about the Office of Inspector General’s work plan for the CFPB, the work plan has been updated as of July 1, 2017 to add one new planned project.

The newly-added project is an “Evaluation of the Office of Consumer Response’s Efforts to Share Complaint Data Within the CFPB.”  The plan states that the Office of Consumer Response is responsible for sharing complaint data with internal stakeholders to help the CFPB’s supervisory, enforcement and rulemaking activities.  It adds that “the successful use of complaint data can help the CFPB understand the problems consumers are experiencing in the financial marketplace and identify and stop unfair practices before they become major issues.”

The OIG evaluation will examine the extent to which Consumer Response is achieving its objective to share useful complaint data and analysis with internal stakeholders, and Consumer Responses controls over access and distribution of shared complaint data.



The Office of Inspector General for the Fed and CFPB has completed a report setting forth its findings from an audit in which it evaluated “selected security controls for protecting the [CFPB’s] website from compromise.”  Instead of releasing the full report, the OIG only released an executive summary, stating that “given the sensitivity of our information security work, our reports in this area generally are restricted.”

In the executive summary, the OIG stated that while the CFPB “has taken a number of positive steps to secure its website, several control deficiencies need to be mitigated to protect the website from compromise. Those deficiencies have to do with configuration management, system and information integrity, and contingency planning.  If not addressed, these deficiencies could adversely affect the confidentiality, integrity, and availability of [the website] and the information it contains.”

The OIG indicated that its report included eight recommendations to strengthen the website’s security and that it also identified additional risks needing attention that relate to system and communication protection, audit and accountability, identification and authentication, system and information integrity, and configuration management.  The OIG stated that although the CFPB recognized these risks before the OIG’s audit, it included them in the report because “they had not been remediated as of the end of our field work.”

The Office of Inspector General for the Fed and CFPB recently issued an audit report entitled “The CFPB Can Strengthen Contract Award Controls and Administrative Processes.”  The objective of the OIG’s audit was to assess the CFPB’s compliance with applicable laws, regulations and CFPB policies and procedures related to contract solicitation, selection and award processes, as well as the effectiveness of the CFPB’s associated internal controls.

While finding the CFPB to be generally compliant, the OIG found occasions on which reviews and approvals were overlooked or not documented as required by regulation or CFPB policy.  Among its other findings was that the CFPB could improve the documentation used to support price reasonableness determinations for sole-source contracts (i.e. contracts where there is other than a full and open competition).

The OIG’s work plan updated as of April 1, 2017 includes the following initiated projects in which the OIG will evaluate:

  • the CFPB Enforcement Office’s processes for protecting confidential information obtained through the use of the CFPB’s enforcement powers, such as information received in response to a CID (completion expected second quarter 2017)
  • the CFPB’s compliance with the requirements for issuing CIDs including those in the Dodd-Frank Act (completion expected third quarter 2017)  (Last week, the D.C. Circuit affirmed the district court’s denial of the CFPB’s petition to enforce a CID because the CFPB had not complied with the Dodd-Frank requirements.)
  • the effectiveness of the CFPB’s management of examiner commissioning and training (completion expected third quarter 2017)

Planned projects described in the work plan include (1) an evaluation of the effectiveness of the Division of Supervision, Enforcement, and Fair Lending in monitoring and ensuring that supervised entities take timely action to correct deficiencies identified in examinations, (2) an evaluation of the risk assessment framework used by the CFPB to prioritize examinations, and (3) a review of the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and personally identifiable information and applied appropriate information security controls and protection over the data to mitigate those risks.



The Office of Inspector General for the Fed and CFPB has issued a report on the results of an evaluation it conducted to determine whether the CFPB effectively mitigates the risk of potential conflicts of interest associated with using vendors to support fair lending supervision and enforcement.  In addition to performing fair lending analysis internally, the CFPB contracts with outside vendors to conduct fair lending enforcement analysis and expert witness services.  The OIG focused its evaluation on the CFPB’s management of one fair lending enforcement vendor’s potential conflicts of interest after the CFPB had awarded a contract to that vendor.

The CFPB’s contracts for fair lending analysis require the vendor, before performing work on a new task order, to provide a detailed written disclosure of all actual conflicts, potential conflicts, or matters that may present the appearance of a conflict under the federal regulation that guides the acquisition of goods and services by executive agencies.  (Although the CFPB takes the position that it is not required to follow this regulation because it is an independent regulatory agency, it has made a policy decision to follow the regulation for its procurements.)  The contracts also require the vendor to provide a detailed written plan explaining the steps it will take to avoid or mitigate such conflicts.

For the vendor contract it evaluated, the OIG found that the CFPB did not obtain conflict of interest disclosures or mitigation plans in conjunction with each task order.  (It noted that two task orders did not identify the companies the vendor would analyze for fair lending compliance.)  The OIG attributed the lapse in documentation to inconsistent enforcement of conflict of interest contractual provisions, inconsistent task order requirements, and a lack of clear roles and responsibilities for enforcing contract provisions.  It commented that this weakness could expose the CFPB to reputational and operational risk if a potential conflict of interest is not identified or mitigated before the vendor begins performing work that presents an actual conflict or an appearance of a conflict.  The OIG noted, however, that it did not identify any actual conflicts of interest between the vendor and the companies it analyzed.

The report contains a series of recommendations for how the CFPB can strengthen its controls for identifying and avoiding potential conflicts of interest, including ensuring that vendors comply with existing documentation requirements.  The OIG also recommended that the CFPB evaluate the potential costs and benefits of performing more fair lending analysis internally.



The Office of Inspector General for the Fed and CFPB has issued a report on the results of its audit of the CFPB’s process for identifying victims eligible to receive compensation from the Consumer Financial Civil Penalty Fund (CPF).

Section 1017 of the Dodd-Frank Act requires the CFPB to deposit in the CPF the civil penalties it collects in enforcement actions.  The funds are first to be used to compensate consumers who do not receive full compensation from the defendants who allegedly harmed them.  If funds remain after the CFPB has provided full compensation to all eligible victims or if payments to victims are impracticable because victims cannot be located or it is otherwise impracticable to pay victims, the CFPB can use the funds for consumer education and financial literacy programs.

The report discusses the victim identification process and the roles of  the CFPB’s Office of Enforcement, Office of the Chief Financial Officer (OCFO), and Office of Technology and Innovation (T&I).  It also discusses the role of a third-party vendor whose responsibilities include identifying eligible victims and disbursing payments.

The OIG found that while the CPF victim identification process was generally effective and efficient, the OCFO had not documented the roles and responsibilities of T&I in the process.  The OIG notes that the process “is data dependent and in some instances requires the involvement of T&I to produce preliminary lists of eligible victims.”  Accordingly, the OIG suggested that the OCFO update its procedures to document T&I’s roles and responsibilities.

In July 2014, Government Accountability Office issued a report on the results of its review of the CPF.  The review had been requested by a House member.

I am delighted to be writing my first blog post for the CFPB Monitor as a new member of Ballard Spahr’s Consumer Financial Services Group.  Before joining the Group, I served as an investigator in the CFPB’s Consumer Response Division which is responsible for maintaining the CFPB’s Consumer Complaint Database.

In a new report on internal controls governing accuracy in the Database, the Office of Inspector General (OIG) for the Federal Reserve found a number of ways that the CFPB’s management of the Database could be improved.  The OIG recommended a number of changes to policies and data controls, including increased monitoring of company responses, improved transparency of procedures for consumers filing disputes and companies filing late responses and a number of mechanisms for ensuring accurate uploading of information to the Database.  The study made particular note of the potential for consumer and industry confusion where there is a disconnect between Consumer Response’s public guidance and its internal procedures.  However, much of the study was conducted prior to substantial changes in the management of the Database, with many changes having since been implemented.

In a letter accompanying the report, the Acting Assistant Director of Consumer Response agreed with the OIG’s recommendations and noted that major changes in technology and procedure have been made and are ongoing.

The OIG report draws attention to the efforts being undertaken by Consumer Response to manage the growing volume of complaints, which have nearly tripled since the study was conducted. Industry can expect an increased focus on the quality of responses to consumer complaints, the handling of untimely company responses, and the breadth of information released through the Database.  The addition of consumer narratives may also present additional challenges that were outside the scope of the OIG’s review.

On November 17, 2015, I will be participating in a webinar with other Ballard Spahr attorneys, “Coping with Consumer Complaints and CFPB Expectations,” from 12:00-1:00 p.m. ET.  The registration form is available here.

In a new report on the CFPB’s hiring processes, the Office of Inspector General (OIG) for the Fed and CFPB found that the CFPB’s Office of Human Capital (OHC) did not always follow established hiring controls.  For example, the OIG found that not all job analysis forms had evidence of managerial  approval.  According to the OIG, such forms are used by the OHC to document the qualifications needed for a position and the analysis informs how the OHC develops its assessment criteria for each position.  The OIG stated that “[w]ithout an appropriately validated and approved job analysis form, the OHC cannot be certain that the knowledge, skills, and abilities essential to a position are identified and considered during the recruitment and selection process.”   The OIG also found instances where sign-on bonuses were not appropriately documented.

While the report discusses several CFPB initiatives to improve internal controls for recruitment and selection, the OIG stated that notwithstanding such improvements, it identified areas in which enhanced controls could assist the OHC in achieving its recruitment and selection goals.  Among the OIG’s recommendations was for the OHC to enhance its monitoring activities for assessing whether internal controls for recruitment and selection are designed and operating effectively.

In a letter accompanying the report, the CFPB’s Chief Human Capital Officer agreed with the OIG’s recommendations and described the steps being taken by the CFPB to address such recommendations.

Since our last blog post about the OIG’s work plan, the work plan has been updated as of August 7, 2015 to add four new projects.  A newly added ongoing project is a “Security Control Review of the CFPB’s SQL Environment.”  (An SQL environment is a database management system.)  The OIG’s specific audit objective is to evaluate the adequacy of certain control techniques designed to protect data within the system from unauthorized access, modification, destruction, or disclosure.  The audit has a first quarter 2016 estimated completion date.

New planned projects are:

  • Evaluation of the CFPB’s Risk Assessment Framework for Prioritizing Examination Activities.  The evaluation will assess the CFPB Division of Supervision, Enforcement, and Fair Lending’s risk assessment framework and methodology for prioritizing its examination activities at its supervised institutions.
  • Risk Assessment of the CFPB’s Purchase Card Program. The assessment will identify and analyze the risks of illegal, improper, or erroneous purchases and payments.
  • Audit of the CFPB’s Privacy Data and Personally Identifiable Information (PII) Program.  The OIG  will review the extent to which the CFPB has assessed the risks associated with the collection, maintenance, storage, and disposal of privacy data and PII and applied appropriate information security controls and protection over the data to mitigate those risks.  The audit will focus on (1) CFPB systems that house PII, (2) access to PII,
    (3) disposal and destruction mechanisms, (4) the handling of privacy incidents, (5) privacy training, and (6) National Institute of Standards and Technology privacy controls.

Missing from the updated work plan is an audit of the CFPB’s pay and compensation program which had previously been listed as a planned project.