Heightened oversight by regulatory bodies combined with demands for greater transparency and consumer fairness is compelling financial services companies to reinforce and, in some cases, entirely rethink their internal control mechanisms. At the heart of their fortification efforts is the need to better integrate the actions of those designing, developing, implementing and selling services and to ensure oversight of their execution. For in this age of ever-increasing scrutiny, the road to operational excellence in financial services requires internal controls that reach into every corner of the organization.

The Era of Scrutiny

The 2007–08 financial crisis ushered in an era of regulatory scrutiny for financial institutions unseen since the Great Depression. In the last year alone, U.S. regulators imposed more than $6.4 billion in penalties and restitution on financial services firms, and there is every expectation that such intense scrutiny and enforcement will continue.


Internal controls do more than ensure that financial services organizations comply with industry regulations, however; they are key to mitigating a whole host of risks and to providing customers with exceptional product and service offerings. Indeed, the fairness, transparency and security that internal controls enable can even be leveraged as a selling point. In other words, internal controls are critical to the success of financial services organizations overall.

But much in the way that the real value of tools and techniques aimed at improving operational performance and management—from Six Sigma to Lean principles—isn’t realized until the underlying principles and corresponding processes are embedded within the business’s line functions, internal controls must also be embedded in order to be truly effective.


The model for operational excellence can be divided into four quadrants: policies and processes; systems and tools; the organization and its people; and finally, data and insights.


How JPMorgan, Ally Bank and Multiple Card Issuers’ Internal Controls Broke Down

To illustrate the criticality of implementing a program for achieving operational excellence that addresses the four quadrants, we have identified recent examples in which financial institutions suffered a breakdown of internal controls—and the steep price they subsequently had to pay.

JPMorgan’s “London Whale”

In 2012, JPMorgan incurred estimated trading losses of at least $6.2 billion on derivatives transactions out of its London office due to actions taken by a trader nicknamed the “London Whale”; it was subsequently determined that the firm had violated securities laws and withheld information related to the trades. JPMorgan was forced to pay $920 million in regulatory penalties as well as costs associated with litigation proceedings and remediation efforts and to deal with the resulting damage to the firm’s culture and reputation.

The U.S. Senate’s report on the incident found that JPMorgan’s risk management was weak and that “risk limit breaches were routinely disregarded,” to the point that “from January 1 through April 30, 2012, Chief Investment Office (CIO) risk limits and advisories were breached more than 330 times.” The CIO never documented the purpose of the Synthetic Credit Portfolio (SCP) team responsible for the losses, nor did the team itself have processes and protocols governing its trading. JPMorgan did have an established policy on valuation practices, but the CIO deviated from it, allowing the SCP team to report modest daily losses instead of the significant losses that were in fact being incurred.

JPMorgan’s losses could have been limited and made more transparent had the firm’s risk management, hedging practices and escalation procedures been properly documented, standardized and enforced. Its change management practices also appear to have been inadequate: a new risk model was put into production without thorough testing, and its flawed calculations understated the portfolio’s overall risk for months. Furthermore, SCP did not apply the concentration limits other JPMorgan teams used to monitor and restrict exposures. According to the Senate report, “[T]here were no limits by size, asset type or risk factor for the Synthetic Credit Portfolio; indeed there were no limits of any kind specific to the Synthetic Credit Portfolio.” Concentration limits would have brought SCP’s trading activity to the attention of other parts of the firm, giving it the opportunity to intervene before the losses accumulated.

The CIO risk management team did not consider itself independent from the firm’s risk takers and, as a result, was not empowered to critique the desk or escalate its concerns. Moreover, the CIO Risk Committee consisted largely of CIO management; in fact, none of the risk committee members came from outside the team, which made it especially hard for them to objectively review and opine on its strategies. The committee also met infrequently, had no official charter or membership directory, and does not appear to have escalated the accumulating losses or the risk limit breaches related to the London Whale trades to the firm’s senior management in time.
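The two gaps described above, exposure with no concentration limits and breaches that nobody outside the desk saw, are the kind of control that can be embedded in the monitoring system itself rather than left to a committee. The following Python sketch is an added illustration, not code from this paper or from JPMorgan: it aggregates gross notional by book, asset type and risk factor, refuses to run a book that has no limits defined, writes every breach to an escalation log that is reviewed outside the desk, and rejects any waiver approved by a member of the desk. The limit values, position data and role names are constructed for the example.

```python
"""Added example: a limit monitor that embeds concentration limits and
independent escalation. Limits, positions and names below are constructed
for illustration and do not describe any real portfolio."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Position:
    book: str            # portfolio the position belongs to
    asset_type: str      # e.g. "cds_index", "single_name_cds"
    risk_factor: str     # e.g. "IG_credit", "HY_credit"
    notional_usd: float  # signed notional; limits apply to gross exposure


@dataclass(frozen=True)
class Breach:
    book: str
    dimension: str       # "book", "asset_type" or "risk_factor"
    key: str
    exposure: float
    limit: float


@dataclass
class LimitMonitor:
    # limits keyed by (dimension, key); a book with no entry cannot be run,
    # so "no limits of any kind" is an error rather than a silent default
    limits: dict
    desk_members: frozenset          # may not approve waivers on their own book
    escalation_log: list = field(default_factory=list)

    def exposures(self, positions):
        """Aggregate gross notional along every limited dimension."""
        agg = defaultdict(float)
        for p in positions:
            gross = abs(p.notional_usd)
            agg[("book", p.book)] += gross
            agg[("asset_type", p.asset_type)] += gross
            agg[("risk_factor", p.risk_factor)] += gross
        return dict(agg)

    def check(self, book, positions):
        """Return all breaches; each one is escalated, never just returned."""
        if ("book", book) not in self.limits:
            raise ValueError(f"book {book!r} has no limits defined; refusing to run")
        breaches = []
        for (dim, key), exposure in self.exposures(positions).items():
            limit = self.limits.get((dim, key))
            if limit is not None and exposure > limit:
                b = Breach(book, dim, key, exposure, limit)
                breaches.append(b)
                self.escalate(b)
        return breaches

    def escalate(self, breach):
        """Append to the log read by the independent risk function."""
        self.escalation_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "breach": breach,
            "status": "open",
        })

    def waive(self, breach, approver):
        """Close an open breach; the approver must sit outside the desk."""
        if approver in self.desk_members:
            raise PermissionError(f"{approver} is on the desk and cannot waive its own breach")
        for entry in self.escalation_log:
            if entry["breach"] == breach and entry["status"] == "open":
                entry["status"] = f"waived by {approver}"
                return True
        return False


# Constructed sample data: hypothetical limits and three positions in a book.
SAMPLE_LIMITS = {
    ("book", "SCP"): 5_000_000_000,
    ("asset_type", "cds_index"): 3_000_000_000,
    ("risk_factor", "IG_credit"): 2_500_000_000,
}
SAMPLE_POSITIONS = [
    Position("SCP", "cds_index", "IG_credit", 2_000_000_000),
    Position("SCP", "cds_index", "IG_credit", 1_500_000_000),
    Position("SCP", "single_name_cds", "HY_credit", -800_000_000),
]


def run_sample():
    """Run the monitor over the constructed book; returns (monitor, breaches)."""
    monitor = LimitMonitor(SAMPLE_LIMITS, frozenset({"desk_trader", "desk_head"}))
    return monitor, monitor.check("SCP", SAMPLE_POSITIONS)


if __name__ == "__main__":
    _, found = run_sample()
    for b in found:
        print(f"{b.dimension}={b.key}: exposure {b.exposure:,.0f} exceeds limit {b.limit:,.0f}")
```

On the constructed data the book total (4.3 billion gross) stays inside its limit, but the index and investment-grade concentrations both exceed theirs, so two breaches are written to the escalation log before the desk sees the result. The point of the design is not the arithmetic but where the decisions sit: the limits are data the desk cannot omit, the log is written by the check itself, and the waiver path enforces the independence that the CIO Risk Committee lacked.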

The risk control breakdowns in JPMorgan’s London Whale incident are summarized in Figure 4.


Ally Bank’s Fair Lending Violation

Indirect auto lenders and auto finance companies are facing heightened and ongoing scrutiny of dealer compensation practices. To that end, in December 2013, the Consumer Financial Protection Bureau and the U.S. Department of Justice issued a consent order against Ally Bank and its parent company, Ally Financial Inc., after Ally’s dealer compensation practices were found to have had a disparate impact on certain minority borrowers; the $98 million in settlement payments represented the first and largest joint fair lending action in the indirect auto lending arena.

Ally’s policy allowed dealer discretion with regard to the markup of the interest rate set by Ally, which was based on the loan terms and the credit risk of the individual borrower. Part of the markup was then used to compensate the dealer for arranging financing, a practice which, while not unusual, can create an incentive for the dealer to charge higher interest rates, thereby posing fair lending risks. And while the allegation that Ally’s actions resulted in disparate impact is not meant to suggest that Ally intentionally discriminated against any borrowers, it does allege that the implementation of the markup policy without proper controls resulted in certain minority borrowers paying more for credit.

In addition to monetary damages, the settlement terms of the order required Ally to adopt and implement a compliance plan aimed at ensuring fair lending practices in the dealer pricing program. Among the controls mandated by the order:

  • “Establish a dealer compensation policy that limits the maximum spread between the buy rate and the contract rate up to no more than the spread that the Company currently permits”
  • “Provide regular notices to dealers explaining their fair lending obligations under the ECOA”
  • “Establish quarterly and annual dealer-level and portfolio-wide analysis of markups based on the Agencies’ statistical methodology”
  • “Take prompt corrective action with respect to dealers identified in any dealer-level quarterly analysis, to include prohibition on a dealer’s ability to mark up the buy rate or termination of the dealer relationship”

Ally Bank’s fair lending incident can be attributed to several risk control breakdowns, as depicted in Figure 5.


Multiple Card Issuers Engaged in Deceptive Credit Card Practices

The Consumer Financial Protection Bureau (CFPB) has the authority to take action against institutions engaging in unfair, deceptive or abusive practices. With this authority, the agency has forced card issuers to pay millions of dollars in restitution to customers over incidents that can be largely attributed to poor design, lack of training and process errors.

The CFPB announced its first public enforcement action against Capital One Bank, for deceptive marketing tactics, in July 2012. As part of the action, the CFPB ordered a change to how “add-on” products such as payment protection and credit monitoring were used as part of the issuer’s marketing program. It also called for a refund of approximately $140 million to 2 million customers and an additional $25 million penalty.

The CFPB found that Capital One’s vendors had pressured or misled consumers with low credit scores or low limits into paying for payment protection and credit monitoring products when they called to activate their new cards. Sales tactics used by representatives were found to have sometimes led consumers to believe that the products would improve their credit scores and help them increase the credit limit on their Capital One credit card. Customers were not always told that enrollment in the programs was optional, and they sometimes believed it was free. Other problems were identified as well, including sales of the products to ineligible unemployed and disabled customers who were later denied benefits and the enrollment of customers without their consent. Many consumers also had difficulty canceling enrollment when they called to do so.

The CFPB’s second enforcement action was announced in September 2012. Like Capital One, Discover was ordered to change its marketing of add-on products and to seek the approval of the CFPB and the FDIC for its compliance plan. It was also ordered to pay $200 million in restitution to approximately 3.5 million customers, plus $14 million in penalties split evenly between the U.S. Treasury and the CFPB. The action was taken after the CFPB, in an investigation originally started by the FDIC, found that Discover had been deceptive about the price of certain add-on products, had sold the products without customers’ knowledge and had misled customers about their eligibility for the products.

The third action, against American Express, followed an investigation started by the FDIC and the Utah Department of Financial Institutions. In October 2012, an enforcement order required American Express to end illegal card practices, repay $85 million to approximately 250,000 customers and pay $27.5 million in civil penalties to the CFPB, the FDIC, the Federal Reserve and the Office of the Comptroller of the Currency (OCC) for violations of consumer protection laws. The CFPB had found that the company failed to deliver a promised program sign-up bonus of $300 to each affected customer. The agency also found that Amex charged illegally high late-payment fees, violated fair lending laws by using age to differentiate credit ratings, failed to fully report customer disputes to credit bureaus and did not report payments of old debt to the credit bureaus after telling customers that such payments would improve their credit scores.

In September 2013, the CFPB continued its crackdown, ordering JPMorgan to refund $309 million to approximately 2.1 million credit card customers. A separately issued order required the firm to pay an additional $60 million in civil money penalties after the CFPB and OCC found it had engaged in unfair billing practices for certain credit card add-on products by charging customers for credit monitoring services they did not receive.

Shortly after, in December, the CFPB ordered GE Capital Bank and its subsidiary, CareCredit, to refund up to $34.1 million to about 1 million customers who were victims of deceptive credit card enrollment tactics at doctors’ and dentists’ offices around the country. Consumers had signed up for what they believed was an interest-free promotion without understanding that interest accruing at a rate of 26.99% would kick in if the balance was not paid at the end of the promotional period, the result of poorly trained representatives who failed to properly explain the promotion’s terms. In addition, some consumers did not receive copies of the actual CareCredit agreements.

And as the year drew to a close, the CFPB ordered American Express to pay $59.5 million—with federal regulators imposing an additional $16.2 million in fines—for illegal credit card practices such as unfair billing tactics and deceptive marketing of add-on products, which impacted more than 335,000 consumers. Specifically, some consumers were misled about the fees associated with payment protection products and the amounts and length of payment coverage extended under the “Account Protector” payment protection product. American Express was also found, during telemarketing sales calls for its Lost Wallet product, to have not adequately explained to customers in Puerto Rico how to access product benefits. Moreover, uniform Spanish-language scripts were not provided for the telemarketers making those calls, and the subsequent written materials sent to consumers were in English instead of their native Spanish.

The enforcement actions against these credit card issuers resulted from risk control breakdowns that could have been prevented. These breakdowns are highlighted in Figure 6.


Risk Mitigation Components

The control breakdowns highlighted in the illustrative cases were not the result of bad intent or human error, but of poor design and inadequate planning.

Better oversight, greater engagement of subject matter experts and enhanced training would all have reduced the likelihood of such breakdowns, but none of them would have prevented the breakdowns unless risk controls had been embedded from design through execution and delivery.

Embedding controls is no easy task: it involves complex products and processes as well as elements within and outside the institution’s jurisdiction. Embedded controls are needed nonetheless, because they are what allow an institution to anticipate, detect and resolve issues in a timely manner. With that in mind, a model for operational excellence must encompass risk controls, including mitigation components such as those illustrated in Figure 7.


Road to Achieving Operational Excellence

Kurt Salmon employs a set of best practices, methodologies and toolkits to lead our clients on the path to operational excellence. Creating a business model and program that addresses the four quadrants highlighted in this paper is only one step toward that goal. A roadmap is also required that sets the priorities to be addressed along the way. Elements of this roadmap should include:

  1. A framework for embedding risk controls with an organization structure and cross-functional interaction model to support it
  2. A governance structure to review, approve and monitor risks and decision-making processes
  3. An information repository that makes policies, procedures and business intelligence accessible
  4. Analytic capabilities to drive scenario building and stress testing
  5. A robust change management program supported by ongoing communication and training to help the institution implement change while at the same time educating, motivating and engaging employees so that they will support the transformation

Financial services firms have entered into a period of unprecedented oversight on the part of regulatory bodies, along with ever-increasing demands from consumers for fair and transparent practices and products. In order to achieve operational excellence in this era of scrutiny—and avoid the steep penalties associated with a failure to comply—financial services organizations need a model consisting of four equally important quadrants and to ensure that internal controls are deeply embedded into each and every one of them.


31 January 2014