As published in ABA Bank Compliance (now ABA Risk and Compliance), May/June 2020
Fair lending is a key area of regulatory scrutiny, and one that garners a lot of public attention. Fair lending compliance risk arises with the first customer interaction in the marketing and sale of loan products, and it continues throughout the entire loan process. Financial Institutions (FIs) must proactively manage fair lending risk exposure, and it’s important to assess how well lending operations, practices, and service delivery align with their risk appetite for culture, conduct, and compliance risk—including fair lending risk.
Embedding fair lending principles into day-to-day activities is necessary for a strong compliance culture, and monitoring the bank’s conduct, or how it shows commitment, will help uphold that culture.
For banks large and small, fair lending risk management proves challenging because the requirements and principles touch all aspects of the lending process and require attention not just to the trees—the technical regulatory details, processes, systems, and data, but to the forest—the attitudes, behaviors, and actions of their employees. How does everything work together to ensure the customer outcome and experience are fair? Fair lending risk is not always evident in a loan file or an audit checklist. One of the best ways to gain a clear and objective understanding of your fair lending compliance risk is through a fair lending audit. The fair lending audit process must focus beyond the technicalities, and internal audit must see the forest for the trees.
Assessment of the Fair Lending Compliance Management System
The three lines of defense—business, compliance risk management, and internal audit—all play key roles in the governance process. The fair lending culture must be inherent in the business lines and support functions (first line). The compliance department (second line) administers the fair lending program and advises the first line. Internal audit (third line) provides the independent, objective assessment of whether the fair lending compliance management system and risk culture are operating as management, the Board of Directors, and regulators expect.
Providing an independent, objective and holistic assessment of the fair lending compliance management system sounds easier than it is. Fair lending expertise within the industry and within internal audit functions continues to evolve. An internal audit of fair lending is more than what some see as the traditional verification of adequate segregation of duties, existence of dual controls, or tests of compliance with technical regulatory components. To stay true to its mandate, internal audit must consider the full fair lending compliance management system. Internal audit should provide assurance of whether the bank is accomplishing its objectives of effective fair lending risk management by assessing technical compliance and identifying the risk of overt and comparative disparate treatment, and potential disparate impact. The audit should include evaluation of the fair lending risk assessment; processes for identification and mitigation of marketing, credit, pricing, and third-party vendor risk; lending policies and procedures; fair lending training; fair lending monitoring and testing activities; complaint management; and board of directors and management oversight.
Assessment of loan-level compliance with the Equal Credit Opportunity Act (ECOA), Fair Housing Act (FHA), Home Mortgage Disclosure Act (HMDA), and Community Reinvestment Act (CRA) is defined within the three lines of defense at most FIs. The technical elements are usually straightforward, and performance can be readily assessed against a specific regulatory requirement. Determining whether loan products and services are sold, granted, and serviced fairly, and that no protected class under ECOA and the FHA is discriminated against, however, is more complicated.
In a bank with a mature fair lending compliance management system, the distribution of responsibilities is clearly delineated between the three lines of defense. The first line is responsible for day-to-day compliance, culture, and conduct. The second line is advising, monitoring, and conducting self-tests including statistical and regression analysis, as appropriate. And, the third line is focused on independent assessment of the entire program. Many banks are still evolving the fair lending compliance management system and the three lines are not as distinct, and at times are downright blurred. Internal audit functions at some banks, for example, may take on monitoring and testing activities that typically fall within the purview of the compliance department. In part, this is because finding and hiring personnel with the requisite fair lending expertise is difficult, especially for smaller banks where resources are limited, and the pool of potential candidates is small. As a result, banks are sometimes forced to learn and evolve as they go or seek assistance from consulting firms and law firms.
Understanding the Requirements
Today, there are many fair lending educational options offered through the American Bankers Association, other industry trade associations, and law firms. The Interagency Fair Lending Examination Procedures (Interagency Procedures), set forth by the Federal Financial Institutions Examination Council, are also a good starting point. They provide the expectations related to managing, measuring, and addressing fair lending risk and are a good reference for making sure internal audit coverage meets key stakeholder and regulatory expectations. Starting with definitions, ECOA makes it unlawful for “any creditor to discriminate against any applicant with respect to any aspect of a credit transaction: (1) on the basis of race, color, religion, national origin, sex or marital status, or age (provided the applicant has the capacity to contract); (2) because all or part of the applicant’s income derives from any public assistance program; or (3) because the applicant has in good faith exercised any right under the Consumer Credit Protection Act.” Similarly, the FHA prohibits discrimination in all aspects of residential real-estate related transactions based on race, color, national origin, religion, sex, familial status (defined as children under the age of 18 living with a parent or legal custodian, pregnant women, and people securing custody of children under 18) and handicap.
Fair Lending Internal Audit Program
The internal audit program should examine how the bank proves that it has not engaged, knowingly or unknowingly, in disparate treatment of protected consumers or that policies and practices do not result in disparate impact based on the prohibited bases outlined above. A comprehensive understanding of the bank’s products, services, and operations should prompt specific areas for review. The list below is not a complete fair lending audit program. Beyond the traditional technical compliance requirements of ECOA, consider the following questions.
Fair lending program, policies and procedures:
- Is the fair lending program documented and does it address scope, responsibilities, reporting, and corrective action requirements?
- Are procedures sufficiently detailed and designed to ensure consistent outcomes and prevent discrimination on a prohibited basis?
- Are policies and procedures communicated and readily available to applicable personnel?
Fair lending risk assessment:
- Does the risk assessment align with the discrimination risk factors outlined in the Interagency Procedures?
- Does it include all lending products and services—mortgage, consumer, small business, and commercial?
- Does it include the lending cycle: marketing, pre-application, application, underwriting, pricing, closing, and servicing?
- Does it include a high-level analysis of data to help identify areas of risk?
- Does it consider the bank’s assessment areas and other geographies where applications are taken, and loans originated?
Marketing & advertising:
- Does the marketing policy address fair lending risks?
- Are marketing materials, including for new products, reviewed for prohibited basis factors or implied prohibited basis?
- Do product offerings vary by geographic area or delivery channel (in-person, online, etc.)? If so, how is management assured that variances do not negatively impact borrowers on a prohibited basis?
- Are media selections reviewed to ensure campaigns reach all areas of the target communities?
- Are pre-screened solicitations reviewed by compliance and legal to ensure prohibited basis factors are not considered?
- Are validations performed on marketing models to ensure criteria used do not present fair lending risk?
- Are website content and presentation reviewed prior to going live?
- Are marketing materials provided in a language other than English? If so, is subsequent documentation provided in the same foreign language?
- Is a social media policy in place addressing acceptable use and required content approval? Are sites monitored for potential discriminatory issues?
Credit/underwriting:
- Do lending procedures provide the appropriate level of guidance to ensure consistent treatment and levels of assistance for all customers?
- Are special purpose credit programs (affordable housing, down payment assistance, etc.) reviewed to ensure fair lending risks are identified?
- Are underwriting decisions based on specific, objective, and defined criteria and are they consistently documented, including any exceptions?
- Is the bank using alternative data and/or artificial intelligence in the underwriting process? Are outcomes assessed for potential unfair treatment of protected borrowers?
- Is validation of credit models performed and does the validation address fair lending?
- How are exceptions to underwriting criteria handled? Does a formal exception policy exist outlining when an exception can be granted, compensating factors, and approvals required?
- If working with third parties including appraisers, lead aggregators, or third-party originators (brokers and correspondent lenders), is monitoring performed to assess fair lending risk?
Pricing:
- Does the pricing policy address terms, conditions, frequency of changes, approval and communication of changes, responsibilities for loan pricing (centralized pricing desk), etc.?
- Does loan pricing vary based on geography or delivery channel? Is there a business justification for the difference?
- Are brokers and other third-party originators monitored for pricing discretion and exceptions?
- Is there a policy for pricing exceptions? Are exceptions and the reason for the exceptions tracked and analyzed to determine if borrowers are treated differently on a prohibited basis?
- Have limits on exceptions been set? Are limits reasonable? At what point does the number of exceptions call for a change in policy?
- Are any employees or third parties compensated based on a component of pricing (rate, term, etc.)? If so, this could present a risk of steering applicants to particular loan products.
Servicing & collections:
- Are procedures detailed and clear related to prompt crediting of payments, escrow requirements, payoffs, collateral releases, private mortgage insurance requirements, credit line increases, payment programs, etc.?
- Are practices consistent and objective around loss mitigation efforts, bankruptcy, and foreclosure?
Management of lending-related third parties/vendors:
- Is compliance with fair lending laws, regulations, policies, and procedures incorporated into third-party contracts?
- Is the third party required to conduct fair lending training for their employees?
- Are periodic audits performed of the third party to ensure compliance with fair lending requirements?
- Are complaints related to the third-party services reviewed for trends and potential fair lending issues?
- Are compensation arrangements reviewed to ensure they do not create unintended incentives that could result in fair lending issues?
Fair lending training:
- Does fair lending training cover fair lending laws and regulations and specific applicability to job responsibilities?
- Are all employees involved in the lending process in the first, second, and third lines of defense, from the receptionist to the internal auditors, senior management, and the Board of Directors, required to take annual fair lending training? How are exceptions handled?
- Are new employees trained within a reasonable period of their start date (typically 30 days)?
- Are training records and results of required tests kept to support the training program?
Complaint management:
- Does the bank have a formal complaint policy? Does it address complaints received by the bank directly, through its third-party partners, and through regulatory agencies?
- Are complaints risk-ranked and are discrimination complaints rated as high risk?
- Is root cause analysis of complaints performed to determine whether policies, procedures, or practices need enhancement?
- How are complaints alleging discrimination identified and addressed? Are they escalated to compliance and legal departments?
- Are complaints, including those alleging discrimination, reported to the Board of Directors?
Board of Directors and management oversight:
- Are periodic reports made to management and the Board of Directors on fair lending issues?
- Has the board received enough information to exercise its oversight responsibilities, and does it understand the level of fair lending risk in the bank’s products, services, and business lines?
- Are the report and discussion sufficiently documented in the meeting minutes?
Fair lending monitoring and testing activities:
- Has a formal monitoring process been established? Is it executed on schedule? Does the scope include all lending products?
- Are exceptions/overrides monitored for reasonableness and potential unequal outcomes?
- Are issues and corrective action plans tracked to completion?
- Are monitoring results reported to management and the Board of Directors?
- Is self-testing performed to identify potential areas of disparate treatment and impact?
The Interagency Fair Lending Examination Procedures outline discrimination methods under the ECOA and FHA.
- Overt Evidence of Disparate Treatment—when a lender openly discriminates on a prohibited basis.
- Comparative Evidence of Disparate Treatment—when a lender treats a credit applicant differently based on one of the prohibited bases. It does not require any showing that the treatment was motivated by prejudice or a conscious intention to discriminate against a person beyond the difference in treatment itself.
- Redlining—a form of illegal disparate treatment where a lender provides unequal access to credit because of the prohibited characteristic(s) of the residents of the area where the credit applicant resides or will reside, or where the mortgage property is located.
- Steering—guiding applicants toward a specific product or feature based on a prohibited basis rather than on an applicant’s needs or other legitimate factors, regardless of financial outcome.
- Evidence of Disparate Impact—when a lender applies a racially or otherwise neutral policy or practice equally to all credit applicants, but the policy or practice disproportionately excludes or burdens certain persons on a prohibited basis.
Self-testing
To fully understand fair lending performance, a bank needs to analyze its data. Responsibility for this analysis, or self-testing, varies by bank and depends on where the available resources and expertise lie within the bank. In many cases, the compliance department (second line) takes the lead. There are also banks, both large and small, where internal audit (third line) performs or oversees the self-testing. While no requirements preclude internal audit from taking charge of self-testing, if it does, the bank should consider the consequences. It loses the effective challenge that internal audit provides, and it will operate with one less line of defense. Internal audit’s independence and objectivity would be compromised because it will be involved with the business lines and compliance functions in administering the fair lending program. Additionally, regulators and other key stakeholders are privy to internal audit’s reports. The bank should consider how it wants to manage self-test results. The Commentary to ECOA’s implementing regulation (Regulation B, Section 1002.15, Incentives for Self-Testing and Self-Correction) provides guidance on this matter.
The distinction between self-evaluation and self-testing is an important one. The fair lending regulations and the Interagency Procedures define a self-evaluation as an assessment process that does not create any new data or factual information but uses data readily available in application and loan files and other records used in the credit transaction. Self-evaluations include procedure reviews and technical compliance testing, the results of which are reported through the compliance monitoring and internal audit process.
A self-test is defined as, “Any program, practice, or study that is designed and specifically used to assess the bank’s compliance with ECOA and FHA. It creates data or factual information that is not otherwise available and cannot be derived from loan, application or other records related to credit transactions.” Self-tests typically include statistical and regression analyses utilizing CRA assessment data, branch and loan production office locations, HMDA data, CRA small business data, and loan system data, and are a key component of the fair lending compliance management system (CMS). Self-tests should complement qualitative analysis and focus on the areas of highest fair lending risk in underwriting, pricing, levels of assistance, redlining, and steering. The regulators also use this same data to determine the focal point of their examination.
Self-tests help a bank understand whether elevated fair lending risk is present and where changes are needed in the business to improve fair lending performance. Conducting self-tests within the compliance department is prevalent in mature fair lending programs that have the expertise and resources required. In its advisory role, compliance works with the business lines to improve fair lending compliance and performance. If requirements under ECOA Section 1002.15 (Incentives for Self-Testing and Self-Correction) are followed, voluntary self-tests can be privileged. Consulting with legal counsel to determine whether self-tests should be conducted under attorney-client privilege or work-product privilege is always a good idea.
Fair lending compliance is complex. Internal audit, as the final line of defense, plays a critical role in the fair lending governance structure. Auditing for technical compliance with fair lending and other related regulations and testing loan data integrity is imperative. Internal audit’s holistic review of the fair lending program and the effective challenge they will provide will help ensure the bank sees the forest for the trees.