When Compliance Backfires
Regulatory burden is real. And it inhibits what a business can do. Sometimes banks bring it on themselves. This is certainly the case with overdraft protection. Banks ignored the warnings of their regulators and jumped on the overdraft fee income wagon - ears shut and hands out.
Regulatory burden sometimes happens for other reasons. The FACT Act is certainly not the result of anything that the banking industry did. Instead, most of the new requirements are the result of the bad acts of others, most notably identity thieves.
To respond to this urgent problem, Congress has turned to credit reporting agencies and to the financial services industry. The FACT Act puts into place, in record time, a complex series of controls, information reporting, research and investigation, and consumer information and education programs. And guess who has to do most of the work?
As with OFAC and the anti-money laundering programs, financial institutions have been chosen as the key players.
This is not to say that the credit reporting industry isn't shouldering a significant share of the load. They have a lot to do. But what they have been assigned is not much more than they should be doing anyway. Their primary new responsibilities come down to ensuring accuracy of information. Since that is what they purport to sell, setting accuracy requirements shouldn't be too much of a shocker for that industry. The burden certainly seems fair.
And then there are the responsibilities that fall on the Federal Trade Commission to educate and provide information to consumers. Arguably, this is a good use of taxpayers' money and the FTC also has a proven successful track record at producing good consumer education materials.
But the new burdens for financial institutions are quite different. The load placed on financial institutions is definitely burdensome. There are notices to consumers when adverse information is reported to credit bureaus. There are investigation responsibilities when a consumer alleges an error in their report. There are identity confirmation requirements that parallel CIP. And there are requirements to monitor accounts for early catches of activity that may indicate or lead to identity theft.
But here's the catch: much of this new burden can be dodged simply by not reporting credit. If you don't report credit, you don't have to send customers notices of adverse information reported and you don't have to investigate errors in reported information. You would still have to deal with identity theft flags and active duty flags. But you could dodge about half of the burden by the simple act of becoming a non-reporter.
Then what happens? What happens when a significant number of financial institutions become non-reporters of credit information is that the credit information system loses value - and then it falls apart. If that happens, we have two significant problems. First, safety and soundness becomes an issue because lenders will face more difficulties in evaluating creditworthiness of applicants. Second, the complex system set up to prevent and correct identity theft falls apart.These are not minor considerations. In fact, the cost and difficulty of compliance may be the undoing of the act and all the good intentions behind it. Why? Because the authors of the legislation focused their attention on the problem and how to solve it (using someone else's time, effort and resources) but failed to take into account the cost.
The cost is likely to be massive: new systems, new procedures, and new liabilities. The only way that institutions have to minimize this new burden is to act in a way that will cause the grand plan to fail. Legislators should think about this when they think up apparent solutions.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 6, 6/04