Comments to us from more than one attorney have described what we're doing as a federal audit insurance policy. We're not an insurance policy but the thought is worth mentioning. So our service is not insurance - we don't sell insurance. Most worthy of mention is that the Bureau, in their Consent Orders, expressly forbids using insurer funds to pay a civil money penalty. This exclusion is not mentioned in regard to the primary fine (the big amounts for restitution, redress, etc. - the actual harm to the consumers). These awards go up to nine figures (that's hundreds of million$). And these amounts are not appropriate for insurance coverage as these are simply refunds as redress to consumers injured by illegal actions. In the alternative, these amounts are shown by the CFPB to have occurred willfully and intentionally AND as was mentioned to us by a top CFPB defense attorney, no law firm could afford such insurance in any case. Civil money penalties (CMP) commonly range from 10% to 20% of the larger redress amounts and occasionally run closer to 50%. And we've now seen 100% in civil penalties, even a $100 million CMP where there was no injury to consumers (Wells Fargo Bank).
All of this notwithstanding, insurance is generally meant to protect against outside, unknown risks that sneak up on you. By now we can safely say most law firms are aware of the CFPB, watchful to some extent, and expectant of increasingly enhanced auditing, fines, penalties, etc.
What we're hearing and reading makes up our Predictions List for future consideration:
What we WOULD say at Compliance Umbrella is that the feeling a law firm enjoys after joining the Compliance Umbrella team is a little like the deep breath you can take after putting an insurance policy into effect; so the insurance policy metaphor makes some sense.
Will using the software at Compliance Umbrella result in compliance? Only if - and there are three or four "ifs". There's a front-end task list and a back-end task list and vendors/clients in the middle. But nobody is considered to be compliant by the Bureau without a fully populated Compliance Management System (CMS). And if a firm purchases a "CMS" that describes itself as a well-designed repository for all your compliance documentation, that is not a CMS - it's an empty document repository.
A proper description would be that such a product is a formatted template into which one could load CMS content, procedures, training, a complaint database.
What is meant by the front-end task list and the back-end task list? First, prior to using the CMS on a daily basis, the intention, dedication, mission statement and approval of the CMS must be considered and documented by upper management, Board, principal partners, etc. And they need to show this on a continuing basis in meeting minutes, etc. Then the back-end will consist of monitoring, followup, identification and resolution of issues and complaints, again by management and documented.
Are there secrets to getting this done without wasting time, money, adding resources, etc.? We think so; here are a few: