In this episode of The Consumer Finance Podcast, Troutman Pepper Partners Chris Willis and Matthew Orso discuss lessons learned from bank internal investigations.
In this episode of The Consumer Finance Podcast, Troutman Pepper Partners Chris Willis and Matthew Orso discuss lessons learned from bank internal investigations. They explore the trigger points that give rise to these investigations, provide useful advice for banks regarding their investigations, discuss how to avoid common issues, and suggest remedial measures to prevent issues from repeating.
The Consumer Finance Podcast: Bank Investigations and Enforcement Actions: Lessons Learned
Host: Chris Willis
Guest: Matthew Orso
Date aired: October 26, 2023
Chris Willis:
Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Group, and I'm happy you've joined us today to hear about lessons learned from bank investigations and the enforcement actions that can sometimes follow them. But before we jump into that topic, let me remind you to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com, where we cover the entirety of the financial services industry and of course, ConsumerFinancialServicesLawMonitor.com, where we cover everything going on in the world of consumer finance. And don't forget about our other podcasts. We have a bumper crop of them. We have the FCRA Focus, all about credit reporting. We have Unauthorized Access, which is our privacy and data security podcast, The Crypto Exchange about all things crypto, and our newest podcast Payments Pros, which is all about the payments industry. So those are all available on all popular podcast platforms. And speaking of those platforms, if you like this podcast, let us know. Leave us a review on the podcast platform of your choice and let us know how we're doing.
So as I said, today we're going to be talking about lessons learned from bank investigations and enforcement actions, and to help me out with that, I've got my partner Matt Orso. Matt's in our Charlotte office and is in our white collar group, but has a massive background in doing internal investigations into a variety of very sensitive compliance and enforcement issues for large financial institutions, and he's here today to share his experience and give everybody some tips about things to do and things to avoid when these internal investigations have to happen. So Matt, thanks for being on the podcast and sharing your knowledge with us today.
Matt Orso:
Thanks, Chris for having me. Really appreciate it.
Chris Willis:
As I said, in introducing you, I know you have extensive experience leading investigations for banks when something's gone in the ditch and they have to figure out what happened and why. Let's just start off by letting you tell the listeners what are some of the typical trigger points that give rise to these investigations? Why are we doing them in the first place?
Matt Orso:
Sure, Chris. I think about it as different buckets of types of behavior or instances that tend to come up that give rise to these larger scale or sensitive investigations. Certainly anything that involves customer harm usually will trigger an investigation, and so that's one big bucket of all kinds of different types of activity. Another category of these types of investigations will involve employee misconduct, employees doing something against policy code violation. Maybe that's something that is creating customer harm. Another type is non-employee related. It's purely external fraud, but it's coming from the outside and coming into the financial institution and impacting things in some way.
An example of that would be a Ponzi scheme that's being operated and it's using a bank's accounts to further that scheme that will often require an investigation as to what occurred and how that occurred. Finally, often investigations come up when you identify some type of gap in compliance with a regulation. Maybe there's nothing specifically that triggers it other than somebody notices that, hey, we're doing this thing the wrong way and the regulators might really care about it, and so we need to investigate it, figure out how that happened and how we can fix it. That's kind of how I would bucket the items that give rise to investigations.
Chris Willis:
And I have to tell you my personal favorite of the trigger points for internal investigations is the whistleblower report, either from a former or current employee. That always seems to get everybody's attention.
Matt Orso:
Absolutely. The ethics line of financial institutions is a fertile ground for the beginning of investigations.
Chris Willis:
Well, it sounds Matt, like an investigation can arise out of a lot of different sources, but what are some of the things you've learned over your years of doing these investigations that might be helpful to our listeners regarding their internal investigations?
Matt Orso:
It's an overarching theme. I really think the first thing to think about when conducting an investigation is that someday someone else might be looking at what you did. Whether that's a regulator, whether it's maybe a judge or a jury, it should be conducted keeping in mind that someone else may well be looking at this somewhere down the line. And so that dictates, I think, how we frame an investigation, the things that we communicate and how we proceed. And then getting to some key points to keep in mind, things that I've learned from conducting pretty large-scale investigations in the past.
I think one that has come up multiple times is around information aggregation. This is pretty key to compliance and to identifying patterns of employee misconduct. That's something that I've found over the years in looking back at investigations and what might have been done differently, how things might've gotten caught more quickly and addressed. A lot of times issues get investigated and they look like they're one-off type issues, like isolated incidents, but in actuality, you have a repeat fact pattern where the larger pattern of that behavior is not detected, but it's going on in maybe other parts of a bank or other geographies. It often gets missed because that similar case just gets handled by a different investigator maybe or is in a different line of business. Either way, if these patterns get missed, it can cause a lot bigger issues like regulatory scrutiny, enforcement, litigation, and those types of risks.
Chris Willis:
Well, sure, and I think it's obvious that if the bank does an investigation that fails to reveal something and they conclude that it's a one-off and everybody's very relieved about that, but then a regulator comes in later and says, "Oh, wait, there's more." Then I think the punitive consequences to the bank are likely to be a lot worse than if the bank had found it and remedied itself. Right?
Matt Orso:
Absolutely. Yeah, I think that's absolutely right.
Chris Willis:
Well, and the other thing too is you're talking about small numbers of incidents sometimes that may form a pattern over time. There are some issues that are so sensitive that even a small number of occurrences can give rise to significant liability for a bank or another financial institution. One example that springs to mind for me is service members Civil Relief Act. You don't have to screw many of those up to give rise to a multimillion-dollar enforcement action.
Matt Orso:
Yeah, there's no doubt about that. There are a myriad examples of very sensitive or serious singular violations that can lead to significant enforcement action or litigation.
Chris Willis:
So, we know it's important for banks to accurately assess and pick up these larger patterns of common issues that you were just talking about. What are some things that banks can do in the course of investigations to actually detect that stuff?
Matt Orso:
One thing that banks I think can do and I've seen them do, is to have a dedicated intake team for investigations where there's a specific person or maybe a group of people who their job is to identify these patterns of common investigation fact patterns. I think the size of a financial institution often dictates what can be done here. It's a lot easier to spot trends when you're only looking at a few allegations of misconduct a week as opposed to maybe hundreds or maybe even thousands depending on your size. And so while manual review in this way can really help, it certainly has its limitations. I've been thinking a lot about the development of AI and its use in industry, and I know that's a hot topic right now. What I'm excited about in this way is I think tools could be implemented to assist in this way in tracking and trying to aggregate similar investigation case types.
I think it could go even further. I think it could be used to track and to compare lifecycles of investigation cases, including all the facets of case outcomes to help assign risk levels and escalation paths. When you take a case at the intake stage, for example, you might see that this specific case type based on our information 90% of the time ends up in an enforcement action. That's a serious risk, and so you might handle that case differently than this other case type that 95% of the time it only results in an oral warning for an employee. And so I think the more information and data that can be gleaned through different tools of aggregation, the better financial institutions can approach it, the outset of investigation with the right path in mind, staff it the right way. Maybe it needs to be led by legal versus by non-legal investigators. All kinds of different considerations.
Chris Willis:
We've talked for a few minutes about doing the fact-finding part of the investigation correctly and finding what the actual facts are as a regulator might find them later so that we don't have any unpleasant surprises in our next regulatory exam or in an enforcement investigation, but that's only one part of the investigation cycle, right Matt? There are other things that have to go right in order for an investigation to be successful for a bank or another financial institution. What are some of the other high-level lessons about things that need to go right, that you'd like to share with the audience?
Matt Orso:
Sure. I'll talk about a couple of things. I'll talk about escalation of the issues or escalation paths, and I'll also talk about remediation. First in terms of what I'll call escalation paths. This would be how an issue, once it gets identified, gets escalated to the right people so that they can make the right decisions on whether to investigate it and how to investigate it. If escalation doesn't happen, then investigation doesn't happen typically. Many times I've seen that issues get identified, but they're either not escalated or they're escalated to the wrong person or the wrong level of management, the wrong group with the type of expertise that's needed to assess the issue, and then as a result, they get mishandled. When this happens, as you can imagine, problems tend to get worse. More customers might end up being harmed. You can certainly have regulators that are displeased to find out that it wasn't properly escalated and addressed.
I'll give an example, I guess. That might be helpful to kind of explain it. You could have under-staffing at a location of a financial institution, which causes significant delays, let's say, in deposits for customers. You've got under-staffing deposits are delayed. Customers don't have their money in their accounts within a reasonable time after they present financial instruments and it becomes an issue, there's a backlog. If this doesn't get escalated to the right group that appreciates the regulatory issues, which are inherent to that scenario, which is that there's a Reg CC problem with timeliness of funds availability, then that can be a problem. If it gets handled more from an operational level, we think we can staff this place up within the next month or two and we'll get back caught up, something like that. That's a very different outcome than properly identifying and escalating to the legal group or to the compliance group that are going to appreciate that issue. I think in the end, escalation is only as good as the person or the group that you escalate it to, Chris. I mean, the lesson is make sure there's a clear path, getting that key information to the people in the right positions who know what to do with it. So that's escalation. Another aspect of what I've learned of how to effectively address and successfully handle investigations is kind of on the backend at the end of an investigation, and that involves remediation. When you identify that something went wrong, the natural and important next step to take is to figure out how can we fix this and how can we make sure that it doesn't happen again? Often after a large-scale investigation, remediation or remedial measures are necessary to try to prevent something from repeating itself. When you try to prevent employee behavior from repeating itself, sometimes employee training manuals are updated or certain trainings are created.
This can be helpful, but I like to think about it in terms of how effective is a remedial measure, and I think of it in terms of a hierarchy. Where they can be implemented, system controls I think are the most effective way, at least to curb employee misconduct, where you've got a system that prevents a certain bad behavior from happening, then that eliminates the possibility that that misconduct will occur again. So, system controls I think are the most effective way to completely curb if we're talking about a misconduct investigation, to curb misconduct. Next in that hierarchy, I think of system alerts. It's a trigger that when something happens in a system, it fires off an alert to somebody. It says, "Hey, this thing happened again. Take some action. Do something about it." That can be an effective way to stop behavior right after it's happened.
It doesn't curb it from happening, but it also provides a quick response to it, assuming you've got someone who receives that information and actually does something with it. And the final piece of it, I think of that hierarchy is monitoring or testing. It's not immediate alerts, but it's some type of a testing program or surveillance program that looks backwards at data, at information, at systems, to identify whether there are data sets that are consistent with this bad behavior that's occurred in the past. Again, that's lower on the hierarchy because it's happening sometimes a month later, sometimes 60-day review. It's not this immediate alert, and it's not system control. Training is always important. That's the human element of it. That's educating employees on how to act and how to follow policies and procedures. But those three items I think can be very effective when remediating issues.
Chris Willis:
And it seems to me, Matt, what you've done is you've taken these elements, remediation controls, real-time alerts and monitoring, after the fact monitoring, and testing, and employee training, those five things, and the goal here as I always think about it, is to put together a result of the investigation that explains to the regulator what happened, why it happened, who it affected, but then also wrap it up in a neat package that shows that there's nothing more the regulator needs to do to fix the problem. The financial institutions got it covered. They've remediated the people who were impacted. They've figured out what caused it, and they're going to take action to prevent it, and they're going to monitor to make sure it doesn't happen again.
When you put all that together for a regulator, hopefully the reaction of the regulator is, "Okay, this is all taken care of and I don't need to do anything else. I don't need to take out my big baseball bat and start hitting people with it." Whereas fail to do those things and leave the regulator with an unsolved problem or a partially solved problem. I feel like that's when the baseball bat comes out. What do you think?
Matt Orso:
Yeah, I think that's generally true, Chris. Something that regulators often will want as a part of that whole package is some type of a statement of who's at fault, who's accountable, and are you taking any action in that regard, but yet avoiding the baseball bat is definitely a goal.
Chris Willis:
Matt, I think this has been a fascinating discussion and it's really been wonderful to have you on the podcast today, and I'm sure that our listeners have really appreciated your insights and advice, and thanks of course to our listeners for listening into today's episode as well. Don't forget to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com, and hit the subscribe button on both of them so that you can get all of our updates covering the whole of the financial services industry. And while you're at it, why don't you go ahead and visit us at Troutman.com and add yourself to our Consumer Financial Services email list. That way you can get notices of our webinars as well as the client alerts that we tend to send out from time to time. And of course, stay tuned for a great new episode of this podcast every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.