Staying Compliant While Teleworking During COVID-19
As we continue to react to the COVID-19 pandemic, financial services companies with consumer-facing operations have seen a sudden and substantial increase in the number of employees who are working remotely. This, in turn, brings with it unique compliance challenges, including (1) avoiding potential UDAAP violations; and (2) licensing requirements.
UDAAP Challenges
It is especially critical to identify and manage potential UDAAP (unfair, deceptive, or abusive acts or practices) risks:
- Establish protocols for ensuring compliance with telemarketing scripts, if employees at call centers are working remotely.
- Establish protocols to ensure that, given the increased use of personal telephones for work-related calls, employees continue to maintain regular record-keeping logs.
- Establish protocols to ensure that regular call monitoring and audits of calls continue, even in a remote teleworking environment.
- Establish a virtual way to remind employees of all necessary policies and procedures and to audit for compliance with these policies and procedures.
Addressing Licensing Concerns
We are continuing to check for guidance from state regulators, as more licensing agencies respond to the COVID-19 pandemic. But many states already have requirements that concern a new teleworking regime.
For example, certain states require that branches of licensed consumer lenders and other licensed financial services—such as money services businesses, loan servicers, and collection agencies, among others—be independently licensed, and the statutes could apply to loan originators or other employees working from home. Some states, including, for example, Alabama, Connecticut, Idaho, Massachusetts, Montana, Nebraska, New York, Oregon, and Washington, have already released guidance stating that a loan originator or other employee working from home does not necessitate a branch license, but regulators from these states have cautioned that restrictions apply, including but not limited to the following:
- The employee’s home should not be held out as a branch location.
- Employees should not meet with consumers at the employee’s home.
- Business records should not be kept at the employee’s home.
- The financial institution must continue to apply adequate compliance controls, including data security and protection of consumer information.
New York Department of Financial Services: Mandated COVID-19 Pandemic Response
Some states may also require proactive steps from licensed financial institutions.
For example, the New York Department of Financial Services (NYDFS) issued an industry letter on March 10 requiring that regulated institutions respond and describe how they plan to manage the risk of disruption to their services and operations.
Any entity licensed by the NYDFS must provide a response that includes, among other things, its plans for:
- Protecting consumers and employees;
- Ensuring business continuity;
- Protecting consumer data and ensuring adequate cybersecurity measures are in place;
- Assessing critical third-party service providers and suppliers; and
- Overseeing and managing the institution’s response to COVID-19.