You’re a new Compliance Officer and you run the Consumer Regulatory Compliance department of a small-to-midsized financial institution in the U.S. You’ve recently inherited some findings about the institution’s Complaints Management Program. This came about because the auditor or examiner requested a full listing of the comments received from the institution’s “Contact Us” section of the website, the institution’s social media pages, as well as the results of satisfaction surveys.  The finding notes that the institution received numerous complaints during the year that were not handled as complaints.  The finding cites the current Complaints Management Program as being in need of improvement, starting with the Complaints Management Policy.

“Fair enough,” you think to yourself, as you review the Complaints Management Policy.

You notice that the definition of a complaint set forth in the old Policy didn’t match the definition set forth by the CFPB a few years ago, and that’s “submissions that express dissatisfaction with, or communicate suspicion of wrongful conduct by, an identifiable entity related to a consumer’s personal experience with a financial product or service.” https://files.consumerfinance.gov/f/documents/cfpb_rfi_consumer-complaints-inquiries_042018.pdf

As a matter of fact, the old Policy mentions that expressions of confusion are simply inquiries.

You make the required change.

You then notice that Consumer Complaints can be worked and closed out by front line staff, without adding them to the institution’s Master Complaint Log. That is less than ideal because if the consumer leaves the institution and complains to the regulator, the institution has no record of how they handled the initial complaint at the institution.

You make the required change.

You notice that the tracking log has good elements:

1. The venue via which the complaint was received (in person, via telephone, etc.) You specifically add in the following too as examples: “the institution’s “Contact Us” section of the website, the institution’s social media pages, as well as the results of satisfaction surveys.”  Why?  Because the exclusion of these is what led to the finding to begin with.
2. The source of the complaint (from the customer, from the Better Business Bureau, from a Regulator). If from a Regulator, specify which.
3. The name and other biographical info of the customer who is making the complaint.
4. The date the complaint was made.
5. The account associated with the complaint.
6. Short description of the complaint, meaning the general topic
7. Long description of the complaint.

But the log was missing a field to track the following:

1. Did customer previously complain about the same issue, if yes, when.
2. If complaint was received from the Better Business Bureau or from a Regulator, had the customer previously complained directly at the institution? If yes, enter prior complaint # and date.  (Note, this is a critical field, as it shows that a customer complained directly to the institution and didn’t receive satisfaction.)
3. What regulation does the complaint likely involve?
4. Is there UDAAP exposure? (this is either a yes/no, or a checkbox)
5. Is there Fair Lending exposure? (this is either a yes/no, or a checkbox)
6. Is there Privacy exposure? (this is either a yes/no, or a checkbox)
7. Function involved (such as mortgage lending, wire transfer), and sub-function if needed.

You make the required changes and submit a ticket to the IT department to get the fields in the database updated. You make a note to yourself to update the staff training materials, paying special attention to the fact that a complaint can be about a particular regulation and be a potential UDAAP issue or Fair Lending issue, or Privacy issue. That is why those three elements can be checked off in addition to another regulation. You had been in an institution previously that made the Compliance professional check off one or the other and it was frustrating and not workable.

You’re pleased with the section of the Policy that explains to readers why a robust Complaints Management Program is actually beneficial to the institution. The old Policy correctly notes that it enhances customer service, supports the institution’s mission, enhances the institution’s operations, reveals violations prior to auditors or examiners and provides the institution with an opportunity to take corrective action and mitigate consumer harm, and last, it helps to manage the institution’s reputation.   You’re also pleased with the training section.

However, you note that the escalation workflow described in the old Policy is weak.  Readers don’t know when to escalate a complaint or to whom. You modify the Policy to add in a process for escalating complaints to Level II and even Level III complaints, based on criteria, such as the involvement of UDAAP or Fair Lending, or the fact that the complaint arrived via a regulator. Again, you make a note to yourself to update training materials.

You also noticed the old Policy didn’t describe any type of QC process. For example, the auditors or examiners cited the finding to begin with because they reviewed the institution’s “Contact Us” section of the website, the institution’s social media pages, as well as the results of satisfaction surveys. You thought to yourself, “I’d better add in a step for the QC Analyst to go review those sources, too,” and you smile and say out loud, “I can beat them at their own game!”

You update the old Policy with a section on the QC process, including checking sources for complaints that were never captured to begin with – meaning a test for “completeness.”

You then notice that the old Policy doesn’t include information about data analytics, key risk indicators, key performance indicators or reporting to the Board or executive management. You make the required changes, but add a note in the margin to check with the head of risk management in terms of the type of reporting they would like to see.

Last, you notice the Policy is missing the section about complaints sent to vendors and third parties that are carrying out your institution’s activities – such as debit card processing or mortgage servicing. Your institution’s customers contact those third parties directly with their complaints, but your institution needs to be aware of them. First, you need to be aware of that definition of “complaint” that third-party is using. You can even require that they use your definition. Second, you need to ensure that the contract you have with this third-party requires them to report complaints to you in a timely manner, and you specify what “timely” means. You also specify in what manner the complaints come to your institution, and to whom. You insert the section about Complaints Sent to Third Parties, and immediately send the institution’s Vendor Management leader an email about reviewing the Vendor Management Program for this.

When you’re done, you will understand the source of the findings. You realize the changes to the Program are substantial and will involve changes to the complaints database and changes to training.

You quickly jump down to the version control section and summarize the changes you’ve made, along with a revision date.

In total you’ve invested three or four hours of your time updating the Complaints Management Policy.  This is time well spent because it forms the backbone of your Program, and immediately addresses part of the audit or exam finding. You also have a lot of following up to do with the IT department and the Vendor Manager leader, and this shows how interconnected Complaints Management is with other areas of the institution.