

Creating a Strong Regulatory Due Diligence Program

Jim Williams and Joy Tsai


While the phrase “regulatory due diligence” sometimes strikes a mixture of dread and boredom across the legal profession, loan investors, bank partners, companies that utilize consumer-facing vendors, and others in the consumer financial services industry now rely on strong regulatory due diligence programs more than ever before. In recent years, regulators have closely scrutinized how different institutions in the consumer financial services market work with one another, as evidenced by several recent enforcement actions and supervisory highlights. An appropriately tailored regulatory due diligence program can reduce legal, regulatory, and reputational risk. And perhaps most importantly to in-house lawyers, a strong regulatory due diligence program helps mitigate credit risk by minimizing the risk that a partner’s practices may unintentionally result in higher rates of loan default or, for loan investors, claims under applicable law such as the Holder Rule that can diminish prospective returns. As two lawyers with extensive experience conducting regulatory diligence across asset classes, product/service types, company sizes, and geographies, we believe that there are a few key elements to designing a comprehensive regulatory diligence program that facilitates strong partnerships while protecting against regulatory and credit risk.


Asset-Class and Product or Service Structure

In addition to legal and regulatory expectations, two key determinations in scoping a regulatory diligence are (1) in what asset class(es) a prospective partner operates, and (2) what products or services a prospective partner offers.

Legal risk, reputational risk, regulatory issues, risk tolerance, and actual practices vary significantly across asset classes. Some asset classes present structural risk. For example, home improvement financing often involves a merchant or dealer engaged in consumer-facing activities, including solicitation and application taking, such that the finance company may not have full oversight of the merchant or dealer’s conduct and of the representations made to the consumer. This can present risk under the Federal Trade Commission's (“FTC”) Holder Rule, which can subject a subsequent purchaser, i.e., the finance company or loan purchaser, to claims and defenses that a borrower could assert against the seller of the goods or services, i.e., the merchant or dealer. Solar financing, a growing area within the home improvement industry, can present additional risk under the Holder Rule given complex tax incentives and the potentially speculative nature of energy-saving estimates, which may result in merchants or dealers engaging in high-pressure sales tactics and/or consumer misunderstanding of the value proposition of the solar equipment. Such dealer-related risks are not present for entities that solely extend unsecured personal loans.

On the other hand, certain asset classes are subject to more regulatory attention or changes in the underlying regulatory framework than others. Automobile financing has been the recent target of regulatory scrutiny, as the FTC issued a proposed Motor Vehicle Dealers Trade Regulation Rule that would impose additional disclosure requirements about vehicle cost and add-on products and services, as well as prohibitions against specific misrepresentations in automobile sales. Student loan servicers face a myriad of new state licensing and practice requirements that have only been imposed in recent years. Such new requirements present operational challenges for companies operating in these asset classes to stay abreast of and compliant with relevant law.

Meanwhile, the products and services offered by potential partners impact both the level of risk associated with those partners’ activities and the compliance considerations associated with them. For instance, collections activity can be associated with substantial reputational risk, so companies evaluating prospective collection agencies are usually mindful of these considerations and may decide to review not only a company’s compliance program, but also its communications with borrowers and its collections practices. On the other hand, companies that merely provide lead generation services have historically been subject to less regulatory scrutiny and reputational risk, depending on their business model, though recently the CFPB has contemplated additional regulation for digital marketers who engage in certain activities for consumer financial services companies.

Partner Company

In general, the more public- or consumer-facing a company is, the more reputational risk and regulatory scrutiny it attracts. Publicity can be due to factors like media reports, litigation or regulatory enforcement, political agendas, or even the nature of company leadership. It is often prudent to consider how the publicity a prospective partner has generated may impact how regulators or a court would view the company and what compliance concerns are likely to be especially significant for such companies.

Transaction Structure

The structure of a transaction impacts risk tolerance as well as the relevant regulatory considerations. An equity investment that involves a change in ownership or control, which state law may define as a change of 10% or more, may require either regulatory preapproval or a post-transaction notification filing, depending on the licenses that the target holds. Meanwhile, forward flows in which loans are being purchased by an investor may involve higher levels of risk than warehouse lines, where loans purchased by the warehouse borrower are simply pledged to the warehouse lender. While a default may result in foreclosure of the collateral for warehouse lines, a loan purchaser may also be subject to claims related to the underlying loans.

Risk Tolerance

All entities conducting regulatory diligence have different levels of risk tolerance. Companies that are extremely risk averse will want to do deeper diligence than companies that are willing to take on more risk. Similarly, companies that are extremely risk averse may avoid entire asset classes or categories of service providers, require considerable research before entering new asset classes, or exclude investments in certain jurisdictions with known aggressive regulators. They also generally prefer to perform due diligence in-house or engage outside counsel as opposed to or in concert with using other service providers or relying on general market willingness to work with a particular company.

Gathering and Reviewing Information

Initial Diligence Call

One of the most important parts of the regulatory diligence process is the “kick-off call.” Typically, the regulatory or compliance kick-off call is a 30-minute or one-hour subset of a longer, business-focused kick-off call for a new prospective partnership that can last anywhere from four hours to a full day. During the non-regulatory portions of this call, the prospective partner typically discusses its general business strategy, leadership, operations, underwriting, servicing, or collections capabilities, financial status, and performance with respect to its given industry. The regulatory portion of the call typically includes an overview of the prospective partner’s compliance department, compliance management system, consumer complaint management, risk management and quality control, and any litigation or regulatory enforcement the company has faced. Often, this portion of the call also includes topics specific to the company’s operations or industry. For instance, loan originators in the indirect auto, solar, and home improvement industries may discuss how they manage risk with respect to merchants, auto dealers, or contractors/installers, while private student lenders may discuss the types of schools they partner with and the factors they consider in loan underwriting.

Initial Documentation Questionnaire

After the initial compliance call, there is generally a desire to assess primary source documentation. At this stage, the company performing the diligence typically requests from prospective partners information and documents related to their licensing, compliance management system, core business practices, complaint management, vendor management, internal audit, quality control, risk management, and litigation. Specifically, items that may be requested for a regulatory diligence often include: organizational and structural documents; the company’s state licenses and general approach to licensing; compliance management program documentation, including training, compliance policies and procedures, and the process for reviews and monitoring; consumer-facing disclosures and documentation such as marketing materials, the application flow, credit agreements, and servicing and collections communications; underwriting guidelines; and materials related to litigation and enforcement actions against the company.

While many of the requests for documentation will be the same across asset classes and prospective partner types, core business documentation often varies significantly. For instance, a company conducting diligence on a prospective loan originator may request items such as marketing materials, a copy of the originator’s application flow, underwriting guidelines, a list of origination-related fees, whether the originator also offers ancillary products, fair lending controls, and customer service scripting. Conversely, a company conducting diligence on a lead generator may emphasize requests for marketing materials, website copy, and data privacy practices. In all cases, diligence reviews cover items that could result in assignee or direct liability.

Upon receipt of documents and information, the company conducting the diligence will typically review all material documents and keep a running tracker of issues that arise through the process. Once the review is complete, the issues list is culled to only those issues that might raise material regulatory compliance concerns.

Supplemental Calls and Requests

A careful review of the documents and information received in response to the initial diligence request is likely to yield specific questions for the partner company. Depending on the nature of the questions—typically, whether they require additional primary source documentation or would be easier to discuss via call—an additional request list or call may be warranted. This stage of diligence is typically used to close out certain findings that may be ameliorated through further discussion. For instance, consumer finance companies often have unique interpretations of state licensing requirements. As a result, the review of a prospective partner’s licensing often yields additional questions for the company performing the diligence, and those questions are often best solved through a short phone call regarding the prospective partner’s licensing program. After this supplemental call, the diligence tracker is generally updated and issues are further culled to only those that are most material.

Documenting the Diligence

Companies often want to ensure that each regulatory review is documented. There are various means of accomplishing this ranging from bullet-style emails to large-scale issue trackers to full diligence memoranda. In general, more specific diligence reports may be warranted where there is increased potential reputational risk or there are significant findings. Diligence reports also tend to take the form of formal written memoranda when prepared by outside counsel. However, preparing long-form diligence reports is time consuming, may divert resources from other compliance priorities, makes such reports harder to read (particularly for business stakeholders), and may ultimately lead to legal and regulatory risk to the extent such reports are not privileged or may be shared with regulators during an examination.

Solving Issues Identified in the Diligence

For the prospective partner, the benefit of being subject to regulatory diligence is that it may help the partner identify gaps in its compliance program, risk management, or operations. The company conducting the diligence may share diligence findings with its prospective partner to mitigate any material issues that were identified. However, companies should be careful how they share diligence findings. While it may be tempting to share an internal diligence report directly with a diligence target, doing so may constitute providing legal advice to the diligence target—particularly when the report was prepared or sent by in-house lawyers or outside counsel. Moreover, even when prepared by attorneys, such reports may lose their privileged status if shared with diligence targets. However, merely sharing a list of high-level issues with the target may be inefficient and cause the partner to guess at the required uplifts. A middle-ground approach may be to provide the target company with a matrix of specific required compliance uplifts and related deadlines. This approach generally functions as a project plan through which the diligence target will resolve all material issues identified during the diligence within a set timeframe. Whichever form the final product takes, the results of the due diligence could affect the willingness of the counterparty to undertake a transaction, the structure of the transaction, or the terms and conditions of the transaction, including such items as price, closing and performance conditions, scope of indemnification, and term.

Recurring Reviews

Depending on the depth of the partnership and the target company’s risk profile, many institutions conduct recurring reviews. An annual regulatory “refresh” or “bringdown” review is common for forward-flow arrangements, as well as for rapidly expanding target companies that introduce additional products and services to consumers or that enter new markets, which could involve new regulatory considerations. Such reviews are also common when the company conducting the diligence wants to expand its relationship with an existing partner. In general, these reviews follow roughly the same format as an initial regulatory diligence, except that diligence request lists are limited to material changes to information and documents since the date of the initial diligence or to specific documents related to new programs or products, and recurring reviews usually do not require a full diligence memorandum unless the target has undergone substantial changes or is entering a new asset class.


“Regulatory due diligence” might sound tedious, but it is a particularly important component of a compliance management system for financial institutions, fintech companies, and others who rely on partnerships to facilitate their everyday business goals. For diligence targets, being subject to a regulatory diligence also provides the opportunity to spot and seek to solve potential issues and to bring their compliance program up to “best practice” standards.

This article was prepared by the Business Law Section's Consumer Financial Services Committee.