PwC Discusses OCC’s Scrutiny of Bank Sales Practices

U.S. regulators, led by the Office of the Comptroller of the Currency (OCC), are starting to examine sales practices at large and mid-size banks. They will likely first focus on whether banks have opened accounts for customers without consent as recently highlighted in press reports. Examiners will consider deposit accounts, credit cards, and other unsecured lines of credit, which can generate customer fees or impact credit scores. Many banks have been actively preparing for these exams, and several are far along in conducting their own self assessments (with a couple recently announcing preliminary results).

Beyond this historical inquiry, regulators will be equally forward looking. Even if few accounts are found to have been opened without consent, regulators will still expect to see that banks have an enterprise-wide sales practices risk management program in place to broadly ensure that sales practices which could harm customers are prevented in the future. In addition to accounting for practices that lead to fraudulently opened accounts, examiners will likely expect the sales practices risk management program to consider misleading statements made to encourage customers to consent to a new product or service, or forcing customers to accept products or services they do not want in order to obtain one they do (i.e., bundling).

The OCC will rely on its broad authority to assess banks’ safety and soundness to review banks’ sales practices, and the Consumer Financial Protection Bureau (CFPB) will rely on its authority to prevent unfair, deceptive, or abusive acts or practices (UDAAP). The Federal Reserve will likely conduct its own examinations as well. All regulators will expect the sales practices risk management program to be incorporated into the bank’s overall risk management and compliance frameworks.

The regulators will hold the Board of Directors accountable given its responsibilities for overseeing that the bank’s revenue-generating strategies (e.g., sales targets) are in line with the bank’s risk appetite. The Chief Risk Officer should have ultimate responsibility over the enterprise-wide sales practices risk management program and should report to the Board’s risk committee regarding the program.

Quality data and analytics will be especially important for all three lines of defense to effectively oversee sales practices, starting with complaints by customers and internal whistle blowers. A major challenge is that even in institutions where systems exist to capture such metrics, this data is often siloed (e.g., by business or functional line) or is inaccessible by senior business or risk managers, so it cannot be meaningfully analyzed.

Furthermore, expectations around sales culture at banks will only rise. Regulators will, at a minimum, expect the following: a tone at the top that makes revenue-generation secondary to complying with customer protection laws and their underlying principles; compensation and other incentive plans that do not encourage illegal activity or other harmful behaviors; and employee rewards and punishments to reinforce a positive culture message throughout the organization.

Finally, this increased focus on sales practices will force banks to alter their revenue generation strategies. For some, this change will call for moving from a product-push cross selling strategy to one based on specific assessments of customers’ needs. For others, it will hasten their transition away from the retail branch network to more digital engagement with customers.

This A closer look offers our view of (a) supervisory expectations for the enterprise-wide sales practices risk management program and overall risk governance, (b) possible enhancements to improve culture, and (c) implications for future business strategy.

What risk management framework do the regulators expect?

Many banks recognize that managing their operational risk (i.e., risks resulting from people, processes, and systems) is not only important to regulators but is also good business strategy. First, harmful sales practices such as fraudulently opening accounts expose the bank to significant reputational damage and legal concerns. Such exposure can take a significant bite out of future revenues as customers flee and plaintiffs demand monetary penalties.

Second, un-managed operational risks pose significant challenges to strategic planning. If past revenues are based on unsustainable conduct, they cannot be counted on to continue into the future. As a result, they give a false representation to management of the underlying strength of business activities, impairing management’s ability to make correct choices about effective strategies going forward.

In order to satisfy regulators and allow for strategic risk management, we set forth below our view toward a robust risk management framework that includes an enterprise-wide sales practice risk management program, incorporation of the program into the bank’s three lines of defense, and Board oversight.

Enterprise-wide sales practices risk management program

Regulators will expect banks to have established a data driven, unified, and well documented enterprise-wide sales practice risk management program that pays special attention to sales targets and employee incentives.

Data driven

At a minimum, regulators will want (and the Board should demand) the bank to identify and monitor key risk indicators (KRIs) across business and functional lines. These KRIs should at least include employee surveys, complaints by customers and internal whistle blowers (including to internal ethics hotlines), and results of internal investigations. The OCC highlighted these indicators in its recent consent order with Wells Fargo.

Customer and whistle blower complaints are likely to be the initial point of regulatory focus because they are leading indicators of potentially systemic harmful practices. Therefore, banks should have enterprise-wide policies, procedures and processes for reviewing, tracking and evaluating complaints, and for escalating issues to senior managers. Furthermore, complaint systems should be searchable, allowing for mining of key words in order to identify possibly systemic conduct and to categorize conduct into risk levels. Potential fraudulent opening of accounts, for instance, would likely be at the highest risk level and could be revealed by customer complaint terms such as “unaware,” “did not know,” or “without permission.” Eventually this process can be automated and supplemented with artificial intelligence to better identify and categorize issues.

For institutions whose incentive programs increase the possibility of risky sales practices, regulatory expectations will also include an appropriately designed surveillance system that can identify and issue alerts for accounts exhibiting suspicious patterns.[1] Such suspicious patterns would include a second and third checking product opened within 10 days of each other, or a sudden increase in new accounts at the end of a review period (e.g., at the end of the month). The behavioral scenarios driving the surveillance system should be aligned with the institution’s risk assessment of its sales practices, and should be revised over time in response to emerging risks identified through complaints or information from the human resources department.

Finally, suspicious activity should be independently investigated (by, e.g., contacting the customer) and any corrective actions taken – including customer remediation and disciplining employees. The results of these investigations should be summarized by branch, region, and business line (at a minimum) for senior management and the Board, and can be used as important Key Performance Indicators (KPIs) of the institution’s sales integrity.
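The three preceding paragraphs describe one detection pipeline: complaint keyword triage, behavioral surveillance rules over account openings, and a branch-level summary for management. The following Python is an added illustration of that pipeline and is not code from the paper or from PwC. The account records and complaint texts are constructed, the consent phrases are the ones the text names, and the 10-day window, the 3x end-of-period ratio and the minimum alert count are assumed thresholds that a bank would calibrate from its own risk assessment. The repeat-product rule is written generally (any same-product reopening for one customer inside the window), which covers the "second and third checking product" case the text gives.

```python
"""Toy sales-practice surveillance: complaint triage, opening-pattern alerts,
and a per-branch summary. All data below is constructed (fictional customers,
branches and employees); thresholds are assumptions, not regulatory values."""
from collections import Counter, defaultdict
from datetime import date, timedelta
from typing import NamedTuple


class Opening(NamedTuple):
    customer: str
    product: str
    opened_on: date
    branch: str
    employee: str


# Constructed account-opening records.
OPENINGS = [
    Opening("C1", "checking", date(2016, 9, 1), "B100", "E1"),
    Opening("C1", "checking", date(2016, 9, 6), "B100", "E1"),   # second within 10 days
    Opening("C1", "checking", date(2016, 9, 9), "B100", "E1"),   # third within 10 days
    Opening("C2", "checking", date(2016, 9, 2), "B200", "E2"),
    Opening("C2", "savings", date(2016, 9, 20), "B200", "E2"),   # different product: no alert
    Opening("C3", "checking", date(2016, 9, 3), "B200", "E2"),
    Opening("C3", "checking", date(2016, 9, 26), "B200", "E2"),  # 23 days apart: no alert
]
# Employee E3 opens one account a day in the first week, then six in the last two days.
OPENINGS += [Opening(f"C{10 + i}", "checking", date(2016, 9, 1 + i), "B300", "E3")
             for i in range(7)]
OPENINGS += [Opening(f"C{20 + i}", "checking", date(2016, 9, 29 + i % 2), "B300", "E3")
             for i in range(6)]
REVIEW_PERIOD = (date(2016, 9, 1), date(2016, 9, 30))  # calendar month under review

# Constructed complaint texts; the flagged phrases are the ones the text names.
COMPLAINTS = [
    ("C1", "I was unaware that a second checking account had been opened"),
    ("C2", "The fee schedule changed without notice"),
    ("C5", "A credit card was issued without permission"),
    ("C7", "I did not know about the overdraft line added to my account"),
]
CONSENT_TERMS = ("unaware", "did not know", "without permission")


def triage_complaint(text: str) -> str:
    """Route consent-related complaints to the highest risk tier; the rest to normal review."""
    lowered = text.lower()
    return "high:consent" if any(term in lowered for term in CONSENT_TERMS) else "review"


def repeat_product_alerts(openings, window_days=10):
    """Alert when a customer gets the same product type again within window_days
    of the previous opening (covers the second-and-third-checking-account pattern)."""
    by_key = defaultdict(list)
    for o in openings:
        by_key[(o.customer, o.product)].append(o)
    alerts = []
    for (customer, product), recs in by_key.items():
        recs.sort(key=lambda r: r.opened_on)
        for prev, cur in zip(recs, recs[1:]):
            if (cur.opened_on - prev.opened_on).days <= window_days:
                alerts.append({"rule": "repeat_product", "customer": customer,
                               "product": product, "branch": cur.branch,
                               "employee": cur.employee})
    return alerts


def end_of_period_alerts(openings, period_start, period_end,
                         tail_days=3, ratio=3.0, min_count=5):
    """Per employee, compare openings in the last tail_days of the review period
    with the employee's daily rate over the rest of the period (assumed thresholds)."""
    tail_start = period_end - timedelta(days=tail_days - 1)
    head_days = (tail_start - period_start).days
    stats = defaultdict(lambda: {"head": 0, "tail": 0, "branch": None})
    for o in openings:
        if not period_start <= o.opened_on <= period_end:
            continue
        s = stats[o.employee]
        s["branch"] = o.branch
        s["tail" if o.opened_on >= tail_start else "head"] += 1
    alerts = []
    for employee, s in stats.items():
        expected_tail = s["head"] / head_days * tail_days if head_days else 0.0
        if s["tail"] >= min_count and s["tail"] >= ratio * expected_tail:
            alerts.append({"rule": "end_of_period_spike", "employee": employee,
                           "branch": s["branch"], "count": s["tail"],
                           "expected": round(expected_tail, 2)})
    return alerts


def summarize_by_branch(alerts):
    """Alert counts per branch, the granularity the text asks for in management reporting."""
    return Counter(a["branch"] for a in alerts)


if __name__ == "__main__":
    for customer, text in COMPLAINTS:
        print(customer, triage_complaint(text))
    found = repeat_product_alerts(OPENINGS) + end_of_period_alerts(OPENINGS, *REVIEW_PERIOD)
    for a in found:
        print(a)
    print(dict(summarize_by_branch(found)))
```

Each alert carries the branch and employee so that an investigator can follow up with the customer directly, and the rule names are kept in the alert so that the branch summary can later be broken down per scenario as the scenario set grows.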


Disparate data sources that can help identify risks around sales practices should be unified in order to provide a complete 360 degree view of customers’ accounts, services, communications, and employee interactions. We suggest starting by augmenting base customer/transaction/employee interaction data with customer complaint data from various channels within the bank (e.g., complaints to call centers, websites, and branches) and from external sources such as the CFPB’s customer complaint database. These complaints should then be combined with additional risk information generated by employees, including whistleblower complaints, ethics hotline information, exit interview data, and termination reasons. Finally, data from fraud detection programs should be integrated, particularly in light of the CFPB’s recent focus on the centralization of fraud programs and incorporating such programs into overall risk management.[2]

Achieving this unification of data requires overcoming the following challenges, which we commonly see at banks:

  • Multiple legacy systems that cannot communicate or that capture data in incongruent ways.
  • Functional lines that operate independently and do not share information.
  • Lack of engagement by senior management.

Well documented

The enterprise-wide sales practices risk management program should be well documented, starting with a corporate values statement and extending to policies and procedures for reporting and escalating sales practice concerns to senior management and the Board. Regulators will particularly want to see documentation of employee performance rating processes (including sales targets) and other employee incentives such as gifts, accolades, or promotions. They will expect regular review of these factors and written risk assessments when such processes change.

Other documented policies and procedures to prioritize include those for:

  • Monitoring sales practices at each business line.
  • Obtaining customer consent (and retaining evidence of consent) for opening new accounts.
  • Assessing customer harm and remediation when employees are terminated for harmful sales practices.

Regulators will expect banks to have training programs in place to support adherence to these policy and procedures. As a result, expect exams to eventually include employee interviews and walk-throughs of procedures.

Three lines of defense

The OCC and Federal Reserve have long expected that the business lines’ risk management controls be distinct from the second-line risk management function and from the third-line internal audit function.[3] Two years ago the OCC finalized guidance further clarifying this expectation and giving itself more authority to use enforcement remedies.[4]

While banks have made progress in meeting these expectations, many banks still have work to do. In particular, institutions still face challenges in having the first line take ownership of its risk taking, in clearly delineating the first and second lines of defense, and in executing an enterprise-wide build out of the second line of defense. These challenges have resulted in matters requiring attention (MRAs) being issued by the OCC in areas such as:

  • First line accountability and monitoring of risk activities consistent with established risk appetite.
  • Ability of second line to influence and credibly challenge first line decisions.
  • Ability of both first and second line units to be proactive and effective in mitigating problems.

Upcoming exams will expect that the enterprise-wide sales practices risk management program be placed within the bank’s overall risk management framework and adhere to the expectations for all three lines of defense. The key concern for the first line of defense will be making sure that its sales targets and incentives do not encourage harmful behavior. More generally, the first line must assess how the businesses interface with customers by monitoring KPIs and establishing risk controls.

The second line must be independent from the first line; have the authority to monitor, influence, and credibly challenge the businesses; and be involved early in key decisions. The OCC’s consent order with Wells Fargo highlighted the importance of the second-line risk management function, explicitly calling for written policies and procedures to ensure that the second line of defense has the requisite authority and status within the bank. It also called for written policies and procedures for reporting risky behavior to a specified risk manager who is independent of the business line where the risky behavior took place.

Furthermore, the consent order mandated that policies and procedures provide the third line of defense with an enterprise view of sales practices and that the complaint systems for customers and whistle blowers are subject to third-line monitoring and testing. Banks should require their internal audit functions to provide a written opinion of these areas on a regular basis to evidence their review.

Board oversight

Regulators expect the Board of Directors to be accountable for the bank’s risk management frameworks. Although they do not expect the Board to be responsible for day-to-day managerial duties, regulators do expect the Board to oversee that the bank’s revenue-generating strategies (e.g., sales targets) are in line with the bank’s risk appetite, and to pay particular attention to strategic, operational, compliance, and reputational risk.

Boards will therefore have to gain a full understanding of the sales practices at their banks and understand how the resultant risks are being managed. This responsibility includes reviewing and overseeing implementation of the bank’s enterprise-wide sales practices risk management program. Emphasis from the OCC’s guidance from September 2014 further calls for the Board to review and approve the bank’s overall risk governance framework and assess whether the enterprise-wide sales practices risk management program is sufficiently integrated into the overall framework.

The OCC also released this past July a revised corporate and risk governance handbook that set forth clearer expectations for Boards. It emphasized increased Board engagement by seeking more explanation from management, requesting and reviewing meeting minutes, reviewing and approving policies, and providing effective challenge and independent judgment.

As a result, Boards should seek reports from senior management regarding sales practices and ensure that at least the risk committee is hearing directly from the CRO.[5] Furthermore, as part of its oversight, the Board should review KRIs related to sales practices and ask qualitative questions to supplement KRIs.

Future regulatory action

We expect exams by the CFPB, Federal Reserve, and others to follow those conducted by the OCC. The purview of these exams will likely go beyond sales practices in the bank to include retail activities of associated broker-dealers or asset managers. A few organizations have already begun self assessments of sales practices at these entities.

The standard for sales practices at broker-dealers and asset managers is higher than those that apply to banks. Asset managers who perform services for a fee (i.e., registered investment advisors) are subject to a “best interest” standard, while financial advisors at broker-dealers are subject to a lower “suitability” standard. However, the Department of Labor (DOL) issued a final rule this year that raises the bar on any financial advisor, including those at broker-dealers, who advises retirement accounts (e.g., IRAs) to the standard of registered investment advisors.[6]

We believe that if exams find systemic harmful sales practices at banks, then the regulatory standards for banks’ sales practices will become more stringent. Depending on the extent of regulatory findings, standards for bankers could rise toward those for financial advisors.

Culture and compensation

Fully addressing sales practices that harm customers calls for more than a strong risk management framework. No matter how robust the framework is, employees and middle managers will maintain some discretion to take actions that are not being monitored or managed for customer appropriateness. How employees behave in these instances depends on the bank’s culture.

A bank’s culture should, therefore, promote employee behavior that emphasizes following the rules – and the principles underlying the rules – even at the expense of short term revenue-generation. We say “short term” because we believe a strong culture would result in higher profits over the long run by building better customer relationships, enhancing the bank’s brand, and minimizing reputational, compliance and legal risks.

Tone at the top is often cited as an important way to achieve this goal. Employees must see that senior management and the Board are truly concerned about improving culture. Setting the right tone goes beyond merely publishing corporate value statements or punishing cases of clear wrongdoing such as fraudulently opened accounts. Rather, senior management and the Board should seek to embed the right incentives throughout the organization in order to consistently reinforce the idea of providing customers with products they want and can afford.[7]

Conform “tone at the top” with “tone in the middle”

Middle management’s actions are paramount in the eyes of employees. They often serve as the messenger for the tone at the top, and can help instill positive incentives and reinforce good behavior while discouraging rationalization of potentially harmful conduct. At a minimum, middle managers should avoid undermining corporate values statements by over-emphasizing sales generation or setting unreasonable sales targets. Going further, managers should punish bad actors for rule violations, and serve as a role model to other employees by speaking out against conduct that could lead to customer mistreatment (and reward employees who similarly speak out).

Additionally, middle managers themselves should be subject to the same scrutiny and expectations they hold their direct reports to. One of the strongest indicators of an unhealthy culture is when middle management has been found to turn a blind eye toward, or reward, behavior such as bundling products against customers’ wishes or making misleading statements to incent customers to accept new products or services.


Compensation serves as the bank’s strongest lever to set culture and influence behavior. Given the importance and effect of compensation, banks should start reviewing employees and middle managers for bonuses (and promotion or other rewards) by using criteria that go beyond revenue generation. Performance reviews could also consider whether employees or managers adhere to the policies and procedures of the sales practices risk management program and to associated KRIs and risk limits. They could also include new metrics that include customers’ feedback about the service the employees provide or whether customers believe they got a useful product that they could afford.

Such compensation assessments would go beyond the compensation rule that was proposed by US regulators earlier this year. The assessments would apply throughout the organization (not just to “senior executive officers” and “significant risk takers” as the rule calls for) and could reward employees (not just restrict compensation). Nevertheless, once finalized, the rule will play an important role in setting the tone at the top, which regulators hope will serve as a good starting point for setting the right incentives throughout the organization. The rule’s most important feature in this regard is its call for clawing back senior employees’ entire bonuses if the employee commits fraud or engages in other misconduct that results in significant financial or reputational harm to the bank.[8] Given commentary made by Senators and Congressmen during recent hearings, there may be extensive pressure on regulators to use this provision.

Future business strategy

Although cross selling can be a benefit to the customer when used to offer products which represent good financial options, the new spotlight on cross selling, and desired improvements to risk management and culture, will force many banks to consider altering their business models. In response, several banks are deciding to move away from product-push cross selling to a more needs-based strategy. Others are accelerating their transition away from retail branches and call centers to more digital engagement with customers.

From product-push to needs-based selling

A needs-based approach to cross selling means knowing more about the customer, understanding their long term financial plan, and helping them understand which products they need at different stages of life. In the branches and call centers, obtaining this information will require more time spent speaking with and researching customers in order to understand their goals and financial circumstances. Retail banks can learn from practices within their wealth management business where similar analogs exist.

A needs-based model will call on banks to train their employees in new skills. Ability to sell will likely become less important compared with an ability to fully understand the banks’ products and apply them to different customers’ circumstances. Employees will need to have the dialogue and relationship necessary to uncover customer needs and how products help. It is a fundamental shift from today’s approach of product selling in most banks.

These new challenges will force banks to rethink their performance metrics such as product-per-client targets or revenue growth. Going forward, we see a shift from product-focused metrics to more customer-oriented metrics like customer satisfaction, lifetime value of customer, and overall engagement with the bank. These metrics exist at banks today, but they have not been fully deployed to measure market success and P&L impact. Performance metrics will also have to reflect KRIs in order to create a balanced scorecard for the future.

Digital and omnichannel

The banks that are most likely to succeed in this new environment will be those that view pressure on cross selling and the move to needs-based selling as an opportunity to improve their customer-centric digital and analytics capabilities. We have found that the main thing that concerns bankers, after heightened regulatory scrutiny, is their disjointed IT infrastructure which limits their ability to translate customer service to sales.

Banks have the opportunity to address both with respect to their sales practices. Information technology should not only be improved in order to better manage sales practices operational risk, but should also be leveraged to support banks’ efforts to better know their customers in order to provide them products they really need. As younger, more digitally savvy, customers grow older and gain wealth, profitable customers can more readily be reached through digital channels. Digitization will also allow for more automation of risk controls and real-time flagging of KRI breaches as more transactions are performed free of human intervention and error.

Effective digital selling calls for understanding customers and their needs through analysis of customer data, and offering products and services that specifically respond to identified needs. The goal is to create a seamless customer journey from the initial mouse click through the final transaction, with full integration of digital delivery channels. This can only be achieved by bringing together the customer, analytics, and digital in a unified way, as depicted below.


However, this customer-centric model runs counter to the operating structure of most traditional banking institutions. Under the existing operating structures, different business lines work in isolation, with little focus on the end-to-end customer experience across product and functional silos. To overcome this challenge, the overall responsibility for the customer journey should be concentrated under one authority, and the bank should dedicate adequate human and capital resources.

Furthermore, banks should prioritize certain efforts in order to begin to realize the benefits of this transition early on. For example, institutions can prioritize website/app testing and optimization in order to relieve the most pressing (and relatively easy to resolve) customer pain points, such as requiring “wet” signatures vs e-signatures, application processes that do not allow customers to save their work (and do not allow banks to return applications to gain more information), counterintuitive web structures, or mobile-based applications that do not work on multiple platforms. Deciding exactly where to start should be guided by banks’ current digital interaction with customers. Customer clicks on various points within a webpage should be tracked to eliminate confusing design elements. Additionally, webpage-level statistics such as loading speed and compatibility with major browsers should be analyzed to weed out outdated media content and address browser-specific issues. The goal is to create a device-agnostic, scalable website that delivers a smooth user experience regardless of the customer’s chosen method of access (e.g., small mobile screen sizes, older operating systems, or narrower connection bandwidth).


[1] For more on surveillance systems, see PwC’s Financial crimes observer, AML monitoring: New York regulator gets prescriptive (July 2016).

[2] For more information on the CFPB’s view of fraud programs, see PwC’s Financial crimes observer, Protecting elderly customers: CFPB and FINRA step in (May 2016).

[3] The “three lines of defense” are a well-known risk governance concept. The first line of defense is part of the business unit and is responsible for managing the risks of its activity. The second line consists of independent risk management functions, separate from the first line, that have responsibility for identifying, measuring, monitoring, or controlling aggregate risk. Finally, the third line of defense – internal audit – provides independent assessment and assurance on the entire risk framework.

[4] See PwC’s Regulatory briefs, Risk governance: Banks back to school (September 2014) and Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions (February 2014).

[5] For more information, see PwC’s A closer look, Board governance: Higher expectations, but better practices? (January 2016).

[6] See PwC’s First take, Ten key points from the DOL’s fiduciary duty rule (April 2016). The SEC is considering a similar rulemaking that would apply to financial advisors beyond those advising retirement accounts.

[7] For more information on improving culture, see PwC’s A closer look, Bank culture: It’s about more than bad apples (November 2015).

[8] For the largest banks, the rule also mandates that at least 50% of bonuses be deferred for at least four years. Most of the largest institutions already defer bonuses for three or four year periods. See PwC’s First take, Five key points from US regulators’ bonus compensation proposal (April 2016).

This post comes to us from PwC. It is based on the firm’s October 2016 “A Closer Look — Sales practices: OCC exams and beyond,” available here.