A REPORT TO THE ARIZONA LEGISLATURE

Performance Audit Division

Performance Audit and Sunset Review

Arizona Department of Financial Institutions

August • 2013
REPORT NO. 13-05

Debra K. Davenport
Auditor General

The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators and five representatives. Her mission is to provide independent and impartial information and specific recommendations to improve the operations of state and local government entities. To this end, she provides financial audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits of school districts, state agencies, and the programs they administer.

The Joint Legislative Audit Committee

Senator Chester Crandell, Chair
Representative John Allen, Vice Chair
Senator Judy Burges
Senator Rich Crandall
Senator Steve Gallardo
Senator Katie Hobbs
Senator Andy Biggs (ex officio)
Representative Paul Boyer
Representative Andrea Dalessandro
Representative Martin Quezada
Representative Kelly Townsend
Representative Andy Tobin (ex officio)

Audit Staff

Dale Chapman, Director
Dot Reinhard, Manager and Contact Person
Shan Hays, Manager and Contact Person
Anne Hunter, Team Leader
Derek Barber, Team Leader
Steven Clark
Cathy Meyeroff
Mike Devine

Copies of the Auditor General’s reports are free. You may request them by contacting us at:

Office of the Auditor General
2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333

Additionally, many of our reports can be found in electronic format at: www.azauditor.gov

STATE OF ARIZONA
OFFICE OF THE AUDITOR GENERAL
DEBRA K. DAVENPORT, CPA, AUDITOR GENERAL
MELANIE M. CHESNEY, DEPUTY AUDITOR GENERAL

August 29, 2013

Members of the Arizona Legislature

The Honorable Janice K. Brewer, Governor

Mr. Lauren W. Kingry, Superintendent
Arizona Department of Financial Institutions

Transmitted herewith is a report of the Auditor General, A Performance Audit and Sunset Review of the Arizona Department of Financial Institutions (Department). This report is in response to an October 26, 2010, resolution of the Joint Legislative Audit Committee. The performance audit was conducted as part of the sunset review process prescribed in Arizona Revised Statutes §41-2951 et seq. I am also transmitting within this report a copy of the Report Highlights for this audit to provide a quick summary for your convenience.

As outlined in its response, the Department agrees with all of the findings and plans to implement all of the recommendations.

My staff and I will be pleased to discuss or clarify items in the report.

Sincerely,

Debbie Davenport
Auditor General

Attachment

2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051

Arizona Department of Financial Institutions
REPORT HIGHLIGHTS
PERFORMANCE AUDIT

Our Conclusion

The Arizona Department of Financial Institutions (Department) partners with federal examiners to examine financial institutions, such as banks and credit unions, and has primary responsibility for examining financial enterprises, such as collection agencies and mortgage brokers. These examinations are designed to protect consumers and ensure sound business operations. Although the Department has established policies and procedures for effectively examining financial institutions, as of April 2013, the Department had a backlog of 197 statutorily required financial enterprise examinations. In order to address the backlog, the Department should spend less time examining enterprises that comply with the law and spend more time examining noncompliant or high-risk enterprises. The Department should also improve its complaint handling by enhancing its policies and procedures and establishing complaint-processing time frames.
In addition, the Department should ensure that the fees it charges match its costs.

Department should enhance its examination strategy

Department has a backlog of enterprise examinations—The Department’s financial enterprise examination program aligns with national best practices, which includes using established examination procedures and standard checklists, and identifying licensee risk. After an examination, the Department assigns a number to the licensee’s risk of complying with the law—a 1 representing the lowest risk, i.e., no major areas of concern, and a 5 representing the highest, i.e., critical problems threaten the existence of the business. Although it uses these best practices, the Department was behind on 197 required examinations as of April 2013.

Department should revise its examination approach—Although statute requires financial enterprise examinations at scheduled intervals, the Department can determine the scope of the examinations. However, the Department rarely varies from a full-scope examination when conducting on-site reviews, even when the Department knows the licensee has a low-risk rating. According to best practices, agencies should avoid burdening businesses with unnecessary compliance costs, such as those incurred by examinations. The Department could lighten the burden by reducing the scope of on-site examinations for its low-risk licensees.

To help reduce the number of on-site exams, the Department has implemented an “e-exam,” which is a self-assessment of compliance with state laws and rules for enterprises rated as a 1 or 2 risk. In practice, the Department intended to make the e-exam available only to low-risk enterprises that had a previous examination, and an enterprise cannot have two e-exams in a row. However, we found that the Department authorized the e-exam for other than low-risk enterprises and for enterprises the Department had not yet examined.
Department should update its risk assessment process—The Department has used its post-examination risk assessment tool for about 20 years, and it needs updating. The Department does not use a uniform set of criteria for assessing risk, but assigns risk factors to particular license types based on different criteria. The difference in criteria means that the Department cannot compare the risk across all license types, thereby limiting the Department’s ability to prioritize examinations across all license types. In addition, most of the risk categories carry the same weight. For example, a licensee’s level of preparation for the examination is weighted the same as the number of violations found regardless of the seriousness of the violations. The Department should also enhance the process it uses to identify risks early. For example, the Department should consider comparing licensees’ financial performance to peers’, or the potential harm that some licensees’ products may have on financially vulnerable consumers.

Department should improve its follow-up process—The Department follows up with some licensees to ensure violations found during an examination have been addressed, but its process for doing so does not always ensure that serious problems are addressed. Although conducting extensive followup on all violations would not be a good use of the Department’s time, it should enhance its follow-up practices to better ensure serious violations do not persist between examinations, which can be several years apart.

Recommendations

The Department should enhance its existing processes for assessing licensees’ risks, both before and after an examination. In addition, the Department should develop and implement policies and procedures for:

• Varying the scope of examinations;
• Determining when to administer an e-exam; and
• Determining when to conduct followup and what level of followup is appropriate.
Department should enhance its complaint-handling process

Complaint-handling process has several weaknesses—The Department receives about 860 complaints a year, and most complaints involve financial enterprises. Although the Department quickly resolved most of the complaints it received between January 1, 2010 and October 10, 2012, we found that some complaints took more than a year to resolve or had been open and unresolved for more than a year. Additionally, either the Department had not investigated or had not sufficiently investigated some complaints. Similarly, unlicensed financial enterprises are supposed to be tracked by the Department by putting the entities on a “watch list.” However, the Department does not consistently place unlicensed entities on this list. These complaint-handling weaknesses could impact consumer protection. For example, a complaint about unlicensed financing at a car dealership was not investigated until a second complaint was received 6 months later. The Department closed the complaint a month after the second complaint was received when it found the car dealer had vacated the location.

Recommendations

The Department should:

• Enhance its complaint-handling policies and procedures to address weaknesses and to ensure complaints are investigated in a timely manner.
• Enhance its supervisory review process to include a review of the status of ongoing investigations and investigation sufficiency.

Department should establish a structured approach to set fees

The Department collects fees that pay for its programs. However, most fees have not been reviewed or changed since 1994 or earlier and likely do not match up with the Department’s current costs.
For example, in fiscal year 2013, assessment fees on industry assets of approximately $970,000 covered the estimated $946,000 in costs to regulate banks and credit unions, but did not cover any of the Department’s administration and information technology costs, which totaled approximately $716,000.

The Legislature established the Arizona State Agency Fee Commission (Commission) to review agencies’ fees and their impact on regulated industries and consumers, and agency budgets, and the Commission recommended that the State General Fund should not benefit from fees. However, the Department’s fee structure benefited the State General Fund by $29.5 million between fiscal years 2003 and 2013.

Recommendations

The Department should:

• Assess the efficiency of its operations to ensure costs are as low as possible, while considering service quality.
• Develop a method to determine its costs, including direct and indirect costs.
• Use these costs to analyze its fees and determine appropriate fees to charge.

Arizona Department of Financial Institutions
A copy of the full report is available at: www.azauditor.gov
Contact person: Dot Reinhard (602) 553-0333

REPORT HIGHLIGHTS PERFORMANCE AUDIT August 2013 • Report No.
13-05

TABLE OF CONTENTS

Introduction ..... 1

Finding 1: Department should enhance its financial enterprise examination strategy ..... 9
  Department conducts examinations to protect consumers and ensure sound business operations ..... 9
  Department’s backlog of statutory examinations may continue to grow ..... 10
  Department should revise its financial enterprise examination approach ..... 13
  Department should update its risk assessment process ..... 16
  Department should improve its follow-up process ..... 18
  Recommendations ..... 19

Finding 2: Department should enhance its complaint-handling process ..... 21
  Department investigates complaints against financial institutions and enterprises ..... 21
  Department’s complaint-handling process has several weaknesses ..... 23
  Department should enhance its complaint-handling policies and procedures and improve its supervisory review process ..... 26
  Department should establish procedures to ensure complete and accurate investigative information ..... 28
  Recommendations ..... 29

Finding 3: Department should establish a structured approach to set appropriate fees ..... 31
  Department collects various fees ..... 31
  Commission’s 2012 report identified fee disparities and recommended Department align fees with costs ..... 33
  Department should evaluate costs and propose changes to its fees, if appropriate ..... 36
  Recommendations ..... 39

Sunset Factors ..... 41

Appendix A: Fund descriptions ..... a-1

Appendix B: Methodology ..... b-1

Agency Response

Tables

1  Active licensees by type, number, and examination requirement, As of October 10, 2012 ..... 2
2  Schedule of revenues, expenditures, and changes in fund balance, Fiscal years 2010 through 2013 (Unaudited) ..... 8
3  Compliance rate of statutory examinations for financial enterprises, As of October 10, 2012 ..... 12
4  Fees for each financial institution or enterprise by type of fee, As of February 12, 2013 ..... 32
5  Excess of revenues over expenditures deposited into the State General Fund, Fiscal years
2003 through 2013 (Unaudited) ..... 35
6  Statutory requirements to disclose licensee information ..... 48
7  Comparison of eight states’ licensing and examination requirements to license types regulated by the Department, As of May 2013 ..... 52
8  Fund revenues and expenditures, Fiscal year 2013 (Unaudited) ..... a-1

Figures

1  E-exams used as first exam, As of October 10, 2012 ..... 15
2  Complaints by license type received from January 1, 2010 through October 10, 2012 (Unaudited) ..... 22
3  Complaint-processing time, January 1, 2010 through October 10, 2012 (Unaudited) ..... 25
4  Mississippi Joint Legislative Committee on Performance Evaluation and Expenditure Review structured fee-setting process developed for state government ..... 38

INTRODUCTION

Department enforces state laws ensuring consumer safety and sound business operations

Scope and Objectives

The Office of the Auditor General has conducted a performance audit and sunset review of the Arizona Department of Financial Institutions (Department) pursuant to an October 26, 2010, resolution of the Joint Legislative Audit Committee. This audit was conducted as part of the sunset review process prescribed in Arizona Revised Statutes (A.R.S.) §41-2951 et seq. This performance audit and sunset review focused on (1) the Department’s processes for examining financial enterprises; (2) the Department’s handling of consumer complaints; and (3) the Department’s licensing, examination, and other fees. The report also includes responses to the statutory sunset factors.

The Arizona Department of Financial Institutions, formerly known as the State Banking Department, was established in 1973. The Department’s mission is to license, examine, and supervise financial institutions and enterprises in compliance with state laws that are designed to protect consumers, prevent financial crime, and help ensure sound business operations. In 2004, A.R.S.
§6-110 was amended to change the Department’s name from the State Banking Department to the Arizona Department of Financial Institutions. Although this statutory revision did not change which entities the Department regulated, the name change better represents the Department’s broad regulatory authority and responsibility for both financial institutions, such as banks and credit unions, as well as financial enterprises, such as consumer lenders, mortgage brokers, and sales finance companies.

Department regulation includes licensing and conducting examinations

The Department’s regulation of Arizona’s financial institutions and enterprises, which includes 19 distinct license types (see Table 1, page 2), encompasses several components. First, both financial institutions and enterprises must be chartered or licensed to conduct business in Arizona. Second, to ensure Arizona-licensed financial institutions and financial enterprises follow laws designed to protect consumers from harm and ensure the soundness of business operations, the Department conducts safety and soundness and compliance examinations. In addition, the Department’s oversight processes include complaint handling and taking enforcement actions, such as suspending a license, when violations are found. These regulatory activities are discussed in further detail below:

Department issues licenses—To conduct business in the State, financial businesses must obtain a license from the Department. The Department groups its license types into two categories: (1) financial institutions, and (2) financial enterprises. The licensing process requires completion of a written application along with accompanying documentation to show compliance with all statutory licensing requirements.
For example, money transmitters must show a minimum net worth of $100,000 to be eligible for a department license, and the Department has instituted a licensing procedure to review the applicant’s audited financial statements to verify that the applicant meets the requirement.¹ Additionally, some company officers undergo a background check before the Department issues a license, and most licensees must pay both an application fee and a licensing fee to complete the initial licensing process (see Finding 3, pages 31 through 39, for more information about the Department’s fees).

¹ A.R.S. §6-1205.01(A)

Table 1: Active licensees by type, number, and examination requirement
As of October 10, 2012¹

License type²                     Active licenses   Examination requirement (years)
Financial institutions
  Bank                                         18   2
  Credit union                                 20   2
  Trust company/division                        3   1
  Savings and loan associations                 0   2
  Total financial institutions                 41
Financial enterprises
  Advance fee loan broker                      41   5
  Collection agency                           710   5
  Commercial mortgage banker                   12   5
  Commercial mortgage broker                   48   5
  Consumer lender³                             33   5
  Debt management company                      37   5
  Escrow agent                                103   2
  Loan originator                           5,227   5
  Money transmitter                            69   None
  Mortgage banker                             284   5
  Mortgage broker                             350   5
  Motor vehicle dealer                        617   None
  Premium finance company                      34   3
  Pre-need funeral trust⁴                      25   3
  Sales finance company                       459   None
  Total financial enterprises               8,049

¹ Auditors’ review of licensing data revealed gaps in the license numbers, which increase the risk that the licensing data is not complete (see Appendix B, on page b-2, for additional information related to the licensing data).
² A.R.S. §6-912 requires federally chartered savings banks that sponsor one or more loan originators to register with the Department as a registered exempt person, but these entities are not subject to licensure or examination by the Department. As of June 2013, State Farm Bank was the only company registered under this title.
³ Although A.R.S. §6-101(7) includes consumer lenders in the financial institution definition, the Department groups consumer lenders with financial enterprises.
⁴ In accordance with an intergovernmental agreement with the Arizona Board of Funeral Directors and Embalmers, the Department examines but does not license pre-need funeral trusts.
Source: Auditor General staff analysis of licensing information obtained from the Department’s database as of October 10, 2012.

Financial enterprise licensees must renew their license annually, which requires them to submit supporting documentation, such as financial statements, and to disclose any regulatory actions taken by other states against the licensee since last renewing its license. Additionally, the Department’s licensing division monitors financial enterprises’ financial measures, such as solvency, and reviews financial statements, which licensees must periodically submit to the Department, for most of its licensees. The Department also monitors financial institutions’ financial measures, such as the net income of credit unions. These activities help support its mission of ensuring that licensees’ business operations are financially sound. For example, A.R.S. §6-608 requires consumer lenders to submit a report of their business and operations each year, in a form prescribed by the Department’s superintendent.

As illustrated in Table 1 (see page 2), as of October 2012, there were 41 active financial institutions including 18 state-chartered banks, 20 state-chartered credit unions, and 3 trust companies. There were also more than 8,000 active financial enterprises licensed as of October 2012. (See Sunset Factor 2, page 42, for more information on the Department’s licensing process.)

Department conducts examinations of licensees—The Department’s regulatory processes include examinations of both financial institutions and financial enterprises.
Specifically:

• Department shares financial institution regulatory responsibilities with federal regulators—The Department coordinates its examinations of banks and credit unions with the federal insurers responsible for these institutions, including the Federal Deposit Insurance Corporation and the National Credit Union Administration. Statute allows the Department to coordinate its examinations of financial institutions with any authorized federal regulator and to accept the examination report by a federal regulatory authority in lieu of the examination required by statute.¹ According to the Department, in 2012, it accepted two federal examinations in lieu of conducting its own examinations for banks and credit unions. However, although statute permits acceptance of federal examination reports in lieu of its own, the Department reported that this practice is considered the least favorable alternative for state examinations of financial institutions. Specifically, according to the Department, its financial institution examiners’ familiarity with state statutes and the local business environment are beneficial to state-chartered banks and credit unions since the federal regulators have a primary focus to protect federal insurance funds and may not consider the best actions needed to promote the safety and soundness of local institutions.

¹ A.R.S. §6-128(A)

The Department’s examination policies and procedures include steps to review licensees’ financial reports to help determine the scope of examination and to evaluate credit risk, which includes an assessment of whether a licensee’s credit risk policies are current and are being followed. The Department’s examination procedures include use of examination software provided by federal regulators that assist in collecting and analyzing information to assess credit and strategic risks.

Further, the Department’s financial institutions’ examination programs are nationally accredited. Specifically, the Department holds active accreditations with the Conference of State Bank Supervisors (CSBS) and the National Association of State Credit Union Supervisors (NASCUS).¹ These accreditations signify that the Department’s financial institution examination program meets certain quality standards set by these groups, such as the ability to conduct timely examinations of state-chartered banks and credit unions. To achieve and maintain accreditation through these independent organizations, the Department undergoes a periodic review of its bank and credit union examination programs by teams from these organizations. For example, the CSBS’ accreditation process includes both a self-evaluation and independent review of the Department’s compliance with the CSBS standards (see textbox). According to the Department, the CSBS accreditation demonstrates the Department’s commitment to accreditation goals, including the capability to promote safe and sound banking with a minimum of regulatory burden.

¹ The CSBS has a primary goal of maintaining the state system as the charter of choice for community, multi-state, international, and de novo financial institutions. NASCUS, which was formed in 1965, has a mission to enhance state credit union supervision and advocate for a safe and sound credit union system.

CSBS standards for state bank accreditation
The Department must:
• Have the legal authority to charter, examine, supervise, and regulate all state-chartered banks.
• Maintain adequate, qualified staff so that the State independently conducts at least half of all examinations or spends half of its examination hours on joint investigations.
• Maintain a policy that requires examinations at specific frequencies based on risk.
• Demonstrate the capability to conduct timely safety and soundness examinations of state-chartered banks.
• Have adequate statutory authority, including authority to take formal enforcement action(s).
Source: Auditor General staff summary of the CSBS’ Bank Accreditation Program Manual.

As shown in Table 1 (see page 2), Arizona statute requires the Department to examine banks and credit unions every 2 years. However, according to the Department, it attempts to meet a minimum examination cycle of 18 months for banks and credit unions based on the risk of the institution, but staffing shortages limit its ability to participate on all federal examinations. The Department reported that it completed 36 financial institution examinations in fiscal year 2012.

• Department examines licensed financial enterprises—As discussed in Finding 1 (see pages 9 through 20), the Department examines licensed financial enterprises to ensure they comply with laws designed to protect consumers, prevent crime, and ensure the soundness of Arizona business. Arizona law establishes an examination frequency for all of the financial enterprise licensees the Department regulates, with the exception of money transmitters, motor vehicle dealers, and sales finance companies. According to the Department’s examination data, in fiscal year 2012, the Department completed 1,073 on-site and electronic enterprise examinations (see textbox on page 5), of which 1,046 were required by statute.

Although statute does not establish an examination frequency for money transmitters, motor vehicle dealers, or sales finance companies, the Department reported that it works to conduct examinations of these enterprises as resources permit. Specifically, the Department receives monies from the Attorney General’s Anti-Racketeering Revolving Fund to help pay for the cost of two department examiners who, according to the Department, primarily examine money transmitters. However, the Department reported that these examiners also inspect sales finance companies and motor vehicle dealers, as time and resources permit. The Department’s other financial enterprise examiners are primarily funded through an hourly examination fee.¹

¹ A.R.S. §6-125(B) requires the Department to assess an examination fee not to exceed $65 per hour for each examiner assigned to an enterprise examination ordered by the superintendent.

Electronic examination
In 2011, the Department began using an electronic examination, which allows licensees to self-assess their compliance and report this assessment electronically to the Department. As of October 2012, these examinations had been administered to only collection agencies, mortgage brokers and bankers, and loan originators.
Source: Auditor General staff analysis of department documentation.

All of the Department’s examinations result in a report that is provided to the licensee, and when the Department identifies violations, the licensee is required to develop a corrective action plan. If the violations are severe, the Department may choose to take enforcement action against a licensee, which could include civil monetary penalties or license revocation.

In 2010, the federal Dodd-Frank Wall Street Reform and Consumer Protection Act authorized the federal Consumer Financial Protection Bureau (CFPB) to supervise certain nonbank entities, including debt collectors, mortgage originators, and mortgage bankers. According to the Department, as of May 2013, the CFPB had reported completing only three examinations of the Department’s licensees. As previously mentioned, state law allows the Department to accept a federal examination in lieu of conducting its own. However, according to the Department, the CFPB’s examination focus targets compliance with federal law, and as such, it would not substitute CFPB’s examinations for its own examinations, which focus on compliance with state law.

Department investigates complaints and administers enforcement actions—The Department’s regulatory processes also include investigating complaints filed against licensees and taking enforcement actions when licensees have violated law. Specifically:

• Department investigates complaints—The Department receives and investigates complaints against licensees. In fiscal year 2012, the Department received 993 complaints and resolved 695 complaints. The Department also works with licensees and complainants to resolve complaints, and takes administrative enforcement actions when violations are identified. In addition, the Department investigates complaints filed against individuals or companies suspected of engaging in unlicensed activities (see Finding 2, pages 21 through 30, for more information on complaint handling).

• Department takes enforcement actions, as appropriate—If the Department discovers violations during the licensing, examination, or complaint-handling processes, it has various enforcement actions it can take. For example, the Department can issue cease-and-desist orders combined with civil monetary penalties when violations of statute are identified (see textbox). According to the Department, during fiscal year 2012, it issued 88 supervisory orders, including orders imposing a total of more than $1.3 million in civil monetary penalties, cease-and-desist orders, and summary suspension orders.

Department enforcement action options:
• Cease-and-desist orders
• Consent orders
• Civil monetary penalties
• Summary license suspension
• License suspension/revocation
Source: Auditor General staff analysis of A.R.S. Titles 6 & 41, and Arizona Administrative Code, Title 20, Ch. 4.

Organization and staffing

The Department is overseen by a Superintendent who is appointed by the Governor. The Superintendent is charged with supervising and examining all financial institutions and enterprises the Department licenses.
During fiscal year 2013, the Department was authorized 58.1 full-time equivalent (FTE) positions, but according to the Department, it had the resources to fund only 48 of these positions, 3 of which were vacant as of March 2013. To administer its responsibilities, the Department is organized into one office and five divisions, as described below:

• Office of the Superintendent (3 filled FTE, 1 vacancy)—The Office of the Superintendent oversees all other department divisions and is responsible for carrying out all duties imposed by statute.

• Administration (5 filled FTE)—The Administration Division is responsible for the Department’s general accounting, financial reporting, budgeting, strategic planning, human resources, and procurement functions. In addition, this division oversees the preparation of the Department’s annual budget.

• Information Technology (IT) (2 filled FTE)—This division provides technical support and services to all areas of the Department. For example, the division administers the Department’s database, known as the Banking Department Information System, and provides network support and other IT services to all department employees.

• Financial Enterprises, including Consumer Affairs (14 filled FTE)—This division is responsible for examining and supervising the financial enterprises the Department licenses, and works with the Attorney General’s Office to enforce compliance with the law through various types of enforcement actions. In addition, this Division houses the Department’s Consumer Affairs Division, which processes consumer inquiries and complaints.

• Financial Institutions (10 filled FTE, 1 vacancy)—This division is responsible for ensuring safety for consumers and operational soundness for all Arizona state-chartered financial institutions, including banks, credit unions, and trust companies. The division conducts financial institution examinations.
According to the Department, this division also handles chartering applications for financial institutions, licensing maintenance, such as processing branch applications, and performing monitoring activities of financial institutions.

• Licensing (11 filled FTE, 1 vacancy)—This division is responsible for processing and reviewing financial enterprise license and renewal applications and ensuring that applicants meet the statutory requirements for licensure. In addition, this division works with each of the licensed entities to maintain licensing requirements, including reviewing statutorily required filings of financial statements, changes in surety bonds, and changes in the licensed entity’s officers.

Budget

As shown in Table 2 (see page 8), the Department received between approximately $7.9 million and $9.9 million annually in gross revenues during fiscal years 2010 through 2013. The Department’s revenues are deposited into one of six funds (see Appendix A, Table 8, pages a-1 through a-2, for more information on department funds) and consist of license and application fees, assessment fees on industry assets, examination fees, Mortgage Recovery Fund contributions, and fines, forfeitures, and penalties (see Finding 3, pages 31 through 39, for additional information about the fees the Department assesses and collects).¹

During fiscal years 2010 through 2013, the Department received an annual appropriation from the State General Fund to pay for its expenditures that are not paid for by fees generated under specific statutes. For example, the Department is required to deposit all loan originator license fees into the Financial Services Fund. Statute allows the Department to use the Financial Services Fund to cover its supervision and regulation expenditures for loan originators. Except for the revenues that the Department is statutorily required to deposit in different funds, it is required to deposit all other revenues into the State General Fund.
The difference between its State General Fund appropriation and revenue deposits creates a net remittance to the State General Fund, indicating that revenues deposited by the Department exceeded appropriations. During fiscal years 2010 through 2013, the Department annually deposited into the State General Fund between approximately $1.5 and $1.8 million more than its expenditures of State General Fund monies.

As shown in Table 2, the Department’s expenditures ranged between approximately $5 million and $5.4 million annually for fiscal years 2010 through 2013. Over one-half of these expenditures were for personal services and related benefits, and approximately one-third were for obtaining professional and outside services. In addition, the Department was required to transfer to the State General Fund a total of more than $3.8 million during fiscal years 2010 through 2012. This transfer included a total of more than $2.3 million in transfers from the Arizona Escrow Recovery Fund in fiscal years 2010 through 2012, and more than $1 million in transfers from the Financial Services Fund in fiscal year 2012.2 The remaining amount was transferred from other department funds.

1 A.R.S. §6-991.10 requires loan originators to pay a fee, in addition to their licensing fee, to the Mortgage Recovery Fund, which is intended to benefit any person aggrieved by any act, representation, transaction, or conduct of a licensed loan originator that violates statute or rule.

2 Laws 2011, Ch. 51, §3 repealed the Arizona Escrow Recovery Fund.
Table 2: Schedule of revenues, expenditures, and changes in fund balance
Fiscal years 2010 through 2013
(Unaudited)

| | 2010 | 2011 | 2012 | 2013 |
|---|---|---|---|---|
| Revenues | | | | |
| Licenses and fees | $4,421,374 | $4,590,032 | $4,197,531 | $5,118,550 |
| Sales of goods and services: | | | | |
| Assessment fees on industry assets | 1,108,991 | 1,023,563 | 963,498 | 1,014,776 |
| Examination fees | 368,430 | 329,870 | 511,412 | 595,485 |
| Other | 7,361 | 8,469 | 1,422 | 5,726 |
| Fines, forfeitures, and penalties | 1,302,140 | 1,103,741 | 686,622 | 2,348,528 |
| Sale of receivership assets¹ | 347,880 | 1,173,162 | 1,163,644 | 380,304 |
| Contributions:² | | | | |
| Mortgage Recovery Fund | 212,900 | 362,500 | 309,350 | 377,950 |
| Arizona Escrow Recovery Fund | 207,179 | 156,310 | 34,276 | |
| Intergovernmental | 120,415 | 74,010 | 64,411 | 77,037 |
| Other | 25,329 | 18,406 | 9,122 | 9,650 |
| Gross revenues | 8,121,999 | 8,840,063 | 7,941,288 | 9,928,006 |
| Remittances to the State General Fund³ | (1,668,682) | (1,620,832) | (1,557,202) | (1,815,783) |
| Net revenues | 6,453,317 | 7,219,231 | 6,384,086 | 8,112,223 |
| Expenditures and transfers | | | | |
| Personal services and related benefits | 2,974,003 | 2,499,183 | 2,798,704 | 3,028,290 |
| Professional and outside services | 1,935,057 | 1,805,355 | 1,726,602 | 1,631,215 |
| Travel | 29,386 | 35,323 | 57,135 | 69,878 |
| Other operating | 499,561 | 481,710 | 411,775 | 426,789 |
| Equipment | 152 | 137,845 | 22,156 | 210,466 |
| Total expenditures | 5,438,159 | 4,959,416 | 5,016,372 | 5,366,638 |
| Transfers to the State General Fund⁴ | 1,966,800 | 360,500 | 1,473,894 | |
| Total expenditures and transfers | 7,404,959 | 5,319,916 | 6,490,266 | 5,366,638 |
| Net change in fund balance | (951,642) | 1,899,315 | (106,180) | 2,745,585 |
| Fund balance, beginning of year | 3,317,703 | 2,366,061 | 4,265,376 | 4,159,196 |
| Fund balance, end of year⁵ | $2,366,061 | $4,265,376 | $4,159,196 | $6,904,781 |

1 Amount consists of revenues deposited into the Department’s Receivership Revolving Fund from the sale of assets of firms under receivership as required by A.R.S. §6-135.01.

2 Amount consists of contributions to the Mortgage Recovery Fund and Arizona Escrow Recovery Fund as permitted by statute.
The monies in the Mortgage Recovery Fund benefit any person aggrieved by any act, representation, transaction, or conduct of a licensed loan originator that violates statute or rule. Prior to July 20, 2011, the Arizona Escrow Recovery Fund was used to pay claims against escrow agents; however, it was repealed by Laws 2011, Ch. 51, §3. According to the Department, the Arizona Escrow Recovery Fund had only been used minimally to pay claims and had not been used in the last 12 years.

3 Amount consists of the excess of revenues deposited into the State General Fund over expenditures made from those revenues in the State General Fund. The Department is required by the General Appropriations Act to set fees to ensure that monies deposited in the State General Fund will equal or exceed its expenditures from the State General Fund.

4 For fiscal years 2010 through 2012, these amounts consisted of transfers to the State General Fund in accordance with Laws 2009, Ch. 11, §110 and 5th S.S., Ch. 1, §2; Laws 2010, 7th S.S., Ch. 1, §§113 and 148 and Laws 2011, Ch. 24, §§108, 129, and 138, to provide support for state agencies. In addition, the fiscal year 2012 amount consists of approximately $445,100 that was transferred to the State General Fund in accordance with Laws 2011, Ch. 51, §3, which repealed the Arizona Escrow Recovery Fund and required the remaining monies in that fund be transferred to the State General Fund.

5 Nearly $900,000 and $1.3 million are included in fiscal year 2012 and 2013 ending fund balances, respectively, for the Mortgage Recovery Fund that is statutorily restricted to pay for losses arising out of mortgage transactions.

Source: Auditor General staff analysis of the Arizona Financial Information System (AFIS) Accounting Event Transaction File and the AFIS Management Information System Status of General Ledger-Trial Balance screen for fiscal years 2010 through 2013.
FINDING 1

The Arizona Department of Financial Institutions (Department) should revise its financial enterprise examination strategy to place greater emphasis on high-risk financial enterprises and take steps to improve its risk assessment processes. The Department conducts examinations to ensure that financial enterprises comply with laws designed to protect consumers, prevent financial crimes, and ensure sound business operations. However, as of April 2013, the Department was experiencing a growing backlog of past-due examinations due in part to an increasing number of licensees. Therefore, the Department should adopt a more flexible examination strategy that would enable it to spend less time on compliant financial enterprises and more time with noncompliant or high-risk financial enterprises. Additionally, the Department should improve its risk assessment processes to help ensure it effectively determines an entity’s risk for noncompliance and need for examination. Finally, the Department should revise its follow-up process to better ensure serious violations are corrected following an examination.

Department should enhance its financial enterprise examination strategy

Department conducts examinations to protect consumers and ensure sound business operations

Types of financial enterprises licensed by Department
Financial enterprises include collection agencies, escrow agents, loan originators, and 12 other license types. Financial enterprises do not include banks, credit unions, or trust companies.
Source: Auditor General staff analysis of the Department’s 2012-2015 Strategic Plan.

Arizona Revised Statutes (A.R.S.) §6-121 authorizes the Department to conduct examinations of all the financial enterprises it licenses and supervises (see textbox). These examinations are designed to test a licensee’s compliance with laws that are intended to:

• Protect consumers—To ensure citizens are protected
from financial loss, and not subject to deceptive, unfair, abusive, or discriminatory practices, the Department examines licensees’ compliance with statutes designed to protect consumers. For example, A.R.S. §6-611, which pertains to licensed consumer lenders, prohibits licensees from knowingly advertising false, misleading, or deceptive representations regarding lending rates or terms for a consumer lender loan. The Department has designed its examination procedures to detect such acts. Additionally, the Department’s examinations of consumer lenders’ compliance with laws and regulations are important because according to a 2010 survey conducted by the Federal Reserve Board, approximately 75 percent of U.S. families report having some form of debt.1

1 Bricker, J., Kennickell, A.B., Moore, K.B., Sabelhaus, J., Ackerman, R.A., Argento, R. et al. (2012). Changes in U.S. family finances from 2007 to 2010: Evidence from the Survey of Consumer Finances. Federal Reserve Bulletin, 98(2), 1-80. The Federal Reserve Bulletin is a publication of the Board of Governors of the Federal Reserve System (Federal Reserve Board).

• Prevent crime—The Department examines licensees’ compliance with laws designed to prevent financial crimes. For example, A.R.S. §6-1241(A)(2) establishes requirements for money transmitters to report suspicious transactions that have no apparent lawful purpose. The Department’s procedures for examining money transmitters include steps to ensure money transmitters have properly reported suspicious transactions.

• Ensure sound business operations—The Department’s financial enterprise examinations also determine whether enterprises comply with statutes designed to promote financially sound business operations. For example, A.R.S.
§6-817(A)(14) requires escrow agents to authorize each financial institution with which they have deposited trust or fiduciary funds to notify the Department of any overdraft or check returned for insufficient funds. Similarly, A.R.S. §6-943(3)(b) requires mortgage bankers to maintain a net worth of not less than $100,000 at all times. The Department’s examination procedures involve a review of these requirements.

As illustrated in Table 1 (see page 2), statute requires the Department to examine most financial enterprises at least once every 5 years, and some more frequently. Statute does not require examination for three financial enterprise types: (1) money transmitters, (2) motor vehicle dealers, and (3) sales finance companies (including title lenders).1 However, as statutorily allowed, the Department periodically conducts examinations of these financial enterprises, with two full-time equivalent (FTE) positions assigned to examining only these license types (see Introduction, page 5, for more information on the staff assigned to perform these examinations).

Department’s backlog of statutory examinations may continue to grow

Although the Department is required to complete financial enterprise examinations within statutory time frames (see Table 1, page 2) and it has established an examination program that aligns with national best practices in several ways, it has fallen behind on its statutorily required examinations. In addition, as of April 2013, the Department’s backlog of statutory examinations was growing, and was at risk of increasing further since the number of licensees requiring an examination had increased. This places the Department at further risk of noncompliance with statute and impacts the Department’s ability to identify and mitigate consumer risks posed by financial enterprises.
Department’s enterprise examination program aligns with national best practices in several ways—According to the National State Auditors Association (NSAA), regulatory agencies should develop a systematic process for monitoring regulated entities’ activities to ensure they are following applicable requirements and that the public is adequately protected.2 Many of the Department’s examination practices align with national best practices for performing examinations. Specifically, the Department:

• Established formal examination policies and procedures—These policies and procedures provide examination staff with guidance on how to conduct examinations and ensure these examinations adhere to all statutory and regulatory requirements.

• Identifies licensee risk—The Department has developed risk assessment worksheets for each financial enterprise license category. Based on information gathered during an examination, the Department uses these worksheets to calculate a licensee’s residual risk, or the risk of noncompliance that remains after an examination. The result is a numerical risk rating (see textbox). Specifically, the worksheets score a licensee’s performance across several risk categories that are then compiled into an overall risk rating score. Common risk factors considered in the worksheets include the number of violations found, the quality of management and controls, and an enterprise’s financial solvency. The Department uses these ratings to schedule the next examination.

1 A.R.S. §6-122(D)

2 National State Auditors Association. (2004). Best practices in carrying out a state regulatory program: A National State Auditors Association best practices document. Lexington, KY: Author.
Risk rating definitions:
1 No major areas of concern
2 Minor problems found, additional supervision not necessary
3 Problems exist, further supervision necessary
4 Critical problems exist that could result in closure or license revocation
5 Critical problems exist, company most likely out of business in 1 year
Source: Auditor General staff analysis of department risk-rating information.

• Uses standardized examination checklists—The Department’s examination checklists act as a tool for its staff to ensure they review each financial enterprise’s compliance with all statutory and regulatory requirements.

• Documents examination results in a formal report—All examinations, whether on-site or conducted electronically, result in a written report that discusses the licensee’s compliance with and any violations of applicable statutes and regulations, as well as the corrective actions needed when violations are found.

• Provides licensees with examination results—Examination reports are provided to the licensee. These reports specify whether a corrective action plan from the licensee is required to address violations noted during the examination.

Auditors also conducted a review of the Department’s escrow agency compliance examination materials and found that the Department has incorporated all the statutory requirements for an escrow agency into its examination materials.1 In addition, the Department indicated that changes to legislation are monitored by the Department’s Attorney General representative and legislative liaison, and the Department revises its procedures accordingly to ensure they reflect the most current laws and regulations.

Department is behind on its statutorily required examinations—Although the Department’s financial enterprise examination practices align with national best practices in several ways, it is not completing all examinations within the statutorily required time frames.
Specifically, as shown in Table 3 (see page 12), as of October 2012, the Department had a backlog of 167 examinations with a median value of nearly 1 year past due. For example, 11 of the 21 debt management company examinations, or 52 percent, were past due by an average of 450 days, while 10 of the 11 commercial mortgage banker examinations, or 91 percent, were an average of 755 days past due. Finally, of the 167 licensees whose examinations were past due, 68, or 41 percent, had never been examined. The remaining 99 licensees, or 59 percent, had been previously examined at least once. According to the Department, this backlog is due in part to a reduction in its enterprise examination staff in fiscal year 2010.

1 Analysis of the Department’s examination data revealed that the Escrow Agent license type has the highest average risk rating compared to all other enterprises the Department examines. Thus, auditors reviewed the Department’s examination materials for this license type.

Table 3: Compliance rate of statutory examinations for financial enterprises
As of October 10, 2012

| License type | Active licenses¹ | Examinations past due | Average days past due | Compliance rate percentage |
|---|---|---|---|---|
| Collection agency | 370 | 19 | 120 | 95% |
| Commercial mortgage banker | 11 | 10 | 755 | 9 |
| Consumer lender | 9 | 4 | 227 | 56 |
| Debt management company | 21 | 11 | 450 | 48 |
| Escrow agent | 82 | 15 | 55 | 82 |
| Mortgage banker | 152 | 50 | 819 | 67 |
| Mortgage broker | 242 | 31 | 270 | 87 |
| Premium finance company | 26 | 26 | 773 | 0 |
| Pre-need funeral trust | 20 | 1 | 399 | 95 |
| Total | 933 | 167 | | |

1 Although the number of active enterprise licensees was more than 8,000 as of October 2012, only 933 of these had been licensed long enough to require an examination.

Source: Auditor General staff analysis of licensing information obtained from the Department’s database as of October 10, 2012.
Department’s backlog of statutory examinations may continue to grow—As of April 2013, the Department was also faced with a growing backlog of past-due financial enterprise examinations as a result of the increased numbers of licensees that require an examination. Specifically, between October 2012 and April 2013, the Department’s backlog of past-due statutory examinations grew from 167 to 197, an increase of about 18 percent. This backlog was at risk of increasing further because the Department experienced an increased population of licensed entities or persons requiring a statutory examination. For example, in January 2010, the Department began licensing loan originators in response to state legislation requiring loan originators to be licensed and examined every 5 years. As of October 2012, the Department licensed more than 5,000 loan originators, over half of which will require their first examination by the end of 2015 should their licenses remain active through this period. This new license type more than doubles the Department’s financial enterprise examination workload. However, the Department reported that as of July 2013, its backlog of enterprise examinations decreased to 146.

Department’s inability to examine all licensees compromises its mission—As previously indicated, the Department’s financial enterprise examinations are designed to test licensee compliance with statutes designed to protect consumers from financial harm and to help ensure sound business operations. However, the Department’s backlog of examinations impacts its ability to adequately fulfill its mission. Although most of the Department’s enterprise examinations find only minor problems and violations, they can also identify serious problems that affect Arizona consumers.
For example, the Department completed an examination of a consumer lender in fiscal year 2012 and found that this consumer lender was not licensed to conduct business in Arizona, and had been contracting and receiving finance charges in excess of the finance charges permitted by statute. The Department assessed a civil money penalty of $50,000 against the consumer lender for these violations.

Additionally, although auditors found that the Department’s compliance with required inspection frequencies varied by license type, some licensees may pose a greater risk to Arizona consumers than others. For example, mortgage licensees, such as mortgage bankers and brokers, extend the highest average loans to consumers with the longest lending terms, and therefore, may pose a greater risk to consumers if lending terms are misleading. However, as shown in Table 3 (see page 12), as of October 2012, the Department had only examined 67 percent of mortgage bankers and 87 percent of mortgage brokers that were active and licensed long enough to require an examination. Examinations of 50 mortgage bankers and 31 mortgage brokers were past due, on average, 819 and 270 days, respectively.

Department should revise its financial enterprise examination approach

The Department can reduce its examination backlog by focusing its full-scope examinations on riskier financial enterprises and limiting the scope of its examinations for low-risk enterprises. Although the Department identifies the compliance risk a financial enterprise poses, it has rarely varied the scope of its on-site, full-scope examination, even for low-risk financial enterprises. As a result, the Department should develop and implement policies and procedures for varying the scope of its examinations based on its assessment of a financial enterprise’s compliance risk.
In addition, the Department has established an electronic examination (e-exam) in an effort to reduce its backlog for some license types, but should develop and implement formal policies to ensure the e-exam is always appropriately administered. Finally, the Department should more effectively prioritize examinations based on assessed risk by ensuring low-risk licensees are not examined sooner than is needed, while ensuring high-risk licensees receive more timely re-examination.

Department should vary the scope of a financial enterprise’s on-site examination based on its assessed risk—The Department’s backlog and increased licensee population demonstrate a need for a more flexible examination strategy. Although statute requires a department examination of most licensees at scheduled intervals (see Table 1, page 2), the superintendent determines the scope of the examinations. Additionally, as previously mentioned, the Department already assesses a licensee’s compliance risk to help determine how soon the licensee should again be examined. However, when the Department conducts on-site examinations, it rarely varies from a full-scope examination, even of low-risk enterprises. Specifically, between January 1, 2010 and October 10, 2012, the Department completed 396 on-site, full-scope examinations, and of these, 105, or approximately 27 percent, were administered to enterprises already known to present no material compliance deficiencies based on previous examination results. In addition, 97 of the 105 entities continued to demonstrate a high degree of compliance in their most recent examinations as evidenced by the Department assigning a 1 or 2 risk rating following their examinations. Overall, more than 92 percent of the 396 on-site examinations conducted during this time period resulted in a risk rating of a 1 or 2.
According to best practices, regulatory agencies should avoid subjecting individuals or businesses that demonstrate good compliance to unnecessary compliance costs.1 Because most of the Department’s licensees demonstrate a high degree of compliance and examinations are costly to the Department and licensees, the Department should develop and implement policies and procedures for varying the scope of its on-site examinations based on the financial enterprise’s assessed risk. These policies and procedures should identify the types of limited examinations that department staff could perform and the risk ratings that would qualify for the limited-scope examinations. The federal Consumer Financial Protection Bureau (CFPB) uses a risk assessment process as a means of developing a scope for examinations.2 For example, for a financial enterprise that has an assessed risk rating of a 1 or a 2, the Department could limit the scope of its examinations to reviewing only the highest-risk areas for a financial enterprise as opposed to conducting a full-scope examination.

Department should strengthen its electronic examinations process—In February 2011, the Department implemented an e-exam for use with lower-risk financial enterprises to help reduce its backlog of past-due examinations. The e-exam was developed with the assistance of the Attorney General’s Office, and the Department conducted a pilot using the e-exam on four enterprise types: collection agencies, loan originators, mortgage bankers, and mortgage brokers. The Department collectively considered these financial enterprises to be lower risk. In contrast to a full-scope, on-site examination, the e-exam is administered electronically by e-mail. The e-exam allows licensees to self-assess their compliance with state laws and regulations.
It does not include a file review requirement or additional verification of assertions made by the licensee unless the licensee self-reports noncompliance. Although the Department has not yet developed a formal written policy on when it is appropriate to use an e-exam, it indicated that, in practice, it was using the pilot e-exam as follows:

• Only for licensees who have received a previous examination, and the resulting risk rating was no greater than a 2.

• On a staggered basis with the on-site examination. For example, a licensee would not be eligible to receive two consecutive e-exams.

However, based on a file review of 12 randomly selected e-exams completed between May 2011 and April 2012, and subsequent review of the Department’s examination data, auditors found that the Department did not always use the e-exam as intended. Specifically:

• E-exam not always administered to low-risk enterprises—Auditors’ review of the 12 randomly selected e-exam files found two instances where the Department used the e-exam on higher-risk financial enterprises based on the companies’ risk ratings. Specifically, e-exams were administered to a mortgage broker and a collection agency, both of which had an assessed risk rating of 3. Auditors also evaluated the Department’s examination data and identified 4 additional licensees that received an e-exam even though these licensees had a risk rating of 3.

1 Better Regulation Office, New South Wales. (2008). Risk-based compliance. Sydney, NSW: Author.

2 Consumer Financial Protection Bureau. (2012). CFPB supervision and examination manual (Version 2). Washington, DC: Author.
• E-exam used for enterprises with no prior examination—Auditors’ review of the 12 randomly selected e-exams found that the Department administered 4 of the 12 e-exams to financial enterprises that had not received a previous examination. Additionally, based on a review of the Department’s examination data, auditors found that contrary to the Department’s stated policy, the e-exam was administered to 803 licensees that had never received a prior exam and for which the Department had not assessed the licensees’ risks (see Figure 1). Most of the e-exams that were used on enterprises with no prior examination were for loan originators. According to the Department, the e-exams were administered to loan originators as a first examination only when the mortgage banker or broker they worked for had received a previous examination by the Department that resulted in a risk rating of no greater than 2. The Department also reported that this strategy increased its efficiency in conducting examinations of this license type.

Figure 1: E-exams used as first exam, as of October 10, 2012. 803 total e-exams: 697 loan originators, 55 mortgage brokers, 36 mortgage bankers, and 15 collection agencies.
Source: Auditor General staff analysis of department enterprise examination data as of October 10, 2012.

The e-exam is a viable option for helping reduce the Department’s backlog and compliant licensees’ regulatory costs if administered appropriately and only to low-risk enterprises. Therefore, since the Department has gained experience in administering the e-exam, and to ensure that its e-exams are being used as intended, the Department should develop and implement written policies and procedures on when it is appropriate to use e-exams, such as only to low-risk licensees as determined by their assessed risk rating, or as a first examination to low-risk license groups based on historical averages of risk ratings.
For example, auditors’ analysis of the Department’s examination data revealed that commercial mortgage bankers and consumer lenders average close to a risk rating of 1 as a licensing category. Additionally, since the e-exam is relatively new, the Department should periodically re-assess whether it is effective in detecting violations when compared to an on-site examination. For example, the Department could compare the average number of violations the e-exam detects with the average number of violations detected by the on-site examination and make adjustments as needed. Once the Department establishes formal procedures for its e-exams, it should consider extending the e-exam to other appropriate license types to assist in reducing its backlog.

Department should effectively prioritize examinations—The Department does not always prioritize examinations effectively. Specifically, from January 1, 2008 through October 10, 2012, the Department conducted 755 examinations on enterprises that were previously assessed as low risk, and of these, 70 examinations, or approximately 9 percent, were conducted more than a full year ahead of the statutory schedule. During the same period, the Department completed 66 examinations on high-risk licensees, and of these, 36, or approximately 55 percent, were past due. In addition, as indicated on page 11, as of October 10, 2012, the Department had a backlog of 99 enterprise examinations where the licensee had previously been examined, and of these past-due exams, 14 of them, or approximately 14 percent, were assessed as high risk. For example, one mortgage banker licensee received a previous examination risk rating of 4 with 17 noted violations, but had not been examined for almost 6 years as of October 2012.
According to the CFPB, which also conducts compliance examinations of financial enterprises, examination resources should be focused on institutions and their product lines that pose the greatest risk to consumers.1 Therefore, the Department should better prioritize the scheduling of financial enterprise examinations to ensure that low-risk licensees are not examined sooner than is needed, while high-risk licensees receive more timely re-examination.

Department should update its risk assessment process

The Department should enhance its post-examination risk assessment tool and more effectively incorporate licensee risks, such as the type of financial products offered, into its risk assessment considerations. Specifically, to enhance the effectiveness of its post-examination risk ratings, the Department needs to make changes to the tools and procedures it uses to calculate post-examination risk ratings. In addition, to help ensure it focuses its limited resources on the highest-risk enterprises, the Department should expand its pre-examination risk assessment processes. By making these adjustments, the Department can better meet its statutory requirements to examine licensees at required frequencies while ensuring that limited examination resources are targeted to high-risk entities.

Department’s post-examination risk assessment tool needs improvement—According to the Department, its post-examination risk assessment strategy has been in place for about 20 years. Best practice suggests that risk assessment processes should be refreshed periodically to reflect changes in the operating environment.2 As previously mentioned, the Department uses risk-rating worksheets based on examination findings to calculate the residual compliance risk or the risk of noncompliance that remains after an examination. The Department then uses the risk rating to help inform the timing of the next examination.
1 Consumer Financial Protection Bureau. (2013). CFPB strategic plan FY 2013–FY 2017. Washington, DC: Author.

2 Deloitte & Touche LLP, Patchin, C., & Mark Carey. (2012). Risk assessment in practice. Durham, NC: Committee of Sponsoring Organizations of the Treadway Commission.

Although using a risk-rating tool is considered a best practice, based on a review of 35 randomly selected examinations completed in fiscal years 2006 through 2013, auditors noted the following weaknesses related to the Department’s risk-rating worksheets:

• Post-examination risk-rating worksheets are not uniform—Although the compliance risk factors evaluated by the Department are similar for many of the Department’s license types, post-examination risk-rating worksheets for some license types omit relevant risk factors. For example, the post-examination risk-rating worksheet for consumer lenders is limited to three risk factors, while the post-examination risk-rating worksheet for mortgage brokers measures eight risk factors, including an evaluation of management and controls, which would be a common risk factor for noncompliance regardless of license type. According to the Department, the differences in post-examination risk-rating worksheets prevent it from comparing risk ratings across license types. However, ensuring that the post-examination risk-rating worksheets for all license types have enough of the same relevant risk factors would enable the Department to prioritize examination resources across license types rather than limiting the prioritization to licensees within a given license category.
According to the CFPB, using a uniform set of criteria rather than industry-specific criteria to assign a consumer compliance rating will help to direct the CFPB’s examination resources in an efficient and consistent manner.1

• Some risk factors unduly influence the overall risk rating—The Department does not assign different weights to the risk factors it considers when assessing a licensee’s compliance risk for most of its licensees, even though these factors vary in their impact on a licensee’s risk. For example, the risk factors that the Department uses to assess a mortgage banker’s risk all carry the same weight, including factors regarding the licensee’s level of preparation for the examination and the number of statutory violations found during the examination. In addition, the worksheets do not factor in the seriousness of the violations found during an examination. Since there are so many factors available to offset problems found, a licensee could potentially have multiple serious violations and still receive a risk rating of 2, which signifies that only minor problems were found, as long as the licensee rates well in categories such as solvency and record-keeping (see case example in textbox). According to the CFPB, when assessing an entity’s compliance rating, all relevant factors must be evaluated and weighed.

Case example—The Department performed an examination of a mortgage banker, and found that the company had poor management and controls, as well as multiple serious violations, including fraud. The Department characterized the violations as “severe” and issued a cease-and-desist order with civil monetary penalties. However, in calculating the risk rating, these violations were offset by the licensee’s average net worth, good recordkeeping, and preparation level for the examination, resulting in an overall risk rating of 2. By the Department’s definition, a 2 indicates no material deficiencies were found during the examination.
Source: Auditor General staff analysis of department examination case files.

To better align its financial enterprise examination risk-rating system with best practices and ensure a more effective risk rating that will help direct limited examination resources to the highest-risk licensees, the Department should revise its risk-rating worksheets to ensure risk can be compared across license types. In revising its risk-rating worksheets, the Department should ensure:

• Common risk factors, such as management and controls, are included in all worksheets;
• All risk-rating worksheets consider the seriousness of potential violations; and
• Risk factors are appropriately weighed.

1 Consumer Financial Protection Bureau. (2012). CFPB supervision and examination manual (Version 2). Washington, DC: Author.

Department should enhance its pre-examination risk assessment procedures—The Department should also enhance the procedures it uses to assess an enterprise’s risk prior to an examination. Doing so would help guide the scope of its examinations and help the Department prioritize its limited examination resources on the riskiest financial enterprises. Similarly, the CFPB conducts a risk assessment that evaluates the risks an entity poses before ever conducting an examination. This information is then used to guide the scope of the CFPB examination. Specifically, the CFPB’s assessment of an entity’s risk includes an evaluation of whether the entity’s profitability is dependent on penalty fees, which benefit the company but are detrimental to the consumer, and whether products are targeted at vulnerable populations, among several other risk factors. In addition, the CFPB focuses on larger market participants based on revenue rather than attempting to examine all enterprises, which helps the CFPB to prioritize its examination resources on the largest companies.
Finally, the CFPB leverages its complaints data to identify a company or industries that appear to pose a heightened consumer risk. According to the Department, it reviews information from consumer complaints and financial reports submitted to the Department by licensees to identify pre-examination risks and make a determination of how many examiners will be required to conduct the examination. Similar to the CFPB, the Department should consider additional factors when assessing an enterprise’s risks prior to an examination. In enhancing its process, the Department should consider:

• Expanding the use of existing financial reports that are already submitted by most of its licensees to assess the size and financial performance of licensees compared to their peers. This would enable the Department to better identify those enterprises that conduct the highest volume of transactions with Arizona residents or those whose financial performance compares negatively to comparable financial enterprises. The Department similarly considers such information prior to conducting state-chartered bank and credit union examinations.

• Identifying financial products that pose the most financial harm to Arizona consumers. For example, the Department licenses auto title lenders under the sales finance company license type, but there is no statute directing an examination for this license type. However, these financial enterprises are authorized to assess interest of up to 204 percent per year on loans collateralized by debtors’ auto titles, which may be a financial product that poses potential harm to financially vulnerable consumers.1 Yet, since there is no statutory requirement to examine these financial enterprises, the Department had conducted examinations on only 13 percent of this type of license as of October 2012.
1 A.R.S. §44-291(G) allows secondary motor vehicle financiers to charge a maximum interest rate of 17 percent per month on the principal amount of a loan of $500 or less, or up to 204 percent annually.

Department should improve its follow-up process

Although the Department follows up on violations identified during an examination, its process for doing so does not always ensure that serious problems are adequately addressed in a timely manner. Several years can elapse between examinations, and some violations, if left uncorrected, can negatively impact Arizona consumers or the financial soundness of an enterprise. According to the NSAA, regulatory agencies should track violations found and ensure that corrective actions taken are appropriate, including conducting re-inspections as needed.1 As previously mentioned, the Department issues an examination report to licensees following each examination, which in part requires licensees to respond in writing with a corrective action plan to address any identified violations that could not be corrected during the examination. However, verification that violations have been corrected is generally limited to a review of the licensee’s response letter or e-mail outlining its corrective action plan.

Auditors’ review of 30 randomly selected examinations completed between fiscal years 2006 and 2013 of licensees that were still active as of October 2012 confirmed that the Department does not typically verify that licensees take corrective action to address violations. Specifically, auditors found that 17 of the 30 examinations identified violations, but the Department followed up on only 2 of these examinations to verify that the licensee had addressed the violations. Additionally, the Department did not follow up on some serious violations.
For example, following an examination of a mortgage broker, the Department assigned a risk rating of 4 to this licensee, citing numerous failures of the licensee to properly investigate the backgrounds of its employees. The Department’s internal policies suggest that when a mortgage broker receives a risk rating of 4, it should be re-examined within one year because the problems identified are so critical that license revocation may be warranted. However, the Department did not follow up to verify that the licensee corrected its violations, and did not re-examine the enterprise until 4 years later, when the Department found that many of the violations were not corrected.

Although conducting extensive verification or re-examination on all violations noted during an exam would not be a good use of the Department’s limited resources, it should enhance its follow-up practices by developing and implementing written policies and procedures for conducting follow-ups, including when verification of corrective action or re-examination may be necessary. Specifically, the Department’s procedures should identify what types of violations should be followed up on, what level of verification is required, and the time frame for when it should verify that the licensee has corrected the violation. In doing so, the Department can limit the necessity for a full-scope follow-up examination, which may reduce constraints to examination resources, enabling it to focus on greater examination priorities.

1 National State Auditors Association. (2004). Best practices in carrying out a state regulatory program: A National State Auditors Association best practices document. Lexington, KY: Author.

Recommendations:

1.1 The Department should develop and implement written policies and procedures for varying the scope of its examinations based on the financial enterprise’s assessed risk. These policies and procedures should identify the types of limited examinations that department staff could perform and the risk ratings that would qualify for the limited examinations.

1.2 To improve the e-exam program, the Department should:
a. Develop and implement written policies and procedures on when it is appropriate to use e-exams;
b. Periodically assess whether, when appropriately applied, the e-exam is still effective in detecting violations when compared to the on-site examination; and
c. Once formal policies and procedures are established, consider extending the e-exam to other license types to assist in reducing its backlog.

1.3 The Department should better prioritize the scheduling of financial enterprise examinations to ensure that low-risk licensees are not examined sooner than is needed, while high-risk licensees receive more timely re-examination.

1.4 The Department should revise its post-examination risk-rating worksheets to ensure risk can be compared across license types. In revising its risk-rating worksheets, the Department should ensure that:
• Common risk factors, such as management and controls, are included in all worksheets;
• All risk-rating worksheets consider the seriousness of the potential violations; and
• Risk factors are appropriately weighed.

1.5 The Department should enhance its processes for identifying risks prior to an examination, and in doing so, should consider:
• Expanding the use of existing financial reports that are already submitted by most of its licensees to assess the size and financial performance of licensees compared to their peers; and
• Identifying financial products that pose the most financial harm to Arizona consumers.

1.6 The Department should develop and implement written policies and procedures for conducting follow-ups, including when verification of corrective action or re-examination may be necessary.
The Department’s procedures should identify what types of violations should be followed up on, what level of verification is required, and the time frame for when it should verify that licensees have corrected violations.

FINDING 2

The Arizona Department of Financial Institutions (Department) should take several steps to ensure that complaints are appropriately processed in a timely manner. The Department is authorized to investigate complaints to determine whether statutory violations have occurred, and it received an average of approximately 860 complaints per year between calendar years 2010 through 2012. However, the Department’s complaint-handling process has several weaknesses, including inadequate and untimely complaint investigations, which could affect its ability to protect Arizona consumers and help ensure the soundness of its licensees’ business operations. To ensure that complaints are effectively processed, the Department should enhance and/or develop and implement policies and procedures regarding its complaint-handling process, including establishing complaint investigation procedures and complaint-processing time frames. In addition, the Department should enhance its supervisory review process for its complaint-handling function. Finally, the Department should establish procedures for ensuring the completeness and accuracy of investigative information in its case management system.

Department should enhance its complaint-handling process

Department investigates complaints against financial institutions and enterprises

The Department is authorized to conduct investigations of complaints against licensees, as well as unlicensed entities that may be engaging in activities that require a department license.
Investigating complaints against financial institutions and enterprises is a critical component of the Department’s regulatory activities and helps to ensure that citizens are protected from financial loss and are not subject to deceptive, unfair, abusive, or discriminatory practices. The Department receives complaints from consumers and federal and state agencies, such as the Arizona Attorney General’s Office, and may open its own complaints. For example, if an applicant indicates on the license application that it has engaged in activities for which it should be licensed, the Department will open an unlicensed activity complaint. Additionally, department staff may open a complaint based on observations made in the field. For example, according to department staff, if they notice that a car dealership is offering in-house financing, they may verify that the entity is licensed with the Department as a sales finance company and, if it is not, will open a complaint regarding the unlicensed activity. The Department received approximately 2,400 complaints from January 1, 2010 through October 10, 2012, or an average of approximately 860 complaints each calendar year.1 Most of the complaints received involved financial enterprises and, in particular, collection agencies, mortgage bankers/brokers, and sales finance companies (see textbox and Figure 2 on page 22). 
Common issues conveyed in these complaints concerned disputed debts, including allegations such as a collection agency attempting to collect a debt that does not belong to the complainant, or loan modifications, including allegations that a business took too long to process a loan modification.2

1 Auditors received the Department’s complaint data in October 2012; thus a complete year’s worth of data for calendar year 2012 was not available.
2 Harassment on the part of a collection agency is prohibited by Arizona Administrative Code R20-4-1511. Delays within the control of a mortgage banker are prohibited by Arizona Revised Statutes (A.R.S.) §6-909(E).

License types most commonly complained against

| License type | Description |
| Collection agency | Any individual or business that directly or indirectly solicits claims for collection or collects claims owed, due or asserted to be owed or due to a third party. |
| Mortgage banker/broker | Any individual or business that, for compensation or in the expectation of compensation, either directly or indirectly makes, negotiates, or offers to make or negotiate a mortgage loan. |
| Sales finance company | Any individual or business that is engaged, in whole or in part, in the business of purchasing retail installment contracts from one or more retail sellers. This license is also required of any person or business engaged, in whole or in part, in the business of creating or holding motor vehicle retail installment contracts exceeding a total aggregate outstanding indebtedness of $50,000. This license also includes any company commonly known as a title lender that allows consumers to borrow money based on the equity in their automobiles. |

Source: Auditor General staff analysis of A.R.S. §§32-1001, 6-941, 6-901, and 44-281; and analysis of information obtained from the Department’s Web site.

Figure 2: Complaints by license type received from January 1, 2010 through October 10, 2012 (Unaudited)

Total complaints: 2,377
• Collection agencies: 891 (37%)
• Mortgage bankers/brokers: 683 (29%)
• Other (see note 1): 407 (17%)
• Sales finance companies: 188 (8%)
• Unlicensed entities: 114 (5%)
• Banks/credit unions: 94 (4%)

1 “Other” consists of complaints against escrow agents, motor vehicle dealers, money transmitters, consumer lenders, debt management companies, loan originators, deferred presentment companies, commercial mortgage bankers/brokers, advance fee loan brokers, and premium finance companies.

Source: Auditor General staff analysis of the 2,377 complaints the Department received between January 1, 2010 and October 10, 2012.

Typical complaint outcomes included the Department resolving the complaint, either by providing educational services to consumers to help them better understand financial agreements they have entered into or through dismissal of the complaint as a result of the Department’s investigation finding that no violation occurred, or closing the complaint because there was insufficient evidence to support its merits.1

Department’s complaint-handling process has several weaknesses

The Department’s complaint-handling process has several weaknesses, including inadequate and untimely complaint investigations, which could affect its ability to protect Arizona consumers and help ensure the soundness of its licensees’ business operations. Specifically, auditors’ review of complaint data identified several complaints for which the Department’s investigation was insufficient, or for which no investigation was conducted at all. In addition, the Department has not consistently tracked suspected unlicensed entities that are discovered as a result of complaint investigations, but for which the Department does not have enough information to pursue the case. Furthermore, the Department takes a long time to investigate some cases.
Some complaints are not investigated or are inadequately investigated—The Department did not investigate or thoroughly investigate some complaints. Based on a random sample of 25 complaints, auditors identified 2 complaints that the Department insufficiently investigated to determine whether the allegations could be substantiated.2 For example, in one complaint alleging harassment by a collection agency, the Department identified that the collection agency, which was located in California, was not licensed in Arizona as required. Although the collection agency ceased its efforts to collect from the complainant, the Department did not conduct any further investigation into the unlicensed activity it uncovered, such as requiring the collection agency to submit records related to its collection activities against Arizona residents for the Department’s review.3 Further, the Department did not pursue any enforcement action against the collection agency, such as issuing a cease-and-desist order to curtail any additional unlicensed activity. In addition, the Department could not find 2 of the complaint files in auditors’ sample. The Department’s complaint files contain important investigation details, such as the allegations involved in the complaint, correspondence with licensees and complainants, and evidence gathered during the course of an investigation. However, because these complaint files are missing, auditors could not determine the extent of the Department’s complaint investigation activities for these 2 complaints. 
Auditors also compared the Department’s May 2012 complaint intake data to information in its case management system and found that 2 complaints related to unlicensed activity of the 78 total complaints received during that month had not been entered into the case management system and were never investigated.4 The Department’s complaint intake data is used to track incoming complaints and assign them to an investigator, who then enters the complaint information into the case management system.

1 Although auditors found some inaccurate information in the Department’s complaint data, auditors determined that the data was generally reliable for the purpose of gaining a general understanding of the typical complaint bases and outcomes (see pages 28 through 29 for further discussion of the problems identified with the Department’s data).
2 Auditors selected 25 of the 2,158 complaints that were received and closed between January 1, 2010 and October 10, 2012 (see Appendix B, pages b-1 through b-3, for more information on sample selection).
3 The Department requested that the collection agency provide records related to any collection activities against Arizona residents. The collection agency verbally indicated it had not performed any collection activities against any other Arizona residents, but it did not provide the requested information, and the Department did not follow up with the agency to confirm its statements.
4 According to department documents, the Department received a total of 102 complaints in May 2012; however, 24 of these complaints were outside of the Department’s jurisdiction, and were forwarded to other agencies.
The Department’s case management system is used to record information about licensed financial institutions and enterprises including complaint investigation information such as the basis for a complaint, investigators’ notes describing the investigative steps taken, and the final outcome of an investigation. Although the Department reported that it has a process for reconciling complaint information between its intake data and its case management system, the errors auditors discovered indicate that this process is not always effective in ensuring that complaints received are ultimately investigated.

Insufficient tracking of unlicensed entities—Auditors found that department staff did not consistently track entities for which a suspicion of unlicensed activity existed. As part of its complaint-handling function, the Department investigates complaints related to potential unlicensed activity. If investigative activities, such as attempting to contact the unlicensed entity, have proven fruitless, the Department’s practice is to document these entities on its unlicensed entity tracking mechanism, known as the “Watch List.” The Watch List is reviewed by department staff when evaluating new license applications to help ensure that applicants do not have a history of unlicensed activity and is also used by examination staff when conducting examinations to ensure that any previously identified suspicious activity is addressed and that appropriate enforcement action is taken against unlicensed activity. However, the Department has not consistently placed potentially unlicensed entities on its Watch List. Specifically, 12 of the 25 sampled complaint investigations that auditors reviewed involved unlicensed activity.
Although the Department was either unable to contact the entity or failed to substantiate the unlicensed activity in at least 3 of the 12 complaints, it did not include the entities involved on the Watch List.1

Some complaints take a long time to resolve—Although the Department resolves many complaints quickly, some take more than a year to resolve or have been open and unresolved for more than a year.2 Auditors analyzed data for the 2,143 complaint investigations closed between January 1, 2010 and October 10, 2012, and found that the Department completed 1,811, or approximately 85 percent, of the investigations within 6 months of receiving the referral (see Figure 3, page 25).3,4 However, the remaining 332 investigations took more than 6 months to complete, with 111 of these cases, or 5 percent, taking a year or longer to resolve. Auditors also analyzed data for 219 complaints that were open as of October 10, 2012, and found that some complaints had been open for a long time. Specifically, 78 of the 219 complaints, or 36 percent, had been open and unresolved for 6 months or longer. According to the Department, some cases may remain open for a long period of time because of the Department’s need to prioritize complaints involving more egregious allegations or because the Department is pursuing administrative action to address a complaint in conjunction with the Arizona Attorney General’s Office.

1 The Department was unable to locate the case files for 2 of the 12 complaints alleging unlicensed activity. Thus, auditors were unable to evaluate the Department’s investigation and assess whether the entities involved should have been placed on the Watch List.
2 As discussed above, auditors found that some complaints are not investigated, or are inadequately investigated. As such, the timeliness information presented may not reflect the time it takes for the Department to conduct complete and thorough investigations.
3 Auditors found that although information in the Department’s database indicated that 2,158 complaints were investigated and closed between January 1, 2010 and October 10, 2012, 15 of these complaints contained errors in key date fields that prohibited auditors from assessing the timeliness of complaint-handling and were therefore excluded from auditors’ analysis of closed cases.
4 Auditors’ analysis of the Department’s complaint-handling timeliness included the entire life-cycle of a complaint, from initial receipt through final resolution, including taking disciplinary action against the licensee when appropriate.

Figure 3: Complaint-processing time, January 1, 2010 through October 10, 2012 (Unaudited)

Total complaints: 2,143
• 0 to 60 days: 954 (45%)
• 61 to 120 days: 646 (30%)
• 121 to 180 days: 211 (10%)
• 181 days to 1 year: 221 (10%)
• More than 1 year: 111 (5%)

Source: Auditor General staff analysis of 2,143 complaints closed between January 1, 2010 and October 10, 2012.

Weaknesses in complaint handling may affect public protection—Weaknesses in the Department’s complaint-handling function could impact its ability to adequately protect the public. Specifically, by failing to conduct thorough complaint investigations, the Department may not identify and then require entities to correct statutory violations and may not take appropriate disciplinary action. Because statute directs the Department to conduct examinations of most licensed financial enterprises once every 5 years, identifying and correcting problems through complaint investigations is a critical avenue for protecting Arizona residents and helping to ensure the soundness of businesses’ operations between inspections. Further, if investigative activities are unsuccessful in locating entities suspected of engaging in unlicensed activity, the Department’s only means of documenting and attempting to track these entities is through its mechanism for tracking unlicensed entities, the Watch List.
By not using the Watch List consistently, the Department risks its ability to identify and investigate these entities should they come to the Department’s attention in the future. In addition, when complaint cases are not investigated in a timely manner, leads may grow cold or an entity may go out of business before an investigation is conducted, which may have allowed more Arizona consumers to be harmed and prevented the Department from disciplining businesses engaging in improper activities. For example, 1 of the 25 sampled complaint investigations that auditors reviewed involved an investigation into alleged unlicensed financing activity on the part of a car dealership that was initiated as the result of 2 separate consumer complaints. However, department staff reported that the investigation was not started until receipt of the second complaint, which occurred almost 6 months after receipt of the first complaint, and the Department closed the complaint a month later after finding that the dealership had vacated the location named in the complaint.

Department should enhance its complaint-handling policies and procedures and improve its supervisory review process

To enhance its complaint-handling process, the Department needs to make changes in two areas. First, to ensure that all complaints are investigated thoroughly and in a timely manner, the Department should develop more comprehensive complaint investigation policies and procedures and establish reasonable goals for completing complaint investigations in a timely manner. Second, to ensure that investigators are following its policies and procedures, the Department should enhance its supervisory review process over its complaint-handling function given its available resources.
Department should enhance its complaint-handling policies and procedures—The Department should enhance its complaint-handling policies and procedures to ensure that department staff adequately process all complaints in a consistent and timely manner. The Department’s complaint-handling policies and procedures are incomplete. For example, the policies are largely silent on the specific steps needed to conduct an adequate and successful complaint investigation, including how to use the Watch List to track entities that may have engaged in unlicensed activity. Internal control standards indicate that policies and procedures help ensure that management’s directives are carried out.1 Although department staff reported that the Department’s complaint-handling practices have been institutionalized, incomplete policies and procedures do not ensure that all department staff responsible for investigating and resolving complaints do so in a consistent, adequate, and timely manner. Therefore, the Department should develop and implement more comprehensive complaint-handling policies and procedures. In doing so, the Department may find it useful to refer to its examination procedures as a model because these procedures provide a detailed, step-by-step description of the examination process. Specifically, the Department should:

• Standardize complaint investigation steps—The Department should revise its policies and procedures to include investigative steps common to complaint investigations. According to department staff, every complaint investigation is unique, but every investigation involves some common elements, such as comparing the facts of the case to statutes to determine whether a law has been violated.
Other important common steps should be described as well, such as requesting a response to the complaint from the entity who is the subject of the complaint; interviewing the complainant, licensee, and other applicable witnesses; obtaining all relevant documentation; and obtaining additional information from the complainant when necessary.

1 United States General Accounting Office. (1999). Standards for internal control in the federal government [GAO/AIMD-00-21.3.1]. Washington, DC: Author.

• Establish criteria for documenting suspected unlicensed activity on the Watch List—The Department needs to define the criteria in its written policies for when entities should be placed on its Watch List. For example, according to its stated practice, entities should be added to the Watch List if the Department receives a complaint about unlicensed activity, but it is unable to substantiate the complaint or its investigative efforts have been unsuccessful in locating the entity. This practice and any other appropriate criteria should be reflected in its policies.

• Establish and track time frames for resolving complaints—The Department should establish overall time frames for resolving complaints, including opening, investigating, and resolving the complaint, and specific time frames for completing the various steps of its complaint-handling process, including time frames for investigative activities. Once it has established these time frames, the Department should then develop and implement policies and procedures for tracking the progress of its complaint-handling against these time frames. Although the Department included a goal of completing complaint investigations within 35 days in its fiscal year 2014-2018 strategic plan, this goal does not consider relevant parts of the process, such as the time it takes for licensees or complainants to respond to requests for information.
Some of the timeliness problems identified by auditors illustrate the importance of tracking the entire time it takes to investigate and resolve a complaint to ensure that complaints are investigated as quickly and efficiently as possible. For example, for one complaint auditors reviewed, the investigator requested that the licensee furnish a response to the complaint within 10 days; however, the licensee failed to respond, and the investigator did not follow up until 7 months later. Auditors did not identify any specific best practices for complaint resolution time frames related to financial institution and enterprise complaints. However, based on auditors’ analysis of complaints data and discussions with department management, a 90-day time frame for completing most complaint investigations may be an appropriate goal. Finally, the Department should analyze its complaint-handling data to assist in determining appropriate timeliness goals for resolving complaints, and use the data to identify specific time frames for completing the various steps of its complaint-handling process.

Department should improve its supervisory review process—The Department should also enhance its review process for evaluating the adequacy and timely handling of complaint investigations. Although the Department reported that it has a supervisory review process for reviewing complaint investigations to ensure they are progressing in a timely manner, the problems with inadequate and untimely complaint investigations identified by auditors highlight a need for the Department to enhance its oversight.
Established internal control standards identify ongoing monitoring as a key component of a strong internal control structure, providing reasonable assurance that an organization is operating effectively and efficiently.1 As such, the Department should develop and implement policies and procedures that establish a supervisory review process for its complaint-handling function that is feasible given its available resources, including documenting the results of these supervisory reviews in its complaint case files. This supervisory review process should include:

• Periodic verification that complaints received are entered into the case management system—Although the Department reported that it has a reconciliation process to ensure that all complaints received are entered into the case management system and investigated, the results of such reconciliations are not being documented, and the Department has not developed written procedures describing the process. Further, the problems identified during this audit highlight the need for enhancements to the process. Therefore, to ensure that all complaints within the Department’s jurisdiction are investigated, the Department should enhance its supervisory review process to include a formal process for verifying that all complaints received that are within its jurisdiction are entered into the case management system for investigation.

• Periodic review of ongoing investigations—Although the Department reported that it has a process to periodically review the timeliness of complaint investigations, this process is not documented in formal policies, and the problems auditors identified indicate that enhancements are necessary. Therefore, to ensure that complaints are investigated in a timely manner, the Department should develop and implement written policies and procedures that direct the periodic review of the timeliness of complaint investigations, require these reviews and associated decisions to be documented, and for any cases that have been open for a long time, include guidelines on whether they should be further investigated or closed. In addition, the Department should develop and implement performance measures to ensure that investigators adhere to the Department’s investigative time frames, once these time frames have been established.

• Review of investigation sufficiency—To ensure that the Department adequately investigates all complaints, including investigations into potential unlicensed activity, the Department should enhance its supervisory review process to ensure that its investigative policies and procedures are being followed, including reviewing the steps taken to investigate a complaint. If the Department identifies entities for which a suspicion of unlicensed activity exists, this process should also ensure that these entities are included on the Department’s Watch List.

1 United States General Accounting Office. (1999). Standards for internal control in the federal government [GAO/AIMD-00-21.3.1]. Washington, DC: Author.

Department should establish procedures to ensure complete and accurate investigative information

The Department should establish procedures for ensuring the completeness and accuracy of its investigative information. Complete and accurate information is important for various case management functions, including providing complete and accurate information to the public. Auditors’ review of a sample of 25 complaints revealed several discrepancies in the way complaint cases are characterized in the Department’s case management system when compared to hard copy case file documentation.
Specifically, auditors identified 9 instances in which department staff used inaccurate case status designations to represent the basis of a complaint or the final outcome of an investigation, or failed to assign a final outcome status. For example, auditors identified one complaint that indicated concerns with potential unlicensed activity, but that was mistakenly recorded as a disputed debt in the case management system. In another example, the Department issued a cease-and-desist order and assessed a civil monetary penalty of $10,000 against a licensee to resolve a complaint, but the case management system inaccurately reflected this complaint as successfully resolved without any enforcement action. In addition, auditors identified 6 cases for which the investigator failed to assign a final outcome status at all. In fact, auditors’ analysis of final outcome statuses for all 2,158 complaints received and closed between January 1, 2010, and October 10, 2012, determined that 10 percent of these cases had no final outcome status recorded in the case management system.1

A lack of complete and accurate case management information impacts the Department’s ability to accurately assess licensees’ history with the Department and provide complete and accurate information to the public. For example, the Department uses data from its case management system when responding to public information requests. If the information related to the final outcomes of complaint investigations is entered incorrectly or not at all, this could result in inaccurate reporting of enforcement actions taken against licensees operating within the State when providing complaint information to the public. In fact, as discussed in Sunset Factor 5 (see pages 46 through 49), auditors found that errors in the case management system hinder the Department’s ability to provide a complete and accurate listing of enforcement actions in response to a public information request.
1 For the cases in which investigators failed to enter a final outcome status in the case management system, auditors found that staff had failed to change the default status of “N/A” to a status appropriately describing the resolution of the complaints. According to staff, “N/A” should never be the final outcome of a complaint investigation.

The Department should take two steps to address the inaccurate and incomplete complaint information in its case management system. First, it should update its complaint-handling policies and procedures to include specific definitions for each of its case status designations. According to department staff, the errors auditors identified in case status designations, including those related to the final outcome of a complaint investigation, are common and are due to data entry errors on the part of the investigators, as well as confusion as to the appropriate use of some ambiguous case status designations. Second, the Department should develop and implement policies and procedures that require a risk-based review of data entry based on its available resources to ensure that complaint information, including case status designations, is clearly and accurately documented in the case management system.

Recommendations:

2.1 The Department should enhance its complaint-handling policies and procedures to ensure that department staff consistently and adequately process all complaints in a timely manner. Specifically, the Department should:

a. Standardize complaint investigation steps and include these steps in its policies and procedures;

b. Establish criteria for documenting suspected unlicensed activity on the Watch List;

c. Establish and track time frames for resolving complaints, which should include the entire complaint-handling process of opening, investigating, and resolving the complaint, and specific time frames for completing the various steps of its complaint-handling procedures; and

d. Analyze its complaint-handling data to assist in determining appropriate timeliness goals for resolving complaints, and use the data to identify the specific time frames for completing the various steps of its complaint-handling process.

2.2 The Department should improve its oversight of its complaint-handling function by enhancing its supervisory review process to evaluate the adequacy and timely handling of complaint investigations in a way that is feasible given its available resources, and should document the results of these supervisory reviews in its complaint case files. Specifically, the Department should develop and implement written policies and procedures that require the following:

a. Verification that all complaints received that are within its jurisdiction are entered into the case management system for investigation;

b. Periodic review of complaint investigations to ensure that these investigations are progressing in a timely manner, documenting these reviews and any associated decisions, and for any cases that have been open for a long time, guidelines on whether they should be further investigated or closed; and

c. Review of investigation sufficiency to ensure that the Department’s investigative policies and procedures are being followed, including reviewing the steps taken to investigate a complaint and ensuring that identified entities are placed in the Watch List.

2.3 The Department should develop and implement performance measures to ensure that investigators adhere to the Department’s investigative time frames, once these time frames have been established.

2.4 To help ensure the completeness and accuracy of complaint information in its case management system, the Department should:

a. Update its complaint-handling policies and procedures to include specific definitions for each of its case status designations, including those related to the final outcome of a complaint investigation; and

b. Develop and implement policies and procedures that require a risk-based review of data entry based on its available resources, including a review of the accuracy of case status designations recorded in the case management system.

FINDING 3

The Arizona Department of Financial Institutions (Department) should develop or adopt a structured approach to evaluate the various fees it collects and better align these fees with its costs for providing the associated services. The Department collects over 100 fees, many of which were established before 1988. The Arizona State Agency Fee Commission (Commission) reviewed the Department’s fee structure and recommended the Department’s fees be set to match its costs. To implement this recommendation, the Department should take steps to evaluate its current costs and propose legislative or rule changes that would better align its fees with department funding needs, if appropriate.

Department should establish a structured approach to set appropriate fees

Department collects various fees

To regulate financial institutions and enterprises, the Department is statutorily required to collect over 100 fees. These fees primarily fall into four categories—licensing fees, assessment fees on industry assets, examination fees, and Mortgage Recovery Fund contributions (see textbox). For example, as shown in Table 4 (see page 32), the Department collects licensing fees ranging from $25 to $10,000, plus an additional $25 to $500 for some financial institutions’ or enterprises’ individual branches, for processing new and renewal applications; and charges $65 an hour for financial enterprise examinations. Statute establishes or caps the amount for all fees, except for assessment fees on industry assets, license fees for loan originators, Mortgage Recovery Fund contributions, and all fees for a registered exempt person.1 Fee amounts not established by statute are established by the Department in rules or its policies.
Types of fees collected by the Department

Licensing fees—A fee assessed for various activities, including processing new and renewal applications, for the different financial institutions and enterprises the Department regulates. These fees are used to support the Department’s regulatory activities.

Assessment fees on industry assets—A fee assessed on the total assets of state-chartered banks and credit unions. These fees help support the Department’s supervisory activities for banks and credit unions, including conducting examinations.

Examination fees—An hourly fee assessed for all financial enterprise examinations the Department conducts.

Mortgage Recovery Fund contributions—A $100 fee assessed on licensed loan originators who do not alternatively post a surety bond. The fee is used to support a minimum $2 million fund balance in the Mortgage Recovery Fund. As discussed in Table 8, page a-1, these fees can only be used to pay for losses related to mortgage transactions.

Source: Auditor General staff analysis of applicable statutes, administrative rules, 2012 Arizona State Agency Fee Commission Report, and a listing of department fees obtained from the Governor’s Office of Strategic Planning and Budgeting.

1 Arizona Revised Statutes (A.R.S.) 6-991.10 requires loan originators to pay a fee, in addition to their licensing fee, to the Mortgage Recovery Fund (A.R.S. §6-991.09), which is intended to benefit any person aggrieved by any act, representation, transaction, or conduct of a licensed loan originator that violates statute or rule (see Table 8, pages a-1 through a-2, for additional information on the Mortgage Recovery Fund).
Table 4: Fees for each financial institution or enterprise by type of fee
As of February 12, 2013

Financial institution/enterprise1 Financial institutions: Bank Credit union Trust company Savings and loan associations Application Licensing2 License/Renewal Other Assessment Examination $10,000 $1,000 to $5,000 for various changes such as making amendments and adding branches Based on assets $65 per hour3 $100 $250 to $1,000 for various changes such as establishing a branch or converting from a federal charter Based on assets $65 per hour3 $5,000 + $500 per branch $1,000 + $250 per branch $65 per hour $1,000 to $5,000 for various changes such as establishing a branch or converting from a federal charter $10,000 Based on assets $65 per hour3 Financial enterprises: Advance fee loan broker Collection agency Commercial mortgage banker Commercial mortgage broker Consumer lender Debt management company Escrow agent Loan originator Money transmitter Mortgage banker Mortgage broker Motor vehicle dealer Premium finance company Pre-need funeral trust Sales finance company $50 $1,500 + $500 per branch $1,500 + $500 per branch $25 $250 to change active $600 + $200 per manager branch $1,250 + $250 per $250 to change branch responsible individual $250 or $500 $250 to change $800 + $250 per (depending on size) + responsible individual branch $200 per branch or to inactive status $1,500 + $500 per $1,000 + $200 per branch branch $800 + $250 per $500+ $200 per branch branch $1,500 + $500 per $1,000 + $250 per branch branch $50 to $150 to transfer license or change to $350 $150 inactive status $25 to $2,500 for $1,500 + $25 (up to $500 + $25 (up to various changes, maximum $4,500) per maximum $2,500) per including acquiring branch/ authorized branch/ authorized control and applying for delegate delegate a branch office $750 or $1,250 $250 to change $1,500 + $500 per (depending on size) + responsible individual branch $250 per branch $250 to change $250 or $500 responsible individual $800 + $250 per (depending on size) + or to inactive status and branch $200 per branch $50 test fee $300 $150 $300 $800 + $250 per branch $500 + $200 per branch $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour $65 per hour

1 The Department also charges a $300 application, $150 registration/renewal, and $250 change fee for registered exempt persons. A.R.S. §6-912 requires federally chartered savings banks that sponsor one or more loan originators to register with the Department as a registered exempt person, but these entities are not subject to licensure or examination by the Department. As of June 2013, State Farm Bank was the only company registered under this title.

2 The Department also charges $50 to change addresses, $100 to obtain a duplicate license, and $250 for a name change. These fees are not included in the table. In addition, the table does not include late fees or other miscellaneous fees such as publication fees or fees for maintaining offices outside of Arizona. Finally, the table does not include a $100 fee charged to loan originators for the Mortgage Recovery Fund.

3 In accordance with A.R.S. §6-125, the Department may charge up to $65 per hour for any enterprise or trust company examination, and any examination that is in addition to the regular examination for all other financial institutions.

Source: Auditor General staff analysis of A.R.S. §§6-125, 6-126, 6-908, 6-912, 6-991.03, 6-991.10, and 6-1304, and a listing of department fees obtained from the Governor’s Office of Strategic Planning and Budgeting.

All fees, except loan originator licensing and Mortgage Recovery Fund fees, are deposited into the State General Fund in accordance with statutes.
Loan originator licensing fees are deposited into the Financial Services Fund and mortgage recovery fund fees are deposited into the Mortgage Recovery Fund, as required by statute. During fiscal year 2012, the Department deposited approximately $4.3 million into the State General Fund, nearly $1.5 million into the Financial Services Fund, and nearly $316,000 into the Mortgage Recovery Fund from the fees it collected.

Commission’s 2012 report identified fee disparities and recommended Department align fees with costs

The Commission’s 2012 report identified disparities in the Department’s fees and recommended the Department align its fees with its costs. The Commission, which was established in 2011 to review Arizona state agency fees, reviewed the Department’s fees along with the fees of several other agencies and issued a report on its review in December 2012. Regarding the Department, the Commission identified a large disparity in the financial support generated by fees for two of the Department’s programs. Many of the Department’s fees were established several years ago, which may have contributed to this disparity. As a result of its findings, the Commission made several recommendations, including recommending that the Department’s fees be aligned with its costs.

Commission established to review Arizona state agency fees—The Commission (see textbox) was established by A.R.S. §41-1008.01 to review fees assessed by all Arizona state agencies, unless an agency is specifically exempted from review, at least once every 5-year period, beginning October 1, 2011, or whenever the Commission deems necessary.1 The Commission is also charged with issuing an annual, comprehensive report regarding the state agencies and associated fees it has reviewed. The report is required to include:

• An inventory of fees assessed by each of the reviewed agencies;

• An analysis of methods used by agencies to set fees;

• An analysis of the effects that fees currently have on regulated industries, businesses, or consumer groups for each agency;

• An analysis of the long-term sustainability of the regulated program;

• An analysis of the effects of recent budget reductions and fund transfers on agencies and their fee funds; and

• Any recommendations related to its review.

Commission composition

• Six gubernatorial appointees—four from the private sector and two state agency executives.

• Six legislative appointees—three from the Senate and three from the House of Representatives.

• Director of the Governor’s Office of Strategic Planning and Budgeting.

Source: Auditor General staff analysis of A.R.S. §41-1008.01.

1 The Commission does not review any state agency whose executive is an elected official, the Arizona Supreme Court, Arizona Court of Appeals, or 90/10 agencies that were specifically exempted by the Commission’s bylaws.

In accordance with these requirements, the Commission conducted its first review during calendar year 2012 and issued a December 2012 report on the results of its review. In addition to a review and analysis of the Department’s fees, the December 2012 report includes a review and analysis of the fees assessed by the Arizona State Land Department, the Arizona Department of Weights and Measures, and the Arizona Department of Environmental Quality.

Commission identified a large disparity in the financial support provided to the Department and an overall benefit to the State General Fund—The Department’s fees and funding structure created a disparity in financial support for department programs that also resulted in a benefit to the State General Fund of nearly $29.5 million from fiscal years 2003 through 2013. As reported by the Commission, two of the Department’s programs are supported by fee revenue.1 One of the programs is responsible for licensing entities, investigating complaints, and educating the public.
This program is primarily funded by licensing fees, and according to the Commission, program revenues exceeded its expenditures by an estimated $3.1 million in fiscal year 2012. In contrast, according to the Commission, another department program is estimated to have cost approximately $31,000 more to operate than the fee revenue it generated during fiscal year 2012.2 This program examines licensed entities, conducts financial analysis of licensees, and takes enforcement actions, and is primarily funded by examination fees, bank and credit union assessment fees, and civil monetary penalties.

The Commission also reported that the disparity between the Department’s fees and operating costs and the Department’s current funding structure resulted in a net surplus that benefitted the State General Fund. Specifically, as shown in Table 5 (see page 35), the Department deposited more than $4.7 million into the State General Fund during fiscal year 2013; however, it spent only approximately $2.9 million. Consequently, the State General Fund received in excess of $1.8 million, indicating a mismatch between the fees collected and the related expenditures. As shown in Table 5, the surplus of revenues that the Department has deposited into the State General Fund totals approximately $29.5 million between fiscal years 2003 and 2013.

Department’s fees that were established several years ago may contribute to the disparity—As reported by the Commission, most of the Department’s fees were last changed or first established prior to 1994. Auditors found that many fees were last changed or first established in statute even before 1988. For example, as shown in Table 4 (see page 32), statute established mortgage brokers’ application fees at $800 plus an additional $250 for each branch. These fee amounts were established prior to 1988.
In addition, the Commission reported that the method used to establish the Department’s fees was not readily available and the Department was similarly unable to provide auditors the methodology.

1 The Department also has a program that administers and ultimately liquidates all court-ordered receiverships. This program does not receive fee revenue.

2 According to the Commission, this program is also funded by civil monetary penalties, which are unpredictable. The Commission reported that without the use of these monies, the program would have had a $700,000 negative fund balance in fiscal year 2012.

Table 5: Excess of revenues over expenditures deposited into the State General Fund
Fiscal years 2003 through 2013
(Unaudited)

Fiscal year    Revenues        Expenditures    Amount remitted to the State General Fund
2003           $ 5,481,942     $ 2,710,009     $ 2,771,933
2004             5,895,952       2,722,576       3,173,376
2005             6,741,754       2,858,097       3,883,657
2006             7,437,692       3,312,190       4,125,502
2007             8,171,513       3,666,498       4,505,015
2008             6,102,918       3,882,742       2,220,176
2009             5,435,509       3,304,602       2,130,907
2010             4,638,879       2,970,197       1,668,682
2011             4,415,720       2,794,887       1,620,833
2012             4,302,284       2,745,082       1,557,202
2013             4,768,184       2,952,401       1,815,783
Total          $63,392,347     $33,919,281     $29,473,066

Source: Auditor General staff analysis of the Arizona Financial Information System’s Accounting Event Transaction File for fiscal years 2003 through 2013.

Because most fees have not been reviewed since before 1994, they likely do not match up to the Department’s costs and may contribute to the Department’s funding disparity. For example, the Department indicated that its assessment fees on industry assets have not changed since at least fiscal year 2001 and do not appear to be sufficient to cover all relevant department expenditures for regulating banks and credit unions.
Specifically, the estimated fiscal year 2013 assessment fee revenue was approximately $970,000, and the Department’s fiscal year 2013 costs for regulating the banking and credit union industry in Arizona totaled an estimated $946,000. However, the Department’s costs do not include any allocation of administrative salaries for the Department’s Superintendent’s Office, Administrative Division, or Information Technology Division, which are estimated to total approximately $716,000. Therefore, if the Department had allocated a portion of its administrative salary expenditures to its regulatory costs, it is likely that the assessment fee revenue was insufficient to cover the Department’s costs since the unallocated costs likely totaled more than the $24,000 difference between the regulation costs and assessment revenues. In addition, the assessment fees charged to banks are on average about 70 percent less than the fees the Office of the Comptroller of the Currency (OCC) charges for regulating federal banks.1 Similarly, the assessment fee charged to credit unions is on average about 60 percent less than the fees the National Credit Union Administration (NCUA) charges for regulating credit unions.1

1 A.R.S. §6-125(E) requires the Department to consider the OCC assessment amounts when determining its annual assessment fees for banks. The OCC is a federal agency whose primary mission is to charter, regulate, and supervise all national banks and federal savings associations, and it also supervises federal branches and agencies of foreign banks.

Commission made several recommendations—Based on its review and analysis of the fees assessed by all four state agencies, the Commission made several general recommendations, some of which apply to the Department’s fees. In addition, it made specific recommendations for the Department’s fees.
Specifically:

• General recommendations—The Commission established several general recommendations that it uses to assist in its review of state agency fees that can likewise be considered by the Department when establishing and/or revising its fees. Some of these recommendations apply to the Department. Specifically, the Commission recommended that: (1) the State General Fund should not benefit from program fees, (2) agencies should limit the use of fees from one program to pay for the costs of another program, (3) fees should reflect the cost of the services provided, and (4) agencies should continue to undergo a systematic review of their fees by the Commission every 5 years as required by statute.

• Specific recommendations—The Commission made one specific recommendation regarding the Department’s fees. Specifically, the Commission recommended that the Department’s fees be set to generate enough revenue to meet the Department’s expenditure needs.2

Department should evaluate costs and propose changes to its fees, if appropriate

In response to the Commission’s recommendations, the Department should take steps to evaluate its costs and propose legislative or rule changes that would better align its fees with department funding needs, if appropriate. In evaluating its costs and fees, the Department should develop or adopt a structured approach. Mississippi’s Joint Legislative Committee on Performance Evaluation and Expenditure Review (PEER) developed an approach for evaluating and setting fees that may assist the Department.3 PEER’s approach consists of a decision model for establishing or increasing government fees, called the Theory of Fee Setting in Government, as well as guidance on implementing new fees.4 Similarly, the U.S. Government Accountability Office (GAO) issued a design guide for federal user fees that offers similar suggestions for setting fees.5

1 A.R.S. §6-125(E) requires the Department to consider the NCUA assessment amounts when determining its annual assessment fees for credit unions. The NCUA is a federal agency that regulates, charters, and supervises federal credit unions.

2 The Department would need to seek legislative approval to change any fee amount that is statutorily established.

3 Joint Legislative Committee on Performance Evaluation and Expenditure Review (2002). State agency fees: FY 2001 collections and potential new fee revenues. Jackson, MS: Author.

4 According to PEER, the approach was based on a review of academic literature, economics theory, and policies and procedures from various states and the United States and Canadian governments.

5 U.S. Government Accountability Office. (2008). Federal user fees: A design guide (GAO-08-386SP). Washington, DC: Author.

Figure 4 (see page 38) summarizes key concepts from PEER’s approach. The approach the Department takes should include the following:

• Assessing efficiency of operations—The Department should assess the efficiency of its operations to ensure costs are as low as possible while considering service quality, and document the results of its assessment. As the Department assesses the efficiency of its operations, it should seek to minimize costs where possible.

• Developing a method to determine costs—The Department should develop and implement a method for determining department costs, including both direct and indirect costs, relevant to the fees it charges and create policies and procedures for using this method. In developing this method, the Department should consider cost allocation principles provided by the U.S. Office of Management and Budget.1 For example, the Department should use the Office of Management and Budget guidelines to help it determine the best method for allocating indirect costs.
In addition, although the Department tracks revenues and some costs by licensee category (e.g., collection agency, mortgage broker, etc.), it does not have an established method for determining payroll costs, its largest cost, by licensee category. Consequently, in developing its method for determining department costs, the Department should also establish an allocation methodology for assigning direct payroll costs to licensee category within its already existing accounting system. This would help the Department determine its costs more quickly and help ensure consistency when analyzing its costs to determine funding needs. • Analyzing costs by licensee category to evaluate fee amounts—After the Department has established its approach to determine costs and has begun to appropriately track costs, it should use these costs to analyze its fees and determine the appropriate fees to charge. This would also allow the Department to determine if it is following the general recommendations made by the Commission such as eliminating the benefit to the State General Fund and limiting the use of fees from one program to pay for other programs. To ensure the Department’s fees continue to align with its costs, the Department should ensure that it regularly re-evaluates its fees. Specifically, the Department should include in its policies and procedures a time frame for periodically reevaluating its fees. For example, the GAO recommends fees be assessed biennially, while the Commission is required to review state agencies’ fees at least once in a 5-year period. When warranted and based on its cost and fee assessment, the Department should propose legislative changes to its statutorily established fee amounts or make appropriate rule changes to revise its fees. For example, if the Department determines that its mortgage broker licensing fees need to be revised, it should work with the Legislature to propose legislation revising these fees. 
The Department should also consider the effect that proposed fee changes may have on the affected financial institutions and enterprises and obtain their input when reviewing the fees.

1 See Office of Management and Budget Circular A-87.

Figure 4: Mississippi Joint Legislative Committee on Performance Evaluation and Expenditure Review structured fee-setting process developed for state government

Determine whether fees or taxes should fund the service
Who benefits from the service: individuals, the public, or both?
• Fees should finance services that benefit individuals.
• Taxes should finance services that benefit the public.
• When both individuals and the public benefit from a service, financing can come from both fees and taxes.

Identify and analyze legal issues
• Are fees limited by statute? If so, is legislation required to change them?
• Should administrative rules be revised?

Identify the fees’ purpose
• Should fees cover the cost of providing the service?
• Should fees be set to influence behavior?
• Should fees be set to encourage compliance with program regulation and goals?

Assess factors influencing fee amount
• What effect will fees have on those who pay them?
• What effect will fees have on annual revenue?
• What do similar states charge for the service?
• Will the public accept the fees’ necessity?
• Is the Department subsidizing other government operations?

Determine appropriate methodology for setting fees
• Determine if there is a comprehensive cost accounting system.
• Seek to reduce costs as much as possible.
• Measure direct and indirect costs of the time staff spends in service activities.
• Determine economic impact on regulated entities.

Implement fees
• Obtain amended legislation and regulation as needed.
• Prepare those who pay fees for changes by providing advance notice and explaining the purpose and reasoning of new fees.
• Train staff to answer questions regarding the new fees.

Periodically assess revenue, costs, and program outcomes to update fee amounts

Source: Auditor General staff analysis of fee-setting model included in State agency fees: FY 2001 collections and potential new fee revenues report prepared by the Mississippi Joint Legislative Committee on Performance Evaluation and Expenditure Review.

Recommendations:
3.1 To ensure its fees more fully reflect its costs, the Department should develop a structured approach to evaluate current fees and propose legislative or rule changes that would more closely align its fees with department funding needs. In developing this approach, the Department should do the following:
a. Assess the efficiency of its operations to ensure costs are as low as possible while considering service quality, and document the results of its assessment. As the Department assesses the efficiency of its operations, it should continue seeking to minimize costs where possible.
b. Develop and implement a method for estimating department costs, including both direct and indirect costs, and create policies and procedures for using this method.
c. Establish an allocation methodology for assigning direct payroll costs to licensee category within its currently established accounting system.
d. After the method is developed and costs are appropriately tracked, the Department should use the costs to analyze its fee structure and determine the appropriate fees to charge.
e. Include in its policies and procedures a time frame by which it will reevaluate its fees to ensure its fees continue to align with its costs.
3.2 When warranted and based on its cost and fee assessment, the Department should propose legislative changes to its statutorily established fee amounts or make appropriate rule changes to revise its fees.
3.3 The Department should consider the effect that the proposed fee changes may have on the affected financial institutions and enterprises and obtain their input when reviewing the fees.

SUNSET FACTORS

In accordance with Arizona Revised Statutes (A.R.S.) §41-2954, the Legislature should consider the following factors in determining whether the Arizona Department of Financial Institutions (Department) should be continued or terminated.

This analysis includes recommendations for the Department to improve some of its cash-handling and fixed assets procedures (see Sunset Factor 2, page 45); enhance public information reporting (see Sunset Factor 5, pages 46 through 49); and improve its administration of future information technology system contracts (see Sunset Factor 12, pages 53 through 55).

Sunset factor analysis

1. The objective and purpose in establishing the Department and the extent to which the objective and purpose are met by private enterprises in other states.
The Arizona Department of Financial Institutions (Department), formerly known as the State Banking Department, was established in 1973. The Department’s mission is to license, examine, and supervise financial institutions and enterprises, in compliance with state laws that are designed to protect consumers, prevent financial crime, and help ensure sound business operations. In 2004, statutes were amended to change the Department’s name from the State Banking Department to the Department of Financial Institutions. The intent was to better represent the Department’s regulatory authority and responsibility for both financial institutions, such as banks and credit unions, as well as financial enterprises, such as consumer lenders, sales finance companies, and mortgage brokers (see Table 1, page 2, for a listing of regulated entities).
According to the Conference of State Bank Supervisors’ Web site, 46 states have a banking regulatory department similar to the Department that examines state chartered banks. In addition, the National Association of Consumer Credit Administrators’ Web site reports state agency membership from 49 states, which primarily license and regulate nondepository institutions such as finance companies, mortgage companies, and other similar types of industries. Auditors did not identify any states that met the Department’s objective or purpose through private enterprises. Specifically, auditors conducted a survey of eight states and found that all eight states had agencies responsible for regulating financial institutions and most of the same financial enterprises the Department regulates.1 For example, the New Mexico Department of Financial Institutions regulates banks, credit unions, collection agencies, and at least nine additional financial enterprises, similar to the Department.

1 The survey included California, Colorado, Kansas, Nevada, New Mexico, Oklahoma, Texas, and Utah.

2. The extent to which the Department has met its statutory objective and purpose and the efficiency with which it has operated.
The Department has generally met its statutory objective and purpose, but needs improvement in some areas. Some examples in which the Department has efficiently met its objectives and purposes include:
• Timely issuing of licenses to qualified applicants—The Department generally issues licenses in a timely manner, and its licensing processes mirror best practices. Because the Department’s licensing applicants cannot operate their businesses until they receive a license, it is critical that the Department issue licenses to qualified applicants in a timely manner. The Department has established a process to help ensure it issues licenses to qualified applicants that meet requirements established in statutes.
In addition, Arizona Administrative Code (AAC) R20-4-107, Table A, requires the Department to complete its overall review of licensing applications and notify applicants of the Department’s decision to approve, conditionally approve, or deny applications within time frames specified in Table A. For example, AAC R20-4-107, Table A, requires the Department to notify a collection agency license applicant of its decision within 45 days. The Department has established various procedures and tools to help ensure it makes licensing decisions within required time frames. The Department’s licensing data indicates that it received 2,833 applications between July 1, 2011 and October 1, 2012, and failed to complete only 1 of these licensing application reviews within the required time frames.1 In this single instance, consistent with A.R.S. §41-1077(A), the Department refunded the license applicant’s application fee because it did not complete its review within the required time frames. The Department’s licensing review process is also consistent with best practices. According to the National State Auditors Association (NSAA), agencies should develop a systematic and fair process for issuing both new and renewal licenses to only qualified applicants.2 Similar to NSAA licensing best practices, the Department requires applicants to submit an initial application or renewal form along with supporting documents to demonstrate qualifications, reviews documentation submitted to ensure that all statutory and rule requirements for licensure are met, actively monitors the processing of applications, and maintains a record of all applications and supporting documents. Auditors reviewed five different types of financial enterprise licenses issued between fiscal years 2008 and 2012 and found that the Department issued these licenses to qualified applicants. 
The Department used checklists to ensure that licensing requirements were both met by the applicant and verified by the Department’s licensing personnel prior to approval. Additionally, auditors determined that the Department issued licenses within the required time frames for four of the five licenses reviewed. Auditors found that the Department appropriately refunded the fifth applicant in accordance with A.R.S. §41-1077(A).
• Department has established adequate policies and practices to guide the effective examination of financial institutions—The Department is statutorily required to conduct examinations of financial institutions.3 As discussed in the Introduction (see pages 3 through 4), the Department has been accredited by the Conference of State Bank Supervisors and National Association of State Credit Union Supervisors, which conduct independent reviews of bank and credit union supervisory programs, to ensure that its examination programs meet certain quality standards, including the ability to examine these financial institutions adequately and at the required frequency.

1 Auditors’ review of licensing data revealed gaps in the license numbers, which increase the risk that the licensing data is not complete (see Appendix B, page b-2, for additional information related to the licensing data).
2 National State Auditors Association. (2004). Best practices in carrying out a state regulatory program: A National State Auditors Association best practices document. Lexington, KY: Author.
3 Financial institutions are defined by A.R.S. §6-101(8) as banks, trust companies, savings and loan associations, credit unions, consumer lenders, international banking facilities, and financial institution holding companies (see Table 1, page 2, for more information regarding financial institutions).
In addition, the Department coordinates its examinations of banks and credit unions with its federal counterparts that regulate the same institutions—the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA). For example, the Department jointly conducts credit union examinations with the NCUA, which provides department examiners with examination software that includes checklists to help assess credit union compliance with applicable laws and regulations. • Appropriate enforcement actions taken when violations are identified—Auditors found that the Department administers appropriate enforcement actions when it identifies statutory violations. According to the NSAA, regulatory agencies should establish an enforcement process that ensures a graduated and equitable system of sanctions, including an appeals process and a process to make information about disciplinary actions taken readily available to the public.1 The Department’s enforcement process includes progressive sanctions when repeat violations are identified, provides for an appeals process through informal settlement conferences or a formal hearing before the Office of Administrative Hearings, and makes information regarding some of the disciplinary actions taken against licensees available to the public through its Web site or through a records request process (see Sunset Factor 5, pages 46 through 49, for more information on the Department’s provision of public information). Auditors’ review of five enforcement cases found that the Department took enforcement action when violations of statute were found, and that it took progressive enforcement actions when repeat violations were found. For example, the Department conducted examinations of a money transmitter and found repeat violations. The Department assessed cease-and-desist orders with civil monetary penalties of $24,000 after its first examination in 2002. 
In 2009, after its fourth examination of the money transmitter found continued repeat violations, the Department issued a cease-and-desist order with a civil monetary penalty of $2 million.

1 National State Auditors Association. (2004). Best practices in carrying out a state regulatory program: A National State Auditors Association best practices document. Lexington, KY: Author.

However, the audit found that the Department can better meet its statutory objectives by:
• Taking steps to enhance its financial enterprise examination processes—Although the Department has established various policies and procedures for conducting its financial enterprise examinations, it needs to take several steps to address its backlog of past-due examinations. The Department’s financial enterprise examinations are designed to test licensee compliance with laws that are intended to protect consumers, prevent crime, and ensure sound business operations. The examination program includes several best practices, such as the establishment of formal policies and procedures to guide examination staff through compliance examinations. However, as discussed in Finding 1 (see pages 9 through 20), as of April 2013, the Department was experiencing a growing backlog of statutorily required examinations. Statute requires that the Department examine most financial enterprises at least once every 5 years, yet as of October 2012, the Department had a backlog of 167 past-due examinations. Additionally, from October 2012 through April 2013, this backlog increased from 167 to 197 past-due examinations. However, the Department reported that as of July 2013, its backlog of enterprise examinations decreased to 146. Several factors have contributed to the Department’s backlog, including conducting full-scope rather than limited-scope examinations of compliant licensees, a growing number of licensees requiring examination, and ineffective examination prioritization.
According to the Department, this backlog is also due to a reduction in its enterprise examination staff in fiscal year 2010. The Department should revise its examinations approach by taking several key steps. First, the Department should develop and implement written policies and procedures for varying the scope of its examinations based on the financial enterprise’s assessed risk. Next, although the Department began administering an electronic examination (e-exam) to some licensees to ease its examinations workload, it has not always used the e-exam as intended. It should develop and implement written policies and procedures on when it is appropriate to use e-exams. In addition, the Department should ensure licensees are not examined sooner than is needed, while high-risk licensees should receive more timely re-examination. The Department should also revise its post-examination risk-rating process to ensure risk can be compared across license types, and that common risk factors are considered for all license types, and should enhance its methods for identifying risks prior to conducting an examination using existing information, such as financial performance reports already submitted to the Department by most licensees to assess the size and financial performance of licensees compared to their peers. Finally, the Department needs to develop and implement written policies and procedures for conducting a followup after an examination to better ensure serious violations are corrected by licensees.
• Improving its investigation of complaints—The Department does not sufficiently investigate or process some complaints in a timely manner, and it does not accurately record all complaint investigative information in its database.
As discussed in Finding 2 (see pages 21 through 30), to ensure that complaints are adequately processed in a consistent and timely manner, the Department needs to enhance its complaint-handling policies and procedures, including establishing complaint-handling time frames. In addition, the Department should enhance its supervisory review process based on its available resources to better evaluate the adequacy and timely handling of complaint investigations. Finally, the Department should establish procedures for ensuring the completeness and accuracy of investigative information in its case management system. • Establishing a structured approach to fee setting—The Department is statutorily required to collect over 100 fees from financial institutions and enterprises. Many of these fees were established before 1988. The Arizona State Agency Fee Commission (Commission) issued a report assessing the Department’s fees in December 2012 and identified a disparity in financial support for the Department’s programs that resulted in a benefit to the State General Fund. For example, the Department deposited over $1.8 million more in revenues to the State General Fund in fiscal year 2013 than it spent. The Commission recommended that the Department’s fees be set to generate enough revenue to meet the Department’s expenditure needs.1 In response to the Commission’s recommendations, the Department should take steps to evaluate its current costs and fees and propose legislative or rule changes that would better align its fees with department funding needs, if appropriate. In evaluating its fees, the Department should develop or adopt a structured approach that involves: (1) assessing the efficiency of its operations, and seeking to minimize costs where possible, (2) developing a method to determine costs, including one that identifies both direct and indirect costs, and (3) using these costs to analyze its fee structure and determine the appropriate fees to charge. 
When warranted and based on its cost and fee assessment, the Department should then propose legislative changes to its statutorily established fee amounts or make appropriate rule changes to revise its fees (see Finding 3, pages 31 through 39).
• Improving policies and practices over cash-handling and fixed assets—According to a July 2013 procedural review conducted by the Office of the Auditor General, the Department’s cash receipt responsibilities were not adequately separated, and mailed payments were not opened and recorded in the presence of two employees in accordance with the State of Arizona Accounting Manual.2 In addition, the procedural review found that the Department did not perform an annual physical inventory over fixed assets and did not always maintain capital asset disposal documentation. To improve its policies and practices in these areas, the Department should implement the following recommendations:
◦ Separate cash receipts responsibilities to ensure that one employee collects receipts and a different employee records the receipts in the accounting records;
◦ Require two employees to open the mail and record mail receipts;
◦ Require checks received to be locked in a safe prior to deposit;
◦ Conduct a complete physical inventory of all capital assets at least annually and update the State’s Fixed Asset System for any corrections needed based on the results of the inventory; and
◦ Maintain all supporting documentation for disposed capital assets and update the State’s Fixed Asset System within 5 working days of the disposal.

1 The Department would need to seek legislative approval to change any fee amount that is statutorily established.
2 Procedural review of the Arizona Department of Financial Institutions as of February 28, 2013; issued July 17, 2013.

3. The extent to which the Department serves the entire State rather than specific interests.
The Department serves consumers and businesses throughout the State by ensuring that licensed financial institutions and enterprises are qualified to conduct business in the State. It does so through the following regulatory functions: • Licensing—The Department licenses 19 different financial institution and enterprise types. Licensed financial enterprises operate throughout the State, and are sometimes located outside Arizona, but must obtain a license to conduct business with Arizona citizens. For example, collection agencies must obtain a license from the Department if they collect debts from debtors who reside in Arizona, regardless of where the company is located.1 • Examination—As discussed in Finding 1 (see pages 9 through 20), the Department conducts compliance examinations of financial enterprises. Since financial enterprises are located throughout Arizona or outside of the State, the Department must travel to conduct some of its compliance examinations. An evaluation of examination files found that the Department conducts examinations of both in-state and out-of-state licensees. • Complaint Handling—As discussed in Finding 2 (see pages 21 through 30), the Department has established a complaint-handling function designed to protect the public from misleading or unlawful practices by state-regulated financial institutions or enterprises, regardless of where in the State the complainants are located. Additionally, the Department investigates complaints filed against individuals or companies suspected of engaging in unlicensed activities. The Department also provides consumers with information through its Web site regarding licensed institutions and enterprises, including when the business first received its license and when its license expires. 
In addition, the Department publishes some of the enforcement actions it takes against licensees, such as license suspensions and cease-and-desist orders, and makes additional information available about licensees through public records requests (see Sunset Factor 5, pages 46 through 49, for more information related to the Department’s handling of public records).

1 A.R.S. §32-1021(D)(1).

4. The extent to which rules adopted by the Department are consistent with the legislative mandate.
General Counsel for the Office of the Auditor General has analyzed the Department’s rulemaking statutes and believes that the Department’s rules are consistent with its legislative mandate.

5. The extent to which the Department has encouraged input from the public before adopting its rules and the extent to which it has informed the public as to its actions and their expected impact on the public.
The Department involves the public in its rule-making process and provides regulatory information to consumers and licensees on its Web site. Specifically:
• Department involves the public in its rule-making—The Department has encouraged input from the public and stakeholders before adopting its rules. For example, in October 2012, the Department revised its rules regarding the regulation of the mortgage industry, and appropriately followed the directives of A.R.S. §41-1022 by filing a Notice of Proposed Rulemaking with the Arizona Secretary of State’s Office and subsequently holding a 30-day public comment period before submitting a Notice of Final Rulemaking to the Governor’s Regulatory Review Council for approval.
• Department provides regulatory information on its Web site—The Department includes a listing of active licensees who are able to do business in Arizona on its Web site, which includes information such as the company name and address, as well as license number and expiration date. In addition, as directed by A.R.S.
§41-1091.01, the Department’s Web site provides links to the location of all of the Department’s rules as well as links to all substantive policy statements. Further, the Department uses its Web site to inform the public of the Department’s activities and to educate its licensees on important industry updates and best practices for complying with regulation. For example, the Department’s Web site contains links to recent press releases informing the public about the Department’s activities, as well as Regulatory Bulletins meant to assist licensees with maintaining compliance and alerting them to industry trends and changes relevant to department regulation. However, the Department can enhance its public information reporting in three areas. Specifically: • Department should formalize its process for deciding when it will provide financial enterprise information to the public—Statutes prescribe scenarios where the Department may or may not disclose information about licensees, including records that licensees have submitted to the Department or actions the Department has taken against licensees. Although A.R.S. §6-129.01 (see Table 6, page 48) gives the Department some discretion in deciding whether to release financial enterprise information to the public, it has not developed any written policies or procedures outlining how it determines whether or not to release information to the public. Without policies and procedures, the Department lacks a guided process to ensure it makes consistent and appropriate decisions regarding the information it provides to the public. Therefore, the Department should develop and implement written policies and procedures to guide the determination of whether or not to provide information to the public, including factors that should be considered when doing so. 
• Department should ensure that it can provide the public with a complete and accurate listing of its enforcement actions—Although the Department has discretion regarding enforcement action information it will provide to the public, it would not have the capability to generate a complete and accurate listing of enforcement actions if it intends to fulfill a request for this information. This type of information can help the public make informed decisions about whether to use the services of a regulated entity. However, according to department staff, the Department is unable to automatically generate such a listing using its database, primarily because department staff do not always flag actions as “final.”1 Instead, staff must compile such a listing manually and identify the final action taken by relying on related information in the database, such as the date the most recent correspondence was sent to the licensee. To evaluate the Department’s ability to produce a complete and accurate listing of enforcement actions, auditors requested a public listing of all cease-and-desist orders issued between January 1, 2011 and January 3, 2013, and compared the listing to the Department’s database. This review identified seven errors, five of which were caused by the Department’s inaccurate identification of completed actions.

1 The Department tracks each step of the disciplinary process, including issuance of an initial proposed consent agreement, granting of an informal settlement conference, and issuance of a final order, which can create confusion about which action was the final action taken. Although the Department’s database contains a field meant to indicate which action is the final action taken, auditors found that this field was not always accurate.

Table 6: Statutory requirements to disclose licensee information

Disclosure information: Records relating to financial institutions and enterprises1,2
Statutory requirement: A.R.S. §6-129(A)—Except as otherwise provided by this title, the records of the Department relating to financial institutions shall not be public documents nor open for inspection by the public. A.R.S. §6-129(C)—The superintendent may disclose, for financial institutions or enterprises, whether a person is licensed and the license status, final decisions, such as suspensions or revocations of licenses, or the result of a complaint or investigation to the complainant.

Disclosure information: Records relating to financial enterprises3
Statutory requirement: A.R.S. §6-129.01—All papers, documents, reports, etc. filed with the Department by an enterprise shall be open to public inspection, except the director may withhold these items from public inspection for such time as he considers necessary to protect the public welfare or welfare of the enterprise.

Disclosure information: Cease-and-desist orders due to unlicensed activity
Statutory requirement: A.R.S. §6-137(G)—An order of this type shall be open to public inspection.

1 Financial institutions are defined by A.R.S. §6-101(8) as banks, trust companies, savings and loan associations, credit unions, consumer lenders, international banking facilities, and financial institution holding companies; see Table 1, page 2, for more information regarding financial institutions.
2 Financial enterprises are defined by A.R.S. §6-101(6) as any person under the jurisdiction of the department other than a financial institution; see Table 1, page 2, for more information regarding financial enterprises.
3 Notwithstanding A.R.S. §6-129.01, which was enacted in 1983, the Department believes that the records of both financial institutions and enterprises, with certain exceptions, are not public.
Source: Auditor General staff analysis of A.R.S. §§6-129, 6-129.01, and 6-137(G).
The remaining two cases were appropriately flagged in the system as final actions, but due to the manual process of compiling the listing, were inadvertently omitted. Therefore, to ensure it can provide the public with complete and accurate information, the Department should establish and implement a supervisory review process based on its available resources to ensure that information in the database related to the final action taken on a case is complete and accurate. This recommendation could be implemented in conjunction with recommendation 2.4 in Finding 2 (see page 30). • 6. Department should provide a clear disclosure on its Web site that its listing of enforcement actions is not complete—The Department’s Web site provides the public access to listings of some of the enforcement actions taken against licensees, such as suspensions and cease-and-desist orders. Although the Department is required to make some of its enforcement actions available for public inspection, such as cease-and-desist orders regarding unlicensed activity, statute does not require it to publish this information on its Web site. However, the Department’s practice of publishing some of the names of businesses that have breached regulations is considered a best practice.1 Yet, the Web site does not include a full disclosure to the public that the enforcement actions included on its Web site are not complete. Therefore, the Department should include a public disclosure on its Web site that its listings of enforcement actions are not complete. The extent to which the Department has been able to investigate and resolve complaints that are within its jurisdiction. The Department is authorized to conduct investigations into complaints against licensees, as well as unlicensed entities that may be engaging in activities that require licensure. 
Should the Department identify statutory violations, it also has various disciplinary options at its disposal, including the ability to issue cease-and-desist orders, impose civil monetary penalties, and suspend/revoke licenses. However, as discussed in Finding 2 (see pages 21 through 30), the Department inadequately investigated some complaints, resolved some complaints in an untimely manner, and failed to accurately and completely document some investigative information in its database.

1 National State Auditors Association. (2004). Best practices in carrying out a state regulatory program: A National State Auditors Association best practices document. Lexington, KY: Author.

7. The extent to which the Attorney General or any other applicable agency of state government has the authority to prosecute actions under the enabling legislation.

The Arizona Attorney General is the Department’s attorney according to A.R.S. §41-192, and as such, has authority to prosecute actions under the Department’s enabling legislation. The Attorney General also acts as the Department’s representative at administrative hearings conducted for granting, denying, or suspending licenses; or administering disciplinary actions against licensees. To help ensure the Department’s legal needs are met, it has established an Interagency Service Agreement with the Attorney General, which provides department funding for five positions within the Attorney General’s Office. Specifically, under this agreement, the Department funds two full-time attorneys, two legal assistants, and one legal secretary to assist with the Department’s legal matters such as providing representation at informal settlement conferences and administrative hearings.
Between July 1, 2012 and March 31, 2013, the Attorney General’s Office assisted with 81 department cases, and helped generate more than $1 million in civil monetary penalties on behalf of the Department from settlements and administrative actions taken against licensees.

8. The extent to which the Department has addressed deficiencies in its enabling statutes that prevent it from fulfilling its statutory mandate.

According to the Department, it has worked closely with the regulated industry and the Legislature on legislation impacting the state’s financial institutions and enterprises since 2008. These efforts include the following:

• Laws 2008, Ch. 310—This legislation established A.R.S. §6-991 et seq, which regulates loan originators. A.R.S. §6-991.03 requires loan originators to obtain a license from the Department beginning January 1, 2010. In addition, A.R.S. §6-991.07 requires the Department to administer a qualifying test to a loan originator applicant, which the applicant must pass before the Department can issue a license. These statutory changes were made in response to the then-pending federal Secure and Fair Enforcement for Mortgage Licensing Act, which was enacted on July 30, 2008. This federal legislation required state licensing of all residential loan originators as a means of increasing accountability and consumer protections over loan originators.

• Laws 2010, Ch. 263, §4—This legislation amended A.R.S. §6-510 to require credit unions to notify the Department at least 30 days before an automated teller machine (ATM) is established at locations other than its place of business. Prior to this change, credit unions were required to seek department approval to establish an ATM. According to department management, this statutory revision allowed the Department to continue monitoring credit union ATMs while reducing the burden of submitting a formal request for the establishment of an ATM.

• Laws 2012, Ch. 36—This legislation amended A.R.S. §6-991.05 to require the superintendent to deny a license application or suspend or revoke a loan originator’s license if the applicant or licensee has been convicted or pled guilty to a misdemeanor if it involved an act of fraud, dishonesty, or breach of trust or money laundering at any time preceding the date of application. Additionally, the superintendent is required to deny a loan originator’s license application or suspend or revoke the license if the superintendent finds that the applicant has been convicted or pled guilty to a felony in the 7-year period immediately preceding the date of the application or at any time preceding the date of the application if the felony involved an act of fraud, dishonesty, or a breach of trust or money laundering.

9. The extent to which changes are necessary in the laws of the Department to adequately comply with the factors listed in the sunset law.

This performance audit did not identify any needed changes to the Department’s statutes.

10. The extent to which the termination of the Department would significantly affect the public health, safety, or welfare.

Terminating the Department would have a detrimental effect on the public’s safety and welfare. The Department regulates financial institutions and enterprises, including banks, credit unions, mortgage and consumer lenders, and money transmitters (see Table 1, page 2, for a listing of all the regulated entities). Some of the industries the Department regulates offer services that impact low-income residents. For example, title lenders are statutorily allowed to charge up to 204 percent annual interest on loans collateralized by the titles of consumers’ automobiles.
According to the Center for Responsible Lending, car title loans share many of payday loans’ predatory lending features, including triple-digit interest rates.1

If the Department were eliminated, financial institutions such as state-chartered banks and credit unions would continue to receive federal oversight from federal agencies such as the Federal Deposit Insurance Corporation and National Credit Union Administration, as required under federal law.2 However, some financial enterprises, such as escrow agents and money transmitters, would not receive regular oversight from other jurisdictions. The Consumer Financial Protection Bureau (CFPB), a federal agency, provides some regulation, including examination, over enterprises such as mortgage lenders and servicers, debt collectors, and short-term, small-dollar lenders. However, as of May 2013, the CFPB reported having completed only 3 examinations of the Department’s 8,049 licensed financial enterprises, according to the Department.

11. The extent to which the level of regulation exercised by the Department compares to other states and is appropriate and whether less or more stringent levels of regulation would be appropriate.

The audit found that the level of regulation the Department exercises is generally similar to that in other states and appears appropriate. Auditors reviewed the Web sites of similar regulatory agencies in eight states to determine if each state licensed and examined the same financial institutions and enterprises as the Department. Auditors’ review found that the Department’s level of regulation is somewhat more extensive and encompasses more industries than the eight reviewed states.3 Table 7 (see page 52), lists all the financial institutions and enterprises the Department licenses and examines, and illustrates the differences in the eight reviewed states.
However, auditors found that when an industry was regulated in the reviewed states, the form of regulation was similar to that of the Department. Specifically:

1 Fox, J.A., Feltner, T., Davis, D., & King, U. (2013). Driven to disaster: Car-title lending and its impact on consumers. Durham, NC: Center for Responsible Lending.
2 12 USC 1820(d) and 12 USC 1784(a)
3 The review included California, Colorado, Kansas, Nevada, New Mexico, Oklahoma, Texas, and Utah.

Table 7: Comparison of eight states’ licensing and examination requirements to license types regulated by the Department1
As of May 2013

License type: Bank; Credit union; Trust company/division; Advanced fee loan broker; Collection agency; Mortgage banker (commercial and noncommercial); Mortgage broker (commercial and noncommercial); Consumer lender; Debt management company; Escrow agency; Loan originator; Money transmitter; Motor vehicle dealer; Premium finance company; Pre-need funeral trust; Sales finance company

States with a licensing requirement 8 8 8 0 5 States with an examination requirement 8 8 8 0 2 6 6 8 8 6 5 8 8 8 5 7 7 8 8 4 5 6 7 5 3 5 4

1 The eight states compared were California, Colorado, Kansas, Nevada, New Mexico, Oklahoma, Texas, and Utah.
Source: Auditor General staff analysis of licensing and examination requirements in eight states.

• Licensing—All eight states required licensing of most of the same industries the Department licenses. Auditors found small differences in the types of industries that were not licensed. For example, in Colorado, there is no licensing requirement for advanced fee loan brokers. The Department licenses and examines advanced fee loan brokers, which are defined by A.R.S. §6-1301(2) as any person who, for an advance fee or in the expectation of an advance fee, either directly or indirectly makes or procures or attempts to make or procure a loan of money or extension of credit. This practice is specifically prohibited in Colorado.
• Examination—All eight states offered some level of examination for most of the industries they license. For example, all states surveyed have an examination requirement for banks and credit unions. In addition, all states examine mortgage brokers and consumer lenders, and most states examine loan originators and money transmitters.

The audit did not identify areas where less or more stringent levels of regulation would be appropriate.

12. The extent to which the Department has used private contractors in the performance of its duties as compared to other states and how more effective use of private contractors could be accomplished.

The Department uses private contractors in the performance of its duties. For example, between July 1, 2009 and June 30, 2012, the Department contracted with financial investigators to assist with examinations and investigations. Expenditures for these contracts exceeded $2 million during this time. On November 1, 2012, the Department awarded contracts to ten vendors to assist in the examination or investigation of entities licensed by the Department. According to the Department, these contractors will be used to augment examination staff for both financial institution and financial enterprise examinations, reducing the need for the Department to hire additional full-time examiners. In addition, the Department hires temporary workers to augment licensing staff to assist in the processing of licensing applications during peak times of the year. Specifically, the Department spent almost $40,000 on temporary staff between July 1, 2010 and June 30, 2012.

Auditors contacted representatives from eight agencies in three western states to compare their use of contracts to the Department’s use and to determine if the Department could expand its use of private contractors.1 Auditors did not identify any areas where the Department should consider using additional private contractors.
However, some states used contracts similar to the Department. For example, the Colorado Division of Insurance contracts with private examiners to help conduct examinations that occur outside of the state.

Finally, auditors reviewed a department information technology (IT) system contract and determined that the Department should improve its administration of future IT system contracts. In June 2009, the Department and the Government Information Technology Agency (GITA) entered into a contract with NICUSA, Inc. to procure CAVU Corporation’s (CAVU) electronic licensing system.2,3 According to department management, their existing database is outdated and unsupported. The CAVU system was anticipated to benefit the agency because it would interface with the Nationwide Mortgage Licensing System (NMLS) and eliminate the need for department personnel to re-enter duplicate information from the NMLS regarding licensed loan originators into the Department’s database. In addition, the CAVU system was anticipated to allow department licensees to process their license applications and renewal applications online rather than through a paper-based application, resulting in cost savings. The Department completed a Project Investment Justification (PIJ—see textbox), which indicated the following:

• The Department had the highest technical competency needed to implement the project, and no additional costs were anticipated to deliver benefits;

• Management had already documented core business processes, all data conversion and data entry tasks needed for implementation had been defined, and data flows were well understood and documented; and

• All existing technology was compatible with the proposed system.

Project Investment Justification—The PIJ document provides the agency a standardized method to report new or enhanced IT projects and investments. The document is structured to report meaningful business and technical requirements, value to the public, costs, scope, risks and information on the agency’s management and technical skills.
Source: Information from ASET’s Web site as of June 24, 2013.

1 These states were Colorado, Nevada, and New Mexico.
2 In April 2010, CAVU Corporation was acquired by Iron Data.
3 As of 2011, GITA merged with two other large technology groups and is now known as the Arizona Strategic Enterprise Technology (ASET) Office, which is part of the Arizona Department of Administration.

In addition, the original contract required the Department to pay the full cost of implementing the electronic licensing system before work commenced. The cost totaled $251,000, which the Department paid in June 2009. The original contract included an estimated implementation time frame of 6 months. However, according to the Department, the implementation was delayed when department management determined that internal business processes were not well documented, data conversion tasks were not well understood, and its existing system lacked proper compatibility with the proposed system in contrast to what was stated in the PIJ. Consequently, the Department entered into an Interagency Service Agreement with GITA in June 2011, costing the Department $100,000 for various services including vendor management, system requirements development, and project management. In November 2011, a revised statement of work was created that more clearly defined vendor and agency responsibilities and established an estimated implementation time frame of 6 months. Yet, according to department management, the concerns surrounding data conversion and business documentation processes persisted, and the contracting parties were unable to implement the electronic licensing system.
Department management, in consultation with ASET, has since determined it would be most advantageous to pursue alternatives to the CAVU software and as of July 2013, is in the process of developing a new request for proposal to procure a different system. In doing so, the Department should work with the State Procurement Office and ASET to ensure that future contracts to procure IT systems protect the State’s financial resources. For example:

• The Department should ensure that future PIJs include adequate assessments of the new systems’ suitability for the Department’s needs, including compatibility with the Department’s present database, to ensure data conversion is successful and that system requirements are clearly defined within the scope of work.

• In addition, the Department should develop and implement a formal system development lifecycle (SDLC) methodology. An effective SDLC is important to help better ensure the success of project implementation. An SDLC is a conceptual model used in project management that describes the stages involved in an information system development project, from an initial feasibility study through maintenance of the completed application. In general, an SDLC methodology provides for a number of steps encompassing system planning, analysis, selection, design, testing, implementation, and maintenance. It helps ensure that the right people are involved in designing and selecting the system, and that the system meets the business needs of the organization implementing it.

• The Department should ensure future IT procurement contracts include provisions for phased payments rather than lump-sum payments prior to work commencing. In addition, the Department should closely monitor contractor performance and progress toward meeting milestones to ensure projects progress according to agreed-upon contract terms.
APPENDIX A

Fund descriptions

Table 8: Fund revenues and expenditures1
Fiscal year 2013
(Unaudited)

Fund name and description: State General Fund—This fund accounts for the State General Fund monies appropriated to the Department and is the depositing fund for all receipts that are statutorily required to be remitted to the State General Fund.
Revenues: Unless specifically excluded in other statutes, all fees, charges, and assessments received by the Department pursuant to A.R.S. §§35-146 and 147 must be remitted to the State General Fund. In fiscal year 2013, the Department collected and remitted approximately $4.8 million to the State General Fund.
Expenditures: The Department receives an annual appropriation from the State General Fund to pay for any expenditures not paid through statutorily established department receipts; therefore, it can spend only up to the amount appropriated. During fiscal year 2013, the Department spent nearly $3 million in State General Fund monies.

Fund name and description: Financial Services Fund—Established by A.R.S. §6-991.21, this fund is allowed to pay for the supervision and regulation of loan originators.
Revenues: The Department collects a loan originator fee that is deposited into this fund. In fiscal year 2013, nearly $2.1 million in fees was collected.
Expenditures: The Department is permitted to pay for the supervision and regulation of loan originators from this fund. During fiscal year 2013, the Department spent approximately $758,000, with approximately 71 percent used for personal services and employee-related expenditures and 13 percent used to acquire professional and outside services. During fiscal year 2012, the Department also transferred approximately $1 million from this fund to the State General Fund as required by Laws 2011, Ch. 24, §§ 108, 129, and 138, to provide adequate support and maintenance for other state agencies.

Fund name and description: Mortgage Recovery Fund—This fund was established by A.R.S. §6-991.09 to benefit any person aggrieved by any act, representation, transaction, or conduct of a licensed loan originator that violates applicable laws or rules.
Revenues: A.R.S. §6-991.03 establishes the collection of a payment into this fund if a licensee does not establish a bond to meet the statutory requirements. The Department is required to establish the fee amount to support a minimum $2 million fund balance. In fiscal year 2013, the Department collected nearly $387,000 in fees and interest.
Expenditures: The Department is permitted to use monies in this fund to pay for a loss that is a direct out-of-pocket loss to an aggrieved person arising out of a mortgage transaction, including reasonable attorney fees and court costs. The fund's liability is capped at $250,000 for each transaction and $500,000 for each license. The Department can also use up to $50,000 annually to pay for public awareness of the fund. No expenditures from this fund were recorded in fiscal year 2013.

Fund Balance June 30, 2013: $ 1,280,283 3,917,665

Fund name and description: Banking Revolving Fund—Established by A.R.S. §6-135, this fund can be used to pay for the Department's and Attorney General's investigative proceedings or for purposes of instituting and prosecuting civil actions pursuant to the applicable statutes.
Revenue sources: The Department is required to deposit into this fund any investigative costs, attorney fees, or civil penalties recovered for the State by the Attorney General or the Department as a result of actions brought pursuant to the applicable statutes, whether by final judgment, settlement, or otherwise. In fiscal year 2013, the Department deposited approximately $2.2 million into this fund.
Fund uses: The Department is permitted to use monies in this fund to pay for investigative proceedings. During fiscal year 2013, the Department spent nearly $627,000, with approximately 85 percent used to acquire professional and outside services. In addition, the Department is required to transfer any unencumbered monies in excess of $200,000 into the Department's Receivership Fund. Consequently, the Department transferred approximately $239,000 from this fund to the Department's Receivership Fund during fiscal year 2013.

Fund name and description: Receivership Fund—Established by A.R.S. §6-135.01, this fund can be used to pay any costs incurred by the Department arising out of the administration of a receivership in which the Department is the receiver.
Revenue sources: The Department is required to deposit monies awarded and received as fees and costs in receiverships in which the Department was the receiver and any monies transferred from the Banking Revolving Fund. During fiscal year 2013, approximately $380,000 of receivership monies were deposited into this fund and approximately $239,000 was transferred from the Banking Revolving Fund.
Fund uses: The Department is permitted to use monies in this fund to pay for receivership administration. During fiscal year 2013, the Department spent approximately $1 million, primarily to acquire professional and outside services.

Fund name and description: Intergovernmental Agreement Fund—As permitted by A.R.S. §35-142(E), the Department established this fund to account for expenditures and related reimbursements from the Attorney General's Office for the Department's examination of money-transmitting organizations related to criminal cases in cooperation with the Attorney General's Office.
Revenue sources: The Department receives reimbursements from the Attorney General's Office for its examination of money-transmitting organizations to provide information leading to the criminal conviction of fraudulent organizations. During fiscal year 2013, the Department received approximately $77,000 in reimbursements.
Fund uses: The Department expends monies for its examination of money-transmitting organizations in cooperation with the Attorney General's Office. During fiscal year 2013, the Department spent approximately $76,000 on these examinations.

Fund Balance June 30, 2013: 1,539 37,587 1,667,707

1 The table does not include the Arizona Escrow Recovery Fund because it was repealed by Laws 2011, Ch. 51, and the remaining funds were transferred to the State General Fund.
Source: Auditor General staff analysis of the FY 2013 Baseline Book, Arizona Revised Statutes pertaining to the Department’s funds, AFIS Accounting Event Transaction File for fiscal year 2012, and the AFIS Management Information System Status of General Ledger-Trial Balance screen for fiscal year 2013.

APPENDIX B

This appendix provides information on the methods auditors used to meet the audit objectives.

This performance audit was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Methodology

Auditors used various methods to study the issues in this report. These methods included reviewing statutes, administrative rules, policies and procedures, department records, and best practice studies related to complaint handling, risk-based examinations, and other regulatory practices; interviewing department staff and management and soliciting input from stakeholders; and reviewing information from the Department’s Web site and information system.
In addition, auditors used the following specific methods to meet their audit objectives:

• To determine if the Department’s financial enterprise examination processes adequately adhered to statutorily required examination frequencies and effectively targeted the highest-risk financial enterprises, auditors reviewed enterprise examination written policies to gain an understanding of the enterprise examination processes; evaluated examination data to determine if it could be used to draw valid descriptive information, such as number and type of examinations completed, as well as risk ratings assigned, and determined the data to be valid for auditors’ use; analyzed enterprise examination data to determine compliance rates and other descriptive information about the Department’s enterprise examination practices; and reviewed a random sample of 35 examinations out of 3,671 completed between fiscal years 2006 and 2013 to both validate examinations data and gain an understanding of the Department’s examination procedures, follow-up processes, and the methods for assessing licensee risk.1 Auditors also reviewed the National State Auditors Association (NSAA) Best Practices in Carrying Out a State Regulatory Program, the United States Consumer Financial Protection Bureau’s Supervision and Examination Manual and FY 2013-2017 Strategic Plan, and the New South Wales, Australia, Better Regulation Office’s Risk-Based Compliance study.2,3,4

• To determine whether the Department appropriately resolved complaints in a timely manner, auditors reviewed a random sample of 25 complaints out of 2,158 that were closed between July 1, 2009 and October 10, 2012.
Auditors also analyzed data from the Department’s complaint database to determine if it could be used to draw valid descriptive information, such as the number of complaints received and resolved and the type of licenses receiving complaints, and determined the data to be valid for auditors’ use.

1 The random sample included 30 examinations for licensees that were active as of October 10, 2012, and 5 examinations for licensees that were no longer active as of October 10, 2012.
2 National State Auditors Association. (2004). Best practices in carrying out a state regulatory program: A National State Auditors Association best practices document. Lexington, KY: Author.
3 Consumer Financial Protection Bureau. (2012). CFPB supervision and examination manual (Version 2). Washington, DC: Author.
4 Better Regulation Office, New South Wales. (2008). Risk-based compliance. Sydney, NSW: Author.

The Auditor General and staff express appreciation to the Arizona Department of Financial Institutions (Department), Superintendent, and staff for their cooperation and assistance throughout the audit.
In addition, auditors assessed the Department’s timeliness in resolving the 2,143 complaints that were closed between January 1, 2010 and October 10, 2012, and 219 complaints that were open as of October 10, 2012.1 Finally, auditors reviewed the United States Government Accountability Office’s Standards for Internal Control in the Federal Government.2

• To assess the appropriateness of the Department’s fees and fee structure, auditors reviewed applicable Arizona Financial Information System (AFIS) data from fiscal years 2003 through 2013, a 2012 study with recommendations completed by the Arizona State Agency Fee Commission, and three reports on best practices for fee setting in government agencies.3,4,5,6

• To obtain information for the Introduction section of the report, auditors compiled and analyzed unaudited information from the AFIS Accounting Event Transaction File for fiscal years 2010 through 2013, and the AFIS Management Information System Status of General Ledger-Trial Balance screen for fiscal years 2010 through 2013. In addition, auditors reviewed the Department’s organizational chart, reviewed professional associations’ Web sites, and reviewed department data regarding the number of licenses by license type.

• To obtain information used in the sunset factors, auditors reviewed two professional organizations’ Web sites that provided information regarding the regulation of financial institutions for most states as of June 2013.
Additionally, to compare the Department’s level of regulation over licensed entities, auditors reviewed Web sites for similar regulatory agencies of eight states to determine whether these states licensed and examined the same industries as the Department.7 To determine whether the Department issues licenses to qualified applicants in a timely manner, auditors obtained, validated, and analyzed licensing data and found the data to be valid for audit use; reviewed a sample of five license applications representing five different license types, including a debt management company, collection agency, money transmitter, motor vehicle dealer, and escrow agent, which were issued between fiscal years 2008 and 2012; and observed the licensing process.8,9 To gain an understanding of the types of enforcement actions the Department takes, auditors reviewed the NSAA Best Practices in Carrying Out a State Regulatory Program and reviewed a judgmental sample of five cases for which the Department took enforcement actions between July 2002 and July 2012. Auditors also evaluated the Department’s enforcement data to determine if it could be used to draw valid descriptive information, such as number of enforcement actions of a specific type generated in a year, but found that the data was not structured in such a way that would lend to a reliable assessment. Auditors also contacted staff from agencies that regulate financial institutions and enterprises in three states to obtain information about their use of private contractors.1 Auditors also reviewed contract expenditures found in AFIS for fiscal years 2010 through 2012 and related contracts retrieved from the Arizona Department of Administration, including a recent contract for a new e-licensing system originally entered into in fiscal year 2009.

1 Auditors found that although information in the Department’s database indicated that 2,158 complaints were investigated and closed between January 1, 2010 and October 10, 2012, 15 of these complaints contained errors in key date fields that prohibited auditors from assessing the timeliness of complaint handling and were therefore excluded from auditors’ analysis of closed cases.
2 United States General Accounting Office. (1999). Standards for internal control in the federal government (GAO/AIMD-00-21.3.1). Washington, DC: Author.
3 Arizona State Agency Fee Commission. (2012). Arizona State Agency Fee Commission report. Phoenix, AZ: Author.
4 Joint Legislative Committee on Performance Evaluation and Expenditure Review. (2002). State agency fees: FY 2001 collections and potential new fee revenues. Jackson, MS: Author.
5 U.S. General Accountability Office. (2008). Federal User Fees: A design guide (GAO-08-386SP). Washington, DC: Author.
6 U.S. Office of Management and Budget. (2004). OMB Circular A-87. Washington, DC: Author.
7 The states were California, Colorado, Kansas, Nevada, New Mexico, Oklahoma, Texas, and Utah.
8 Auditors selected five different license types to ensure that the Department’s procedures followed statutory licensing requirements regardless of license type.
9 Auditors’ review of licensing data for applications received between January 1, 2008 and October 10, 2012, revealed that almost 12 percent had been deleted from the system, which places the licensing data and licensing counts at risk for being incomplete. According to the Department, records are deleted because the database allows for duplicate records to be created for the same licensee, and the Department deletes duplicate records when they are identified. Auditors determined that although the number of missing license numbers is significant, the impact to the auditors’ conclusions related to the licensing data is immaterial.
Finally, to determine if the Department was able to produce a complete and accurate listing of cease-and-desist orders, auditors compared a department listing of all cease-and-desist orders issued between January 1, 2011 and January 3, 2013, to information in the Department’s database.

• Auditors’ work on internal controls included reviewing the Department’s policies and procedures for examination, complaint handling, and other policies, as well as reviewing tools the Department uses to ensure licensing applications are complete and that all examination steps are followed. Auditors also reviewed the Office of the Auditor General’s July 2013 procedural review of the Department’s internal controls related to cash receipts, cash disbursements, payroll, journal entries, transfers, and capital assets.[2] In addition, as mentioned above, auditors conducted data validation work to assess the reliability of the Department’s examination, complaints, licensing, and enforcement data. Through this validation work, auditors found that the Department’s examination, complaints, and licensing data were valid and reliable to produce descriptive information and draw audit conclusions, but that enforcement data was limited in its ability to produce accurate and reliable results. Auditors’ conclusions on these internal controls are reported in Findings 1 and 2, as well as throughout the Sunset Factors.

[1] The states were Colorado, Nevada, and New Mexico.
[2] Procedural review of the Arizona Department of Financial Institutions as of February 28, 2013, issued July 17, 2013.
AGENCY RESPONSE