Best Practices

NAFSA has developed these Best Practices for use of all NAFSA Members in their businesses to help ensure consumer protection, quality service, and positive customer and industry interactions during the life of the loan.  These Best Practices apply to all stages of the loan, including marketing, origination, servicing, collecting, and ongoing data privacy. NAFSA Members should ensure that their lenders, affiliates, and third-party service providers and vendors adhere to the Best Practices.  

In order to maintain membership with NAFSA, a Member should comply with these Best Practices.  


The following Lending Best Practices outline the requirements NAFSA members should follow when creating and servicing consumer products. Because of these Best Practices, consumers can trust NAFSA members to honor their rights, protect their privacy, treat them fairly and constantly strive to offer them innovative alternative financial products. A tribal financial service company should:

  • Operate as a legitimate tribal business that is owned and operated by, and benefits, a federally-recognized sovereign nation.
  • Ensure all consumers are afforded the same protections by following the principles detailed in federal financial services laws to the extent that they are applicable and honor tribal sovereignty. Laws to be used as guidance are:
    • Truth in Lending Act: United States federal law aimed at promoting the informed use of consumer credit by requiring standardized terms and cost disclosure and other regulations that emphasize and protect consumer rights.
    • Military Lending Act: United States federal law that limits the way short-term loans, vehicle title loans, and refund anticipation loans can be offered to military personnel and their families.
    • Equal Credit Opportunity Act: United States federal law that makes it unlawful for any creditor to discriminate against any applicant, with respect to any aspect of a credit transaction, on the basis of race, color, religion, national origin, sex, marital status, or age (provided the applicant has the capacity to contract); on the basis that all or part of the applicant’s income derives from a public assistance program; or on the basis that the applicant has in good faith exercised any right under the Consumer Credit Protection Act.
    • Fair and Accurate Credit Transactions Act of 2003: United States federal law requiring the secure disposal of consumer information. Additionally, it allows consumers to request and obtain a free credit report once every 12 months and includes other provisions to protect against identity theft.
    • Fair Debt Collection Practices Act: United States federal law with the goal of eliminating unfair, deceptive, and abusive debt collection. The Act created guidelines for debt collectors and specifies the rights of consumers repaying debt.
    • Electronic Fund Transfer Act: United States federal law that established the rights and liabilities of consumers and the responsibilities of all parties in electronic funds transfer activities.
    • Gramm-Leach-Bliley Act: United States federal law that includes the Financial Privacy Rule, governing the collection and disclosure of consumers’ personal financial information, and the Safeguards Rule, which requires all financial institutions to maintain safeguards to protect consumer information.
    • Federal Trade Commission Act: United States federal law that promotes consumer protection and the elimination and prevention of what regulators perceive to be anti-competitive business practices.
    • Telephone Consumer Protection Act: United States federal law that sets parameters by which companies may solicit consumers over the telephone through hours restrictions, “do not call” lists, and limitations on voice recordings.
    • Bank Secrecy Act/Anti-Money Laundering: United States federal law that creates a set of internal controls to protect financial institutions against money laundering and criminal activity.
    • Fair Credit Reporting Act: United States federal law that promotes accuracy, fairness, and privacy of information in consumer credit reporting.
    • CAN-SPAM: United States federal law that sets parameters for commercial emails by limiting false and misleading headers, deceptive subject lines, and requiring an opt-out process.
  • Demonstrate the positive economic development impact tribal financial service providers can have on sovereign nations through social giving, education, employment and increased opportunity, both on and off reservation lands.
  • Promote financial literacy tools and resources for consumers when possible.
  • Constantly work with consumer advocates to provide the highest quality product to the American public.
  • Always treat consumers with respect. Never garnish wages or engage in abusive collection practices.


Advertising and Marketing Best Practices

NAFSA’s goal is to enhance the consumer experience and promote the industry’s reputation by establishing cohesive standards that ensure quality services, advertising, and marketing. The Advertising & Marketing Best Practices are intended to provide Members, their Affiliates and any third party advertising a Member’s products or generating leads for a Member with guidance regarding basic legal and ethical requirements for the promotion of lending products.

It is NAFSA’s position that illegal, deceptive, or misleading communications negatively impact the industry as a whole and the customer experience.

By following these Best Practices we can ensure each Customer has the tools and information to make the decision best for their personal needs.

Actually Available Credit

For any advertisement of consumer credit, including a short-term loan, the advertisement should be accurate and only offer credit terms that are actually available. For example, if a Lender only makes Loans up to a dollar value of $1,000, then neither it nor any Affiliate advertising on the Lender’s behalf can advertise Loans in dollar values in excess of that threshold. The Lender also should make accurate representations regarding any repayment options that may be available to the Consumer.

Lead Generators and other third-party entities that advertise Loans for multiple Lenders should also ensure that their advertisements describe Loan terms that are actually available from a participating Lender. [Again, if none of the Lenders working with a Lead Generator offer Loans in excess of $1,000, then that Lead Generator should not advertise that product.]

Additionally, advertisements should accurately inform consumers regarding when credit will become available. Typically, this means that advertisements should reflect that funding will be available to the consumer the “next day.” Representations regarding funding in “one hour” or “same day” should [typically] not be made since Lenders will not be able to provide access to funding that quickly.  Similarly, representations about funding should avoid words like “cash” and refer instead to “funding,” in order to more accurately state how customers will receive the proceeds of their loans.

Finally, if a Lender will engage in a credit check before offering credit, then the advertisement should state that the Lender will perform a credit check. It is acceptable to advertise that Loans are available for consumers with varying degrees of creditworthiness, provided that the Consumer is made aware that the Lender will conduct a credit check. Note that a credit check can be offered by any entity that is a credit reporting bureau as defined under the Fair Credit Reporting Act, which definition is not limited to the “big three” credit bureaus (TransUnion, Experian, and Equifax). Accordingly, advertisements should include a disclosure that Lenders will run credit checks via specialized credit bureaus. Advertisements should not include the phrase “No Credit Checks.”

Trigger Terms

To comply with the federal Truth in Lending Act, Lenders and their Affiliates must ensure that all advertisements contain all applicable disclosures. Thus, if an advertisement for a Loan contains a “trigger term,” then the advertisement also should contain certain required disclosures.

The trigger terms for closed-end loans under TILA are:

  • The amount or percentage of any down payment.
  • The number of payments or period of repayment.
  • The amount of any payment.
  • The amount of any finance charge.

Examples of trigger terms in advertisements include:

  • Borrow now for just $10 per $100!
  • Only [x]% interest!
  • Get money now, pay back over the next 12 weeks!

Any advertisement that includes a trigger term must provide the following disclosures:

  • The amount or percentage of the down payment.
  • The terms of repayment.
  • The annual percentage rate using that term.
  • If the rate may be increased after consummation, the fact of that increase must be disclosed.

Different trigger terms and disclosures apply for Loans structured as open-end loans. If a Lender offers open-end loans, then to comply with TILA it must provide the relevant disclosures in its advertisements for that product.

Loan Terms

NAFSA recommends that advertisements inform consumers about the terms of credit available.

Accordingly, the following topics should be addressed in all advertisements:

  • Implications of Late Payments. Consumers should be made aware that making late payments could result in late fees as well as collection activities. As such, advertisements for credit should contain the following, or substantially similar, disclaimer: “Late payments of loans may result in additional fees or collection activities, or both.”
  • Implications of Non‐Payment. Consumers also should be made aware that non-payment of a loan could result in collection activities. Accordingly, advertisements should provide the following, or a similar, warning: “Non-payment of credit could result in collection activities.”
  • Sustained Use. Consumers should be discouraged from sustained use of Loans, and advertisements should inform consumers that: “Loans should be used for short-term financial needs only, not as a long-term financial solution. Individuals with credit difficulties should seek credit counseling.”
  • Compliance with Applicable Law. Each advertisement should assure consumers that NAFSA Members comply with all applicable federal law to qualify for Membership in NAFSA.

Telemarketing Compliance

Federal and state law regulates the actions of telemarketers. As such, NAFSA Members should comply with applicable provisions of the Telephone Consumer Protection Act (“TCPA”), Federal Communications Commission rules implementing the TCPA, the Federal Trade Commission’s Telemarketing Sales Rule, and other federal and state laws governing telemarketing. Without limiting the foregoing compliance requirement, Members who are telemarketers should:

  • Abide by applicable federal and state rules requiring the use of federal, state, and in-house “Do Not Call” lists;
  • Only solicit between the hours of 8 a.m. and 9 p.m., consumer’s local time (or as otherwise specified under more restrictive state law);
  • Provide their name, the name of the person or entity on whose behalf the call is being made, and a telephone number or address at which that person or entity may be contacted;
  • Not make solicitation calls to residences with artificial voices or recordings except as permitted by law;
  • Abide by Federal Communications Commission rules for calling cell phones;
  • Not send any unsolicited faxes;
  • Not set up remotely created payment options with customers via telephone call; and
  • Comply with other requirements as specified by applicable law.

Internet/E-Mail Marketing

All marketing e-mails sent by an Advertiser should be fully compliant with the CAN-SPAM Act of 2003, Federal Trade Commission and Federal Communications Commission rules implementing CAN-SPAM, and applicable state laws. Although the federal CAN-SPAM Act preempts many aspects of state anti-spam laws, it does not generally preempt state laws that prohibit fraud or deception in email marketing practices.

All “commercial” messages sent by an Advertiser are subject to CAN-SPAM. CAN-SPAM defines a “commercial” email to include any message that has the primary purpose of advertising or promoting a commercial product or service, including content on an Internet web site operated for a commercial purpose.

There is no exemption for commercial messages sent to persons with whom the sender of the message has an existing business relationship. Members should consult legal counsel if they are unsure about whether a particular type of email message is subject to CAN-SPAM requirements.

CAN-SPAM compliance requirements are as follows:

  • Do not use false headers. “Header” information includes source code, destination code, routing information and other information related to the transmission of the message.
  • Do not use a deceptive or misleading “from” line.
  • Include a relevant, non-misleading “subject” line that accurately describes the contents of the message.
  • Include a postal address for the “sender” of the message. “Sender” refers to the party whose products or services are promoted in the message.
  • Include a visible and functional “unsubscribe” mechanism that allows the recipient to request not to receive future commercial messages from the “sender” of the message.
  • Honor all opt-out requests within 10 days of receipt.
  • Prior to sending an email campaign, “scrub” the distribution list against any list(s) of individuals who previously requested not to receive commercial messages from the “sender.”
  • Advertiser opt-out lists may be used only for CAN-SPAM compliance purposes and may not be shared with or transferred to any third party for any purpose.
  • Advertisers are responsible for ensuring that their own practices as well as the practices of their Lead Generators, and other third parties, are in compliance with the CAN-SPAM requirements, which includes the proper use and management of opt-out lists.
  • All advertisements made on the Internet must provide for a phone number and physical address for the person responsible for the advertisement (the Website owner).

Publication of Terms and Conditions

Members who engage in advertising and/or marketing, or who use Affiliates to advertise or market on their behalf, should post on their websites clear and conspicuous terms and conditions that describe the services provided by the Member. No text, graphics, or other marketing materials used by the Affiliate should contradict any aspect of the terms and conditions. An Affiliate who is NOT also a Lender should also conspicuously state that:

  • It does not actually provide short-term loans but refers Consumers to Lenders who may provide such loans.
  • It will share Application information provided by the Consumer with one or more Lenders.
  • It cannot guarantee that it will match a Consumer with a Lender, or that the Consumer’s Application will be approved by a Lender.
  • It cannot guarantee the amount of funds that may be extended to the Consumer if any Lender approves the Consumer’s Application.
  • The Lender may perform a credit check. Consumers should be informed that Lenders may perform a credit check or otherwise verify the Consumer’s social security number or other information.

Loan Application, Agreement, and Origination Best Practices

Loan Application & Agreement

Members will ensure that they do not make credit decisions based on sex, race, color, national origin, religion, marital status, age, or the fact that an applicant received public assistance or the fact that the applicant has exercised any right under the Consumer Credit Protection Act. The loan application must be consistent with this practice.

Members must clearly and accurately disclose loan terms in conformance with the Truth in Lending Act. For closed-end loans, these disclosures include the Annual Percentage Rate, finance charges imposed, the amount financed, the total number of payments, and the date and amount of each payment. These disclosures must be segregated from the rest of the agreement in a “TILA Box.” Members must also disclose any security interest the Lender takes from a consumer in relation to their loan, prepayment penalties (if any), and any additional fees or charges that may be incurred such as late fees.

Members must also ensure that they receive adequate authorization for any electronic funds transfers requested to or from a consumer. These authorizations should be obtained in conformance with the Electronic Funds Transfer Act and the NACHA guidelines. For one-time debits, a notice in the loan agreement about the debit amount and date of withdrawal is sufficient. Recurring debits require an authorization in writing and signed or similarly authenticated by the consumer that meets the following criteria:

  • Authorization can be electronic;
  • Authorization must be retained and a copy provided to borrower when requested;
  • Authorization must include the five essential elements defined by NACHA rules; and
  • Authorization must include:
    • A statement on consumer and Lender liability for unauthorized transfers;
    • A statement explaining the Lender’s error resolution process;
    • The telephone number and address for reporting unauthorized transfers;
    • A description of business days;
    • Any fees charged for ACH transfers;
    • The consumer’s right to receive documentation;
    • The consumer’s right to stop payment;
    • A statement regarding when the Lender will provide a notice of varying amounts;
    • A confidentiality statement; and
    • A statement that the consumer is not required to agree to recurring ACH debits for repayment.

Members must also determine whether credit is offered or extended to a covered borrower subject to the Military Lending Act by assessing borrower status via the Department of Defense’s MLA website or from a national credit reporting agency.

Any authorizations for communication via phone calls, text messages, or e-mails must be compliant with the Telephone Consumer Protection Act and CAN-SPAM Act.  Consents for marketing or advertising calls or text messages must be unambiguously consented to by the consumer.

If the agreement is signed electronically, it must include the required E-Sign Act disclosures, including:

  • Consumer’s right to have the electronic agreement provided in non-electronic form;
  • The transaction that the electronic signature applies to;
  • The procedures the consumer must follow to withdraw consent; and
  • How the consumer may request a paper copy of the agreement and any fee imposed.

Privacy Notice

Members must ensure that all Lenders provide consumers with a privacy notice that conforms to the template privacy notices found in Regulation P.  If the Lender shares a consumer’s nonpublic private information with non-affiliated parties or with affiliates for marketing purposes, it must give the consumers the ability to opt out of this type of sharing. Lenders should post these notices on their website and provide annual notices to customers.

Adverse Action Notices

Members must ensure that Lenders provide adverse action notices that conform to the requirements of the Equal Credit Opportunity Act and the Fair Credit Reporting Act.  These notices must be provided to an applicant within 30 days of denying or otherwise taking adverse action on a loan application.

The adverse action notice must include, in writing:

  • A notice of adverse action and a statement of the specific reasons for the adverse action (or, a notice that the customer may request these specific reasons from the Lender);
  • The name and address of the Lender;
  • A statement of the provisions of Section 701(a) of the Equal Credit Opportunity Act; and
  • The name and address of the agency administering compliance for the Lender.

If the adverse action was taken based on a credit score or other information found in a credit report, the Lender must also provide the name and address of the credit reporting agency that it received its information from, and a statement that the consumer reporting agency did not make the decision to take adverse action and cannot provide the consumer with the specific reasons.

Dispute Resolution

Members must ensure that the Lender accurately discloses the availability and mechanism for consumer disputes set forth in tribal law to ensure the fair and orderly resolution of consumer disputes.

Payments Best Practices

Provision of Electronic Funds Transfers

Lenders should provide consumers an alternative to ACH debiting. These alternatives should be provided both when the customer is current and in collection stages. Such alternatives may include paper check, debit card, money order, or other means.  Any authorization for recurring ACH debits should include a statement that the customer is not required to agree to ACH debits in order to be approved for a loan.

All customers should have the right to rescind the loan so long as the customer returns the funds within 24 hours of the rescission.

Lenders should not use RCCs and RCPOs in their normal course of business unless formally requested and proper consumer authorization has been secured.

Electronic Funds Transfer Authorizations

All authorizations for recurring debits should be secured in accordance with NACHA rules, the Electronic Funds Transfer Act and Regulation E. This should include securing authorization for recurring debits in writing and signed or similarly authenticated by the consumer:

  • Authorization can be electronic;
  • Authorization must be retained and a copy provided to borrower when requested;
  • Authorization must include the five essential elements defined by NACHA rules; and
  • Authorization must include:
    • A statement on consumer and Lender liability for unauthorized transfers;
    • A statement explaining the Lender’s error resolution process;
    • The telephone number and address for reporting unauthorized transfers;
    • A description of business days;
    • Any fees charged for ACH transfers;
    • The consumer’s right to receive documentation;
    • The consumer’s right to stop payment;
    • A statement regarding when the Lender will provide a notice of varying amounts;
    • A confidentiality statement; and
    • A statement that the consumer is not required to agree to recurring ACH debits for repayment.

Lenders should not ACH debit a consumer unless they have a valid authorization with the proper ABA and account information. Lenders should not use new bank account information on the consumer that the merchant sourced from the marketplace; in other words, Lenders should only debit consumers for the account listed on the valid authorization.

Payment Processing

Payment should be processed in accordance with the terms agreed to in the loan agreement.

Lenders, processors and their agents should develop and maintain timely postings of returns information.

Lenders should follow all NACHA presentment rules – one original presentment plus only two re-presentments.

Lenders should not process multiple ACH debit attempts to an individual loan on the same effective date (No ACH Split Payments) unless expressly authorized by (expressly requested by) the customer.

Lenders should charge only one NSF fee per item.

Lenders should transfer PII data using TPS and TPP security protocols to ensure no inappropriate passing of data.

All parties should comply with the new NACHA Rule 2.3.4, which requires the ODFI to ensure that originators and third-party senders do not share account/routing numbers for the purpose of initiating debit entries that are not covered by the original authorization.

Lenders should provide their payment processors and the sponsoring ODFI signed payment authorizations for all R10 and R29 returns within 24 hours of the request for such documentation.

Lenders should provide Proof of Authorizations to be delivered to TPP within 24 business hours of the request.

Lenders should ensure that all Proof of Authorization for all unauthorized transactions is segregated and held, ready to be delivered to TPP within 4 business hours, upon request.

Collections Best Practices

Members should ensure that Lenders and all third-party vendors and service providers comply with the Collections Best Practices.

Fair Debt Collections

Lenders and collections vendors must always communicate with consumers and third parties appropriately, including:

  • Communicating with consumers between 8 am and 9 pm only, consumer’s local time;
  • Communicating with a consumer at the place that is convenient for the consumer;
  • Avoiding communicating with a consumer at their place of employment when the employer prohibits such contact;
  • Communicating only with an attorney when a consumer has indicated that they are represented by an attorney; or
  • Avoiding communicating with third parties without express consent of the consumer.

Lenders and collections vendors must not engage in harassing acts, including:

  • The use or threat of use of violence or other criminal means to harm the physical person, reputation, or property of any person;
  • The use of obscene or profane language or language the natural consequence of which is to abuse the hearer or reader;
  • The publication of a list of consumers who allegedly refuse to pay debts;
  • The advertisement for sale of any debt to coerce payment of the debt;
  • Causing a telephone to ring or engaging any person in telephone conversation repeatedly or continuously with the intent to annoy, abuse, or harass any person at the called number; or
  • The placement of telephone calls without meaningful disclosure of the caller’s identity.

Lenders and collections vendors must not engage in false or misleading acts, including:

  • The false representation of or implication that the debt collector is vouched for, bonded by, or affiliated with the United States or any State, including the use of any badge, uniform, or facsimile thereof;
  • The false representation of the character, amount, or legal status of any debt, or any services rendered or compensation which may be lawfully received by any debt collector for the collections of a debt;
  • The false representation or implication that any individual is an attorney or that any communication is from an attorney;
  • The representation or implication that nonpayment of any debt will result in the arrest or imprisonment of any person or the seizure, garnishment, attachment, or sale of any property or wages of any person unless such action is lawful and Lender intends to take such action;
  • The threat to take action that cannot legally be taken or that is not intended to be taken;
  • The false representation or implication that a sale, referral, or other transfer of any interest in a debt shall cause the consumer to lose any claim or defense to payment of the debt or become subject to any practice prohibited by the FDCPA;
  • The false representation or implication that the consumer committed a crime or other conduct in order to disgrace the consumer;
  • Communicating or threatening to communicate to any person credit information which is known or which should be known to be false, including the failure to communicate that a disputed debt is disputed;
  • The use or distribution of any written communication which simulates or is falsely represented to be a document authorized, issued, or approved by any court, official, or agency of the United States or any State, or which creates a false impression as to its source, authorization, or approval;
  • The use of any false representation or deceptive means to collect or attempt to collect any debt or to obtain information concerning a consumer;
  • The failure to disclose in the initial written communication with the consumer and, in addition, if the initial communication with the consumer is oral, in that initial oral communication, that Lender is attempting to collect a debt and that any information obtained will be used for that purpose, and the failure to disclose in subsequent communications that the communication is from Lender;
  • The false representation or implication that accounts have been turned over to innocent purchasers of value;
  • The false representation or implication that documents are legal process;
  • The use of any business, company, or organization name other than the true name of Lender’s business, company, or organization;
  • The false representation or implication that documents are not legal process forms or do not require action by the consumer; or
  • The false representation or implication that Lender is operated or is employed by a consumer reporting agency.

Lenders and collections vendors must not engage in unfair acts, including:

  • The collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law;
  • The acceptance by Lender from any person of a check or other payment instrument postdated by more than five days unless such person is notified in writing of Lender’s intent to deposit such check or instrument not more than ten nor less than three business days prior to such deposit;
  • The solicitation by Lender of any postdated check or other postdated payment instrument for the purpose of threatening or instituting criminal prosecution;
  • Depositing or threatening to deposit any postdated check or other postdated payment instrument prior to the date on such check or instrument;
  • Causing charges to be made to any person for communications by concealment of the true purpose of the communication (such charges include, but are not limited to, collect telephone calls or telegram fees);
  • Taking or threatening to take any nonjudicial action to effect dispossession or disablement of property if there is no present right to possession of the property claimed as collateral through an enforceable security interest, there is no present intention to take possession of the property, or the property is exempt by law from such dispossession or disablement;
  • Communicating with a consumer regarding a debt by post card; or
  • Using any language or symbol, other than Lender’s address, on any envelope when communicating with a consumer by use of the mails or by telegram, except that Lender may use its business name if such name does not indicate that Lender is in the debt collection business.

Debt Validation

Lenders and collections vendors must furnish written debt validation notices when requested, including the amount of debt, the creditor to whom the debt is owed, notice that the consumer has 30 days to dispute the debt, and notice that upon receipt of written dispute of debt a verification of debt will be sent.


Members must have policies and procedures in place that deal with the investigation and resolution of disputes as well as the detection of potential fraud.

Vendor Compliance Best Practices

Members should ensure that all third-party vendors or service providers working on behalf of a Lender have policies and procedures that comply with these Best Practices as well as applicable law and that those policies and procedures are generally followed in practice. Members should engage in a due diligence process that is performed before entering into a relationship with any third-party vendor or service provider. This due diligence process may involve annual reviews of third-party vendors and service providers; examinations of the entity’s regulatory history; ongoing monitoring of screening, hiring, and training practices; and assurance of compliance with the Lender’s privacy policy.

Data Protection and Security Best Practices

Consumer Data Usage

Members should ensure that they:

  • Limit access to sensitive consumer data to only the employees that need it to execute essential functions of their jobs. Establish role-based access controls and implement system logging.
  • Use secure remote access methods. Create strong passwords and change them regularly (at least every 90 days).
  • Dispose of sensitive data securely once it is no longer needed for business or legal reasons.
  • Limit 3rd party access to consumer data to the degree needed to provide the particular service.

Data Capture and Storage

Members guard consumer data under the following guidelines:

  • Consumer data should be stored in an encrypted, unreadable format.
  • Use secure connections only when collecting consumer information.
  • Develop network segmentation and apply firewalls.
  • Maintain an accurate inventory of control system devices and eliminate any exposure of this equipment to external networks. This can at least partially be achieved by not letting controlled network machines be accessible by machines on the business network or the internet. Make sure the servers are secure.
  • Maintain awareness of vulnerabilities and implement necessary patches and system updates.
  • Create measures for detecting compromises.

Data Security Planning

Members must:

  • Implement an employee cybersecurity training program. Involve executives in the program.
  • Develop a cybersecurity incident response plan.

Compliance Management System

Each Lender should develop and implement a Compliance Management System (“CMS”) for the purpose of ensuring compliance with all applicable laws and regulations through the establishment of policies and procedures, risk-assessments, controls, monitoring, responsiveness to areas identified for improvement, and effective training. An effective CMS designates responsible individuals and is designed to mitigate regulatory and reputational risk and maintain a high level of public confidence in each Lender. An effective CMS allows the lender to respond to changes in the legal and regulatory environment in a proactive manner.


Policy/Procedure | Purpose | Importance of Policy/Procedure | Recommended Guidance
* Bank Secrecy Act
  • Compliance with Bank Secrecy Act/Anti-Money Laundering Act (BSA/AML) and related Department of the Treasury and Internal Revenue Service regulations
  • Detection, monitoring, and reporting of known and suspected incidents of money laundering, terrorist financing, and other financial crimes
  • Ensures compliance with certain federal laws and regulations
  • Sets out specific steps for identifying and monitoring for suspicious activities and customers, and for reporting these activities and customers
  • Sets out specific procedures for protecting company from fraudulent activity regarding money laundering, terrorist financing, and other financial crimes
  • FinCEN identification and reporting
  • Customer Identification Program
  • Suspicious or Criminal Activity Reporting
~ Collections
  • Process for debt collections and for referring past-due loans to third-party debt collection
  • Compliance with applicable federal (FDCPA, TCPA, UDAAP, TSR, FCRA, GLB, Reg P) and tribal laws
  • Ensures compliance with certain federal and tribal laws and regulations
  • Provides specific procedures for dealing with delinquent and/or bankrupt customers, for communicating with customers when trying to collect on a debt, and for referring debts to debt collectors
  • Customer contact
  • Verification of deceased customers
  • Customer bankruptcy procedures
  • Settlement offers
  • Sale of debt to third-party debt collector
~ Customer Identification
  • Compliance with BSA/AML and Section 326 of the Patriot Act
  • Procedures for identifying and verifying consumers’ identities
  • Ensure compliance with certain federal and tribal laws and regulations
  • Provides specific steps to help protect the company from fraudulent consumers and flag identity theft or suspicious behavior
  • Verification of identity
  • Minimum identification requirements
  • Flagging suspicious behavior
* Electronic Funds Transfer Act
  • Compliance with EFTA and Regulation E, and NACHA Rules
  • Procedures for disclosure, revocation, dispute resolution, and maintenance of electronic funds transfers, e.g. ACH processing.
  • Ensure compliance with certain federal and tribal laws and regulations
  • Sets out specific steps for providing electronic funds transfer disclosures, resolving disputes related to electronic funds transfers, and revocation or opting out of electronic funds transfers
  • Initial and annual disclosure requirements
  • Customer authorization
  • Revocation and stop payment
  • Dispute resolution
  • Non-sufficient funds
  • Varying amounts
  • Alternative Payment Options
* Fair Lending
  • Compliance with ECOA and FCRA
  • Commitment to the fair and equal service to all loan applicants
  • Ensure compliance with certain federal and tribal laws and regulations
  • Explains prohibited actions and discriminatory criteria during the loan application, marketing, and underwriting process
  • Discriminatory characteristics
  • Prohibited actions
  • Marketing decisions
  • Underwriting criteria
* Fair Credit Reporting Act/Fair and Accurate Extension of Credit Act
  • Compliance with FCRA and FACTA
  • Procedures for ensuring that consumer information is reported in an accurate, timely, and complete manner when using consumer reports
  • Protection of confidential consumer information
  • Ensure compliance with certain federal and tribal laws and regulations
  • Provides steps for identifying and detecting fraud (including fraud alerts and active duty alerts), giving disclosures to consumer regarding consumer reports, and resolving disputes related to identity
  • Explains permissible purposes for obtaining consumer reports
  • Acceptable purposes for obtaining consumer reports
  • Identifying and detecting fraud (fraud alerts)
  • Prescreen notices for consumer reports
  • Dispute resolution
* Red Flag, Fraud, and Identity Theft Prevention
  • Compliance with FACTA, Red Flags Rule
  • Mitigation of losses to company and victims of identity theft
  • Ensure compliance with certain federal and tribal laws and regulations
  • Provides procedures for identifying identity theft risks, preventing and mitigating the risks of identity theft, protecting consumer information, and changes or updates to existing consumer protection programs
  • Identification of suspicious behavior and “red flags”
  • Fraud detection
  • Risk prevention and mitigation
  • Consumer information protection
  • Periodic program updates
~ Information Security
  • Compliance with the Gramm-Leach-Bliley Act and other applicable federal or tribal law
  • Protection of customers’ nonpublic information
  • Ensure compliance with certain federal and tribal laws and regulations
  • Provides controls and procedures designed to protect a customer’s nonpublic information
  • Written security program
  • Encryption technology
  • Physical security
  • Access Management
  • Network monitoring
  • Endpoint Protection
  • IP Address Whitelist
~ Marketing
  • Compliance with TILA, CAN-SPAM Act, ECOA, FCRA/FACTA, TCPA, and Dodd-Frank in the marketing and advertising context
  • Promotion of product and attraction of new customers with proper disclosures
  • Compliance with industry best practices (OLA, e.g.)
  • Ensure compliance with certain federal and tribal laws and regulations
  • Explains requirements for advertisements and emails that comply with TILA, CAN-SPAM, and UDAAP
  • TILA advertisement disclosures
  • CAN-SPAM email requirements
  • Unfair, deceptive, or abusive advertising
  • Do Not Call Lists
  • Autodialers/Robocalls
  • Automated Text Messages
* Office of Foreign Assets Control
  • Compliance with OFAC laws and regulations regarding certain foreign countries and foreign nationals
  • Ensure compliance with certain federal laws and regulations
  • Provides procedures for comparing applicants with the OFAC list during the application phase, and periodic monitoring of the list
  • Using OFAC’s “Specially Designated Nationals and Blocked Persons” List
* Privacy
  • Compliance with Gramm-Leach-Bliley Act safeguarding provisions
  • Protection of customer’s nonpublic information
  • Ensure compliance with certain federal and tribal laws and regulations
  • Provides requirements for privacy notices and processes for customers to opt out of information-sharing
  • Privacy notices
  • Opt-out procedures for information-sharing
~ Record Retention
  • Compliance with record retention requirements of various federal and tribal laws and regulations
  • Ensure compliance with certain federal and tribal laws and regulations
  • Sets out procedures for retaining documents required by law or as a best practice
  • Physical vs. electronic documents
  • Retention of application documents, ACH authorizations, and call recordings
* Servicemembers Civil Relief Act and Military Lending Act
  • Compliance with SCRA and Military Lending Act
  • Proper handling of loans to members of the military
  • Ensure compliance with certain federal and tribal laws and regulations
  • Explains legal requirements when dealing with members of the military, including disclosures, protections, and prohibitions of certain actions
  • Identification of members of the military
  • SCRA and MLA protections for members of the military
* Truth-in-Lending Act
  • Compliance with TILA and Reg. Z
  • Provision of proper disclosures to consumers
  • Ensure compliance with certain federal and tribal laws and regulations
  • Outline proper disclosures in loan agreements, in conversation with consumers, and in advertising
  • TILA Box disclosures
  • Oral disclosures
  • Advertising
* Tribal Law
  • Compliance with tribal law and related tribal regulations
  • Ensure compliance with specific tribal laws and regulations
  • Outlines licensing, reporting and auditing, dispute resolution, and services provision requirements
  • Proper licensing
  • Required reports and auditing
  • Dispute resolution
  • Permissible consumer financial services
* Unfair, Deceptive, and Abusive Acts or Practices
  • Compliance with Dodd-Frank and related federal and tribal laws and regulations
  • Provision of company products and services that are not misleading, deceptive, unfair, or abusive
  • Ensure compliance with certain federal and tribal laws and regulations
  • Highlights advertising requirements and discouragement of consumers’ sustained use of short-term loan products
  • Sales, marketing, and advertising materials
  • Discouragement of sustained use
~ Underwriting
  • Compliance with federal and tribal laws and regulations in the underwriting context (such as ECOA, EFTA, FCRA, and TILA)
  • Ensure compliance with certain federal and tribal laws and regulations
  • Establishes minimum requirements for loan approval
  • Obtaining consumer reports
  • Establishes periodic testing for loan applications
  • Documentation and approval of underwriting processes
  • Underwriting criteria
  • Changes to underwriting processes and criteria



Vendor Oversight
  • Ensuring that prospective and approved vendors adhere to federal regulations and any other requirements
  • Establishes onboarding processes for vendors, such as security assessments and background checks, ongoing consistent reviews for compliance, and contract review
  • Onboarding
  • Regular and consistent review
  • Contract review
  • Licensing
  • Approval
  • Corrective Actions
~ Quality Assurance
  • Ensuring employees and contractors are complying with the compliance policies and related tribal and applicable federal laws
  • Establishes processes for monitoring employees’ compliance with policies and procedures
  • Monitoring
  • Feedback
~ Change Management
  • Ensuring that servicer recommendations and changes to compliance policies follow specific approval processes
  • Establishes specific process for servicer recommendations and changes to compliance policies
  • Establishes process for communicating changes in business operations and policies to employees and vendors
  • Regular reviews of operations and compliance policies



Complaint/Inquiry Resolution
  • Ensuring that customer inquiries and complaints are processed, recorded, and responded to appropriately and pursuant to Tribal law
  • Establishes required disclosures regarding tribal consumer dispute resolution
  • Establishes processes for handling customer inquiries and complaints, including regulatory and attorney correspondence
  • Disclosures on consumer loan agreement, websites, and other consumer correspondence
  • Maintaining correspondence in loan management system and other databases

