Consumer Finance Standard 2018
CONSUMER FINANCE
Sustainability Accounting Standard
Prepared by the
Sustainability Accounting Standards Board
October 2018
About SASB
The SASB Foundation was founded in 2011 as a not-for-profit, independent standards-setting organization. The SASB
Foundation’s mission is to establish and maintain industry-specific standards that assist companies in disclosing financially
material, decision-useful sustainability information to investors.
The SASB Foundation operates in a governance structure similar to the structure adopted by other internationally
recognized bodies that set standards for disclosure to investors, including the Financial Accounting Standards Board
(FASB) and the International Accounting Standards Board (IASB). This structure includes a board of directors (“the
Foundation Board”) and a standards-setting board (“the Standards Board” or "the SASB"). The Standards Board
develops, issues, and maintains the SASB standards. The Foundation Board oversees the strategy, finances and operations
of the entire organization, and appoints the members of the Standards Board.
The Foundation Board is not involved in setting standards, but is responsible for overseeing the Standards Board’s
compliance with the organization’s due process requirements. As set out in the SASB Rules of Procedure, the SASB’s
standards-setting activities are transparent and follow careful due process, including extensive consultation with
companies, investors, and relevant experts.
The SASB Foundation is funded by a range of sources, including contributions from philanthropies, companies, and
individuals, as well as through the sale and licensing of publications, educational materials, and other products. The SASB
Foundation receives no government financing and is not affiliated with any governmental body, the FASB, the IASB, or
any other financial accounting standards-setting body.
The information, text, and graphics in this publication (the “Content”) are owned by The SASB Foundation. All rights reserved. The
Content may be used only for non-commercial, informational, or scholarly use, provided that all copyright and other proprietary notices
related to the Content are kept intact, and that no modifications are made to the Content. The Content may not be otherwise
disseminated, distributed, republished, reproduced, or modified without the prior written permission of The SASB Foundation. To request
permission, please contact us at info@sasb.org.
SASB standards are designed to identify a minimum set of sustainability issues most likely to impact the operating
performance or financial condition of the typical company in an industry, regardless of location. SASB standards are
designed to enable communications on corporate performance on industry-level sustainability issues in a cost-effective
and decision-useful manner using existing disclosure and reporting mechanisms.
Businesses can use the SASB standards to better identify, manage, and communicate to investors sustainability
information that is financially material. Use of the standards can benefit businesses by improving transparency, risk
management, and performance. SASB standards can help investors by encouraging reporting that is comparable,
consistent, and financially material, thereby enabling investors to make better investment and voting decisions.
1. Disclosure topics – A minimum set of industry-specific disclosure topics reasonably likely to constitute material
information, and a brief description of how management or mismanagement of each topic may affect value creation.
2. Accounting metrics – A set of quantitative and/or qualitative accounting metrics intended to measure performance
on each topic.
3. Technical protocols – Each accounting metric is accompanied by a technical protocol that provides guidance on
definitions, scope, implementation, compilation, and presentation, all of which are intended to constitute suitable criteria
for third-party assurance.
4. Activity metrics – A set of metrics that quantify the scale of a company’s business and are intended for use in
conjunction with accounting metrics to normalize data and facilitate comparison.
The SASB Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that guide the
Standards Board in its approach to setting standards for sustainability accounting. The SASB Rules of Procedure is focused
on the governance processes and practices for standards setting.
It is up to a company to determine the means by which it reports SASB information to investors. One benefit of using
SASB standards may be achieving regulatory compliance in some markets. Other investor communications using SASB
information could be sustainability reports, integrated reports, websites, or annual reports to shareholders. There is no
guarantee that SASB standards address all financially material sustainability risks or opportunities unique to a company’s
business model.
Industry Description
The Consumer Finance industry provides loans to consumers. The largest segment of the industry is comprised of
revolving credit loans through credit card products. Additional loan services include auto, micro lending, and student
loans. Some companies in the industry also provide consumer-to-consumer money transfers, money orders, prepaid debit
cards, and bill payment services. Industry performance is determined by consumer spending, rates of unemployment, per
capita GDP, income, and population growth. Recent shifts toward consumer protection and transparency have aligned
and will continue to align the interests of society with those of long-term investors. Companies that effectively manage
their social capital will therefore be better positioned to maximize their financial capital.
Note: The SASB Consumer Finance (FN-CF) Standard is limited to the abovementioned consumer finance services. A
separate SASB accounting standard addresses the sustainability issues for mortgage finance activities.
¹ Legal Note: SASB standards are not intended to, and indeed cannot, replace any legal or regulatory requirements that may be
applicable to a reporting entity’s operations.
TOPIC | ACCOUNTING METRIC | CATEGORY | UNIT OF MEASURE | CODE
Selling Practices | (1) Average fees from add-on products, (2) average APR, (3) average age of accounts, (4) average number of trade lines, and (5) average annual fees for pre-paid products, for customers with FICO scores above and below 660 | Quantitative | Reporting currency, Percentage (%), Months, Number, Reporting currency | FN-CF-270a.3
² Note to FN-CF-220a.1 – The entity shall describe its policies and procedures regarding the manner in which it discloses the use of
customer data for third party use to customers, including the nature of its opt-in policy.
³ Note to FN-CF-220a.2 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the
monetary losses.
⁴ Note to FN-CF-230a.1 – Disclosure shall include a description of corrective actions implemented in response to data breaches.
⁵ Note to FN-CF-270a.1 – The entity shall describe remuneration policies for covered employees, including the link to products sold, the
process for setting sale targets, and benefits/penalties associated with meeting/missing the targets.
⁶ Note to FN-CF-270a.2 – The entity shall discuss its strategy for minimizing the number of past due and nonaccrual loans in its
portfolio.
ACTIVITY METRIC | CATEGORY | UNIT OF MEASURE | CODE
Number of (1) credit card accounts and (2) pre-paid debit card accounts | Quantitative | Number | FN-CF-000.B
⁷ Note to FN-CF-270a.5 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the
monetary losses.
⁸ Note to FN-CF-000.A – For joint accounts, the entity shall include the number of customers whose personally identifiable information
(PII) it collects.
Accounting Metrics
1.1 Account holder information includes information that pertains to an account holder’s attributes or actions,
including, but not limited to, account statements, transaction records, records of communications, content of
communications, demographic data, behavioral data, location data, and/or personally identifiable information
(PII).
1.1.1 Demographic data are defined as the quantifiable statistics that identify and distinguish a given
population. Examples of demographic data include gender, age, race/ethnicity, knowledge of
languages, disabilities, mobility, home ownership, and employment status.
1.1.2 Behavioral data are defined as the product of tracking, measuring, and recording individual behaviors
such as online browsing patterns, buying habits, brand preferences, and product usage patterns.
1.1.3 Location data are defined as data describing the physical location or movement patterns of an
individual, such as Global Positioning System (GPS) coordinates or other related data that would enable
identifying and tracking an individual’s physical location.
1.1.4 PII is defined as any information about an individual that is maintained by an entity, including (1) any
information that can be used to distinguish or trace an individual’s identity, such as name, Social
Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2)
any other information that is linked or linkable to an individual, such as medical, educational, financial,
and employment information.
1.2 Secondary purpose is defined as the intentional use of data by the entity (i.e., not a breach of security) that is
outside the primary purpose for which the data was collected. Examples of secondary purposes include, but
are not limited to, selling targeted ads, improving the entity’s products or service offerings, and transferring
data or information to a third-party through sale, rental, or sharing.
1.3 Accounts that the entity cannot verify as belonging to the same individual shall be disclosed separately.
2 The scope of disclosure shall include the account holders whose information is used by the entity itself for secondary
purposes as well as the account holders whose information is provided to affiliates or non-affiliates and may be used
by those parties for secondary purposes.
2.1 Affiliate is defined as a third party that directly or indirectly controls, is controlled by, or is under common
control with the entity.
2.2 Non-affiliates are all third parties other than the entity and its affiliates.
Note to FN-CF-220a.1
1 The entity shall describe its policies and procedures regarding the manner in which it discloses the use of account
holders’ information for secondary purposes to account holders, including the nature of its opt-in policy.
1.1 Opt-in is defined as express affirmative consent required to use or share content.
2.1 The manner in which account holder consent is generally received with respect to the use of the account
holder’s information for secondary purposes.
2.1.1 The entity shall describe whether the consent is explicit, freely given, specific, informed, and/or
unambiguous.
2.2 The extent to which the information was disclosed to account holders regarding the use of the account
holders’ information for secondary purposes. This includes whether and how account holders are informed
about the specific data the entity intends to use for secondary purposes, the parties that have access to the
data, and the manner in which the data may be used.
3 The entity shall describe the regulatory environment related to account holder privacy in which it operates, including,
but not limited to, evolving regulations and risks related to regulatory compliance.
2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a
court, a regulator, an arbitrator, or otherwise.
3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement
or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period
as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement,
or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g.,
governmental, business, or individual).
4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense.
5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of
relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as:
5.1 The U.S. Federal Trade Commission’s Privacy and Gramm-Leach-Bliley Acts
Note to FN-CF-220a.2
1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred
prosecution agreement, or non-prosecution agreement) and context (e.g., fraud, disclosure to clients, or employee
compensation) of all monetary losses as a result of legal proceedings.
Accounting Metrics
1.1 Data breach is defined as the unauthorized movement or disclosure of sensitive information to a party, usually
outside the organization, that is not authorized to have or see the information. This definition is derived from
the U.S. National Initiative for Cybersecurity Careers and Studies (NICCS) glossary.
1.2 The scope of disclosure is limited to data breaches that resulted in a deviation from the entity’s expected
outcomes for confidentiality and/or integrity.
2 The entity shall disclose (2) the percentage of data breaches in which personally identifiable information (PII) was
subject to the data breach.
2.1 PII is defined as any information about an individual that is maintained by an entity, including (1) any
information that can be used to distinguish or trace an individual’s identity, such as name, Social Security
Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other
information that is linked or linkable to an individual, such as medical, educational, financial, and employment
information. This definition is derived from the U.S. Government Accountability Office’s Report to
Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information.
2.2 The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key
that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted
to plaintext.
2.3 The scope of disclosure is limited to breaches in which account holders were notified of the breach, either as
required by law or voluntarily by the entity.
3 The entity shall disclose (3) the total number of unique account holders who were affected by data breaches, which
includes all those whose personal data was compromised in a data breach.
3.1 Accounts that the entity cannot verify as belonging to the same account holder shall be disclosed separately.
4 The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal
investigation or until the law enforcement agency determines that such notification does not compromise the
investigation.
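The scope rules above (1.2, 2.2, 2.3 and 4) decide which internally logged incidents count toward the three disclosed figures, and paragraph 3.1 requires accounts that cannot be tied to one holder to be reported separately rather than guessed into the unique-holder count. The following Python is an added worked example, not code from SASB or from any reporting entity; the incident records, their field names and the `Incident`, `in_scope` and `breach_metrics` names are this example's own assumptions about how such an internal log might look.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One logged security incident (constructed record; field names are this
    example's own, not the Standard's)."""
    incident_id: str
    conf_or_integrity_deviation: bool   # 1.2: availability-only events do not count
    holders_notified: bool              # 2.3: holders notified, by law or voluntarily
    pii_involved: bool                  # 2: PII was subject to the breach
    encrypted: bool = False             # 2.2: the exposed data were encrypted
    key_also_acquired: bool = False     # 2.2: the key was taken as well
    readily_decryptable: bool = False   # 2.2: reasonable belief of conversion to plaintext
    law_enforcement_hold: bool = False  # 4: disclosure deferred at law enforcement's request
    verified_holders: frozenset = frozenset()  # 3: holder IDs verified to one person
    unverified_accounts: int = 0        # 3.1: accounts that cannot be tied to a holder


def in_scope(inc: Incident) -> bool:
    """Apply scope rules 1.2, 2.2 and 2.3 to one incident."""
    if not inc.conf_or_integrity_deviation:
        return False                    # 1.2: e.g. a DDoS outage is not a data breach here
    if not inc.holders_notified:
        return False                    # 2.3: incidents nobody was notified of are out
    if inc.encrypted and not (inc.key_also_acquired or inc.readily_decryptable):
        return False                    # 2.2: ciphertext without a usable key does not count
    return True


def breach_metrics(incidents, honor_law_enforcement_hold=True):
    """(1) number of breaches, (2) % involving PII, (3) unique account holders."""
    deferred = 0
    scoped = []
    for inc in incidents:
        if honor_law_enforcement_hold and inc.law_enforcement_hold:
            deferred += 1               # 4: carried into a later period, not counted now
            continue
        if in_scope(inc):
            scoped.append(inc)
    n = len(scoped)
    with_pii = sum(1 for inc in scoped if inc.pii_involved)
    holders = set()
    unverified = 0
    for inc in scoped:
        holders |= inc.verified_holders  # set union: a holder hit twice is counted once
        unverified += inc.unverified_accounts
    return {
        "data_breaches": n,
        "pct_with_pii": (100.0 * with_pii / n) if n else 0.0,
        "unique_account_holders": len(holders),
        "unverified_accounts_reported_separately": unverified,
        "deferred_under_law_enforcement_hold": deferred,
    }


# Constructed sample for one reporting period; these are not real incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-1", True, True, True,
             verified_holders=frozenset({"H-A", "H-B", "H-C"}), unverified_accounts=2),
    Incident("INC-2", True, True, True, encrypted=True),            # key not taken: out (2.2)
    Incident("INC-3", True, True, True, encrypted=True, key_also_acquired=True,
             verified_holders=frozenset({"H-B", "H-D"})),           # H-B counted only once
    Incident("INC-4", True, False, True,
             verified_holders=frozenset({"H-E"})),                  # never notified: out (2.3)
    Incident("INC-5", False, True, False),                          # availability only: out (1.2)
    Incident("INC-6", True, True, False),                           # internal documents, no PII
    Incident("INC-7", True, True, True, law_enforcement_hold=True,
             verified_holders=frozenset({"H-F"})),                  # deferred under rule 4
]

if __name__ == "__main__":
    print(breach_metrics(SAMPLE_INCIDENTS))
```

On the sample, three incidents survive scoping (INC-1, INC-3, INC-6), two of them involve PII, four distinct holders are affected, two accounts are reported separately, and one incident is held over. Passing `honor_law_enforcement_hold=False` shows the same period with INC-7 included, which is the figure a later period would pick up once the hold is lifted.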
Note to FN-CF-230a.1
1 The entity shall describe the corrective actions taken in response to data breaches, such as changes in operations,
management, processes, products, business partners, training, or technology.
1.1 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may
provide further guidance on disclosures on the corrective actions taken in response to data breaches.
2 All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not
compromise the entity’s ability to maintain data privacy and security.
3 The entity may disclose its policy for disclosing data breaches to affected account holders in a timely manner.
FN-CF-230a.2. Card-related fraud losses from (1) card-not-present fraud and (2)
card-present and other fraud
1 The entity shall disclose the amount of card-related fraud losses it incurred during the reporting period.
2 The entity shall disclose card-related fraud losses as (1) card-not-present (CNP) and (2) card-present and other fraud
losses.
2.1 CNP fraud is characterized by the unauthorized use of a credit card number, the security code printed on the
card, and/or the cardholder's address details for a transaction in a non-face-to-face setting with a merchant.
CNP fraud includes that which is conducted online, through mail, or over the phone.
2.2 Card-present fraud is characterized by the unauthorized use of a physical credit card for a transaction in a
face-to-face setting with a merchant.
3 The entity shall calculate card-related fraud losses as the total value of account holder transactions refunded to
account holders (card holders) due to fraud.
4 The scope shall include losses from the unauthorized use of revolving consumer credit, debit, and pre-paid debit
cards, including instances of card-present fraud and instances of CNP fraud, where the entity is liable for losses (e.g.,
when a merchant uses a chargeback protection service).
5 The scope shall also include transactions determined to be fraudulent that the entity charged back to merchants
(and/or their acquiring banks), including those related to CNP fraudulent activity.
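Paragraphs 2 through 5 amount to a classification and scoping rule: each confirmed-fraud refund is either card-not-present or card-present-and-other, it counts only if the card product is in scope (revolving credit, debit, pre-paid) and the entity either bore the loss or charged it back to the merchant, and anything else (a wire fraud, a loss a merchant absorbed outright) stays out. The Python below is an added worked example, not SASB's or any issuer's code; the channel names, the `FraudEvent` record and the function names are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

CNP_CHANNELS = {"ecommerce", "mail_order", "telephone"}                # 2.1: non-face-to-face
CARD_PRESENT_CHANNELS = {"pos_chip", "pos_swipe", "contactless", "atm"}  # 2.2: face-to-face
CARD_PRODUCTS = {"credit", "debit", "prepaid"}                         # 4: products in scope


@dataclass(frozen=True)
class FraudEvent:
    """One confirmed-fraud transaction (constructed record; names are this example's)."""
    event_id: str
    amount: float             # value refunded to the cardholder, stored as a positive number
    channel: str
    card_product: str         # "credit" | "debit" | "prepaid"; anything else is not card fraud
    entity_liable: bool       # 4: the issuer bears the loss
    charged_back: bool = False  # 5: recovered by chargeback to the merchant or acquirer


def fraud_bucket(ev: FraudEvent) -> Optional[str]:
    """Return 'cnp', 'card_present_and_other', or None when the event is out of scope."""
    if ev.card_product not in CARD_PRODUCTS:
        return None                        # e.g. wire or ACH fraud: not card-related
    if not (ev.entity_liable or ev.charged_back):
        return None                        # loss absorbed elsewhere; neither 4 nor 5 applies
    if ev.channel in CNP_CHANNELS:
        return "cnp"
    # Card-present channels and any channel we cannot classify both land in bucket (2).
    return "card_present_and_other"


def fraud_losses(events):
    """Aggregate FN-CF-230a.2 losses for the period, with a product breakdown."""
    totals = {"cnp": 0.0, "card_present_and_other": 0.0}
    by_product = {p: 0.0 for p in sorted(CARD_PRODUCTS)}
    excluded = []
    for ev in events:
        if ev.amount < 0:
            raise ValueError(f"{ev.event_id}: refund amounts must be non-negative")
        bucket = fraud_bucket(ev)
        if bucket is None:
            excluded.append(ev.event_id)   # kept so the exclusion can be audited
            continue
        totals[bucket] += ev.amount
        by_product[ev.card_product] += ev.amount
    totals["total"] = totals["cnp"] + totals["card_present_and_other"]
    return {"totals": totals, "by_product": by_product, "excluded": excluded}


# Constructed sample events for one period (not real transactions).
SAMPLE_EVENTS = [
    FraudEvent("E1", 120.0, "ecommerce", "credit", entity_liable=True),
    FraudEvent("E2", 80.0, "telephone", "credit", entity_liable=False, charged_back=True),
    FraudEvent("E3", 50.0, "pos_swipe", "debit", entity_liable=True),
    FraudEvent("E4", 200.0, "atm", "prepaid", entity_liable=True),
    FraudEvent("E5", 75.0, "unknown", "credit", entity_liable=True),       # "other" fraud
    FraudEvent("E6", 300.0, "ecommerce", "credit", entity_liable=False),   # merchant absorbed it
    FraudEvent("E7", 1000.0, "online_banking", "wire", entity_liable=True),  # not a card
]

if __name__ == "__main__":
    print(fraud_losses(SAMPLE_EVENTS))
```

On the sample, CNP losses are 200.00 (E1 plus the charged-back E2) and card-present-and-other losses are 325.00 (E3, E4 and the unclassifiable E5); E6 and E7 are listed as excluded so a reviewer can see why the period total is 525.00 rather than 1825.00.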
1.1 Vulnerability is defined as a weakness in an information system, system security procedures, internal controls,
and/or implementation that could be exploited.
1.2 Data security risk is defined as any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational assets, individuals, other
organizations, or nations through an information system via unauthorized access, destruction, disclosure,
modification of information, and/or denial of service.
2 The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including,
but not limited to, operational procedures, management processes, structure of products, selection of business
partners, employee training, and use of technology.
3 The entity shall discuss trends it has observed in type, frequency, and origination of attacks to its data security and
information systems.
4 The entity shall describe its policies and procedures for disclosing the events of breaches to its customers in a timely
manner.
5 The entity’s disclosure shall include a discussion of data and system security efforts that relate to new and emerging
cyber threats and attack vectors facing the financial services industry.
5.1 Emerging cyber threats include, but are not limited to, cyber threats arising from the use of near-field
communication payment systems, mobile banking, and web-based banking.
6 The entity shall describe the regulatory environment in which it operates related to data security.
6.1 Discussion shall include, but is not limited to, data security policies and procedures that the entity adopted as a
result of regulatory compliance efforts or voluntarily as an industry best practice.
7 The entity shall describe the degree to which its approach is aligned with an external standard or framework and/or
legal or regulatory framework for managing data security, such as:
7.2 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 16, 2018, National Institute
of Standards and Technology (NIST)
7.3 The New York State Department of Financial Services 23 NYCRR 500, “Cybersecurity Requirements for
Financial Services Companies”
7.4 The Office of the Comptroller of the Currency (OCC) Bulletin 2013-29, “Third-Party Relationships: Risk
Management Guidance,” October 30, 2013
8 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide
further guidance on disclosures on the entity’s approach to addressing data security risks and vulnerabilities.
9 All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself would not
compromise the entity’s ability to maintain data privacy and security.
Accounting Metrics
1.2 Remuneration is fixed where all the conditions for its award and its amount:
1.2.1 Are based on predetermined criteria and are non-discretionary, reflecting the level of professional
experience and seniority of staff;
1.2.2 Are transparent with respect to the individual amount awarded to the individual staff member;
1.2.3 Are permanent, i.e., maintained over a period tied to the specific role and organizational
responsibilities;
1.2.4 Are non-revocable, i.e., the permanent amount is only changed via collective bargaining or following
renegotiation in line with national criteria on wage setting;
1.3 Covered employees are defined as individuals employed by the entity who are engaged in the activities of
directly selling products or services to customers or potential customers.
1.3.1 For the U.S. workforce, covered employees include those categorized by the entity in accordance with
the Equal Employment Opportunity Commission’s Employer Information EEO-1 report (EEO-1 Survey)
Instruction Booklet as: (1) Sales Workers and (2) First/Mid Offs & Mgrs. – Sales Managers.
1.3.2 For the non-U.S. workforce, covered employees include those categorized by the entity into categories
equivalent to (1) Sales Workers and (2) First/Mid Offs & Mgrs. – Sales Managers, though in accordance
with, and further facilitated by, any applicable local regulations, guidance, or generally accepted
definitions.
2 The entity shall calculate the percentage by dividing the aggregate amount of the variable remuneration linked to the
amount of products and services sold of the entity’s covered employees by the aggregate amount of the total
remuneration of the entity’s covered employees.
Note to FN-CF-270a.1
1 The disclosure shall include a discussion on how remuneration of covered employees relates to the terms and
conditions of the products and services, such as interest rates, up-front points, or fees.
2 The entity shall discuss how performance targets are set and what monetary and non-monetary benefits or penalties
are present for meeting or missing these targets.
3.1 The regulatory environment in which the entity operates regarding employee remuneration and whether it is
required to have certain remuneration policies in place; the entity shall discuss whether its remuneration
policies are the result of regulatory requirements or are adopted voluntarily as the industry best practice
3.2 The performance objectives for the institution, business areas, and staff
3.3 The methods for the measurement of performance, including the performance criteria
3.4 The structure of variable remuneration, including (where applicable) the instruments in which parts of the
variable remuneration are awarded
1.1 Pre-paid products include pre-paid accounts and cards, excluding checking accounts, share draft accounts, or
negotiable order of withdrawal (NOW) accounts.
2 The entity shall calculate the approval rate as the total number of applications approved from applicants in the FICO
category divided by the total number of applications received from applicants in the FICO category.
3 The scope of disclosure includes applications the entity approved or denied during the reporting period, regardless of
when the application was received.
[Table of approval rates by FICO category; only the row labels survive extraction: Credit products; Pre-paid products]
Note to FN-CF-270a.2
1 The entity shall discuss its short- and long-term strategy around managing performance of its portfolio of credit and
pre-paid products.
1.1 Discussion shall include, but not be limited to, the entity’s strategy for minimizing the number of past due and
nonaccrual loans in its portfolio.
FN-CF-270a.3. (1) Average fees from add-on products, (2) average APR, (3) average
age of accounts, (4) average number of trade lines, and (5) average annual fees for
pre-paid products, for customers with FICO scores above and below 660
1 The entity shall disclose (1) the average fees from add-on products for all customers, broken down by FICO scores
below or equal to 660, and above 660.
1.1 Add-on products include, but are not limited to, debt protection, identity theft protection, credit score
tracking, and other products that are supplementary to the credit provided by the card itself and are offered at
additional cost to consumers.
2 The entity shall disclose (2) the average Annual Percentage Rate (APR) for all customers, broken down by FICO scores
below or equal to 660, and above 660.
2.1 The entity shall calculate the average APR for all accounts assessed interest during the reporting period as the
annualized ratio of total finance charges to the total average daily balances, against which the finance charges
were assessed (excluding accounts for which no finance charges were assessed).
2.1.1 Definitions of finance charge and detailed calculation of APR are aligned with those in the Regulation Z
of the Truth in Lending Act.
3 The entity shall disclose (3) average age of accounts in months for all customers, broken down by FICO scores below
or equal to 660, and above 660.
3.1 The entity shall calculate the average age of accounts (in months) from the date that each active account was
opened until the close of the reporting period.
4 The entity shall disclose (4) the average number of trade lines for all customers, broken down by FICO scores below
or equal to 660, and above 660.
4.1 The entity shall calculate the average number of trade lines per customer as the total number of trade lines
held by customers in each FICO category divided by the total number of customers in the respective FICO
category.
5 The entity shall disclose (5) the average annual fees for pre-paid products for all customers, broken down by FICO
scores below or equal to 660, and above 660.
5.1 Pre-paid products include pre-paid accounts and cards, excluding checking accounts, share draft accounts, or
negotiable order of withdrawal (NOW) accounts.
5.2 The entity shall calculate the average annual fees for pre-paid products as the total amount of revenue
generated from pre-paid products from customers in the FICO category divided by the total number of the
entity’s customers in the FICO category.
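The five figures above share one grouping rule (FICO at or below 660 in one bucket, above 660 in the other, so a score of exactly 660 lands in the lower bucket) and one non-obvious calculation, the average APR of 2.1, which is a ratio of summed finance charges to summed average daily balances over the accounts actually assessed interest, annualized, rather than a mean of per-account rates. The Python below is an added worked example, not SASB's or any issuer's code. It assumes one card account per customer (the Standard averages trade lines and fees per customer, which this simplification makes identical to per account) and that the period is annualized by 12 divided by its length in months; the `Customer` record and function names are this example's own.

```python
from dataclasses import dataclass

FICO_CUTOFF = 660   # "below or equal to 660" versus "above 660"


@dataclass(frozen=True)
class Customer:
    """One customer holding one card account (constructed record; the
    one-account-per-customer simplification is this example's assumption)."""
    customer_id: str
    fico: int
    add_on_fees: float          # 1: fees from add-on products in the period
    finance_charges: float      # 2.1: total finance charges assessed in the period
    avg_daily_balance: float    # 2.1: balance against which those charges were assessed
    account_age_months: int     # 3.1: months from open date to close of the period
    trade_lines: int            # 4.1: trade lines held by the customer
    prepaid_fees: float = 0.0   # 5.2: revenue from pre-paid products, 0 if none held


def fico_bucket(fico: int) -> str:
    return "fico_le_660" if fico <= FICO_CUTOFF else "fico_gt_660"


def selling_practice_metrics(customers, period_months=12):
    """FN-CF-270a.3 items (1)-(5) per FICO bucket. APR is annualized by 12/period_months."""
    out = {}
    for bucket in ("fico_le_660", "fico_gt_660"):
        group = [c for c in customers if fico_bucket(c.fico) == bucket]
        n = len(group)
        # 2.1: accounts assessed no finance charges are excluded from the APR ratio only;
        # they still count toward the other four averages.
        charged = [c for c in group if c.finance_charges > 0]
        fc = sum(c.finance_charges for c in charged)
        adb = sum(c.avg_daily_balance for c in charged)
        out[bucket] = {
            "customers": n,
            "avg_add_on_fees": sum(c.add_on_fees for c in group) / n if n else 0.0,
            "avg_apr_pct": (fc / adb) * (12 / period_months) * 100 if adb else 0.0,
            "avg_account_age_months": sum(c.account_age_months for c in group) / n if n else 0.0,
            "avg_trade_lines": sum(c.trade_lines for c in group) / n if n else 0.0,
            "avg_prepaid_fees": sum(c.prepaid_fees for c in group) / n if n else 0.0,
        }
    return out


# Constructed sample portfolio for a 12-month period (not real customers).
SAMPLE_CUSTOMERS = [
    Customer("C1", 720, add_on_fees=24.0, finance_charges=90.0, avg_daily_balance=1000.0,
             account_age_months=48, trade_lines=5),
    Customer("C2", 660, add_on_fees=60.0, finance_charges=240.0, avg_daily_balance=1000.0,
             account_age_months=12, trade_lines=2),                 # exactly 660: lower bucket
    Customer("C3", 600, add_on_fees=0.0, finance_charges=0.0, avg_daily_balance=800.0,
             account_age_months=6, trade_lines=1, prepaid_fees=36.0),  # no interest assessed
    Customer("C4", 700, add_on_fees=12.0, finance_charges=0.0, avg_daily_balance=0.0,
             account_age_months=24, trade_lines=8),                 # transactor, no interest
]

if __name__ == "__main__":
    for bucket, metrics in selling_practice_metrics(SAMPLE_CUSTOMERS).items():
        print(bucket, metrics)
```

On the sample, the at-or-below-660 bucket reports an average APR of 24.0% from C2 alone (C3's 800 balance is excluded because it was assessed no finance charges), while its average add-on fees, account age and trade lines still average over both customers; the above-660 bucket reports 9.0%. Passing `period_months=3` for a quarterly cut annualizes the same ratios by four.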
1.1 The scope of disclosure includes complaints filed through the CFPB’s Consumer Complaint Database.
2 The entity shall disclose (2) the percentage of complaints filed with the CFPB that resulted in monetary or non-
monetary relief.
2.1 Monetary relief and non-monetary relief are as disclosed by the CFPB.
2.2 The scope of disclosure includes complaints filed during the reporting period.
3 The entity shall disclose (3) the percentage of complaints filed with the CFPB that were disputed by consumers.
3.2 The scope of disclosure includes complaints filed during the reporting period.
4 The entity shall disclose (4) the percentage of complaints filed with the CFPB that resulted in investigation by the
CFPB.
4.2 The scope of disclosure includes complaints filed during the reporting period.
5 The scope of disclosure shall include the complaints filed regarding the following product categories specified by the
CFPB:
6 The scope of disclosure shall include, but is not limited to, the following issues specified by the CFPB:
7 The entity may provide breakdown by type of product, issue, and company response type referencing the CFPB data.
2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a
court, a regulator, an arbitrator, or otherwise.
3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement
or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period
as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement,
or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g.,
governmental, business, or individual).
5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of
relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as:
5.1 The U.S. Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act)
5.5 The U.S. Unfair, Deceptive and Abusive Acts and Practices (UDAAP)
Note to FN-CF-270a.5
1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred
prosecution agreement, or non-prosecution agreement) and context (e.g., fraud, disclosure to clients, or employee
compensation) of all monetary losses as a result of legal proceedings.
2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may
include, but is not limited to, specific changes in operations, management, processes, products, business partners,
training, or technology.