FINANCIALS SECTOR CONSUMER FINANCE Sustainability Accounting Standard Sustainable Industry Classification System® (SICS®) FN-CF Prepared by the Sustainability Accounting Standards Board October 2018 INDUSTRY STANDARD | VERSION 2018-10 © 2018 The SASB Foundation. All Rights Reserved. sasb.org CONSUMER FINANCE Sustainability Accounting Standard About SASB The SASB Foundation was founded in 2011 as a not-for-profit, independent standards-setting organization. The SASB Foundation’s mission is to establish and maintain industry-specific standards that assist companies in disclosing financially material, decision-useful sustainability information to investors. The SASB Foundation operates in a governance structure similar to the structure adopted by other internationally recognized bodies that set standards for disclosure to investors, including the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB). This structure includes a board of directors (“the Foundation Board”) and a standards-setting board (“the Standards Board” or "the SASB"). The Standards Board develops, issues, and maintains the SASB standards. The Foundation Board oversees the strategy, finances and operations of the entire organization, and appoints the members of the Standards Board. The Foundation Board is not involved in setting standards, but is responsible for overseeing the Standards Board’s compliance with the organization’s due process requirements. As set out in the SASB Rules of Procedure, the SASB’s standards-setting activities are transparent and follow careful due process, including extensive consultation with companies, investors, and relevant experts. The SASB Foundation is funded by a range of sources, including contributions from philanthropies, companies, and individuals, as well as through the sale and licensing of publications, educational materials, and other products. The SASB Foundation receives no government financing and is not affiliated with any governmental body, the FASB, the IASB, or any other financial accounting standards-setting body. SUSTAINABILITY ACCOUNTING STANDARDS BOARD 1045 Sansome Street, Suite 450 San Francisco, CA 94111 415.830.9220 info@sasb.org sasb.org The information, text, and graphics in this publication (the “Content”) are owned by The SASB Foundation. All rights reserved. The Content may be used only for non-commercial, informational, or scholarly use, provided that all copyright and other proprietary notices related to the Content are kept intact, and that no modifications are made to the Content. The Content may not be otherwise disseminated, distributed, republished, reproduced, or modified without the prior written permission of The SASB Foundation. To request permission, please contact us at info@sasb.org. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 2 Table of Contents Introduction....................................................................................................................................................................4 Purpose of SASB Standards.........................................................................................................................................4 Overview of SASB Standards.......................................................................................................................................4 Use of the Standards...................................................................................................................................................5 Industry Description.....................................................................................................................................................5 Sustainability Disclosure Topics & Accounting Metrics...............................................................................................6 Customer Privacy.........................................................................................................................................................8 Data Security.............................................................................................................................................................12 Selling Practices.........................................................................................................................................................16 SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 3 INTRODUCTION Purpose of SASB Standards The SASB’s use of the term “sustainability” refers to corporate activities that maintain or enhance the ability of the company to create value over the long term. Sustainability accounting reflects the governance and management of a company’s environmental and social impacts arising from production of goods and services, as well as its governance and management of the environmental and social capitals necessary to create long-term value. The SASB also refers to sustainability as “ESG” (environmental, social, and governance), though traditional corporate governance issues such as board composition are not included within the scope of the SASB’s standards-setting activities. SASB standards are designed to identify a minimum set of sustainability issues most likely to impact the operating performance or financial condition of the typical company in an industry, regardless of location. SASB standards are designed to enable communications on corporate performance on industry-level sustainability issues in a cost-effective and decision-useful manner using existing disclosure and reporting mechanisms. Businesses can use the SASB standards to better identify, manage, and communicate to investors sustainability information that is financially material. Use of the standards can benefit businesses by improving transparency, risk management, and performance. SASB standards can help investors by encouraging reporting that is comparable, consistent, and financially material, thereby enabling investors to make better investment and voting decisions. Overview of SASB Standards The SASB has developed a set of 77 industry-specific sustainability accounting standards (“SASB standards” or “industry standards”), categorized pursuant to SASB’s Sustainable Industry Classification System® (SICS®). Each SASB standard describes the industry that is the subject of the standard, including any assumptions about the predominant business model and industry segments that are included. SASB standards include: 1. Disclosure topics – A minimum set of industry-specific disclosure topics reasonably likely to constitute material information, and a brief description of how management or mismanagement of each topic may affect value creation. 2. Accounting metrics – A set of quantitative and/or qualitative accounting metrics intended to measure performance on each topic. 3. Technical protocols – Each accounting metric is accompanied by a technical protocol that provides guidance on definitions, scope, implementation, compilation, and presentation, all of which are intended to constitute suitable criteria for third-party assurance. 4. Activity metrics – A set of metrics that quantify the scale of a company’s business and are intended for use in conjunction with accounting metrics to normalize data and facilitate comparison. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 4 Furthermore, the SASB Standards Application Guidance establishes guidance applicable to the use of all industry standards and is considered part of the standards. Unless otherwise specified in the technical protocols contained in the industry standards, the guidance in the SASB Standards Application Guidance applies to the definitions, scope, implementation, compilation, and presentation of the metrics in the industry standards. The SASB Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that guide the Standards Board in its approach to setting standards for sustainability accounting. The SASB Rules of Procedure is focused on the governance processes and practices for standards setting. Use of the Standards SASB standards are intended for use in communications to investors regarding sustainability issues that are likely to impact corporate ability to create value over the long term. Use of SASB standards is voluntary. A company determines which standard(s) is relevant to the company, which disclosure topics are financially material to its business, and which associated metrics to report, taking relevant legal requirements into account1. In general, a company would use the SASB standard specific to its primary industry as identified in SICS® . However, companies with substantial business in multiple SICS® industries can consider reporting on these additional SASB industry standards. It is up to a company to determine the means by which it reports SASB information to investors. One benefit of using SASB standards may be achieving regulatory compliance in some markets. Other investor communications using SASB information could be sustainability reports, integrated reports, websites, or annual reports to shareholders. There is no guarantee that SASB standards address all financially material sustainability risks or opportunities unique to a company’s business model. Industry Description The Consumer Finance industry provides loans to consumers. The largest segment of the industry is comprised of revolving credit loans through credit card products. Additional loan services include auto, micro lending, and student loans. Some companies in the industry also provide consumer-to-consumer money transfers, money orders, prepaid debit cards, and bill payment services. Industry performance is determined by consumer spending, rates of unemployment, per capita GDP, income, and population growth. Recent shifts toward consumer protection and transparency have aligned and will continue to align the interests of society with those of long-term investors. Companies that effectively manage their social capital will therefore be better positioned to maximize their financial capital. Note: The SASB Consumer Finance (FN-CF) Standard is limited to the abovementioned consumer finance services. A separate SASB accounting standard addresses the sustainability issues for mortgage finance activities. 1 Legal Note: SASB standards are not intended to, and indeed cannot, replace any legal or regulatory requirements that may be applicable to a reporting entity’s operations. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 5 SUSTAINABILITY DISCLOSURE TOPICS & ACCOUNTING METRICS Table 1. Sustainability Disclosure Topics & Accounting Metrics UNIT OF TOPIC ACCOUNTING METRIC CATEGORY CODE MEASURE Number of account holders whose Quantitative Number FN-CF-220a.1 information is used for secondary purposes2 Customer Privacy Total amount of monetary losses as a result of Reporting legal proceedings associated with customer Quantitative FN-CF-220a.2 currency privacy3 (1) Number of data breaches, (2) percentage Number, involving personally identifiable information Quantitative FN-CF-230a.1 Percentage (%) (PII), (3) number of account holders affected4 Card-related fraud losses from (1) card-not- Data Security Reporting present fraud and (2) card-present and other Quantitative FN-CF-230a.2 currency fraud Description of approach to identifying and Discussion and n/a FN-CF-230a.3 addressing data security risks Analysis Percentage of total remuneration for covered employees that is variable and linked to the Quantitative Percentage (%) FN-CF-270a.1 amount of products and services sold5 Approval rate for (1) credit and (2) pre-paid products for applicants with FICO scores above Quantitative Percentage (%) FN-CF-270a.2 and below 6606 Reporting (1) Average fees from add-on products, (2) currency, average APR, (3) average age of accounts, (4) Percentage (%), average number of trade lines, and (5) average Quantitative Months, FN-CF-270a.3 annual fees for pre-paid products, for Number, Selling Practices customers with FICO scores above and below Reporting 660 currency (1) Number of complaints filed with the Consumer Financial Protection Bureau (CFPB), (2) percentage with monetary or non- Number, Quantitative FN-CF-270a.4 monetary relief, (3) percentage disputed by Percentage (%) consumer, (4) percentage that resulted in investigation by the CFPB Total amount of monetary losses as a result of Reporting legal proceedings associated with selling and Quantitative FN-CF-270a.5 currency servicing of products7 2 Note to FN-CF-220a.1 – The entity shall describe its policies and procedures regarding the manner in which it discloses the use of customer data for third party use to customers, including the nature of its opt-in policy. 3 Note to FN-CF-220a.2 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses. 4 Note to FN-CF-230a.1 – Disclosure shall include a description of corrective actions implemented in response to data breaches. 5 Note to FN-CF-270a.1 – The entity shall describe remuneration policies for covered employees, including the link to products sold, the process for setting sale targets, and benefits/penalties associated with meeting/missing the targets. 6 Note to FN-CF-270a.2 – The entity shall discuss its strategy for minimizing the number of past due and nonaccrual loans in its portfolio. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 6 Table 2. Activity Metrics UNIT OF ACTIVITY METRIC CATEGORY CODE MEASURE Number of unique consumers with an active (1) credit card Quantitative Number FN-CF-000.A account and (2) pre-paid debit card account8 Number of (1) credit card accounts and (2) pre-paid debit card Quantitative Number FN-CF-000.B accounts 7 Note to FN-CF-270a.5 – The entity shall briefly describe the nature, context, and any corrective actions taken as a result of the monetary losses. 8 Note to FN-CF-000.A – For joint accounts, the entity shall include the number of customers whose personally identifiable information (PII) it collects. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 7 Customer Privacy Topic Summary Consumer finance companies face risks and opportunities associated with their internal use of data supplied by customers for activities that are not the primary purpose for which the data were collected (for example, for use in targeted advertising and/or transfer to third parties). Ensuring the privacy of personally identifiable information (PII) and other data of account holders is an essential responsibility of companies in the Consumer Finance industry. To assess performance on this issue, investors would benefit from disclosure from companies on the number of account holders whose information is used for secondary purposes, and their policies and procedures around using such information, including the nature of their opt-in policies. Combined with information on legal or regulatory actions taken against the companies that are related to customer protection and privacy, such disclosure would be decision-useful to investors. Consumer finance companies that fail to manage performance in this area are susceptible to decreased revenues as a result of lost consumer confidence and churn, as well as to financial impacts stemming from legal exposures. Accounting Metrics FN-CF-220a.1. Number of account holders whose information is used for secondary purposes 1 The entity shall disclose the number of unique account holders whose information is used for secondary purposes. 1.1 Account holder information includes information that pertains to an account holder‘s attributes or actions, including, but not limited to, account statements, transaction records, records of communications, content of communications, demographic data, behavioral data, location data, and/or personally identifiable information (PII). 1.1.1 Demographic data are defined as the quantifiable statistics that identify and distinguish a given population. Examples of demographic data include gender, age, race/ethnicity, knowledge of languages, disabilities, mobility, home ownership, and employment status. 1.1.2 Behavioral data are defined as the product of tracking, measuring, and recording individual behaviors such as online browsing patterns, buying habits, brand preferences, and product usage patterns. 1.1.3 Location data are defined as data describing the physical location or movement patterns of an individual, such as Global Positioning System (GPS) coordinates or other related data that would enable identifying and tracking an individual‘s physical location. 1.1.4 PII is defined as any information about an individual that is maintained by an entity, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 8 any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information. 1.2 Secondary purpose is defined as the intentional use of data by the entity (i.e., not a breach of security) that is outside the primary purpose for which the data was collected. Examples of secondary purposes include, but are not limited to, selling targeted ads, improving the entity’s products or service offerings, and transferring data or information to a third-party through sale, rental, or sharing. 1.3 Accounts that the entity cannot verify as belonging to the same individual shall be disclosed separately. 2 The scope of disclosure shall include the account holders whose information is used by the entity itself for secondary purposes as well as the account holders whose information is provided to affiliates or non-affiliates and may be used by those parties for secondary purposes. 2.1 Affiliate is defined as a third party that directly or indirectly controls, is controlled by, or is under common control with the entity. 2.2 Non-affiliates are all third parties other than the entity and its affiliates. Note to FN-CF-220a.1 1 The entity shall describe its policies and procedures regarding the manner in which it discloses the use of account holders’ information for secondary purposes to account holders, including the nature of its opt-in policy. 1.1 Opt-in is defined as express affirmative consent required to use or share content. 2 The scope of disclosure shall include: 2.1 The manner in which account holder consent is generally received with respect to the use of the account holder’s information for secondary purposes. 2.1.1 The entity shall describe whether the consent is explicit, freely given, specific, informed, and/or unambiguous. 2.2 The extent to which the information was disclosed to account holders regarding the use of the account holders’ information for secondary purposes. This includes whether and how account holders are informed about the specific data the entity intends to use for secondary purposes, the parties that have access to the data, and the manner in which the data may be used. 3 The entity shall describe the regulatory environment related to account holder privacy in which it operates, including, but not limited to, evolving regulations and risks related to regulatory compliance. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 9 3.1 Description may include, but is not limited to, customer privacy policies and procedures that the entity adopted as a result of regulatory compliance as well as policies and procedures that the entity adopted voluntarily as industry best practice. FN-CF-220a.2. Total amount of monetary losses as a result of legal proceedings associated with customer privacy 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with incidents relating to customer privacy. 2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise. 3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). 4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense. 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: 5.1 The U.S. Federal Trade Commission’s Privacy and Gramm-Leach-Bliley Acts 5.2 The U.S. Federal Reserve Board’s Regulation P 5.3 The EU’s General Data Protection Regulation 5.4 Japan’s Personal Information Protection Act 5.5 Hong Kong’s Personal Data (Privacy) Ordinance 5.6 Australia’s Privacy Act Note to FN-CF-220a.2 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, or non-prosecution agreement) and context (e.g., fraud, disclosure to clients, or employee compensation) of all monetary losses as a result of legal proceedings. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 10 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 11 Data Security Topic Summary Companies in the Consumer Finance industry face risks and opportunities associated with how they manage the safety of data supplied to them by customers, in the context of external threats. Ensuring the security of customers’ PII is an essential responsibility of companies in the Consumer Finance industry. To assess performance on this issue, analysts would benefit from disclosure on efforts related to safeguarding data against emerging and continuously evolving cybersecurity threats and technologies, actual security breaches compromising customers’ personally identifiable information (PII), and credit and debit card fraud. Companies that fail to manage performance in this area are susceptible to decreased revenues as a result of decreased consumer confidence and churn. Furthermore, instances of data breaches may expose companies to costly and lengthy litigations and potential monetary losses. Accounting Metrics FN-CF-230a.1. (1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of account holders affected 1 The entity shall calculate and disclose (1) the total number of data breaches identified during the reporting period. 1.1 Data breach is defined as the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information. This definition is derived from the U.S. National Initiative for Cybersecurity Careers and Studies (NICCS) glossary. 1.2 The scope of disclosure is limited to data breaches that resulted in a deviation from the entity’s expected outcomes for confidentiality and/or integrity. 2 The entity shall disclose (2) the percentage of data breaches in which personally identifiable information (PII) was subject to the data breach. 2.1 PII is defined as any information about an individual that is maintained by an entity, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. This definition is derived from the U.S. Government Accountability Office’s Report to Congressional Requesters, Alternatives Exist for Enhancing Protection of Personally Identifiable Information. 2.2 The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 12 2.2.1 Encryption is defined as the process of transforming plaintext into ciphertext. This definition is derived from the NICCS glossary. 2.3 The scope of disclosure is limited to breaches in which account holders were notified of the breach, either as required by law or voluntarily by the entity. 3 The entity shall disclose (3) the total number of unique account holders who were affected by data breaches, which includes all those whose personal data was compromised in a data breach. 3.1 Accounts that the entity cannot verify as belonging to the same account holder shall be disclosed separately. 4 The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation. Note to FN-CF-230a.1 1 The entity shall describe the corrective actions taken in response to data breaches, such as changes in operations, management, processes, products, business partners, training, or technology. 1.1 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide further guidance on disclosures on the corrective actions taken in response to data breaches. 2 All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself will not compromise the entity’s ability to maintain data privacy and security. 3 The entity may disclose its policy for disclosing data breaches to affected account holders in a timely manner. FN-CF-230a.2. Card-related fraud losses from (1) card-not-present fraud and (2) card-present and other fraud 1 The entity shall disclose the amount of card-related fraud losses it incurred during the reporting period. 2 The entity shall disclose card-related fraud losses as (1) card-not-present (CNP) and (2) card-present and other fraud losses. 2.1 CNP fraud is characterized by the unauthorized use of a credit card number, the security code printed on the card, and/or the cardholder's address details for a transaction in a non-face-to-face setting with a merchant. CNP fraud includes that which is conducted online, through mail, or over the phone. 2.2 Card-present fraud is characterized by the unauthorized use of a physical credit card for a transaction in a face-to-face setting with a merchant. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 13 2.3 “Other fraud" includes identify theft and any fraudulent transaction that cannot be classified as CNP fraud. 3 The entity shall calculate card-related fraud losses as the total value of account holder transactions refunded to account holders (card holders) due to fraud. 4 The scope shall include losses from the unauthorized use of revolving consumer credit, debit, and pre-paid debit cards, including instances of card-present fraud and instances of CNP fraud, where the entity is liable for losses (e.g., such as when a merchant is using a chargeback protection service). 5 The scope shall also include transactions determined to be fraudulent that the entity charged back to merchants (and/or their acquiring banks), including those related to CNP fraudulent activity. FN-CF-230a.3. Description of approach to identifying and addressing data security risks 1 The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk. 1.1 Vulnerability is defined as a weakness in an information system, system security procedures, internal controls, and/or implementation that could be exploited. 1.2 Data security risk is defined as any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or nations through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. 2 The entity shall describe its approach to addressing data security risks and vulnerabilities it has identified, including, but not limited to, operational procedures, management processes, structure of products, selection of business partners, employee training, and use of technology. 3 The entity shall discuss trends it has observed in type, frequency, and origination of attacks to its data security and information systems. 4 The entity shall describe its policies and procedures for disclosing the events of breaches to its customers in a timely manner. 5 The entity‘s disclosure shall include a discussion of data and system security efforts that relate to new and emerging cyber threats and attack vectors facing the financial services industry. 5.1 Emerging cyber threats include, but are not limited to, cyber threats arising from the use of near-field communication payment systems, mobile banking, and web-based banking. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 14 5.2 Attack vectors include, but are not limited to, ransomware, loan stacking schemes, money mule schemes, and Remote Access Attacks. 6 The entity shall describe the regulatory environment in which it operates related to data security. 6.1 Discussion shall include, but is not limited to, data security policies and procedures that the entity adopted as a result of regulatory compliance efforts or voluntarily as an industry best practice. 7 The entity shall describe the degree to which its approach is aligned with an external standard or framework and/or legal or regulatory framework for managing data security, such as: 7.1 ISO/IEC 27001:2013—Information technology—Security techniques—Information security management systems—Requirements 7.2 Framework for Improving Critical Infrastructure Cybersecurity , Version 1.1, April 16, 2018, National Institute of Standards and Technology (NIST) 7.3 The New York State Department of Financial Services 23 NYCRR 500, “Cybersecurity Requirements for Financial Services Companies” 7.4 The Office of the Comptroller of the Currency (OCC) Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” October 30, 2013 8 The U.S. SEC’s Commission Statement and Guidance on Public Company Cybersecurity Disclosures may provide further guidance on disclosures on the entity’s approach to addressing data security risks and vulnerabilities. 9 All disclosure shall be sufficient such that it is specific to the risks the entity faces, but disclosure itself would not compromise the entity‘s ability to maintain data privacy and security. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 15 Selling Practices Topic Summary There are three key elements within the Selling Practices topic, performance of which can materially impact company operations and financial condition. First, company policies related to the structure of compensation and/or other incentives may unintentionally create the risk of selling products and services that are not in the best interest of clients. Secondly, a failure to provide transparent information to customers about primary and add-on products can increase the risk of being charged with using deceptive practices. And finally, depending on the characteristics of the portfolio of products sold, poor performance on the first two elements could result in a high concentration of risky products held by customers. Consumer finance companies are likely to continue to face increased scrutiny in the wake of high-profile incidents as regulators attempt to ensure transparency and enhanced disclosure. The disclosure of key characteristics of a lending portfolio, including average fees from add-on products, average age of accounts, average APR, average number of trade lines, and average annual fees for pre-paid transaction products will allow shareholders to determine which consumer finance companies are better positioned to protect long-term value rather than relying on short-term revenue generation practices. Ability to provide consumer finance products that are in the best interest of customers can help companies in the industry not only minimize risk exposure in the existent portfolio of products, but also build trust with new and existent customers, and expand their market share ensuring sustainable revenue growth. Accounting Metrics FN-CF-270a.1. Percentage of total remuneration for covered employees that is variable and linked to the amount of products and services sold 1 The entity shall disclose the percentage of total remuneration of its covered employees accrued during the reporting period that is variable. 1.1 Variable remuneration is defined as all remuneration which is not fixed. 1.2 Remuneration is fixed where all the conditions for its award and its amount: 1.2.1 Are based on predetermined criteria are non-discretionary reflecting the level of professional experience and seniority of staff; 1.2.2 Are transparent with respect to the individual amount awarded to the individual staff member; 1.2.3 Are permanent, i.e., maintained over a period tied to the specific role and organizational responsibilities; 1.2.4 Are non-revocable, i.e., the permanent amount is only changed via collective bargaining or following renegotiation in line with national criteria on wage setting; SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 16 1.2.5 Cannot be reduced, suspended, or canceled by the institution; 1.2.6 Do not provide incentives for risk assumption; and 1.2.7 Do not depend on performance. 1.3 Covered employees are defined as individuals employed by the entity that are engaged in the activities of directly selling products or services to customers or potential customers. 1.3.1 For the U.S. workforce, covered employees include those categorized by the entity in accordance with the Equal Employment Opportunity Commission’s Employer Information EEO-1 report (EEO-1 Survey) Instruction Booklet as: (1) Sales Workers and (2) First/Mid Offs & Mgrs. – Sales Managers. 1.3.2 For the non-U.S. workforce, covered employees include those categorized by the entity into categories equivalent to (1) Sales Workers and (2) First/Mid Offs & Mgrs. – Sales Managers, though in accordance with, and further facilitated by, any applicable local regulations, guidance, or generally accepted definitions. 2 The entity shall calculate the percentage by dividing the aggregate amount of the variable remuneration linked to the amount of products and services sold of the entity’s covered employees by the aggregate amount of the total remuneration of the entity’s covered employees. Note to FN-CF-270a.1 1 The disclosure shall include a discussion on how remuneration of covered employees relates to the terms and conditions of the products and services, such as interest rates, up-front points, or fees. 2 The entity shall discuss how performance targets are set and what monetary and non-monetary benefits or penalties are present for meeting or missing these targets. 3 The discussion shall include, but not be limited to: 3.1 The regulatory environment in which the entity operates regarding employee remuneration and whether it is required to have certain remuneration policies in place; the entity shall discuss whether its remuneration policies are the result of regulatory requirements or are adopted voluntarily as the industry best practice 3.2 The performance objectives for the institution, business areas, and staff 3.3 The methods for the measurement of performance, including the performance criteria 3.4 The structure of variable remuneration, including (where applicable) the instruments in which parts of the variable remuneration are awarded SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 17 FN-CF-270a.2. Approval rate for (1) credit and (2) pre-paid products for applicants with FICO scores above and below 660 1 The entity shall disclose the approval rate for its (1) credit and (2) pre-paid products for all applicants, each broken down by FICO scores below or equal to 660, and above 660. 1.1 Pre-paid products include pre-paid accounts and cards, excluding checking accounts, share draft accounts, or negotiable order of withdrawal (NOW) accounts. 2 The entity shall calculate the approval rate as the total number of applications approved from applicants in the FICO category divided by the total number of applications received from applicants in the FICO category. 3 The scope of disclosure includes applications the entity approved or denied during the reporting period, regardless of when the application was received. 4 The entity may summarize the disclosure in the following table: APPROVAL RATE FOR CUSTOMERS APPROVAL RATE FOR CUSTOMERS WITH FICO ≤ 660 WITH FICO > 660 Credit products Pre-paid products Note to FN-CF-270a.2 1 The entity shall discuss its short- and long-term strategy around managing performance of its portfolio of credit and pre-paid products. 1.1 Discussion shall include, but be not limited to, the entity’s strategy for minimizing the number of past due and nonaccrual loans in its portfolio. FN-CF-270a.3. (1) Average fees from add-on products, (2) average APR, (3) average age of accounts, (4) average number of trade lines, and (5) average annual fees for pre-paid products, for customers with FICO scores above and below 660 1 The entity shall disclose (1) the average fees from add-on products for all customers, broken down by FICO scores below or equal to 660, and above 660. 1.1 Add-on products include, but are not limited to, debt protection, identity theft protection, credit score tracking, and other products that are supplementary to the credit provided by the card itself and are offered at additional cost to consumers. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 18 1.2 The entity shall calculate the average fees from add-on products as the total amount of revenue generated from add-on products from customers in the FICO category divided by the total number of the entity’s customers in each respective FICO category. 2 The entity shall disclose (2) the average Annual Percentage Rate (APR) for all customers, broken down by FICO scores below or equal to 660, and above 660. 2.1 The entity shall calculate the average APR for all accounts assessed interest during the reporting period as the annualized ratio of total finance charges to the total average daily balances, against which the finance charges were assessed (excluding accounts for which no finance charges were assessed). 2.1.1 Definitions of finance charge and detailed calculation of APR are aligned with those in the Regulation Z of the Truth in Lending Act. 3 The entity shall disclose (3) average age of accounts in months for all customers, broken down by FICO scores below or equal to 660, and above 660. 3.1 The entity shall calculate the average age of accounts (in months) from the date that each active account was opened until the close of the reporting period. 4 The entity shall disclose (4) the average number of trade lines for all customers, broken down by FICO scores below or equal to 660, and above 660. 4.1 The entity shall calculate the average number of trade lines per customer as the total number of trade lines held by customers in each FICO category divided by the total number of customers in the respective FICO category. 5 The entity shall disclose (5) the average annual fees for pre-paid products for all customers, broken down by FICO scores below or equal to 660, and above 660. 5.1 Pre-paid products include pre-paid accounts and cards, excluding checking accounts, share draft accounts, or negotiable order of withdrawal (NOW) accounts. 5.2 The entity shall calculate the average annual fees for pre-paid products as the total amount of revenue generated from pre-paid products from customers in the FICO category divided by the total number of the entity’s customers in the FICO category. 6 The entity may summarize the disclosure in the following table: CUSTOMERS WITH FICO ≤ 660 CUSTOMERS WITH FICO > 660 Average fees from add-on products SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 19 CUSTOMERS WITH FICO ≤ 660 CUSTOMERS WITH FICO > 660 Average APR Average age of accounts Average number of trade lines Average annual fees for pre-paid products FN-CF-270a.4. (1) Number of complaints filed with the Consumer Financial Protection Bureau (CFPB), (2) percentage with monetary or non-monetary relief, (3) percentage disputed by consumer, (4) percentage that resulted in investigation by the CFPB 1 The entity shall disclose (1) the total number of complaints filed with the Consumer Financial Protection Bureau (CFPB) during the reporting period where the entity was a defendant in the complaint. 1.1 The scope of disclosure includes complaints filed through the CFPB’s Consumer Complaint Database. 2 The entity shall disclose (2) the percentage of complaints filed with the CFPB that resulted in monetary or non- monetary relief. 2.1 Monetary relief and non-monetary relief are as disclosed by the CFPB. 2.2 The scope of disclosure includes complaints filed during the reporting period. 3 The entity shall disclose (3) the percentage of complaints filed with the CFPB that were disputed by consumers. 3.1 Complaints disputed by consumers are as disclosed by the CFPB. 3.2 The scope of disclosure includes complaints filed during the reporting period. 4 The entity shall disclose (4) the percentage of complaints filed with the CFPB that resulted in investigation by the CFPB. 4.1 Complaints resulted in investigation by CFPB are as disclosed by the CFPB. 4.2 The scope of disclosure includes complaints filed during the reporting period. 5 The scope of disclosure shall include the complaints filed regarding the following product categories specified by the CFPB: SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 20 5.1 Credit Card or Prepaid Card 5.2 Student Loan Private 5.3 Vehicle Loan or Lease 5.4 Payday Loan, Title Loan, or Personal Loan 5.5 Money Transfer, Virtual Currency, or Money Service 6 The scope of disclosure shall include, but is not limited to, the following issues specified by the CFPB: 6.1 Selling Practices 6.2 Transparent Information 6.3 Adverting and Marketing 6.4 Fees and Interest 6.5 Add-on Products 6.6 Servicing the Account 6.7 Application Process 6.8 Closing the Account 7 The entity may provide breakdown by type of product, issue, and company response type referencing the CFPB data. FN-CF-270a.5. Total amount of monetary losses as a result of legal proceedings associated with selling and servicing of products 1 The entity shall disclose the total amount of monetary losses it incurred during the reporting period as a result of legal proceedings associated with selling and servicing of products. 2 The legal proceedings shall include any adjudicative proceeding in which the entity was involved, whether before a court, a regulator, an arbitrator, or otherwise. 3 The losses shall include all monetary liabilities to the opposing party or to others (whether as the result of settlement or verdict after trial or otherwise), including fines and other monetary liabilities incurred during the reporting period as a result of civil actions (e.g., civil judgments or settlements), regulatory proceedings (e.g., penalties, disgorgement, or restitution), and criminal actions (e.g., criminal judgment, penalties, or restitution) brought by any entity (e.g., governmental, business, or individual). SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 21 4 The scope of monetary losses shall exclude legal and other fees and expenses incurred by the entity in its defense. 5 The scope of disclosure shall include, but is not limited to, legal proceedings associated with the enforcement of relevant industry regulations promulgated by regional, national, state, and local regulatory authorities, such as: 5.1 The U.S. Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act) 5.2 The U.S. Fair Credit Reporting Act (FCRA) 5.3 The U.S. Equal Credit Opportunity Act (ECOA) 5.4 The U.S. Regulation Z - Truth in Lending Act (TILA) 5.5 The U.S. Unfair, Deceptive and Abusive Acts and Practices (UDAAP) 5.6 The U.S. Service members Civil Relief Act (SCRA) 5.7 The U.S. Telephone Consumer Protection Act (TCPA) 5.8 The EU Payment Services Directive 5.9 The EU Directive on Consumer Rights Note to FN-CF-270a.5 1 The entity shall briefly describe the nature (e.g., judgment or order issued after trial, settlement, guilty plea, deferred prosecution agreement, or non-prosecution agreement) and context (e.g., fraud, disclosure to clients, or employee compensation) of all monetary losses as a result of legal proceedings. 2 The entity shall describe any corrective actions it has implemented as a result of the legal proceedings. This may include, but is not limited to, specific changes in operations, management, processes, products, business partners, training, or technology. SUSTAINABILITY ACCOUNTING STANDARD | CONSUMER FINANCE | 22 SUSTAINABILITY ACCOUNTING STANDARDS BOARD 1045 Sansome Street, Suite 450 San Francisco, CA 94111 415.830.9220 info@sasb.org sasb.org