AuditOne LLC Q3 Compliance Advisory

AuditOne Advisory

From Bud Genovese, Chairman

Our firm’s Compliance Practice Director has written a timely Q3 Compliance Advisory. This issue covers Mobile Banking, an increasingly core banking feature that is changing the way financial institutions do business with customers every day. Notable Regulatory Enactments & News, changes On The Horizon, and Recent Enforcement Actions have also been included for your awareness. I hope you enjoy it, and please feel free to forward to other appropriate people in your financial institution. And remember, when you need up-to-date, industry-recognized risk management expertise for internal audit, credit review, and certified technology services, contact the best in the business… AuditOne. Thank you, –Bud


In layman’s terms, Mobile Banking is any type of banking or financial service that is provided through mobile devices such as phones, laptops and other wearables/mobile technology.  Mobile Banking features are now being used for everyday banking functions including account balances, transfers, deposits, wires, and bill payments.

The overall benefit?  Higher customer engagement and profitability are the more common benefits circulating to date:

  • “Our data shows customers who adopt mobile banking increase their balances on deposit, decrease their attrition and see their overall profitability rise very clearly. Compared over time to other customers who had identical profiles but did not go mobile when they did, they become more profitable.” Andres Wolberg-Stok, Global Mobile and Tablet Banking Director, Citi Consumer Banking; American Banker – Bank Technology
  • “The high levels of engagement engendered by digital banking translated into improved financial outcomes for banks, with online and mobile consumers proving 61% more profitable than offline customers, says Intuit.”  FinExtra
  • “For financial institutions, mobile banking creates efficiencies, cost savings, drives customer loyalty, engages new segments and offers real-time solutions. For consumers, mobile banking offers a consistent experience, improved speed of information and empowerment.” Nielsen

For financial institutions that may be contemplating the integration of Mobile Banking into existing operations, we recommend a formal integration effort. Ideally, the effort should include a Project Manager, Project Sponsor, and detailed Project Plan – with a cross of Technology, Operational, and Compliance resources to ensure both a seamless customer experience and compliance with applicable regulatory guidance.   Key processes and functionality to consider follow:

  1. Features
    • Deposits (Validation checks to prevent duplicate deposits; Email receipts with check images; transaction limits; immediate availability of funds; ability to take photo & deposit check)
    • Payments (Instant payment capability positions using Venmo/Paypal)
    • Collections (Accessing contacts on phone to add Payee)
    • Transaction limits
  2. Agreements/Terms & Conditions (including E Banking capabilities such as Security, E-Sign, Consent to access features on user’s phone, device shut off if lost/stolen, and Privacy)
  3. Authentication (device fingerprint/ user name & password for login)
  4. Account Opening forms/disclosures
  5. Information Security/Privacy (Data Sharing/Storage, Malware detection, Shared devices, Turn Off  capability if lost/stolen)
  6. Functionality (Chat, SMS, Biometrics, Push notifications)
  7. Marketing/Advertising
  8. Monitoring (returned emails)

While technology is attractive, it is of course not without regulation.  Below is a list of applicable guidance that should be considered when implementing Mobile Banking capabilities:

  • FFIEC – Internet Banking Authentication (2005 & 2011 supplement); Mobile Financial Services Risk Management (IT Exam Handbook, Appendix E, issued April 2016)
  • CFPB – Tips to Consumers when Using Mobile Devices (June 2013)
  • CFPB – Inquiry into Mobile Financial Services (RFI issued June 2014,
    Comments submitted Sept. 2014)
  • Telephone Consumer Protection Act requirements/FCC – TCPA Declaratory
    Ruling (July 2015)
  • Remittance Transfer Rule – provisions about disclosures made on a mobile
    device (See Regulation E §1005.31)
  • BSA/AML Implications (use of geo-location services to monitor for
    suspicious activity)/OFAC risks
  • NACHA Rules for Payment to Payment systems (P2P)
  • Americans With Disabilities Act (ADA): Department of Justice expects websites and mobile applications to be accessible to users with disabilities and will enforce compliance. DOJ Rules expected in 2017-2018; DOJ issued Supplemental Advanced Notice of Proposed Rule Making in May 2016
  • Web Content Accessibility Guidelines 2.0 (WCAG 2.0)
  • Web accessibility standards for federal government agencies (Section 508
    of the Rehabilitation Act)
  • FTC — .com Disclosures (Updated March 2013)
  • FTC – Mobile Privacy Disclosures (Feb. 2013)
  • CA Attorney General – Privacy on the Go (Jan. 2013)
  • Regulation Z – specific font size requirements for open end credit
    disclosures (Regulation Z §1026.6(b)(2)(i))
  • State Laws on Biometrics
  • Consumer concerns (NCLC Paper March 2016)
  • Privacy/GLBA
  • DOJ Rules – website and mobile accessibility (expected 2017-2018)

We recommend that clients consult legal counsel, as appropriate, for forms, disclosures and other areas with potential legal impact.


Military Lending ActThe Department of Defense (DOD) issued a final rule (amending the implementing regulations of the Military Lending Act of 2006 (MLA)) that “expands specific protections provided to service members and their families, and addresses a wider range of credit products than the DOD’s previous regulation.  The Final Rule extended MLA protections to much a wider range of credit products, including credit cards; modified the MAPR to include fees for credit-related ancillary products sold in connection with the credit transaction, finance charges associated with consumer credit, and certain application and participation fees. Also, for credit cards, the MAPR excludes certain fees if bona fide and reasonable; provided a safe harbor for creditors ascertaining whether a consumer is covered by the final rule’s protections; modified the existing prohibition on rolling over, renewing or refinancing consumer credit; and subjects creditors to civil liability and administrative enforcement for MLA violations. There are three primary differences between the MLA and the SCRA:


1)The MLA excludes loans secured by real estate and purchase-money loans, including a loan to finance the purchase of a vehicle.

2)The MLA  limits interest rates and fees to 36 percent MAPR (Military Annual Percentage Rate) whereas the  SCRA caps interest rate charges, including late fees and other transaction fees, at 6 percent.

3)The SCRA requires that disclosures be provided by mortgage servicers on mortgages at 45 days of delinquency. This disclosure must be provided in written format only whereas MLA requires the following disclosures both orally and in a written format the borrower can keep :

  • MAPR statement
  • Payment obligation descriptions
  • Other applicable Regulation Z disclosures.

FDIC-supervised institutions and other creditors were required to comply with the rule for new covered transactions beginning October 3, 2016. This includes compliance with Defense Department rule requiring independent determination of whether a consumer is a covered military member or a dependent of a military member effective October 3, 2016. A link to the issuance follows:


BSA/AML: Beneficial OwnershipFinCEN’s final rules under the Bank Secrecy Act requiring enhanced due diligence for identifying beneficial owners of legal entity customers becomes effective July 11, 2016.  The guidance is over 60 pages.  There will essentially be three new requirements that translate into an extension of our current CDD review.  Those requirements pertain to:


  1. How beneficial owners are identified and verified,
  2. How the nature and purpose of the customer relationship is ascertained; and,
  3. Ongoing monitoring to report any related suspicious transactions and maintain current customer risk profiles.

Covered financial institutions are required to comply in May 11, 2018.  A link to the issuance follows:


New Loan Application

Fannie Mae and Freddie Mac redesigned the Uniform Residential Loan Application in part as a result of new required data fields as a result of recently implemented HMDA requirements. A “Demographic Information Addendum” was also created to replace Section X of the existing URLA for use by institutions that are not prepared to use the new URLA on January 1, 2018.  On the current URLA, Section X will need to be crossed-out or otherwise deleted.  For forms and more information, visit the following webpage:

Lenders are not required to use the form until January 1, 2018 but have the option of using it earlier if preferred.


CRA Interagency Q&AThe OCC, FRB & FDIC (the Agencies) issued revised Interagency Questions and Answers Regarding Community Reinvestment Act.   The new guidance was issued to clarify 9 of the 10 proposed questions and answers (Q&A), revise four existing Q&As and adopt two new Q&As. Technical corrections were also made.  The changes became effective July 25, 2016. A link to the issuance follows:



HMDA Warning LettersOn October 27, 2016, the CFPB announced that it is issuing warning letters to 44 mortgage lenders and mortgage brokers stating that it “has information that appears to show that your company may not be in compliance with certain provisions of the Home Mortgage Disclosure Act (HMDA) and its implementing regulation, Regulation C.”:



CybersecurityOn October 25, 2016 FINCEN issued an Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime as a result of increased cyber-events and cyber-enabled crime. The advisory covers Reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs); Including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs; Collaborating between BSA/Anti-Money Laundering (AML) units and in-house cybersecurity units to identify suspicious activity; and Sharing information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime. A link to the issuance follows:
Regulation Z The FDIC has updated its technical assistance videos on the Ability-to-Repay and Qualified Mortgages (ATR/QM) Rule. A link to the issuance follows:



The CFPB is looking to amend TRID by April 2017.  The comment period ended October 18, 2016. Desired amendments follow:


  • Create a tolerance for the Total of Payments calculation to reduce exposure to extended rescission periods or private liability for minor inaccuracies in the Total of Payments.
  • Clarification on TRID applicability to construction loans leveraging a webinar provided by CFPB staff on March 1, 2016.
  • Technical fixes and clarifications to the Cash to Close and Projected Payments tables, escrow account disclosures, rounding provisions, and various other technical provisions.
  • Amend the scope of the TRID rule to clarify that it covers loans secured by cooperative units, regardless of whether the cooperative is treated as real property under State law.
  • Clarify how a creditor may provide separate Closing Disclosures to the consumer and the seller to address privacy issues.
  • Expand the exemption for down payment assistance and similar subordinate lien loans often made by housing finance agencies, non-profits, and similar entities.

Insurance Rules

As a result of the response to the initial request for comment, five federal regulatory agencies issued a second request for comment on the joint notice of proposed rulemaking to implement provisions of the Biggert-Waters Flood Insurance Reform Act (Biggert-Waters Act). The proposed rules includes provisions and establishes certain criteria surrounding the private flood insurance policies.   We encourage participation in this comment process as it will have a direct impact on existing loan closing related processes associated with flood insurance.



Servicing Rule

CFPB published the final Mortgage Servicing Rule on October 19, 2016.  The rule will go into effect October 19, 2017; the only exception is for the successor in interest and bankruptcy periodic statements provisions, which take effect April 19, 2018.  In summary, the new rule requires servicers to provide certain borrowers with foreclosure protections more than once over the life of the loan, clarifies borrower protections when the servicing of a loan is transferred and provides loan information to borrowers in bankruptcy.




Mega Bank – $180 million fine for various BSA violations.  Mega Bank is based in Taiwan.  Its New York foreign branch received a hefty fine for a series of purported AML violations.  If history serves itself, NY’s fine will likely prompt other regulatory bodies to apply more focus on this area during their reviews.  The citings are very strongly worded, and touch upon nearly every aspect of the end to end BSA control process.  There are also specific transactions that examiners connect to likely money laundering based on external legal and industry factors considered at the time. A link to the regulatory action follows for reference:

Wells Fargo: Hundreds of thousands of accounts secretly created by Wells Fargo Bank employees leads to $185 million CFPB fine.  A link to the regulatory action follows for reference:

Santandar Bank: CFPB orders the Bank to pay $10 million for illegal overdraft practices. A link to the regulatory action follows for reference:


A Guide to Incorporating Cybersecurity into Your Bank’s Information Security Program

By Kevin Tsuei, CISA, CISSP, AuditOne, LLC

A recent FIS 2016 Risk Practices Survey finds that 77% of bank executives and board members cited cybersecurity as their top concern. In accordance with this, various interagency guidance items have been released since last summer, including the Cybersecurity Assessment Tool (CAT), revision of the FFIEC IT handbooks, and other regulatory communications. In general, we have observed that financial institution managers have been trying to not only complete the Assessment but also to implement a wide range of action plans. While regulators have stated that the CAT will not be used as part of their examination procedures, they do expect institutions to go through the exercise of assessing their cybersecurity risks. This article aims to provide institutions with questions that are often asked by our clients:

What are regulators currently looking for as evidence of preparedness for cybersecurity risks?

As with all risk management processes, it always starts with a risk assessment; as such, management is expected to update its IT/IS risk assessment based on the current threat landscape, including ransomware, a current hot topic. In addition, ensure all critical systems are covered, such as SWIFT and FedLine which have been in the news due to the Bangladesh Central Bank heist. While regulators do not expect community banks to have a separate Cybersecurity Policy, they do expect banks to incorporate cybersecurity elements into the Information Security Program. We will cover some of the key elements below.

A few of our clients have created a separate Cybersecurity Committee, in addition to the IT Steering Committee. While we do not discourage this practice, most community banks simply do not possess the resources to do this. A separate committee would require a separate charter that details membership, responsibility, authority, and meeting frequency.  We do, however, recommend ensuring that the IT Steering Committee goes over cybersecurity topics such as highly visible cyber-events or regulatory alerts. In addition, if the institution has performed the voluntary FFIEC CAT, the results should be provided and discussed (e.g., any control weaknesses, plans to mitigate those weaknesses).

We also suggest that IT/IS training should incorporate cybersecurity topics. Many resources are available, including FFIEC’s own cybersecurity webpage: Having staff attuned to these risks can be a valuable first line of defense. One of our clients recently told us that they had found that one of the keys in getting the message across is to demonstrate how cybersecurity events can affect employees’ personal lives.

Another recommendation is to review the bank’s insurance for clauses covering employee fidelity, IT equipment and facilities, media reconstruction, extra expenses (including backup site expenses), E-banking activities, business interruption, valuable papers and records, errors and omissions, items in transit, and other possible risks.

If the bank relies heavily on its IT service provider, ensure the Information Security Officer (ISO) understands the pertinent cybersecurity risks (e.g., not being able to perform the CAT). In addition, ensure that the ISO has the appropriate authority to carry out responsibilities and that there are no conflicts of interest in his or her ability to make decisions in line with the bank’s risk appetite. Further, management should review the composition of the Incident Response team. Generally, it should include representation from senior executives, legal, public relations, information technology, and individuals responsible for liquidity and reputation risk, vendor management, fraud detection, and customer inquiries or complaints.

How do I manage my vendor and technology service provider risk as it relates to cybersecurity?

We recommend ensuring that the incident response plan testing using simulated security incidents/scenarios (such as ransomware) is conducted periodically as part of ongoing risk assessment and training for Incident Response Team members. Testing should incorporate third-party service providers for their cyber-resiliency. This allows management to test the Incident Response Plan and ensure that it corresponds with applicable disaster recovery plans. Regulators suggest that management have disaster recovery (DR) procedures to allow up to 72 hours without the core processing system. They have noted that most core processors have a service level agreement (SLA) of 72 hours’ downtime.

To understand your vendors’ cybersecurity threat intelligence and resilience (applicable to core processing and IT), we recommend that management verify for all key vendors the cybersecurity controls listed in this article (i.e., incident response testing, cybersecurity policies, threat intelligence and collaboration program, etc.).

What exactly is a Threat Intelligence and Collaboration Program, and how do I implement one?

Threat Intelligence and Collaboration Programs have been mentioned in several interagency guidance statements published in the last year or so.  Such programs are a relatively new control for community banks and generally have four main components: threat intelligence sources, who performs the monitoring and analysis, what is the response/mitigation plan, and information sharing. There are various sources for gathering threat intelligence. For example, external threat intelligence might include software vulnerability alerts from US-CERT and FS-ISAC red alerts. Internal threat intelligence might include information gathering from security monitoring, vulnerability assessment, and anomalies recognized once a baseline activity is established.

We have built a sample table below to demonstrate what a Threat Intelligence and Collaboration Program might look like for a community bank. Although the program might be more extensive depending on the size and complexity of the institution.




Monitor and analysis performed by



Response/Mitigation Plan



Information Sharing






IT personnel



Windows vulnerabilities: Contact patch management team for remediation



Third party software vulnerabilities: Patch performed by IT personnel


Other vulnerabilities: Contact security team for remediation


Quarterly IT/IS/Cybersecurity meeting



Quarterly Vulnerability Assessment



Management and IT personnel



Contact patch management and security team for remediation plan



Quarterly IT/IS/Cybersecurity meeting



Incident of suspected and actual breach



Management and IT personnel



Please refer to incident response plan



Please refer to incident response plan



Management can further customize their own program to include other actionable tasks to mitigate threats such as bank-wide alerts and training. We always recommend documenting these actionable items for both regulators and the Board of Directors to review.

We hope that this article is helpful to you in responding to rising regulatory expectations in this area. It will take time with continuous training, with regular communication and with experience gained from a range of security breach headlines for a cybersecurity culture to be well engrained.

Published in Western Independent Bankers Association’s Technology & Security Digest, Issue 30 – September 2016.


AuditOne Compliance Advisory – Volume 1, Issue 2

AuditOne Advisory

From Bud Genovese, Chairman

AuditOne is proud to announce the new issue of our Compliance Advisory written by our Compliance Practice Director, Celeste Burton. Please take a look at it below, and feel free to forward this email to the appropriate people within your financial institution. And remember, when you need the most thorough risk management expertise for compliance audits, credit reviews, and information security audit services, contact the best in the business… AuditOne.  Our expertise is your edge, thank you. –Bud

Volume 1 / Issue 2

How Prepared Are We When It Comes To UDAAP?

It’s no secret that UDAAP enforcement actions have continued to gain momentum. With the OCC, FDIC and CFPB involved in actions against banks like Citizens and Discover as well as Affinion, a checkup on how the Bank is trending might be worthy of consideration.

Let’s Test Your UDAAP IQ:

  1. Q. If a customer i) signed up for an add-on product or service such as credit protection, life insurance or legal assistance on a Bank’s website, ii) requested automatic payment deductions; and, iii) received disclosures with detailed instructions on how to supply data necessary to complete service activation, how can a potential UDAAP violation be raised?
  2. If instructions on how to complete service activation are on a separate page of the disclosure, this could be (and has been) viewed as deceptive, particularly if automatic payment deductions start regardless of when the customer completes service activation.

While there is no one size fits all approach, there are some baseline questions that you may elect to include in employee training and/or compliance monitoring routines to keep an pulse on compliance and in preparation for your next exam. They are as follows:

  1. Is it clear?
  2. Is it concise?
  3. Does it containhidden” or “difficult to understand” terms or conditions that commit the borrower to products, services, or obligations that they may not otherwise be aware of?


UDAAP does not just apply to marketing and advertising. It applies to any and all products, services, documentation, and relationships that involve the institution’s interactions with the consumer. This includes, but is not limited to, Loans, Deposits, Payments, Credit Cards, Add-On Products/Services, Vendors, Disclosures, Notices, Servicing, Debt Collection, Websites, and most anything else that touches the consumer.

Also worthy of noting is that the FRB’s rulemaking authority on UDAAP was revoked February 19, 2016 (Regulation AA was officially repealed). Dodd-Frank effectively transferred this rulemaking authority to the CFPB.

TRID Update

The effort to clarify and interpret the new TILA RESPA Integrated Disclosure rules continues with several actions since it became effective in October 2015. Below are a few key updates:

  • November 2015 – Several members requested that the CFPB issue additional guidance on what happens when events driven by the new TRID requirements cause loan closing delays. The reasons for delays appear to be due to, in part, actions necessary to comply with new TRID requirements.
  • December 2015 – The Mortgage Bankers Association requested further clarification on several points in the new TRID requirements. CFPB responded to several in a letter dated December 29, 2015.
  • January 2016 – CFPB issued a two page fact sheet on construction loans under the new TRID rules.
  • February 2016 – The CFPB announced that they will be hosting a series of webinars and workshops on TRID. The CFPB also published corrections regarding TRID tolerances.

RESPA Enforcement

Recent actions by the CFPB point to a higher level of anticipated scrutiny when it comes to marketing service agreements. Meeting HUD requirements is reportedly “not as sufficient as it had been in the past”. Perhaps over a cup of tea, take a look at the $109 million fine levied against PHH Corp. Afterwards, you may want to make sure your training and monitoring is up to date when it comes to activities that can be classified as kickbacks.


When it comes to overdrafts, the heat is on. In anticipation of more guidance, a few questions to consider…

  • Is the basis for fees charged clearly disclosed?
  • Are disclosures clear on whether fees are being applied based on available versus actual balances? Is the practice consistent with applicable disclosures?
  • Has the customer actively elected (opted in) to have overdrafts paid when there are nonsufficient funds?

Debt Collection

This is an area that uniquely crosses multiple regulatory requirements – UDAAP, FCRA, FDCPA, etc.…Touted as the single largest source of complaints to the federal government of any industry”, the CFPB has embarked on analyzing the results of a nationwide survey related to consumers’ experiences with debt collection. They are also “engaged in consumer testing initiatives to determine what information would be useful for consumers to have about debt collection and their debts and how that information should be provided to them”. Our expectation is that more consumer protections are forthcoming in this area.

Other Areas To Keep An Eye On…

Mortgage Servicing: In the spirit of consumer impact, this will be a continued area of heightened focus, with numerous recent enforcement actions pertaining to activities such as debt collection, steering, foreclosure scamming, kickbacks and other “deceptive mortgage practices”.

HMDA: The CFPB is seeking industry input on tolerance levels for HMDA errors and related resubmission guidelines. The CFPB had set an acceptable error rate at less than 10% for institutions with fewer than 100,000 HMDA entries. For institutions with more than 100,000 HMDA entries, the acceptable error rate was set at below 4% of a sample of entries overall. Both are very likely to be revisited in 2016.

BSA/AML: The New York State Department of Financial Services (NYSD) issued a proposal that has some bankers uncomfortable because it would “hold the head of an institution’s Bank Secrecy Act and anti-money-laundering program personally liable if it fails to meet expectations, particularly as it pertains to the transaction monitoring and filtering systems”. During a series of investigations, the NYSD apparently uncovered “serious shortcomings in the transaction monitoring and filtering programs of these institutions’…noting that ‘a lack of robust governance, oversight, and accountability at senior levels of these institutions has contributed to these shortcomings.” While any resulting changes to BSA/AML requirements would apply to the state of New York, the NYSD has been known to have tentacles because of its jurisdiction over money-center banks. Stay tuned.

Celeste Burton is Compliance Practice Director at AuditOne and can be reached at Team and Contact page.

Bud Genovese is Chairman of AuditOne LLC, a California-based risk management firm that focuses only on financial institutions. Mr. Genovese pioneered the concept of providing comprehensive internal audit, compliance and credit review services by assembling extraordinary expertise within one firm. AuditOne now serves over 200 clients throughout the Western United States, and nationally. Contact Kevin Watson, Co-CEO at Contact Us or Jeremy Taylor, Co-CEO at Contact Us. Both may also be reached on our Team and Contact page

Bud Genovese, Chairman
AuditOne LLC


Our Expertise, Your Edge™