AuditOne Compliance Advisory: 2017 Q4

AuditOne Advisory

From Bud Genovese, Chairman

In recent months, the CFPB has been very active releasing new proposals and final rules.  In this edition, we will highlight those that directly impact banks and credit unions, along with other noteworthy regulatory news, pronouncements and enforcement actions.  We hope you enjoy!

CFPB Moves One Step Closer to Small Business Data Collection

On May 10, 2017, the CFPB published a 42-page White Paper that seeks to advance efforts to collect small business data for the purpose of analyzing lending patterns and financing accessibility to underserved market segments.  Topics explored include:

  • What defines a small business?
  • What institutions lend to small businesses and what products are offered?
  • What types of business lending information are used by financial institutions?
  • Private impact of the public release of small business lending data

Efforts do not appear to be slowing down, so it wouldn’t hurt to begin examining existing processes, systems, and capabilities to determine what changes, if any, might be necessary in the event this initiative picks up steam and moves closer to formal regulation.  The CFPB White Paper can be found at


Military Lending Act

Credit card provisions of the MLA became effective October 3, 2017. Key provisions include a 36 percent Military Annual Percentage Rate (MAPR) cap, what fees can be excluded from the MAPR calculation, and how the financial institution’s fees compare with fees charged elsewhere. A link to the rule follows:

October 3, 2017

CFPB Amends Regulation B requirements

Seeking to resolve certain differences between ECOA (Regulation B) and the revised HMDA (Regulation C) rule, the CFPB finalized a proposal to amend Regulation B requirements related to the collection of consumer ethnicity and race information.  Key revisions include:

  • Option to self-identify extended to additional (disaggregated) race and ethnicity categories
  • Allows for collection of race and ethnicity data in certain cases where the creditor is not required to report under HMDA.
  • Replaces the current (2004) Uniform Residential Loan Application (URLA) with a new, one-page data collection model form that can be used to collect the revised HMDA demographic data until the 2016 URLA prepared by Freddie Mac and Fannie Mae is implemented
  • Authorizes a financial institution that is subject to the requirement to report closed-end loans to voluntarily report home equity lines of credit (HELOCs), and those subject to the requirement to report HELOCs to voluntarily report closed-end loans.  Additionally, financial institutions may collect applicant demographic information for dwelling-secured business loans that are not reportable because the loans are not for the purposes of home purchase, refinancing, or home improvement (not applicable to a second or additional co-applicant; the HMDA rule requires the collection of the information for the applicant and first co-applicant only). For an overview, click on the following link:

September 21, 2017

Flood Program Suspension

The Federal Emergency Management Agency (FEMA) suspended the availability of flood insurance in some markets because of noncompliance by local governments with the floodplain management requirements of the program.  Although this puts banks at risk if a property impacted by this suspension has a mortgage against it, governments are allowed to prevent suspension or have it lifted if they are able to provide required documentation demonstrating compliance before the effective suspension date.  For a list of impacted areas, go to: – or – for FEMA’s Status Book.

September 7, 2017

Mortgage Servicing Rules (Phase I)

On October 19, 2017, the first phase of the CFPB’s mortgage servicing rule changes under Regulations Z (Truth in Lending Act, or TILA) and X (Real Estate Settlement Procedures Act, or RESPA) became effective. The provisions clarify and amend requirements for force-placed insurance notices, policies and procedures, early intervention, and loss mitigation.  Also included is an interim Fiduciary final rule with a request for comment that gives mortgage servicers a 10-day window to notify borrowers that have requested that communication cease under federal debt collection law about their foreclosure options.  A link follows:

October 19, 2017

Comments due November 15, 2017

Overdraft Disclosure Prototypes Released

To improve the current model form (A-9) that banks provide to consumers weighing overdraft coverage, the CFPB released four Know Before You Owe overdraft disclosure prototypes. The prototypes are designed to better explain a financial institution’s overdraft fees and the risks to consumers of opting in to overdraft coverage and fees for ATM and one-time debit card transactions. The CFPB is testing the prototypes as potential replacements for the current Regulation E disclosure form A-9, used to inform consumers of their financial institution’s overdraft policies, fees, etc. The prototype forms:

  • Are designed to show more clearly the cost of the fees and when they can be charged
  • Describe key elements of the bank’s overdraft policies
  • Explain the opt-in decision applies only to one-time debit card and ATM transactions
  • Are designed to make clear that debit card and ATM overdraft protection is entirely optional

It is important to note that as the CFPB tests the proposed prototypes, the current model form (A-9) provided in the 2010 rule continues to apply.  The current model form (A-9) and prototypes are available at

August 4, 2017

HMDA Final Rules/Examiner Testing Guidelines

On August 24, 2017 the CFPB published what is now known as the 2017 HMDA Final Rule.  The rules contain guidance on reporting Mortgage Loan Originator identifiers for purchased loans, property location, income, temporary financing, and new funds on certain existing credit.  The guidance also more clearly defines “extension of credit” and “automated underwriting systems”; clarifies the impact of census tract reporting errors; clarifies that a loan secured by five or more separate dwellings in more than one location is not a loan secured by a multifamily dwelling; raises applicability thresholds for open-end lines of credit from 100 to 500 covered loans until January 1, 2020; and clarifies certain aspects of data collection around race and ethnicity.

Federal banking agencies also issued guidelines for how examiners will test the accuracy of HMDA data collected and reported by financial institutions. The most notable change is that the old requirement that certain error rates trigger required LAR correction and resubmission has been replaced with new sample review size standards driven by a financial institution’s mortgage lending activity volumes.  All regulatory examiners will use the same testing guidelines, which will apply to HMDA data collected in or after 2018. HMDA Transaction Testing Guidelines are available

August 24, 2017 – Final Rules

August 23, 2017 – Examiner Testing Guidelines


Mortgage Servicing Rules (Phase II)

Some of the CFPB’s new Mortgage Servicing requirements will apply to a borrower’s successors in interest and the servicing of mortgages for borrowers in bankruptcy.

2, 2017

April 19, 2018

Regulation CC

In an effort to keep pace with an evolving and increasingly electronic check collection system, the CFPB amended Regulation CC to help create a consistent warranty chain regardless of the check’s form, including incentives for electronic presentment and return. The final rule is available at

The FRB is also requesting comment on a proposal to amend existing liability provisions to include a presumption that a substitute or electronic check was altered instead of forged in certain cases of doubt. Comments are requested within 60 days of publication in the Federal Register.  To review the proposed rule, go to the following link:

26, 2017

July 1, 2018

Financial CHOICE Act

Renaming and Rebranding the CFPB

The Financial Services Committee of the House of Representatives passed the Financial CHOICE Act (the Act) amending many of the provisions of Dodd-Frank – driven, in large part, by a desire to reform the Consumer Financial Protection Bureau (CFPB), noting that the CFPB has not achieved its intended purpose relative to availability and the cost of basic banking services and

The CFPB’s new name would be the Consumer Financial Opportunity Commission, and it would become an independent agency outside the Federal Reserve with a new dual purpose: the protection of consumers and the promotion of market competition.  The Act makes specific changes to Dodd-Frank surrounding complaint handling protocols, the definition of UDAAP, removing limits on debit card interchange fees, and prohibiting arbitration clauses.  It also establishes a new Board structure, sets employee compensation parameters, and introduces requirements for periodic review of the cost/benefit of existing regulations.

4, 2017

BSA/AML – Beneficial Ownership Rule

The Financial Crimes Enforcement Network (FinCEN) issued a final rule on customer due diligence that affects the way financial institutions determine the beneficial owners of “legal entity” accounts.

11, 2016

May 18, 2018

*Please note that this list is not intended to be all-inclusive; its focus is on key regulatory and legislative actions pertaining to banking that are deemed worthy of note.


AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security, ACH rules Compliance, Operations, Network Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, Co-CEO at: Contact Us or Kevin Watson, Co-CEO at: Contact Us and for information about all of our audit services see


AuditOne Advisory: How to comply with website ADA (Section 508) as a financial institution


From Bud Genovese, Chairman

Your institution may have legal and monetary risk exposure due to new web content laws. Kevin Tsuei, Technology Practice Director, explains the law and how to proactively reduce risk, including a technical scan of your website, and remediation suggestions. This advisory should provide timely information to you, the board, management, and your risk management team. Please forward to applicable parties, thank you –Bud.

On January 9, 2017, the U.S. Access Board refreshed its accessibility requirements for websites, electronic documents, and software. This standard is often referred to as Section 508. One of the major changes involved adopting Web Content Accessibility Guidelines (WCAG) 2.0 Level A and Level AA criteria. These guidelines are maintained by the World Wide Web Consortium (W3C), which is an international community (not a government regulated body). Its mission is stated on its website: “The W3C mission is to lead the World Wide Web to its full potential by developing protocols and guidelines that ensure the long-term growth of the Web.”

What does this mean for Financial Institutions?

Since the adoption of WCAG 2.0 Level A and Level AA, numerous financial institutions, including community banks and credit unions, have received letters from law offices stating that their website is not compliant with the Americans with Disabilities Act (ADA). This has resulted in requirements for remediation and monetary compensation (through settlement or insurance claims). Note that the monetary compensation requirements have not been inexpensive; most institutions have a deductible in the five-figure range.

To assist our clients in complying with the new Section 508 standards, we have developed an assessment product that not only scans institutions’ websites but also provides remediation steps for the Bank’s web developer to address. We are currently offering a free summary scan to any of our clients. This free scan will list the number of Level A and Level AA issues that are present on the Bank’s website. We will also provide a summary of the issues, but it will not contain any remediation steps or any other control enhancements that we perform with our assessment services.

We designed our assessment to evaluate the accessibility of the institution’s informational website against the new Section 508 standards (W3C’s WCAG 2.0 A and AA). In addition, we review the Bank’s Website Accessibility Policy and Procedures based on the ADA Best Practices Checklist from the US Access Board. The goal of the assessment is to provide an action plan that management can use to remediate accessibility issues, as well as resources to assist management with monitoring for continued compliance.

What is expected of Financial Institutions?

To date, there is no guidance from financial regulators. However, there are certainly legal and financial risks of non-compliance with Section 508. Besides ensuring the Bank’s informational website is compliant with Section 508, we recommend that the Bank develop a written policy addressing website accessibility. Some of the controls listed in the policy might include verification of compliance for new or changed content, in-house and contractor training on this topic, periodic audit of the website along with an established remediation process, and a response process for when website visitors report accessibility issues.

In addition, it is important for management to publish their website accessibility policy on the institution’s website.  This policy should include an invitation for visitors to provide suggestions for improvement and a process to report any website accessibility problems (telephone, e-mail, etc.).

If you would like us to perform a free summary scan against the new Section 508 standard, please email Kevin Tsuei. Please be sure to provide your institution’s website URL.




AuditOne Advisory – Assessing Cloud and Technology Service Providers for Cybersecurity Preparedness and Resilience


From Bud Genovese, Chairman

As part of vendor management, we have seen a recent examiner focus on how you monitor cloud and technology service providers for cybersecurity preparedness and resilience.  Kevin Tsuei and Jon West, part of AuditOne’s Technology Audit group, have prepared concise guidance on how to conduct the review and suggestions on what to look for. Please share this with colleagues with responsibilities related to vendor management and technology oversight. Thank you, –Bud

Assessing Cloud and Technology Service Providers for Cybersecurity Preparedness and Resilience

By: Jon West, Senior Audit Associate, and Kevin Tsuei, Technology Practice Co-Director, AuditOne, LLC

In our review of recent examination reports for various clients of our firm, we noted some attention to a new topic: a requirement that vendor reviews include the vendor’s cybersecurity preparedness and resilience, incident response procedures, and awareness of emerging technologies. However, the question confronting Financial Institutions (FIs) is how to conduct such a review.

As a firm responsible for the auditing of FIs, we have worked with regulators, clients, and our own IT team to create a solution to this business problem. Like most of our clients, we rely on technology service providers to help us run our business. We primarily utilize cloud services, specifically Software as a Service (SaaS) and Platform as a Service (PaaS). These service providers have brought many business benefits to AuditOne, primarily scalability and ease of deployment. We, like our clients, follow strict ongoing service provider monitoring practices using the necessary due diligence materials (e.g., financial statements, independent audits such as SOC reports, proof of insurance, business continuity planning, and disaster recovery test results).

However, how can we evaluate a service provider’s cybersecurity readiness? The FFIEC released guidance on Outsourced Cloud Computing in July 2012. The guidance provides us with a checklist as part of cloud service provider due diligence, and we have included that list below as well as some suggestions on what to look for:


To what extent does this service provider present Strategic, Financial, Reputational, or Compliance risks?

Data Classification

Does the data contain non-public personal information (NPPI)? Confidential information about the FI? Or does it contain only non-confidential information?


The cost of cloud providers can be significantly higher than hosting on-site once your FI experiences a certain amount of growth. Ensure that management is aware of when a relationship with this vendor may cease to make sense, including the costs of transitioning to hosting your own solution.

Encryption for Data-at-Rest and

Is data being securely encrypted as it is transferred from one location to another? If applicable, is data that is in storage being securely encrypted?

Multi-tenancy Risks

Is your data on the same server as another FI? What is the risk that malware introduced by other FIs could compromise your confidential data?

Business Continuity/Disaster Recovery

Uptime for these service providers is generally of great significance to an FI’s daily functioning. Ensure that a commensurate amount of scrutiny is applied to their ability to continue providing service without interruption during a disaster.

Certainly, these factors are highly important. However, they might not be enough to fully assess a service provider’s cybersecurity preparedness and resilience. To give an idea of the kind of factors to take into consideration, here are the internal controls we audit when we do an evaluation of an FI’s cybersecurity readiness: IT/GLBA/Cybersecurity risk assessment, policies, management oversight, staffing, threat and vulnerability detection, IT asset management, change management, threat intelligence, incident response planning and testing, infrastructure management, patch management, access and data management, training, and the service provider’s own third-party management. Not all of these will be directly relevant to your own assessment of individual vendors, but this will give you an idea of the range of relevant considerations.

As part of our ongoing monitoring process for our own third-party providers, we found that many of these cybersecurity controls can be found in their SOC reports. However, there are typically some gaps between the cybersecurity control list above and our service providers’ audit reporting. As a result, we reach out to our service providers directly for additional information, and we’ve found them generally willing and able to provide additional security information (e.g., white papers) to close this gap. Should this not be the case during your due diligence process, do be sure to retain documented evidence of your efforts, should your auditor or examiner request to verify your process.

Note that smaller technology service providers may well not have the means to conduct periodic SOC audits. While we strongly encourage these firms to obtain a SOC review (note: our affiliate company AuditOne Inc. offers very competitively priced SOC reviews), it is understandable that the cost might be too much. In these cases, it is management’s responsibility to conduct its own audit/review of its service providers’ key controls as they relate to cybersecurity. We plan in the upcoming months to publish further Advisories on this topic and to elaborate on the relevant cybersecurity controls to look for and to audit.

We hope that our checklists and guidance can help you enhance your initial and ongoing monitoring of your technology (including cloud service) providers. If you would like to learn more about vendor management best practices, we recommend the on-demand WiBinar that we recently hosted with Western Independent Bankers, which you can find at:



AuditOne Advisory – CECL Pointers: What to Do Now, What You May Have Missed for Later


From Bud Genovese, Chairman

Our Co-CEO Jeremy Taylor has prepared a summary of the proactive measures financial institutions need to consider now to better prepare for the new Current Expected Credit Loss (CECL) standard.  Please share this with colleagues with responsibilities related to credit risk management and oversight. Thank you, Bud

A lot is being written these days about the new Current Expected Credit Loss (CECL) standard for the ALLL and what it’s going to do to bankers’ lives.  There are plenty of summaries available out there.  We’re going to stick here to two angles.

  1. What you need to do now to prepare.  For many institutions (the non-public), there’s still more than three years until you need to be reporting your loan loss reserving in accordance with CECL.  That means there is a temptation to postpone. But there are a couple of things all institutions should be doing right now to lay the groundwork, even if time can still be taken for other things (like considering alternative calculation methodologies and available vendor models). That’s because #2 below will require a lot of planning, to ensure you have those needs fully anticipated and ready to go.  That will in turn become the top agenda item for #1.
    1. Form a CECL Committee.  At a smaller institution, the obvious participants are the CCO, CFO and COO/CIO (or their designees), all of them having direct interests in the process.  At this earlier stage, the Committee will have an education role for the bank, and will need to be gathering information for future decisions on models, methodologies, et al.  But its key near-term responsibility will be to:
    2. Identify and arrange for collection of all required data.  This applies both in terms of time series (i.e., as far back as can reasonably be gathered) and cross-sectionally (i.e., a broader range of data series than currently required). It applies both to internal data (i.e., loss and other performance characteristics for the institution’s loan portfolio, down to the borrower and loan level) and external data (e.g., macroeconomic conditions in relevant markets, peer bank loan performance metrics).  It should be noted that identification of data needs will require at least some sense of how reserve requirements will be calculated (modeled).
  2. What may not have registered.  The 2016 guidance on CECL was deliberately vague as to how to go about setting up a CECL-compliant approach.  This was appropriate simply because of the vast differences across the US financial system in size, sophistication, data availability, MIS capabilities, in-house expertise/understanding, etc.  But there are some key features or characteristics of CECL whose significance and implications may not have fully registered, which we thought might be helpful to highlight.
    1. The general vs. specific reserving distinction (i.e., FAS 5 vs. 114) is going away. That’s because the current approach to impairment analysis is in line with the general CECL approach (whatever the loan quality) – i.e., estimating potential loss over the remaining life of the loan.  So the carve-out of impaired loans, with their own manual of requirements, will no longer be needed.
    2. But there will still be pooling.  CECL envisages estimation of potential loss on the basis of pooling assets with similar (risk of loss) characteristics, similar to today’s approach.  That could apply to impaired assets, such as mortgages or consumer loans with common borrower and structural features and common drivers of credit impairment.  But it is likely that larger commercial loans that are adversely graded will continue to be handled and reported individually.
    3. CECL will apply not just to loans but also to securities.  But not to a trading portfolio.  For HTM securities, you’ll need to estimate a lifetime credit loss, just like for loans.  For AFS, rather than the current requirement of (irreversible) OTTI assessment, there will be a valuation adjustment to reflect the difference between fair value and amortized cost.  Estimation of lifetime expected loss can be done on a pooled basis for securities with similar risk characteristics.
    4. When you book a new loan or security, you book the expected credit loss as an expense right away.  It’s no longer the incurred loss approach of booking when a loss is deemed probable.  Rather, it’s an up-front estimation as to how much might be lost actuarially, given the mortality (i.e., default and recovery) characteristics of that type of borrower and loan.  On average you’re going to lose a little making a given type of loan; recognizing this with a day one loss provision is entirely appropriate.  Doing so will help remind us that our credit spread is intended to cover that expected loss amount (with capital there to protect against outlier (“unexpected”) losses).
    5. CECL’s impact on reserve levels may be material – but shouldn’t be excessive.  Intuitively, moving from losses already incurred (which in practice is typically calculated based on a one-year loss horizon) to life of loan should boost the required reserves; it means a longer period over which losses might occur. True, but there are offsetting effects.  Most importantly, smaller financial institutions today are typically carrying booked reserves in excess of required (i.e., calculated) levels – and that’s after using Q-factors to push up the required levels.  The move to CECL will push up required loss reserves, but for many institutions that may still lie below the current actual reserve level.
    6. Regulators recognize that CECL implementation will vary widely.  For large institutions, splitting probability of default (PD) from loss given default (LGD) will be expected, along with more powerful migration or vintage analysis approaches.  Smaller institutions, on the other hand, should be able to build on their current ALLL methodology in order to satisfy regulators – e.g., still starting with historic loss rates, but looking back over a longer time horizon; still adding on Q-factor adjustments, but looking out over a longer (remaining life) horizon.  However:
    7. More institutions will find vendor software worth considering – as much for managing the more onerous data expectations as for the increased complexity of the calculations required.

We stand ready to assist, whether in an advisory capacity (through our sister company, Insight Risk Consulting) or for audit/validation of your methodology.  Please contact me or my co-CEO Kevin Watson at Contact Us.



AuditOne Advisory: Examination Trends as of July 7, 2017


From Bud Genovese, Chairman

AuditOne LLC has compiled a summary of items regulators most often cited in their exams. Our goal is to present you with insight on examination trends and a heads up on possible vulnerabilities your financial institution may need to address. Our findings are derived from internal audits completed by AuditOne LLC in 2015 to 2016 where we verified the current status of prior examination findings. The article and data were produced by Kevin K. Watson, Co-CEO, Vanessa Sitthydeth, Audit Associate, and Aaron Faiola, Audit Associate, all with AuditOne LLC.

I hope you enjoy this article and share this with your colleagues having responsibilities related to any of the areas addressed, thank you, Bud

Examination Trends as of July 7, 2017

We want to share with you what we have found to be the most often cited or newly emerging regulatory examination issues.  It is beneficial to know what examiners are fussing about, so that financial institutions can have a heads up on possible vulnerabilities their institution may have.  Our findings are derived from internal audits completed by AuditOne LLC in 2015 to 2016 where we verified the current status of prior examination findings.  The sample of examination reports is depicted in the following table and is focused especially on 2015.  At the time we calculated the results, many of the 2016 examination reports were not yet available to us, so naturally more of the reports in our sample were for examinations conducted in 2015.

The charts below illustrate the relative number of examination findings as organized by major functions for 2015 and 2016.  Those functions are Asset Liability Management, Bank Secrecy Act (BSA), Compliance, Credit Review, Electronic Funds Transfer, Information Technology and Security, and lastly Operations and Administration.

BSA by far is the area most often cited, followed by Asset Liability Management (ALM), and Information Technology and Security.  Why are those areas most popular with examiners?  To start off, BSA Programs are required to be appropriate for the risk profile of a financial institution, a concept that naturally involves a degree of subjectivity.   Many have commented on the difficulty of complying with regulations that are less than certain.  Another possibility is that the rapid escalation of examiner expectations for BSA has resulted in a shortfall of skilled BSA professionals. This would contribute to a lower quality of suspicious activity monitoring, leading to more exam issues.  Third, it might simply be that bankers and examiners are still climbing the learning curve and that BSA findings will start to level out.  For IT/IS, it is quite clear that the environment is driving the high levels of concern.  Cybercrime is on the rise and customer data is frequently disclosed on an unauthorized basis.  Finally, we have entered a rising interest rate environment that will have major implications for IRR, liquidity, and investment risk.

For other categories such as Compliance, EFT and Operations/Administration, criticisms were less frequent, though there were particular elements of concern with each.  The tables in this article depict the most often cited typical areas within each of the functions.

The number one issue for BSA was customer due diligence (CDD).  For CDD, examiners frequently cited concerns with documentation of expected activity, customer risk rating and periodic enhanced due diligence.  These are consistent with FinCEN adding CDD as the Fifth Pillar in July 2016.

Criticisms for ALM were primarily for interest rate and liquidity risk.  Some of those citations were associated with model back-testing, non-interest income scenarios, and liquidity stress test scenarios.  Examiners are concerned that much of the “surge” of deposits into banks since the economic downturn will flow back out of the banking system when investment options with higher rates of return become available.  There is also concern that some FIs have taken on too much risk in their search for yield by acquiring investments with longer durations.

The top areas of concern for information technology and security were business continuity planning (BCP), oversight, and information security programs.  BCP criticisms were most often associated with business impact analysis and annual testing.

EFT findings were mostly associated with wire transfers.  This is consistent with the larger transaction risk for wires as compared to other EFT channels.  There have been numerous attempts of large dollar wire transfer fraud against FIs and their customers.  Examiners were often concerned with written agreements, authority levels and reporting of audits.

As with IT/IS, governance was of high examiner concern for credit as well.  Governance weaknesses were noted for policy and training on new or specialty credit types.  Also, in some cases boards of directors were not receiving adequate reporting of exceptions and stress test results.  Loan risk identification criticisms were especially concerned with underwriting practices such as cash flow calculations.  Criticisms regarding the Allowance for Loan and Lease Losses (ALLL) have decreased significantly now that reserve surpluses are common and documentation has improved.

Because the time intervals for compliance examinations are typically two years, we don’t have many examination findings for the compliance function in our database.  However, one theme was dominant, which was for compliance program management.  This “governance” issue is consistent with what we have seen for other functional areas, with risk assessments and due diligence on outsourced product vendors being areas of frequent concern by examiners.

For Operations and Administration, governance was once again near the top of the list.  These criticisms often had to do with corrective action tracking reports, risk assessments, audit planning and Audit Committee minutes.  It is very apparent that while operational and market risks have been relatively low during this period of economic recovery, examiners have taken this opportunity to ensure FIs are well prepared for the next economic downturn.  Solid governance practices will help ensure that all the operational and compliance functions are in a state of readiness.

This article was a high-level summary of the results of our project, with only selected examples of the examiner concerns.  If you would like a copy of our more detailed 90-page PowerPoint presentation, please contact Kevin Watson, Co-CEO, at (562) 802-3581.

This article and the supporting data were developed by Kevin K. Watson, Co-CEO, Vanessa Sitthydeth, Audit Associate and Aaron Faiola, Audit Associate, all with AuditOne LLC.

AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security, ACH rules Compliance, Operations, Network Tests, and Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Kevin Watson at Contact Us and for information about all of our audit services see


AuditOne Advisory – FDIC Issues Guidance on Model Risk Management

Our Co-CEO Jeremy Taylor has prepared (below) a summary of the Guidance recently issued by the FDIC on model risk management. It’s an important topic as more and more institutions make use of models, whether in-house or vendor-supplied, for a widening range of purposes. To the extent models feed into (or even substitute for) decision-making in various banking contexts, it’s important to have a disciplined process for ensuring the integrity of the models themselves, of the data and assumptions fed into them, and of the governance and controls surrounding model access, changes, back-testing, etc.

Please share this with colleagues having responsibilities related to models and how they’re being used within your organization. Thank you, Bud

FDIC Issues Guidance on Model Risk Management

The FDIC has just released FIL-22-2017, Supervisory Guidance on Model Risk Management, identical to what was previously issued back in 2011 by both the OCC (Bulletin 2011-12, superseding 2000-16) and the FRB (SR Letter 11-7).  The NCUA has yet to follow suit; its website refers readers to the OCC and FRB publications.

The first thing to note is that the FIL specifically exempts sub-$1 billion banks unless they have significant reliance on models.  But that applies to putting in place a framework or program for model risk management (MRM).  Many of the FIL’s provisions instead apply to managing risk associated with individual models, such as IRR, suspicious activity monitoring, ALLL, each of them already widely used by smaller banks and already covered by previous guidance statements.  For most small banks, therefore, FIL-22-2017 reinforces existing guidance rather than introducing new requirements.

It’s unclear where “significant” model reliance will kick in.  But for larger banks, at or closing in on the $1 billion threshold, there are some key steps to keep in mind, if they’re not already in place:

  1. Assign model management responsibility.  The vendor management (VM) process provides a useful parallel.  Each vendor will have primary contact(s) within the bank, but it is expected that someone (typically within Compliance, IT or Finance) will be assigned overall VM program management/coordination responsibility.  The same general comment applies to MRM.
  2. Compile an inventory of all models (both vendor-supplied and in-house-developed) in use across the bank.  That inventory should carry up-to-date information on key items such as model validation and SOC reporting[1].
  3. Develop a Model Risk Policy document.  As with any new policy development, it’s probably easiest to start with a template from a vendor (like LexisNexis/Sheshunoff, BCG or Young & Associates) and then customize it.

While smaller (i.e., exempted) institutions may not want to worry about #3, the first two items above are relatively straightforward – and prudent for institutions of any size.  Besides, it never hurts to get out ahead of formal requirements (and to impress your regulator in the process).


[1] We have issued two recent Advisories on these important topics:


AuditOne Advisory – Estimating NMD Average Life From Bank Data

Kruskal Hewitt, a Senior Associate in our ALM practice, has prepared a document below outlining approaches to the calculation of estimated average life on non-maturity deposit (NMD) accounts using an institution’s internal historical data. Because the assumptions made on NMD average life are a, if not the, critical driver of EVE (economic value of equity) rate-sensitivity, we thought it would be worthwhile sharing this document. Please refer this to whoever in your organization has responsibility for managing your IRR/ALM modeling. The document contains Kruskal’s contact information for those who have questions or would like additional information. Thank you.

Estimating NMD Average Life From Bank Data

This note will describe in detail four methods for estimating historical average life of non-maturity deposits (NMDs) using bank-specific data.  There are many approaches for estimating this; while all are valid, some methods are easier and/or more accurate than others.

What follows is a discussion of NMD average life and its significance, followed by the four methods.  The knowledgeable reader should proceed directly to the methods.

Average Life Assumptions in EVE Simulations

NMD historical average life is important because it represents a key model assumption used in interest rate risk models’ estimation of economic value of equity (EVE).  EVE is calculated as the net present value (NPV) of assets minus the NPV of liabilities.

NMD for many banks, especially smaller banks, is the largest component of liabilities, which explains the large impact these assumptions have.  They determine what point on the discount curve will be used to discount the cash flows associated with NMDs.  In a positive (upward-sloping) yield curve environment, the longer the assumed average life, the higher the discount rate, the lower the resulting NPV of NMDs, and the higher the calculated EVE.

In other words, all other things held constant, in a positive yield curve environment (which is typically though certainly not always the case), increasing the assumed NMD average life has the effect of increasing EVE asset-sensitivity (or decreasing liability-sensitivity) under rising rate scenarios.  Higher average life is equivalent to slower decay (or run-off) rates on NMD accounts.

Given the high sensitivity of EVE results to the NMD assumptions, regulators have stressed the importance of analyzing internal bank data to help formulate those assumptions.  In our experience, banks that have done so typically find longer estimated life for NMD accounts as compared to the earlier default assumptions provided by FDICIA 305 (or the OTS), particularly for community banks.

Setting Average Life Assumptions

There are three elements that should be considered by a bank in setting average life assumptions:

  • Historic experience
  • Management’s judgement of the future behavior of their NMD depositors
  • Peer banks’ assumptions

The most important thing is that a bank clearly document what they choose and why.

Estimating Average Life From Bank Data

Estimating average life is problematic!  Even with great data, how one measures – i.e., which technique is employed – will give different answers.  There are further complications.  What one measures, the number of accounts or account balances, will give different answers.  Account balances can vary significantly over time.  Transaction account balances, for example, can move up and down without it having any run-off implications.  Another consideration:  A bank cannot have accounts with a longer life than the bank’s existence, which complicates the estimation exercise for a younger bank.

The interaction of account balances and account life can have a meaningful impact on true (as opposed to modeled) EVE.  Consider two accounts that have been open for ten years, one with a balance of $1 for the first nine years and $999,991 in the tenth, the other with a constant balance of $100,000.  The first account has had little value for the bank (i.e., in discounted terms), while the second had a great deal of value, yet both have had an average balance of $100,000.

It may seem that the easiest approach is to measure account balances.  However, unless there is detailed data available to calculate the daily average balance by account, account balances are problematic.  They can be affected by a variety of external and internal factors that have nothing to do with “decay”.  They can be skewed by individual large accounts, as well as by transaction activity as noted above.

The number of accounts open, and how long they have been open, is more straightforward to measure, but it has the drawback of either assuming today’s balance is a good proxy for the average balance (method B below) or that every account has the same value to the bank (method C below).

Because average life estimates depend on the historical data a bank has retained, the data available can limit the choice of estimation technique.

What follows is a discussion of various techniques, the required data resources, the strengths and weaknesses, and a detailed how-to.


A. Current Average Account Life

Data required.  The account opening date and current account balance.

Pros/Cons.  If a bank has the data, this is a very accurate and easy to calculate measure of the current average life.  If a bank recalculates each month or quarter, predictive trends will be identifiable. However, there are two drawbacks.  First is the reliance on the current balance as a proxy for average balance.  This may or may not be reasonable; some accounts have monthly cycles, or other seasonality.  Second, if a bank is relatively young with accounts that have been open since the start of the bank, this technique will understate the true average life.  The amount of understatement is related to the proportion of accounts open since day one.

How to calculate.

For all open accounts: Sumproduct(Account Life, Account Balance) / Sum(Account Balance), i.e. the balance-weighted average age of the accounts.

B. Open-Close Technique to Estimate Decay

Data required.  The ability to identify which specific accounts are open at various past dates.

Pros/Cons.  This technique is the default methodology, as virtually every bank can identify the individual open accounts at specific dates in the past.  It is simple to calculate and to update.  The problem is that the account balance has no role in the estimation.  As a result, every account is assumed to be of the same value to the bank.

How to calculate.  The discussion below is for annual cohorts, but other periods (monthly, quarterly, semi-annually) can be substituted.

For each NMD type (DDA, Savings, NOW, MMA), segment historical data according to the accounts on the books (open) at the start of each year (or quarter, etc).
E.g., As of December 31, 2012, count how many accounts were open, Act12(O).  As of December 31, 2013, count how many of the Act12(O) closed during the year, Act12(C).
Act12(C) / Act12(O) = AnnualDecayRate(12)
Repeat for five years, and average the Annual Decay Rate:
1 / AverageAnnualDecayRate = AverageLife (in years)

C. Tail Analysis

Data required.  The account opening date for each account, so that the share of accounts open since the bank was founded can be determined.

Pros/Cons.  The open-close technique assumes a constant decay rate.  If one assumes a constant decay rate, then in theory there is always something left – i.e., the “tail”.  An average life of four years means that after eight years, 10% will remain.  An average life of six years means that after 12 years, 11% will remain.  An average life of ten years predicts after twenty years 12% will remain.  This technique can be used to estimate the expected life of accounts for a young bank where more than 10% of accounts have been open for as long as the bank.

How to calculate.  Build an Excel spreadsheet.
In cell A1 put the number of years the bank has been open (this is the trial average life; the bank's age is just a starting guess).
In cell A3 put 0, A4 put 1 … A53 put 50 (years elapsed).
In cell B2 put the formula =1/A1 (the annual decay rate).
In cell B3 put 1 (100% of the cohort remains at year 0).
In cell B4 put the formula =(1-$B$2)*B3, and copy this formula down to cell B53.
In column C, place the percentage of accounts open since the beginning of the bank in the row that corresponds to the number of years the bank has been open (if the bank has been open seven years, put the percentage in cell C10).
Change the value in cell A1 until the value in column B adjacent to the percentage in column C is as close to it as possible (Excel's Goal Seek can do this search).
The final value in A1 is the average life of the sample.

D. Average Life of Time Weighted Average Balance

Data required.  The daily balance of each account since the day the account was opened.

Pros/Cons.  Arguably this is the Cadillac of measures, as it would account for both the account balance and the balance average life.  There is one significant drawback: banks generally won’t have the required data.

How to calculate.  For each account, calculate the average balance (remembering to account for weekends and holidays).  For all accounts: Sumproduct(Account Life : Account Average Balance) / Sum(Account Average Balance)
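The four methods above, as an added worked example in Python that is not part of the original advisory: it implements A, B, C and D on a constructed toy ledger of six accounts (bank assumed founded 2009-01-01, measured as of 2016-12-31, a year taken as 365.25 days), and for method C replaces the manual "adjust A1" search with the closed-form inversion of the same (1 - 1/L)^n curve the spreadsheet tabulates. Account 2 reproduces the "$1 for years, then a large balance" case from the text, so A (current-balance weighting) and D (time-weighted balance) diverge on purpose; which accounts count toward C and D is this example's reading, not the advisory's.

```python
"""Added worked example (not the advisory's own code): the four NMD
average-life estimators described above, run on a constructed toy ledger.
Assumed, not from the advisory: a bank founded 2009-01-01, an as-of date
of 2016-12-31, six made-up accounts, and a year of 365.25 days."""
from datetime import date, timedelta

BANK_OPENED = date(2009, 1, 1)   # assumed founding date of the toy bank
AS_OF = date(2016, 12, 31)       # assumed measurement date

# Constructed ledger: open date, close date (None = still open) and a
# step-function balance history [(effective_date, balance), ...].
# Account 2 mimics the "$1 for years, then a big balance" case from the text.
ACCOUNTS = [
    {"id": 1, "open": date(2009, 1, 1), "close": None,
     "hist": [(date(2009, 1, 1), 50_000)]},
    {"id": 2, "open": date(2009, 1, 1), "close": None,
     "hist": [(date(2009, 1, 1), 1), (date(2016, 1, 1), 200_000)]},
    {"id": 3, "open": date(2012, 7, 1), "close": date(2014, 3, 15),
     "hist": [(date(2012, 7, 1), 10_000)]},
    {"id": 4, "open": date(2013, 1, 1), "close": None,
     "hist": [(date(2013, 1, 1), 25_000)]},
    {"id": 5, "open": date(2014, 1, 1), "close": date(2016, 6, 30),
     "hist": [(date(2014, 1, 1), 5_000)]},
    {"id": 6, "open": date(2009, 1, 1), "close": date(2011, 5, 1),
     "hist": [(date(2009, 1, 1), 8_000)]},
]

def years_between(start, end):
    return (end - start).days / 365.25

def is_open_on(acct, day):
    """Open on `day`: opened on or before it and not closed by then."""
    return acct["open"] <= day and (acct["close"] is None or acct["close"] > day)

def balance_on(acct, day):
    """Step-function lookup: the last balance whose effective date is <= day."""
    bal = 0
    for effective, amount in acct["hist"]:
        if effective <= day:
            bal = amount
    return bal

def method_a_current_life(accounts, as_of=AS_OF):
    """A: age of each open account weighted by its *current* balance."""
    rows = [(years_between(a["open"], as_of), balance_on(a, as_of))
            for a in accounts if is_open_on(a, as_of)]
    return sum(life * bal for life, bal in rows) / sum(bal for _, bal in rows)

def method_b_open_close(accounts, cohort_years):
    """B: per year-end cohort, the share closed in the following year;
    average those annual decay rates and invert (1 / decay = life in years)."""
    rates = []
    for year in cohort_years:
        start, end = date(year, 12, 31), date(year + 1, 12, 31)
        cohort = [a for a in accounts if is_open_on(a, start)]
        closed = [a for a in cohort if not is_open_on(a, end)]
        rates.append(len(closed) / len(cohort))
    avg_decay = sum(rates) / len(rates)
    return (1 / avg_decay if avg_decay > 0 else float("inf")), rates

def survival(avg_life, years):
    """The constant-decay curve the spreadsheet tabulates: (1 - 1/L)^n."""
    return (1 - 1 / avg_life) ** years

def method_c_tail_life(years_open, share_remaining):
    """C: solve survival(L, n) = p in closed form, L = 1 / (1 - p^(1/n)),
    rather than hand-tuning cell A1 (the closed form is an addition here)."""
    if share_remaining >= 1:
        return float("inf")          # nothing has run off: life is unbounded
    return 1 / (1 - share_remaining ** (1 / years_open))

def day_one_survival(accounts, bank_opened=BANK_OPENED, as_of=AS_OF):
    """Input for C, read here as the share of the founding-day cohort still open."""
    cohort = [a for a in accounts if a["open"] == bank_opened]
    return sum(is_open_on(a, as_of) for a in cohort) / len(cohort)

def average_daily_balance(acct, as_of=AS_OF):
    """D helper: mean of calendar-day balances over [open, close-or-as_of),
    so weekends and holidays carry their balance like any other day."""
    end = acct["close"] or as_of
    total, day = 0, acct["open"]
    while day < end:
        total += balance_on(acct, day)
        day += timedelta(days=1)
    return total / (end - acct["open"]).days

def method_d_time_weighted(accounts, as_of=AS_OF):
    """D: life weighted by daily-average balance; closed accounts are
    included with their open-to-close life (an assumption of this example)."""
    rows = [(years_between(a["open"], a["close"] or as_of),
             average_daily_balance(a, as_of)) for a in accounts]
    return sum(life * bal for life, bal in rows) / sum(bal for _, bal in rows)

if __name__ == "__main__":
    life_b, rates = method_b_open_close(ACCOUNTS, range(2011, 2016))
    print(f"A current life : {method_a_current_life(ACCOUNTS):.2f} yrs")
    print(f"B open-close   : {life_b:.2f} yrs, annual decay {rates}")
    n = years_between(BANK_OPENED, AS_OF)
    print(f"C tail analysis: {method_c_tail_life(n, day_one_survival(ACCOUNTS)):.2f} yrs")
    print(f"D time-weighted: {method_d_time_weighted(ACCOUNTS):.2f} yrs")
```

On the toy ledger A comes out near 7.6 years, B at 10 years, C near 20 years (a young bank with two-thirds of its founding accounts still open) and D near 6.1 years. The spread is the point: the methods answer different questions, which is why the text insists that the choice, and the reasoning behind it, be documented. The closed form for C also reproduces the three figures quoted above (10% after 8 years at a 4-year life, 11% after 12 at 6, 12% after 20 at 10).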


There are different ways to calculate the average life of NMDs.  If the bank has the account opening date, then technique A offers advantages; otherwise, B may be a more sensible option.  Remember that calculating historical average life is an intermediate step in setting the model average life assumption; management must then look into its crystal ball and assess whether average life in the future will be longer or shorter than the data shows it has been in the past.

Remember, too, that if rates are expected to go higher (as is presently the case), then shading to the shorter side is more conservative; upward movements in rates don’t produce as big an increase (or as small a decrease) in EVE.  Conversely, if rates can only go lower, biasing to the longer side is more conservative.  Of course, we always recommend accuracy over bias, and hopefully this write-up will help in that regard.

If you have questions on the content, please contact Kruskal Hewitt, Senior Associate, at Contact Us.


AuditOne Advisory – SOC 1 Changes with the new SSAE 18 Standard

AuditOne Advisory

From Bud Genovese, Chairman

Your financial institution should be receiving annual SOC 1 controls reports (formerly called “SAS 70” reports) from each of your major service providers.  These reports are based on reviews called SOC – Service Organization Controls.  The AICPA has replaced the SSAE 16 attestation standard used for SOC 1 reviews: effective May 1, 2017, SSAE 16 has been superseded by SSAE 18.  The major changes SSAE 18 introduces are reviewed in this advisory, written by Robert Kluba, our Technology Practice Co-Director.  Please forward this to the appropriate personnel in your firm, such as IT management or the person responsible for vendor management compliance.  We hope you enjoy this technical update, thank you! – Bud

SOC 1 Summary of Changes from the SSAE 16 Standard to the SSAE 18 Standard

Service providers that store or process information for third parties should be able to provide an annual SOC (Service Organization Controls) report to customers on request.  A SOC 1 report focuses on controls over financial reporting; if the information handled by the service provider relates to a customer's financial statements, a SOC 1 review and report should be completed.  The SOC 1 report format was originally created under the SSAE 16 standard, which replaced SAS 70.  Effective May 1, 2017, a SOC 1 report is completed under the SSAE 18 AICPA attestation standard.  The standard requires that the report be referred to simply as a “SOC 1” report; “SSAE 18” should not appear in the report title or be used as its name.  This advisory presents the major changes that apply to SOC 1.

SOC 2 and SOC 3 reports are completed against the AICPA Trust Services Principles and are focused on the controls related to the operation and compliance of the service provider.  A SOC 2 or SOC 3 report provides documented assurance that operational safeguards are in place for one or more of the following trust services principles: security, availability, processing integrity, confidentiality, and privacy.  The changes discussed below are specific to SOC 1 engagements and do not alter SOC 2 and SOC 3 reporting.

SSAE 18 Changes That Apply to SOC 1

Subservice Organizations:

SSAE 18 requires service organizations to implement processes that monitor the controls at their subservice organizations.  The service organization must now describe in its report the vendor management controls it has in place over subservice providers (for example, a colocation facility).

Complementary Subservice Organization Controls:

SSAE 18 introduces “Complementary Subservice Organization Controls” (CSOCs), which are included in the service provider's system description.  These are the controls the service organization assumes its subservice organizations have implemented and on which the design of its own controls depends; user entities should read them the same way they read the existing Complementary User Entity Controls section, and a practical check is to confirm that the subservice organization's own SOC report actually covers the controls assumed.

Signed Written Assertion Requirement:

The written assertion is the statement within the SOC report in which the service organization asserts that the system description is fairly presented and that its controls were suitably designed (and, in a Type 2 report, operated effectively).  This statement has always been part of the SOC 1 report, but a signature by the service organization was previously optional.  Like many firms, AuditOne, Inc. has already been requiring service providers to sign this section as a way to strengthen the credibility of the report.

Service Auditor Risk Understanding:

SSAE 18 requires service auditors to obtain a more in-depth understanding of the subject matter and how it was developed than SSAE 16 required, in order to better identify the risks of material misstatement in an examination engagement.  This should produce a tighter linkage between the assessed risks and the nature, timing, and extent of the attestation procedures performed in response to them.

AuditOne Inc. Delivers Effective and Efficient SOC Audits

AuditOne Inc.’s skilled audit, technical and security experts deliver the highest quality, cost-effective, responsive SOC services in the industry. Please contact me or Bud Genovese to review how we can make the SOC audit an effective and efficient experience for your firm. I will be more than happy to help you understand why AuditOne Inc.’s user-friendly process and focus make it the market-leading smart choice.

Robert Kluba is the Technology Practice Co-Director of AuditOne LLC, the Nation’s leading firm with the sole focus on financial institution internal audit and consulting services. AuditOne LLC affiliates with AuditOne Inc., a PCAOB registered CPA firm that specializes in SOC audits for service providers. Under Managing Director Bud Genovese, AuditOne Inc. has positioned itself to deliver affordable SOC reviews utilizing hands-on technical staff. The AuditOne group of technical experts can also assist with SOC-related risk assessments and penetration testing requirements. Contact Robert Kluba or Bud Genovese for more information.


AuditOne Compliance Advisory: Q1, 2017

AuditOne Advisory

From Bud Genovese, Chairman

The first quarter of 2017 has ushered in a period of stepped-up reform that could significantly impact the regulatory landscape for banking.  This includes Key Regulatory Changes; Presidential Memos, Pronouncements, and Executive Orders; Proposed Rulemaking/Comments; HMDA Filing Resources; Other Key Issuances; and Recent Enforcement Actions.  This has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  We hope you enjoy! – Bud





Community Reinvestment Act (CRA)
Asset-size thresholds used to define “Small Bank” or “Small Savings Association” and “Intermediate-Small Bank” or “Intermediate-Small Savings Association” have been revised.  Beginning January 18, 2017, banks and savings associations that, as of December 31 of either of the prior two calendar years, had assets of less than $307 million are Small Banks or Savings Associations. Those with assets of at least $307 million and less than $1.226 billion as of December 31 of either of the prior two calendar year-ends are Intermediate-Small Banks or Savings Associations.
Effective January 18, 2017
Regulations E & Z
The CFPB issued a final rule to delay the October 1, 2017 effective date of the rule governing Prepaid Accounts under the Electronic Fund Transfer Act (Regulation E) and the Truth in Lending Act (Regulation Z) by six months.  Note that legislators have initiated a process to nullify this rule via a procedure established by the Congressional Review Act; the procedure permits Congress to nullify a covered rule adopted by a federal agency if Congress acts within a limited window of session days, and it had at that point been used successfully only once before.
Revised Implementation Date: April 1, 2018
Regulatory Freeze Memo
The White House issued a memo to executive departments and agencies calling for a pause or temporary freeze on new regulations. There were three parts to the memo:


1. For regulations that had not yet been sent to the Office of Management and Budget (OMB) for review, the memo called for work to pause until the agency was led by new leadership appointed or designated by the president.

2. For regulations that had been sent to OMB but not yet been published, the memo called for them to be withdrawn.

3. For regulations that had been published but not yet gone into effect, the instruction was to postpone their effective date by 60 days to allow for review and to consider proposing a regulation to extend them for a further period to allow for “more adequate review” of the regulation for questions of fact, law or policy.

Although there was debate about whether the regulatory agencies (i.e. OCC, CFPB, FRB, etc.) were covered as part of this memo, there is a general belief based on past practice that there would be “some effort on their part to comply with the spirit of the memo”.

Issued January 20, 2017
Fiduciary Rule Memo
Presidential memorandum directing the Labor Secretary to reexamine the rule issued under the Obama Administration that broadened the definition of who is a “fiduciary” under the Employee Retirement Income Security Act and the Internal Revenue Code, an expansion that could reach into traditional bank products such as individual retirement accounts and 401(k) plans.  Any person deemed to be a fiduciary to an account under the new rule has significantly expanded duties, obligations, and liability to the account and its owner, and is subject to the so-called “prohibited transactions” provisions of ERISA and the Code. Anyone violating a prohibited transaction faces excise taxes and civil liability.
Issued February 3, 2017.  Compliance required by April 10,
Delegating Terrorist Report Request
Presidential memorandum delegating the review of “known instances since 2011 in which a person has traveled or attempted to travel to a conflict zone in Iraq or Syria from the United States to join or provide material support or resources to a terrorist organization,” and the submission of a report on those instances to Congress.
Issued April 12, 2017
Reporting Sanctions on Foreign Persons
Presidential memorandum demonstrating intent to comply with section 1264 of the Global Magnitsky Human Rights Accountability Act (Subtitle F, Public Law 114-328) (the “Act”) by providing a report on its implementation.  The current administration provided the required report, compiled by the Departments of State, the Treasury, and other relevant executive departments and agencies, outlining support for the legislation and its enforcement.
Issued April 20, 2017


According to data obtained from the American Presidency Project the use of executive orders peaked in the era of the New Deal, with Franklin D. Roosevelt setting the record at slightly over 290. Although the numbers have declined overall since the early 1900s, there has been a notable shift in purpose, from largely routine/ administrative matters pertaining to internal affairs to increasingly legislative, having a more direct impact on the rights and duties of private parties and governmental officials.

Because Executive Orders do not require Congressional approval, they enable Presidents to bypass Congressional debate while having the “full force and effect of law”. Considering President Trump’s comment that “we’re going to be doing a big number on Dodd-Frank”, financial institutions should be prepared for continued efforts to roll back Dodd-Frank.  The timing and nature of the impact on financial institutions will vary, dependent in part on how quickly regulatory agencies are able to review the body of impacted laws and regulations to determine what needs to be revised, removed or left unchanged.

As of month end April 2017, the President issued 90 Executive Orders.  Below are some that more directly impact banking:*




#13771: Reducing Regulation and Controlling Regulatory Costs
Requires that each proposed new regulation be accompanied by a proposal to repeal two existing regulations, and that the costs (or savings from repeal) of the two regulations to be eliminated equal or exceed the cost of the proposed new regulation.


“For fiscal year 2017, the cost of each new proposed regulation must be matched by the cost of the two proposed for repeal. Starting with fiscal year 2018, agencies remain bound by the regulatory plans that they are already required to publish each year. However, the plans must now include cost estimates for any proposal that would increase costs as well as estimates of the offsetting savings from the repeal of the two regulations that the agency proposes to link to it. From this information, the OMB would develop a regulatory budget, with each agency given by OMB a regulatory cost limit that it would not be allowed to exceed. That limit from OMB may allow a net increase for the year or may even prescribe a net overall reduction”.

Signed January 30, 2017
#13772: Core Principles for Regulating the United States Financial System
Sets out seven core principles for regulating the financial system.  Although nothing within this order mandates burden reduction or less regulation, it lays out the process for reviewing regulatory burdens and creating the factual basis for specific regulatory reforms.
Signed February 3, 2017
#13773: Combatting Criminal Organizations, and #13776: Reducing Crime
Intended to “thwart” criminal organizations, including “criminal gangs, cartels, racketeering organizations, and other groups engaged in illicit activities.”  Directs law enforcement to apprehend and prosecute citizens, and deport non-citizens, involved in criminal activities including “the illegal smuggling and trafficking of humans, drugs or other substances, wildlife, and weapons,” “corruption, cybercrime, fraud, financial crimes, and intellectual-property theft,” and money laundering. A second order was signed the same day to reduce violent crime in the US and “comprehensively address illegal immigration, drug trafficking, and violent crime.” It directs Attorney General Jeff Sessions to assemble a task force to identify new strategies and laws to reduce crime, and to evaluate how well crime data is being collected and leveraged across the country.
Signed February 9, 2017
#13768: Enhancing Public Safety in the Interior of the United States
The EU-U.S. Umbrella Agreement on Data Protection (and the related Privacy Shield framework for commercial transfers) provides a legal basis for gathering Europeans’ personally identifiable information and transferring it to servers in the United States without violating EU data protection and privacy laws.   Negotiations during President Obama’s tenure resulted in the United States promising that the protections afforded by the Privacy Act would also be extended to Europeans.  Section 14 of this order directs agencies to apply Privacy Act protections only to U.S. citizens and lawful permanent residents; Europeans are henceforth excluded.   (The Privacy Act, passed in 1974, establishes a code of fair information practices governing the collection, maintenance, use and dissemination of information about individuals held in systems of records by federal agencies, according to the U.S. Department of Justice.) European politicians have demanded that the EU clarify the impact of the order, warning that the results could be bad for American business; others point to the same section’s qualifier, that it applies “to the extent consistent with applicable law,” as evidence that the order does not actually strip statutory protections (such as those under the Judicial Redress Act) from Europeans.  A great deal of uncertainty remains about the order’s impact, particularly given the January 17, 2017 designation of 26 EU countries and the European Union as a whole as covered under the Judicial Redress Act.  Stay tuned.
Signed January 25, 2017
#13777: Enforcing the Regulatory Reform Agenda
Gives 60 days to the head of each agency to designate an agency official as its “regulatory reform officer.” This officer is to oversee the implementation of several other regulation-focused executive orders, while also chairing a newly created Regulatory Reform Task Force in each of the respective agencies. These task forces will evaluate their agencies’ existing regulations and make recommendations regarding their repeal, replacement, or modification.  It is currently unclear whether the White House intends this executive order to apply to independent agencies like the banking regulators.
February 24, 2017
#13789: Identifying and Reducing Tax Regulatory Burdens; Supplement to Order 13771 (Dodd-Frank Roll Back)
The goal is to take the action necessary to “reduce the burden existing tax regulations impose on American taxpayers and thereby to provide tax relief and useful, simplified tax guidance.” It also orders a 180-day review of two parts of the Dodd-Frank Act — the Orderly Liquidation Authority (OLA) and the construct and function of the Financial Stability Oversight Council — as part of an overall effort to roll back certain aspects of Dodd-Frank.
April 21, 2017

*Please note that this list is not meant to be all-inclusive; rather, its focus is on key regulatory and legislative actions pertaining to banking.  Other Executive Orders issued through April 2017 focus on environmental laws, immigration and travel, oil pipelines/energy, trade, climate change, ISIS, reorganizing the National Security Council, Wall Street regulations, the deficit, rural prosperity, law enforcement, protecting national lands and tax regulations. For a complete list of Executive Orders,
go to





Cyber Risk Management
On October 26, 2016, the FRB, OCC and FDIC published in the Federal Register an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for large and interconnected entities under their supervision and those entities’ service providers. The ANPR addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
Issued October 26, 2016.  Comment deadline extended from January 17, 2017 to February 17, 2017.
Loans in Special Flood Hazard Areas
The OCC, FRB, FDIC, Farm Credit Administration (FCA), and National Credit Union Administration (NCUA) are issuing a new proposal to amend their regulations regarding loans in areas having special flood hazards, to implement the private flood insurance provisions of the Biggert-Waters Flood Insurance Reform Act of 2012. The proposed rule would require regulated lending institutions to accept policies that meet the statutory definition of private flood insurance in the Biggert-Waters Act, and would permit regulated lending institutions to accept flood insurance provided by private insurers that does not meet the statutory definition of “private flood insurance” on a discretionary basis, subject to certain restrictions.
Comments were due January 6, 2017.
Mortgage Servicing Rules
The CFPB is working in advance of its five-year deadline by starting the process of obtaining industry feedback on the Real Estate Settlement Procedures Act (RESPA) mortgage servicing rule (MSR). This rule essentially gave borrowers new consumer protections related to mortgage loan servicing, many of which were aimed at helping consumers who were having trouble making their mortgage payments. Relatedly, the CFPB recently finalized the MSR slated to go into effect on October 19, 2017. The final rule clarified and revised the 2013 RESPA Servicing Final Rule and the 2013 TILA Servicing Final Rule, which does not fall under Dodd-Frank. The final report of the CFPB’s assessment results will not be issued until January 2019.
of Plan to Obtain Industry Feedback on MSR: May 4,

*Please note that this list is not all-inclusive; its focus is on key regulatory and legislative actions pertaining to banking that are worthy of note.


The CFPB and FFIEC recently published a list of resources designed to assist financial institutions with the revised HMDA requirements, as follows:

  • Frequently Asked Questions (FAQ): The FAQ includes answers to many questions about how to submit and file 2017 HMDA data, particularly how to use the 2017 LAR Formatting Tool;
  • Technology Preview: A webpage providing an initial view into the way HMDA filers will interact with the new online HMDA Platform, designed to help streamline the HMDA submission process;
  • Filing Instruction Guides: Separate Filing Instructions Guides (FIG) are already available for HMDA data to be collected in both 2017 and 2018; and
  • 2017 LAR Formatting Tool: The Loan/Application Register (LAR) Formatting Tool is intended to help financial institutions, typically those with small volumes of covered loans and applications, create an electronic file that can be submitted to the HMDA Platform.

For a complete description of available tools and resources go to:


  • OCC supplemental examination procedures for Third-Party Relationships: On January 24, 2017, the OCC issued examination procedures to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013.  The focus is primarily on providing more in-depth examination guidance around risk management-related processes.
  • CFPB Bulletin on Incentive Compensation Expectations: The CFPB recently issued a Bulletin (the Bulletin) highlighting the risks that production-based incentives may pose to consumers, noting that they can lead to practices that result in unintended consumer harm if not properly managed. Examples of those practices include steering consumers into products that are not to their benefit, unauthorized account openings, and unauthorized opt-ins to overdraft services. The Bulletin also includes steps that institutions can take to “detect, prevent, and correct” unexpected outcomes, and details control areas that should be considered, including policies and procedures, training, monitoring/reviews, complaint management, and periodic independent audits.


  • FinCEN and the OCC announced the assessment of civil money penalties totaling $7 million on Merchants Bank of California, Carson, CA, for significant willful violations of the Bank Secrecy Act (April 2017).
  • The CFPB took action against four online lenders – Golden Valley Lending, Inc., Silver Cloud Financial, Inc., Mountain Summit Financial, Inc., and Majestic Lake Financial, Inc. – for deceiving consumers by collecting debt they were not legally owed (April 2017).
  • The CFPB sued Ocwen, one of the largest non-bank mortgage servicers, for violations at several stages of the mortgage servicing process (April 2017).
  • The CFPB issued a $3 million penalty against Experian and its subsidiaries regarding deceptive representations of how the credit scores sold to consumers are used (March 2017).
  • The CFPB assessed penalties against Nationstar Mortgage LLC for Home Mortgage Disclosure Act (HMDA) reporting issues (February 2017).
  • The CFPB fined Prospect Mortgage LLC $3.5 million in penalties for an illegal kickback scheme associated with mortgage business referrals, in violation of the Real Estate Settlement Procedures Act (RESPA) (January 2017).

AuditOne Compliance Advisory: Model Validations and Related Exercises

AuditOne Advisory

From Bud Genovese, Chairman

Model validations to meet model risk management and governance requirements are clarified in this reprint of WIB’s April 2017 Compliance Digest article written by Jeremy Taylor, Co-CEO, AuditOne LLC. Please feel free to forward it to the appropriate people in your financial institution. Thank you. -Bud

Model Validations and Related Exercises

Jeremy Taylor, Co-CEO, AuditOne LLC

The last two to three years have seen a burst of emphasis on ensuring a disciplined process for financial institutions’ (FIs’) management of model risk, in accordance with OCC Bulletin 2011-12 (which superseded 2000-16) and FRB SR 11-07.  Neither the FDIC nor the NCUA has issued similar formal guidance, but they have signaled their concurrence in other documents (e.g., the Winter 2005 issue of the FDIC’s Supervisory Insights).

This emphasis has come, not surprisingly, in response to FIs’ growing reliance on models, whether purchased or developed in-house, for a wide range of risk management and other purposes.  While community banks are typically less model-reliant, there are still expectations that they adopt appropriate governance and controls for their models, examples of which are cited below.

While the OCC and FRB documents address all the required elements of model governance, what has become evident is some confusion among model users over terminology and over the particular requirements for verifying satisfactory model performance.  Specifically, we see frequent failure to distinguish clearly between what each of the following is intended to do and when/where it may be needed:

  • Validation
  • Certification
  • Audit
  • Independent review
  • Service Organization Controls report (SOC 1/SSAE 16 and/or SOC 2)

This blurring in terminology can in turn translate into either gaps in required documentation or, perhaps, overkill.  The resulting confusion can easily carry over into an FI’s dialogue with its regulators and auditors as well.

The OCC and FRB guidance clearly states that: “All model components, including input, processing, and reporting, should be subject to validation.”  But who is to do this and how?  For purchased models, it is critical to recognize that the structure, features and core functionality are common to all users; it therefore makes sense for the model vendor to arrange for a validation report to be prepared independently (e.g., by a consulting firm with specialized expertise in that area), to be made available to all users.  This makes more sense than every user going out and independently commissioning such a report.  Its purpose is essentially to answer the question, “Does the model do what it says it does?”  Such a report will attest to those validation concerns relevant to all users, which takes in a model’s logical structure; the underlying math, finance, statistics, etc.; their translation into algorithms and coding; the reliability of those calculations; the reporting options available; alternative/competing models and approaches; etc.

So why, then, the need for audit?  Because it is important to recognize that this list of validation concerns is only a partial list.  There is another, quite different, set of concerns that an off-the-shelf validation report will not touch: the user-specific concerns.  Is the model appropriate for the user, and has it been set up properly?  This is where an auditor will focus, taking the validation report as a starting point (including verification that any issues identified in the report have been followed up on by the user).  The audit will then address such critical issues as:

  • Is the model appropriate for the FI’s needs?
  • Have the data feeds been set up correctly?
  • Are there controls to ensure continuing data input integrity?
  • Are the assumptions reasonable and properly supported?
  • Is the model producing results that make sense, verified by back-test?

Unfortunately, the audit exercise described above is often referred to as a “validation.”  It also sometimes gets called (e.g., in the 1996 Joint Policy Statement on Interest Rate Risk) an “independent review.”  Let’s just call it an audit, and the first exercise discussed above a certification.  Again, this distinction only becomes necessary for purchased models; in-house models won’t have the same bifurcation.

For most of the vendor models that our firm encounters – such as for IRR simulations, AML suspicious activity monitoring, ALLL general reserve requirements – independent model certifications are indeed typically available.  To throw in another wrinkle, there are situations where an outside vendor may also need to consider obtaining and making available a Service Organization Controls (SOC) 1 and/or SOC 2 report.  This will come into play where the vendor is not just offering usage of a model but also an outsourced service to take its client’s (e.g., a bank’s) data, run it through the model, and produce reporting to send to the user.  In those cases, the vendor’s internal controls relevant to defined principles – security, availability, processing integrity, confidentiality and privacy – become a separate concern that a model certification report may address only in part.

A SOC 1 is performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16 and is needed when the output relates directly to the financial statements of a client; the ALLL is a good example.  A SOC 2 is broader in its assessment of controls and does not have the financial statement focus.  It was created in response to the needs of technology entities such as data centers and cloud-based systems, as an audit that assesses the effectiveness of their controls according to the defined principles listed above, applied across all functional areas and not just those related to financial reporting.  For this reason, some service organizations have both a SOC 1/SSAE 16 and a SOC 2 performed to satisfy different audiences.  The clients of the service provider may need the SOC 1/SSAE 16 for their financial accountants, while providing the SOC 2 to the information security officer of the client firm.

Whatever label we apply to these different types of exercise with their different goals and audiences, what is clear is regulators’ growing focus on ensuring a systematic and comprehensive approach to addressing the relevant concerns.

Published in Western Independent Bankers Association’s Compliance Digest, Issue 23 – April 2017.