AuditOne Compliance Advisory: 2017 Q4

AuditOne Advisory

From Bud Genovese, Chairman

In recent months, the CFPB has been very active releasing new proposals and final rules.  In this edition, we will highlight those that directly impact banks and credit unions, along with other noteworthy regulatory news, pronouncements and enforcement actions.  We hope you enjoy!

CFPB Moves One Step Closer to Small Business Data Collection

On May 10, 2017, the CFPB published a 42-page White Paper that seeks to advance efforts to collect small business data for the purpose of analyzing lending patterns and financing accessibility to underserved market segments.  Topics explored include:

  • What defines a small business?
  • What institutions lend to small businesses and what products are offered?
  • What types of business lending information are used by financial institutions?
  • Private impact of the public release of small business lending data

Efforts do not appear to be slowing down, so it wouldn’t hurt to begin examining existing processes, systems, and capabilities to determine what changes, if any, might be necessary in the event this initiative picks up steam and moves closer to formal regulation.  The CFPB White Paper can be found at


Military Lending Act

Credit card provisions of the MLA became effective October 3, 2017. Key provisions include a 36 percent Military Annual Percentage Rate (MAPR) cap, what fees can be excluded from the MAPR calculation and how the financial institution’s fees compare with fees charged elsewhere. A link to the rule follows:

October 3, 2017

CFPB Amends Regulation B requirements

Seeking to resolve certain differences between ECOA (Regulation B) and the revised HMDA (Regulation C) rule, the CFPB finalized a proposal to amend Regulation B requirements related to the collection of consumer ethnicity and race information.  Key revisions include:

  • Option to self-identify extended to additional (disaggregated) race and ethnicity categories
  • Allows for collection of race and ethnicity data in certain cases where creditor is not required to report under HMDA.
  • Replaces the current (2004) Uniform Residential Loan Application (URLA) with a new, one-page data collection model form that can be used to collect the revised HMDA demographic data until the 2016 URLA prepared by Freddie Mac and Fannie Mae is implemented
  • Authorizes a financial institution that is subject to the requirement to report closed-end loans to voluntarily report home equity lines of credit (HELOCs), and those subject to the requirement to report HELOCs to voluntarily report closed-end loans.  Additionally, financial institutions may collect applicant demographic information for dwelling-secured business loans that are not reportable because the loans are not for the purposes of home purchase, refinancing, or home improvement (not applicable to a second or additional co-applicant; the HMDA rule requires the collection of the information for the applicant and first co-applicant only). For an overview, click on the following link:

September 21, 2017

Flood Program Suspension

The Federal Emergency Management Agency (FEMA) suspended the availability of flood insurance in some markets because of noncompliance by local governments with the floodplain management requirements of the program.  Although this puts banks at risk if a property impacted by this suspension has a mortgage against it, governments are allowed to prevent suspension or have it lifted if they are able to provide required documentation demonstrating compliance before the effective suspension date.  For a list of impacted areas, go to: – or – for FEMA’s Status Book.

September 7, 2017

Mortgage Servicing Rules (Phase I)

On October 19, 2017, the first phase of the CFPB’s mortgage servicing rule changes under Regulations Z (Truth in Lending Act, or TILA) and X (Real Estate Settlement Procedures Act, or RESPA) becomes effective. The provisions clarify and amend requirements for force-placed insurance notices, policies and procedures, early intervention, and loss mitigation. Also included is an interim Fiduciary final rule with a request for comment that gives mortgage servicers a 10-day window to notify borrowers that have requested that communication cease under federal debt collection law about their foreclosure options.  A link follows:

October 19, 2017

Comments due November 15, 2017

Overdraft Disclosure Prototypes Released

To improve the current model form (A-9) that banks provide to consumers weighing overdraft coverage, the CFPB released four Know Before You Owe overdraft disclosure prototypes. The prototypes are designed to better explain a financial institution’s overdraft fees and the risks to consumers of opting in to overdraft coverage and fees for ATM and one-time debit card transactions. The CFPB is testing the prototypes as potential replacements for the current Regulation E disclosure form A-9, used to inform consumers of their financial institution’s overdraft policies, fees, etc. The prototype forms:

  • Are designed to show more clearly the cost of the fees and when they can be charged
  • Describe key elements of the bank’s overdraft policies
  • Explain the opt-in decision applies only to one-time debit card and ATM transactions
  • Are designed to make clear that debit card and ATM overdraft protection is entirely optional

It is important to note that as the CFPB tests the proposed prototypes, the current model form (A-9) provided in the 2010 rule continues to apply.  The current model form (A-9) and prototypes are available at

August 4, 2017

HMDA Final Rules/Examiner Testing Guidelines

On August 24, 2017, the CFPB published what is now known as the 2017 HMDA Final Rule.  The rules contain guidance on reporting Mortgage Loan Originator identifiers for purchased loans: property location, income, temporary financing, and new funds on certain existing credit.  The guidance also more clearly defines “extension of credit” and “automated underwriting systems”; clarifies impact of census tract reporting errors; clarifies that a loan secured by five or more separate dwellings in more than one loan location is not a loan secured by a multifamily dwelling; raises applicability thresholds for open-end lines of credit from 100 to 500 covered loans until January 1, 2020; and clarifies certain aspects of data collection around race and ethnicity.

Federal banking agencies also issued guidelines for how examiners will test the accuracy of HMDA data collected and reported by financial institutions. The most notable change is that the old requirement that certain error rates trigger required LAR correction and resubmission has been replaced with new sample review size standards driven by a financial institution’s mortgage lending activity volumes.  All regulatory examiners will use the same testing guidelines, which will apply to HMDA data collected in or after 2018. HMDA Transaction Testing Guidelines are available

August 24, 2017 – Final Rules

August 23, 2017 – Examiner Testing Guidelines


Mortgage Servicing Rules (Phase II)

Some of the CFPB’s new Mortgage Servicing requirements will apply to a borrower’s successors in interest and the servicing of mortgages for borrowers in bankruptcy.

2, 2017

April 19, 2018

Regulation CC

In an effort to keep pace with an evolving and increasingly electronic check collection system, the CFPB amended Regulation CC to help create a consistent warranty chain regardless of the check’s form, including incentives for electronic presentment and return. The final rule is available at

The FRB is also requesting comment on a proposal to amend existing liability provisions to include a presumption that a substitute or electronic check was altered instead of forged in certain cases of doubt. Comments are requested within 60 days of publication in the Federal Register.  To review the proposed rule, go to the following link:

26, 2017

July 1, 2018

Financial CHOICE Act

Renaming and Rebranding the CFPB

The Financial Services Committee of the House of Representatives passed the Financial CHOICE Act (the Act) amending many of the provisions of Dodd Frank – driven, in large part, by a desire to reform the Consumer Financial Protection Bureau (CFPB), noting that the CFPB has not achieved its intended purpose relative to availability and the cost of basic banking services and

The CFPB’s new name would be the Consumer Financial Opportunity Commission, and it would become an independent agency outside the Federal Reserve with a new dual purpose: the protection of consumers and the promotion of market competition.  The Act makes specific changes to Dodd Frank surrounding complaint handling protocols, the definition of UDAAP, removing limits on debit card interchange fees, and prohibiting arbitration clauses.  It also establishes a new Board structure, sets employee compensation parameters, and introduces requirements for periodic review of the cost/benefit of existing regulations.

4, 2017

BSA/AML – Beneficial Ownership Rule

Final rule on customer due diligence from the Financial Crimes Enforcement Network (FinCEN) that affects the way financial institutions determine beneficial owners of “legal entity” accounts.

11, 2016

May 18, 2018

*Please note that this list is not intended to be inclusive; its focus is on key regulatory and legislative actions pertaining to banking that are deemed worthy of note.


AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security, ACH rules Compliance, Operations, Network Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, Co-CEO at: Contact Us or Kevin Watson, Co-CEO at: Contact Us and for information about all of our audit services see


AuditOne Advisory : How to comply with website ADA (section 508) as a financial institution

AuditOne Advisory

From Bud Genovese, Chairman

Your institution may have legal and monetary risk exposure due to new web content laws. Kevin Tsuei, Technology Practice Director, explains the law and how to proactively reduce risk, including a technical scan of your website, and remediation suggestions. This advisory should provide timely information to you, the board, management, and your risk management team. Please forward to applicable parties, thank you –Bud.

On January 9, 2017, the U.S. Access Board refreshed their accessibility requirements for websites, electronic documents, and software. This standard is often referred to as Section 508. One of the major changes involved adopting Web Content Accessibility Guidelines (WCAG) 2.0 Level A and Level AA criteria. These guidelines are maintained by the World Wide Web Consortium (W3C), which is an international community (not a government regulated body). Their mission is stated on their website: “The W3C mission is to lead the World Wide Web to its full potential by developing protocols and guidelines that ensure the long-term growth of the Web.”

What does this mean for Financial Institutions?

Since the adoption of WCAG 2.0 Level A and Level AA, numerous financial institutions, including community banks and credit unions, have received letters from law offices stating that their website is not compliant with the Americans with Disabilities Act (ADA). This has resulted in remediation and monetary compensation (through settlement or insurance claims) requirements. Note that the monetary compensation requirements have not been inexpensive; most institutions have a deductible in the five-figure range.

To assist our clients with complying with the new Section 508 standards, we have developed an assessment product to not only scan institutions’ websites, but also to provide remediation steps for the Bank’s web developer to address. We are currently offering a free summary scan to any of our clients. This free scan will list the number of Level A and Level AA issues that are present on the Bank’s website. We will also provide a summary of the issues, but it will not contain any remediation steps or any other control enhancements that we perform with our assessment services.

We designed our assessment to evaluate the accessibility of the institution’s informational website against the new Section 508 standards (W3C’s WCAG 2.0 A and AA). In addition, we review the Bank’s Website Accessibility Policy and Procedures based on the ADA Best Practices Checklist from the US Access Board. The goal of the assessment is to provide an action plan that management can use to remediate accessibility issues, as well as resources to assist management with monitoring for continued compliance.

What is expected of Financial Institutions?

To date, there is no guidance from financial regulators. However, there are certainly legal and financial risks of non-compliance with Section 508. Besides ensuring the Bank’s informational website is compliant with Section 508, we recommend that the Bank develop a written policy addressing website accessibility. Some of the controls listed in the policy might include verification of compliance over new or changed contents, in-house and contractor training over this topic, periodic audit of its website along with an established remediation process, and a response process for when website visitors report accessibility issues.

In addition, it is important for management to publish their website accessibility policy on the institution’s website.  This policy should include an invitation for visitors to provide suggestions for improvement and a process to report any website accessibility problems (telephone, e-mail, etc.).

If you would like us to perform a free summary scan against the new Standard 508, please email Kevin Tsuei. Please be sure to provide your institution’s website URL.

