Categories
News

AuditOne General Compliance Advisory: 2019 Q2

AuditOne Advisory

From Bud Genovese, Chairman

Within this issuance, we discuss further regulatory changes resulting from the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), as well as the Economic Growth, Regulatory Relief and Consumer Protection Act (EGRRCPA).  We go on to explore Federal Reserve Board (FRB) plans to implement real-time payment and settlement by 2024; a Consumer Financial Protection Bureau (CFPB) initiative to develop a “joint data intake system” to streamline data review and exams across regulatory agencies; a Department of Housing of Urban Development (HUD) plan to raise the legal bar for plaintiffs alleging discrimination under the Fair Housing Act; followed by Agency revisions to flood, privacy, community reinvestment, and appraisal requirements.  We conclude with several compliance developments and enforcement actions, including a cautionary decision by the Office of the Comptroller of the Currency (OCC) to permanently ban a bank’s General Counsel from the industry for making false statements and concealing documents related to compliance with the Bank Secrecy Act. 

This Quarterly General Compliance edition has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  We hope you enjoy! – Bud

DODD-FRANK CORNER

  • Regulation CC, which implements the Expedited Funds Availability Act of 1987 (EFA Act), has been formally amended in accordance with Dodd-Frank requirements that require EFA Act dollar amounts to be adjusted for inflation every five years, as well as to implement various changes as a result of the EGRRCPA.  Key amendments include:
    • increasing (from $200 to $225) required next-day availability of the aggregate deposit of local or nonlocal checks; and,
    • extending coverage to American Samoa, the Commonwealth of the Northern Mariana Islands and Guam, along with other technical amendments. 

The effective date is August 24, 2019 for certain amendments (§§ 12 CFR 229.2(c), (ff), and (jj), 229.12(e), 229.43, and 12 CFR Part 1030) and July 1, 2020 for all others.   A link follows:  https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20190624a1.pdf

  • On July 9, 2019, regulators announced the adoption of a final rule that excludes community banks with $10 billion or less in total consolidated assets and total trading assets and liabilities of 5 percent or less of total consolidated assets from the Volcker Rule.  The Volcker Rule generally restricts banking entities from engaging in proprietary trading and from owning, sponsoring, or having certain relationships with hedge funds or private equity funds.  The final rule also permits a hedge fund or private equity fund, under certain circumstances, to share the same name or a variation of the same name with an investment adviser as long as the adviser is not an insured depository institution, a company that controls an insured depository institution, or a bank holding company.  Ii is important to note that regulators will hold off for two years on enforcing Volcker Rule restrictions on some foreign funds.  A link follows:  https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20190709b1.pdf
  • Regulators issued a final rule to simplify and clarify several requirements pertaining to Regulatory Capital Rules.  The final rule only applies to banking organizations that do not use the “advanced approaches” capital framework, which are generally firms with less than $250 billion in total consolidated assets and less than $10 billion in total foreign exposure.  The rule effectively accomplishes the following:
    • Simplifies the capital treatment for mortgage servicing assets, certain deferred tax assets, investments in the capital instruments of unconsolidated financial institutions, and minority interest.
    • Allows bank holding companies and savings and loan holding companies to redeem common stock without prior approval unless otherwise required.

The rule is effective as of April 1, 2020 (for the amendments to simplify capital rules) and as of October 1, 2019 (for revisions to the pre-approval requirements for the redemption of common stock and other technical amendments).  A link follows: https://www.federalreserve.gov/newsevents/pressreleases/other20190709a.htm

  • On June 1, 2019, the CFPB issued a final rule amending the official interpretations for Regulation Z, which implements the Truth in Lending Act (TILA). “The Bureau is required to calculate annually the dollar amounts for several provisions in Regulation Z; this final rule revises, as applicable, the dollar amounts for provisions implementing TILA and amendments to TILA, including under the Credit Card Accountability Responsibility and Disclosure Act of 2009 (CARD Act), the Home Ownership and Equity Protection Act of 1994 (HOEPA), and the Dodd-Frank Act. The CFPB is adjusting these amounts, where appropriate, based on the annual percentage change reflected in the Consumer Price Index (CPI) in effect on June 1, 2019”.  A link follows:  https://www.federalregister.gov/documents/2019/08/01/2019-16300/truth-in-lending-regulation-z-annual-threshold-adjustments-credit-cards-hoepa-and-qualified
  • On June 5, 2019, regulatory agencies adopted as a final rule, the August 31, 2018, interim final rule, which amended the agencies’ liquidity coverage ratio (LCR) rule to treat liquid and readily-marketable, investment-grade municipal obligations as high-quality liquid assets. This treatment was mandated by section 403 of the EGRRCPA.  A The LCR rule generally applies to a bank holding company, savings and loan holding company, or depository institution if: (1) It has total consolidated assets equal to $250 billion or more; (2) it has total consolidated on- balance sheet foreign exposure equal to $10 billion or more; or (3) it is a depository institution with total consolidated assets equal to $10 billion or more and is a consolidated subsidiary of a firm that is subject to the LCR rule (each, a covered company).  A link follows: https://www.govinfo.gov/content/pkg/FR-2019-06-05/pdf/2019-11715.pdf?utm_source=federalregister.gov&utm_medium=email&utm_campaign=subscription+mailing+list
  • The CFPB recently announced a Symposia Series of conferences exploring consumer protections in financial services.  “The series will include topics ranging from abusive acts or practices, behavioral law and economics, small business loan data collection, disparate impact and the Equal Credit Opportunity Act, cost-benefit analysis, and consumer authorized financial data sharing. First to focus on clarifying the meaning of abusive acts or practices under Section 1031 of the Dodd-Frank Act”.  A link follows: https://www.consumerfinance.gov/about-us/newsroom/bureau-announces-symposia-series/

FRB MOVES A STEP CLOSER TO REAL TIME PAYMENTS

The FRB announced that Federal Reserve Banks will develop a new round-the-clock real-time payment and settlement service, called the FedNow℠ Service, to support faster payments in the US. The expectation is that faster payment services, targeted for availability by 2024, will enable the near-instantaneous transfer of funds day and night, weekend and weekdays.
The possibility of real time payments has been a hot button discussion item for several years, in part because of the huge potential impact on the bottom line of financial institutions that may derive a notable source of income from overdraft fees. A link to the Federal Register Notice and FAQs follows:

https://www.federalreserve.gov/newsevents/pressreleases/files/other20190805a1.pdfhttps://www.federalreserve.gov/newsevents/pressreleases/files/other20190805a2.pdf

CFPB SEEKS TO USE JOINT DATA INTAKE SYSTEMS TO REDUCE AGENCY INCONSISTENCIES

CFPB Director Kathleen Kraninger recently announced at an ABA conference in New Orleans that her agency is working with other federal agencies through the Federal Financial Institutions’ Examination Council (FFIEC) on a joint data intake system as the agency looks for ways to streamline its rulemaking systems. Ms. Kraninger also indicated that the bureau is coordinating with other prudential regulators in its examinations, particularly by relying on data gathered by other regulators – to include looking at whether there is an opportunity for the CFPB to do a much more narrow exam looking at similar data at a similar point in time. It is too soon to tell whether these changes will ultimately reduce inconsistencies in exam approach and expectations across regulatory agencies, but that it is being explored is a positive first step. A link follows: http://www.cutoday.info/Fresh-Today/Fed-Financial-Regulators-Working-On-Joint-Data-Intake-System-Says-CFPB-s-Kraninger

HUD PROPOSAL WILL RAISE THE BAR FOR PROVING LENDING DISCRIMINATION

HUD announced plans to amend its “disparate impact” standard to raise the legal bar for plaintiffs alleging discrimination under the Fair Housing Act. Under a proposal that has circulated but has not officially been unveiled, a consumer would have to follow a more rigorous five-step framework to demonstrate that discrimination occurred. This new framework is very likely to have a spillover impact on Fair Lending exam focus areas: https://bankingjournal.aba.com/2019/07/hud-proposal-would-align-disparate-impact-rule-with-court-ruling/

NEW FLOOD INSURANCE REQUIREMENTS FOR CREDIT UNIONS

Effective July 1, 2019, credit unions are required to accept private flood insurance policies that meet the definition of private flood insurance as included under the Biggert-Waters Act.  Under certain conditions, credit unions may accept private flood insurance policies that do not meet the definition of private flood insurance, as well as NCUA-approved private flood insurance plans provided by mutual aid societies.  A link follows: https://www.ncua.gov/files/regulatory-alerts/19-RA-01-flood-insurance-alternatives.pdf

CALIFORNIA CONSUMER PRIVACY ACT EXPECTED TO HAVE SWEEPING IMPACTS

The California Consumer Privacy Act (CCPA) of 2018 is expected to significantly change how businesses handle and protect data in California.  The impact will be heavily felt by companies that store large amounts of personal information, especially social media giants like Google and Facebook.  Amongst other changes, companies will not only be required to disclose the types of data they collect, but also allow consumers to opt out of having their data sold.  Under the Act, California residents are protected with respect to any information that relates to them in their roles as consumers, employees, patients, tenants, students, parents, children, etc. 
Important to note is that the CCPA only applies to any business that meets one of the following criteria:

  • A business that earns $25,000,000 a year in revenue.
  • A business that “annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” In other words, if the combined number of records of personal information from consumers, households, and/or devices exceeds 50,000, the law applies to them.
  • A business that derives 50% or more of its annual revenue by selling personal information, even if fewer than 50,000 separate and distinct entities (consumers, households, and/or devices).

The CCPA was signed into law by California Governor Jerry Brown on June 28, 2018, and will become effective on January 1, 2020, leaving companies a relatively small window still to become compliant. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

NCUA AMENDS APPRAISAL RULES

The Board of the NCUA is amending its rule requiring real estate appraisals for certain transactions. The final rule accomplishes two key objectives:

  • Increases the threshold below which appraisals are not required for commercial real estate transactions from $250,000 to $1,000,000
  • Exempts from the rule certain federally related transactions involving real estate in rural areas

The rule becomes effective 90 days after publishing in the Federal Register, or October 10, 2019. 
A link follows: https://www.govinfo.gov/content/pkg/FR-2019-07-24/pdf/2019-15708.pdf?utm_source=federalregister.gov&utm_medium=email&utm_campaign=subscription+mailing+list

OTHER COMPLIANCE NEWS & DEVELOPMENTS

FinCEN Renews Orders Targeting Natural Persons Behind Shell Companies
FinCEN announced the renewal of its Geographic Targeting Orders that require U.S. title insurance companies to identify the natural persons behind shell companies used in all-cash purchases of residential real estate. The purchase amount threshold remains $300,000 for each covered metropolitan area.  Guidance and FAQs below:

News Release: https://www.fincen.gov/news/news-releases/fincen-reissues-real-estate-geographic-targeting-orders-12-metropolitan-areas   

GTO: https://www.fincen.gov/sites/default/files/shared/Real%20Estate%20GTO%20Order%20FINAL%20GENERIC%205.15.2019_508.pdf

FAQs: https://www.fincen.gov/sites/default/files/shared/FAQs%20on%20Real%20Estate%20GTO%205.15.2019_508.pdf

NCUA Chair Makes Bold Statement Regarding Cannabis Sanction Enforcement  
During an August interview with the Credit Union Times, NCUA Board Chairman Rodney E. Hood stated that “if credit unions providing services to cannabis-related businesses comply with rules by Treasury’s Financial Crimes Enforcement Network (FinCEN), file suspicious activity reports (SARs) and follow other rules, then they will not be cited for doing business with cannabis firms”.  The statement has since created a great deal of buzz around the need to formally clarify what NCUA’s stance is because of what some view as an inconsistent stance on the topic over the last several years.
https://newyorksstateofmind.wordpress.com/2019/08/12/what-chairman-hoods-pot-pronouncement-means-to-your-credit-union/

CFPB Publishes Mortgage Closing Scams Guidance
The CFPB published new resources to educate consumers about recent mortgage closing scams targeting homebuyers just before they close, through the use of email phishing.  These scams have reportedly cost some homebuyers their down payment and closing costs: https://www.consumerfinance.gov/about-us/blog/mortgage-closing-scams-how-protect-yourself-and-your-closing-funds/?utm_source=newsletter&utm_medium=email&utm_campaign=Homebuyers&utm_term=FY19MSC&utm_content=Intermediaries]

Community Reinvestment Act Perspectives
The FRB published “Perspectives from Main Street: Stakeholder Feedback on Modernizing the Community Reinvestment Act,” a summary of feedback received from bankers and community groups (during a series of 29 roundtable discussions involving more than 400 participants) on the current state of, and potential revisions to, the CRA.  The information was gathered between October 2018 and January 2019.  A link follows:  https://www.federalreserve.gov/newsevents/pressreleases/bcreg20190613a.htm

OCC Publishes Guidelines for CRA Strategic Plan Option
Banks may elect to have their CRA performance evaluated on the basis of a pre-approved strategic plan that addresses their CRA responsibilities.  Important to note that the required contents of a strategic plan and the OCC’s criteria for evaluating a strategic plan are already specified in existing CRA regulations.  The guidelines referenced below are not new requirements but instead a summary of the OCC’s process for addressing bank requests for approval or amendment of a CRA strategic plan, including:

  • Information that a bank should provide to substantiate its request
  • The email address for banks to submit requests
  • The OCC’s review and approval processes

This appears to be a proactive effort to encourage more banks to use strategic plans for CRA purposes.  A link follows: https://www.occ.gov/news-issuances/bulletins/2019/bulletin-2019-39.html

New TRID Frequently Asked Questions (FAQ)

The CFPB issued a 12 page Frequently Asked Questions (FAQ) document about TRID.  Although a review of the document in its entirety is encouraged, there are a couple of points worth highlighting here, and perhaps as part of your institution’s training program:

  • A creditor’s use of a model form provides a safe harbor if the model form does not reflect the TRID Rule change finalized in 2017.
  • Creditors may not require consumers to provide any additional information (other than the six pieces of information that constitute an application under the TRID rule) in order to receive a Loan Estimate.  This includes requesting additional verifying information.  Further, if it is represented to the consumer that additional information is required to receive a Loan Estimate, the CFPB reminds us that they may then consider potential UDAAP implications.

A link follows: https://files.consumerfinance.gov/f/documents/cfpb_TILA-RESPA-integrated-disclosure_frequently-asked-questions.pdf

CFPB Elder Abuse Advisory Updated

The CFPB updated a 2016 Advisory on Elder Abuse by recommending that financial institutions file suspicious activity reports on elder fraud to law enforcement agencies.  The CFPB reiterated that elder fraud is “widespread and damaging,” with an average loss of $41,800 among victims over the age of 70.  https://files.consumerfinance.gov/f/documents/cfpb_suspected-elder-financial-exploitation-financial-institutions_report.pdf

PROPOSED RULEMAKING

KEY SANCTIONS AND ENFORCEMENT ACTIONS

Freedom Mortgage Corporation HMDA Enforcement
The recent action against Freedom Mortgage Corporation is worth a read to garner the types of focus areas in recent HMDA enforcement.  It may also complement HMDA training material for loan officers: https://files.consumerfinance.gov/f/documents/cfpb_freedom-mortgage-corporation_consent-order_2019-05.pdf

Citibank Restitution – Consumer Compliance
The OCC assessed a $25 million CMP against Citibank, N.A., of Sioux Falls, SD, for inadequate oversight of a bank program known as Relationship Loan Pricing (RLP), meant to provide mortgage borrowers with a credit to closing costs or an interest rate reduction.  For various reasons, certain Bank borrowers did not receive the RLP benefit for which they were eligible and were adversely affected on the basis of their race, color, national origin, and/or sex.  Citibank has executed a plan to reimburse all customers who did not receive the appropriate RLP benefit, estimated to be about 24,000 customers in the amount of approximately $24 million.  A link follows: https://www.occ.gov/static/enforcement-actions/ea2019-009.pdf

Former California Bank General Counsel Prohibited From Working in the Industry
A former general counsel of a California bank faces a $50,000 civil money penalty and a prohibition from working in the banking industry.  The individual was reportedly terminated by the bank in 2015 after having served as general counsel since 2009. According to the OCC, he allegedly made false statements and concealed bank documents related to the Bank’s compliance with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) requirements.  A link to the action follows:
https://www.occ.gov/static/enforcement-actions/ean19-002.pdf

AuditOne LLC – Company Overview

AuditOne LLC’s is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, BSA/Compliance, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge. For more information on this article, or to receive a proposal for a Compliance Audit, please contact Jeremy Taylor, CEO, AuditOne LLC, at Contact Us. In addition, contact Jeremy for information on how our other services can help reduce risk at your institution. Also, for more information about AuditOne LLC and all our audit services see AuditOneLLC.com

Categories
News

AuditOne Advisory: Liquidity Risk Management Analysis

AuditOne Advisory

From Bud Genovese, Chairman

This Advisory presents data that we have complied to help in your institution’s Liquidity Risk Management (LRM) process. AuditOne performs remote-based LRM audits every year at institutions in the Western US and around the nation. One of our ALM audit specialists, Kruskal Hewitt, has developed the following presentation of liquidity data from a variety of financial institutions. Mr. Hewitt has been a risk and portfolio manager at international and large regional banks. I hope you find this information useful, and please share with your colleagues having responsibilities related to Liquidity Risk Management and Liquidity Policy. Thank you, — Bud

AUDITONE LLC’S ANALYSIS OF LIQUIDITY LIMITS 2016 – 2018

AuditOne LLC is a leading provider of outsourced internal audit and related services for community banks, regional banks, credit unions and other financial institutions (FI). Please refer to our website for further information (www.auditonellc.com). Liquidity risk management (LRM) is among AuditOne’s audit areas, part of our Asset/Liability Management (ALM) practice. US financial institutions (FI) are expected to have regular internal audits of their monitoring and control of LRM, which requires a variety of tools.

AuditOne has compiled (anonymously) data from 67 of our LRM clients on liquidity limits. These are institutions where we have collected data from the most recent AuditOne LRM audit, going no further back than 2016, covering 67 institutions. AuditOne believes this database is relevant to our clients because it covers a relatively narrow range of asset size, geography and business lines. We update this analysis annually.

Unlike for interest rate risk, regulators have not created rules or detailed guidance on how liquidity should be modeled, measured or limited. Nor are liquidity risks straightforward to compare from one FI to another, given that liquidity limits can generally be measured/defined in various, somewhat different ways.

HOW MANY LIMITS?

Within our database of 67 FI clients, there was one that had only one liquidity policy limit measure, and another with 18. The average is eight and the median seven.

There is no correlation between balance sheet size and the number of policy measurements; the second smallest balance sheet ($70 million) has 14 policy measures and the largest ($11 billion) has only one limit.

WHICH LIMITS?

There is a broad proliferation of liquidity metrics and limits. These are presented in detail in the following two sections. However, there are three groups of liquidity limits that are more common than it first appears, because they can show up with slightly different definitions.

  1. Limit on total liquidity: These show for 56 of 67 (84%) of institutions in our LRM database. These represent some form of liquid assets as a percentage of total assets or total deposits. The ratio goes by different names, including primary liquidity ratio, total liquidity ratio. Note that many clients have more than one limit in this category.
  2. Limit on brokered deposits: 44 of 67 (66%) of institutions. This is typically measured as brokered deposits (which in turn requires precise definition) as a percentage of total assets or total deposits.
  3. Loan to deposit ratio: 25 of 67 (37%) of institutions. This is expressed as a percentage of total deposits or deposits plus borrowings. In some cases, the denominator is limited to core deposits.

It appears that the common points of liquidity risk exposure across institutions generally get appropriate attention. But we do not suggest, nor does our database analysis imply, some “ideal set” of liquidity measures.

DEFINITIONS

Brokered Deposit / Total Deposit: In the numerator, all brokered deposits (per regulatory definition) and all deposits > $250,000, unless the institution has specifically designated a core depositor.

FHLB Advances / Total Assets: In the numerator, all collateralized borrowings from the FHLB.

Liquid Assets / Total Assets: In the numerator, all assets that mature within one year plus Available for Sale securities.

Liquid Assets / Total Deposits: Ditto.

Net Loans & Leases / Total Deposits: In the numerator, total loan and lease assets net of ALLL loan loss reserving.

Net Non-Core Funding Dependence: This ratio is noncore liabilities less short-term investments divided by long term assets. Noncore liabilities are total time deposits > $250,000, plus other borrowed money, plus foreign office deposits, plus securities sold under agreements to repurchase, plus Federal Funds purchased, plus insured brokered deposits. Long term assets are net loans and leases, plus securities with a remaining maturity of one year or more, plus Other Real Estate Owned (OREO).

Wholesale Funding / Total Assets: The numerator is brokered deposits (including CDARS), plus listing service deposits, plus security repurchase agreements, plus net Fed Funds purchased.

Note that per our earlier discussion, exact definitions of many of these metrics can vary from FI to FI.

WHAT LIMIT LEVEL?

This analysis presents results across our entire database of 67 institutions, most of them in western states. The 67 have in total 106 different measures of liquidity. But of these 106, 65 are used by only one or two institutions; they represent (less popular) variations on other definitions used more broadly.

The tables below show data on individually-defined limits, some closely related to others. It was indicated earlier, for instance, that total liquidity could be expressed as a percentage of total deposits or total assets; both show below (the 2nd and 5th tables, respectively), so that we can present data on the corresponding limit levels. The tables are ordered according to frequency of occurrence of each individual limit.

We would be happy to recalculate any of the results below for subsets of institutions based on asset size, primary regulator, and/or a specific limit that is not listed below. Please contact David Kellerman (our ALM Practice Director) at 702-279-8130 or Jeremy Taylor (our CEO) at 949-981-0420.

Please note:

  • The difference between “less than” and “less than or equal to” (or “greater than” and “greater than or equal to”) is minimal (in ratio terms). In the following presentation we have made no distinction between the two. For ease of notation, only “less than” (<) and “greater than” (>) are used
  • “<%” implies a limit expressed as a maximum (i.e., the highest that ratio can go), and vice versa. In contrast, in the body of each table below, “Maximum” indicates the highest limit amount across the database and “Minimum” the lowest, independent of how the limit itself is expressed.

Net Non-Core Funding Dependence: <% *

ClientsAverageMedianMinimumMaximum
4925%25%7%60%

Liquid Assets / Total Deposits >%

ClientsAverageMedianMinimumMaximum
3317%15%10%50%

Brokered Deposit / Total Deposit: <%

ClientsAverageMedianMinimumMaximum
3114%10%5%45%

FHLB Advances / Total Assets: <%

ClientsAverageMedianMinimumMaximum
2823%25%10%40%

Liquid Assets / Total Assets: >%

ClientsAverageMedianMinimumMaximum
2612%10%5%20%

Net Loans & Leases / Total Deposits: <%

ClientsAverageMedianMinimumMaximum
2499%98%80%135%

Wholesale Funding / Total Assets: <%

ClientsAverageMedianMinimumMaximum
2231%33%10%50%

* Interpretation: The Net Non-Core Funding Dependence can be no higher than 7% for the lowest FI in our database and no higher than 60% for the highest FI. The average and median are both a policy maximum of 25%.

DATABASE MIX SUMMARY

Database mix by asset size (all dollar figures in millions):

ClientsAverageMedianMinimumMaximum
67$1,022$378$24$11,400

Database mix by primary regulator (all dollar figures in millions):

ClientsAverageMedianMinimumMaximum 
50$1,174$346$70$11,400FDIC
8$786$753$266$2,000FRB
9$391$434$24$1,069OCC

AuditOne LLC – Company Overview

AuditOne LLC’s is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, BSA/Compliance, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge. For more information on this article, or to receive a proposal for an ALM/ IRR / Liquidity Audit, please contact Jeremy Taylor, CEO, AuditOne LLC, at Contact Us. In addition, contact Jeremy for information on how our other services can help reduce risk at your institution. Also, for more information about AuditOne LLC and all our audit services see AuditOneLLC.com

Categories
News

AuditOne Advisory: IRR Limits & Assumptions Analysis

AuditOne Advisory

From Bud Genovese, Chairman

This advisory presents data that we have complied to help you in management of your institution’s Interest Rate Risk (IRR) process. AuditOne performs remote-based IRR audits each week at institutions in the Western US and around the nation. One of our IRR audit specialists, Kruskal Hewitt, has developed the following presentation of IRR data from a variety of financial institutions. Mr. Hewitt has been a risk and portfolio manager at international and large regional banks. I hope you find this information useful and please share with your colleagues having responsibilities related to IRR modeling and related controls, thank you, — Bud

AUDITONE LLC’S ANALYSIS OF IRR LIMITS AND ASSUMPTIONS 2016 – 2018

AuditOne LLC is a leading provider of outsourced internal audit and related services for community banks, regional banks, credit unions and other financial institutions (FI). Please refer to our website for further information (www.auditonellc.com). Interest rate risk (IRR) is among AuditOne’s audit areas, part of our ALM practice. US FI are expected to have an annual internal audit of their modeling, monitoring and control of IRR. Key to modelling IRR are various forward-looking assumptions, while controlling IRR requires appropriate limits

AuditOne has compiled (anonymously) data from 91 of our IRR clients on IRR limits and assumptions. We have used data from the most recent AuditOne IRR audit, no further back than 2016. AuditOne believes this database is relevant to our clients because it covers a relatively narrow range of asset size, geography and business lines. We update this analysis annually.

DEFINITIONS

NII: Net interest income (NII) exposure is a current period (generally, at least one-year and two-year) estimate of interest-sensitive revenues and expenses under different interest rate scenarios.

EVE: Economic value of equity (EVE) is a theoretic valuation of the institution whereby cash flows from all assets and liabilities are discounted to their net present value (NPV), then summed. EVE captures long term risk in the balance sheet. Conceptually, EVE cam be thought of as the sum of the NPV of all future NII.

INSTANT vs. RAMPED INTEREST RATE SHOCKS (for NII): The averages showing in the tables below are for instant (or immediate) rate shocks (81 clients) which assumes rates change instantly, as opposed to a gradual and even rate rise (ramp) spread over 12 months.

BETA: This represents the assumed portion of a market rate change that is reflected in administered rates – most importantly, deposit rates. For example, if the driver rate is Fed Funds and the beta for saving accounts is 45%, then for every 100 basis point rise in Fed Funds, savings account rates are assumed (predicted) to rise 45 basis points. Very few of our clients have different betas for down versus up rate movements. 19 FI assume a time lag in administered rate changes; most of these lags are 15-days and only three FI exceed 30-days.

AVERAGE LIFE: Non-maturity deposits (NMDs) have no contractual maturity and therefore form a stable, longer-term funding source. In order to get a meaningful estimate of EVE, NMDs are assigned an assumed average life by account type, reflecting an assumed run-off (or decay) rate.

PARALLEL vs. NON-PARALLEL RATE SHOCKS: The standard rate shock set-up assumes the yield curve shifts in parallel fashion over the entire maturity spectrum. However, many institutions also run simulations based on flatteners, steepeners and other non-parallel shocks. These can be helpful for assessing specific balance sheet vulnerabilities. But we advise against basing IRR limits on non-parallel shocks because shock details are difficult to define for measurement and control purposes.

STATIC vs. DYNAMIC BALANCE SHEET: For NII simulations, the balance sheet can either be static (constant), with replacement of run-off assets and liabilities, or it can incorporate change, both growth and shrinkage (e.g., budgeted balances). The 2010 Interagency Guidance specified that a static balance sheet be used, though simulations could also be run off a dynamic balance sheet.

2016 – 2018 DATABASE ANALYSIS

There are no major changes from the 2015-17 report to this 2016-18 report. It presents results across the entire database of 91 FI. We would be happy to recalculate any of the results for subsets of institutions based on asset size, primary regulator, and/or model vendor. Please contact David Kellerman or Jeremy Taylor at Contact Us.

See the final section below for the key identifiers. Note, too, that we have presented only average (mean) figures in the tables below. We also computed medians, but these were very close to the corresponding averages.

NII (one-year) simulation limits

NII Shocks-200-100+100+200+300+400
Average-14.1%-8.5%-8.3%-14.1%-19.8%-24.9%

EVE simulation limits

EVE Shock-200-100+100+200+300+400
Average-18.8%-11.4%-11.7%-19.6%-27.2%-33.7%

Beta assumptions for administered deposit rates

BetaNOWSavingsMMACD
Average28.2%32.1%48.0%78.8%

Average life assumptions (in months) for NMD

Aver. LifeNOWSavingsMMADDA
Average65.458.749.360.9

NII (one-year) simulation limits

InstantRamp
810

Note: If asset and liability repricing is evenly spaced during the year (i.e., a ramped shock), then it has roughly half the impact on NII as an instantaneous shock at beginning of the year. This means that institutions running ramped shocks would be expected to have NII risk limits at roughly half the limits for instantaneous shocks.

Parallel versus non-parallel shock analysis

Parallel onlyNon-Parallel onlyBoth
41040

Balance sheet growth analysis

Static onlyDynamic onlyBoth
7119

DATABASE MIX SUMMARY

Database mix by asset size (all dollar figures in millions)

CountMaxMedianMin 
81$11,400$307$24Total

Database mix by primary regulator (all dollar figures in millions)

81MaxMedianMin 
58$11,400$307$71FDIC
9$1,023$429$194FRB
13$1,069$270$24OCC
1nananaNCUA

Database mix by model vendor (all dollar figures in millions)

81MaxMedianMin 
13$1,023$303$89ALX Consulting
5$270$227$128Baker Group IRR Monitor
7$11,400$727$230Darling Consulting BASIS
4$834$251$172FIMAC Risk Analytics
10$2,133$383$174Fiserv Sendero
5$858$110$24Plansmith Bankers GPS
8$1,266$378$71Plansmith Compass
11$1,316$241$113Jack Henry Associates Profitstars
11$4,786$429$140ZMDesk / ZMOnline
7$5,960$400$112Other Systems (6)

AuditOne LLC – Company Overview

AuditOne LLC’s is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, BSA/Compliance, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge. For more information on this article, or to receive a proposal for an ALM/ IRR Audit, please contact Jeremy Taylor, CEO, AuditOne LLC, at Contact Us. In addition, contact Jeremy for information on how our other services can help reduce risk at your institution. Also, for more information about AuditOne LLC and all our audit services see AuditOneLLC.com

Categories
News

AuditOne Advisory: Flat and Inverted Yield Curve Implications for Interest Rate Risk

AuditOne Advisory

From Bud Genovese, Chairman

Our ALM Practice Director, David Kellerman, has offered timely suggestions to consider relative to your Interest Rate Risk (IRR) Modeling based on the recent trends in the yield curve. In addition, he presents the importance of reviewing with ALCO and the Board how the current yield curve trend and new model assumptions may impact loans and your IRR profile. Please share this with colleagues having responsibilities related to IRR modeling. We hope you find this information useful, thank you! – Bud

Implications of Flat and Inverted Yield Curves for Interest Rate Risk (IRR) Modeling

The current yield curve has turned inverted (negative spreads between the 10-year Treasury bond and the 3-month Treasury bill). A flat or inverted yield curve has preceded the last seven recessions; but a recession has not automatically followed a flat or inverted yield curve. It implies expectations of declines to come in short-term rates.

US 10-Year/Three-Month Treasury Spread Falls Below Zero

What are the implications for financial institutions as they model their interest rate risk?

Scenarios:

Institutions typically run parallel rate shocks. However, many institutions also run non-parallel rate scenarios. We highly recommend running rate scenarios that simulate a steepening of the curve and a further inversion. In “normal” periods of an upward sloping yield curve, flattener rate scenarios should also be run. This will help identify whether there is any embedded risk in the balance sheet that might be revealed through these non-parallel scenarios. The 2010 Advisory on Interest Rate Risk Management included guidance on running rate scenarios “across different tenors to reflect changing slopes and twists of the yield curve”.

Focus of Risk Management:

For over a decade now institutions have largely disregarded the risk profile for down rate scenarios. If the projected change in net interest income (NII) was outside of limits, ALCO and/or the Board allowed for the exception without the need for mitigating action plans, citing the remote likelihood of lower rates as the reason. The markets now have priced into rates a decrease in the Fed Funds rate in 2019 and perhaps another two decreases in 2020. IRR risk in down rate scenarios needs to be understood and addressed.

IRR Assumptions:

Perhaps the assumption that is impacted the most by a flat or inverted yield curve are loan prepayment assumptions. Incentives to prepay an existing fixed rate loan to move to a variable rate loan are not the same in flat and inverted yield curve environments. Institutions should at least consider whether existing assumptions for prepayments are still valid in this rate environment.

Additionally, we have seen two dynamics during the 2015-2018 rate cycle (increasing short-term rates) that are worthy of mention. Most institutions have successfully lagged increasing their posted rates for non-maturity deposits (NMDs) without an impact on NMD balances. However, we now see preliminary indications of deposit rates starting to move up, and some institutions have modeled in a “catch-up” period in case rates continue to rise whereby deposit betas for the next 100 basis point increase in rates will have a beta higher than the normal beta assumption, with the normal beta resuming after the 100 basis point increase.

Additionally, loan betas are now being discussed. These betas are almost always set at 100%. That seems to be holding true for loans tied to an index; however, loans priced individually (not directly tied to an index) have seen actual betas lower than 100% during this past rate cycle. Institutions are encouraged to do a correlation analysis for loan betas (similar to what is done for deposit betas) to see if the standard 100% beta for all loans still applies.

Average life (decay rate) assumptions have been influenced by the prolonged period of low rates, and institutions are advised to consider whether historical analysis of deposit average lives computed from 2008 until today are truly a sound foundation for future expectations.

Finally:

A reminder that best practices include a formal review of model assumptions at least annually by ALCO and/or the Board. Support for assumptions is important. Additionally, sensitivity analysis on key model assumptions should be conducted at least annually. These analyses keep ALCO and the Board informed of the potential impact that varying assumption levels might have on the IRR profile.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising Asset/Liability Management (ALM) audits, ADA Website Compliance Review, IT/Information Security, Network Tests, Credit Review/ALLL, BSA/Compliance, ACH rules Compliance, Operations, Trust and SOX/FDICIA Testing, plus many specialty areas within each of these.

Our deep expertise is your edge. For more information on this article, please contact David Kellerman, ALM Practice Director, AuditOne LLC. For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us. Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne General Compliance Advisory Q1 2019

AuditOne Advisory

From Bud Genovese, Chairman

Legislative and regulatory communities have been bustling. The ongoing implementation of changes associated with the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) has created an onslaught of new committees and workgroups, Frequently Asked Questions (FAQ) updates and supplementary regulatory guidance. Enforcement actions targeting misleading and deceptive practices appear to be on the upswing. And, for the first time since the General Data Protection Regulation (GDPR) took effect, a US technology company was fined for violating Europe’s data privacy rules.

Within this issuance, we cover key Dodd-Frank updates, new Prepaid Account Rules, what’s behind the 37% rise in reported fraud in 2018, and other noteworthy regulatory developments and enforcement actions.

This Quarterly General Compliance edition has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. We hope you enjoy! – Bud

DODD-FRANK CORNER

RESPA Servicing Rule

https://files.consumerfinance.gov/f/documents/cfpb_mortgage-servicing-rule-assessment_report.pdf.

NEW PREPAID ACCOUNT RULES HAVE ARRIVED

Effective April 1, 2019, the CFPB amended Regulations E and Z to extend consumer protections to prepaid accounts. These amendments are known as the Prepaid Accounts Rule and apply to the following:

  • An account that is marketed or labeled as “prepaid” and is redeemable upon presentation at multiple, unaffiliated merchants for goods and services or usable at automated teller machines (ATMs); or
  • An account that meets all of the following:
    (1) Is issued on a prepaid basis in a specified amount or is capable of being loaded with funds after issuance;
    (2) Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, to conduct transactions at ATMs, or to conduct person-to-person (P2P) transfers; and
    (3) Is not a checking account, a share draft account, or a negotiable order of withdrawal (NOW) account.

However, an account that satisfies one or both of these tests is not a prepaid account if it is any of the following:

  • An account loaded only with funds from a health savings account, flexible spending arrangement, medical savings account, health reimbursement arrangement, dependent care assistance program, or transit or parking reimbursement arrangement;
  • An account that is directly or indirectly established through a third party and loaded only with qualified disaster relief payments; a gift certificate; a store gift card; a loyalty, award, or promotional gift card; a general-use prepaid card that is both marketed and labeled as a gift card or gift certificate; or an account established for distributing needs-tested benefits in a program established under state or local law or administered by a state or local agency.

Additionally:

  • The P2P functionality of an account established by or through the U.S. government is not a prepaid account if the account’s primary function is to conduct closed-loop transactions on U.S. military installations or vessels, or similar government facilities.
  • Under the existing definition of account in Regulation E, an account is subject to Regulation E only if it is established primarily for a personal, household, or family purpose. Therefore, an account established for a commercial purpose is not deemed a prepaid account.
  • Under the existing definition in Regulation E, an account held under a bona fide trust agreement is not an account subject to Regulation E and is therefore not deemed a prepaid account.

Available Resources

Regulators developed the following chart to help institutions determine Prepaid Account Coverage:
https://files.consumerfinance.gov/f/documents/Prepaid_coveragechart_v1_10052016.pdf.

Technical specifications can be accessed here:
https://www.federalregister.gov/documents/2019/03/06/2019-03852/technical-specifications-for-submissions-to-the-prepaid-account-agreements-database?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email.

Effective Dates

  • On Jan. 25, 2018, the CFPB issued a final rule modifying several aspects of the prepaid accounts rule and extending the overall effective date to April 1, 2019.
  • On Feb. 27, 2019, the CFPB issued technical specifications for submissions of prepaid account agreements pursuant to the prepaid accounts rule.

The Prepaid Rule does not require financial institutions to pull and replace prepaid account access devices or packaging materials that were manufactured, printed, or otherwise produced in the normal course of business prior to October 1, 2017. The Prepaid Rule does, however, require in certain circumstances that financial institutions provide to consumers notice of certain changes in terms and updated initial disclosures as a result of the Prepaid Rule taking effect. However, the Prepaid Rule provides an accommodation for financial institutions that, on the effective date, do not have readily accessible data necessary to comply with the full requirements for providing electronic and written account transaction histories or summary totals of fees. A financial institution may make available such histories and summary totals using the data for the time period it has until it has accumulated the data necessary to fully comply with the requirements.

EU & US PRIVACY INTERSECT

For the first time since the regulation took effect, a US technology company was fined for violating Europe’s data privacy rules. Although this applies most directly to the technology sector, expanded mechanisms for loan offerings increase the possibility of unknown applicability. It’s certainly worth a closer look at privacy disclosure language for nuances, particularly as talk of a US equivalent to the GDPR seems to be picking up steam.

A link follows: https://www.latimes.com/business/technology/la-fi-tn-google-france-data-privacy-20190121-story.html

DID YOU KNOW? …

According to the Federal Trade Commission (FTC), people reported losing $1.48 billion to fraud last year – an increase of 38% over 2017. Some interesting highlights:

  • Ranked at the top were imposter scams, debt collection, and identity theft.
  • The age of those that formally reported fraud may surprise you: 43% of people in their 20s reported a loss to that fraud, while only 15% of people in their 70s did.
  • Scammers like to get money by wire transfer – for a total of $423 million last year. That was the most of any payment method reported, but we also saw a surge of payments with gift and reload cards – a 95% increase in dollars paid to scammers in 2017.
  • Credit card fraud on new accounts was up 24%. In fact, misusing someone’s information to open a new credit card account was reported more often than any other forms of identity theft in 2018.
  • The top three states for fraud were Florida, Georgia and Nevada. The top three for identity theft reports were Georgia, Nevada and California.

A link to the study follows: https://www.ftc.gov/news-events/blogs/business-blog/2019/02/top-frauds-2018

OTHER COMPLIANCE NEWS & DEVELOPMENTS

Bureau of Consumer Financial Protection (BCFP) reverts to original name, except…


In April 2018, the Acting Director of the CFPB (the Bureau), Mick Mulvaney, changed the name to the BCFP, noting that the “CFPB no longer exists”. For much of 2018, rebranding was underway until December 2018, when the new Director, Kathy Kraninger, backed away from the name change, while noting that changing the name “would make it harder for consumers to find the agency’s website, file complaints, and seek help”. As of December 2018, Director Kraninger announced that she has “officially halted all ongoing efforts to make changes to existing products and materials related to the name correction initiative”, estimated to have cost upwards of $15 million. There is an exception, however. The BCFP title will still be used as an “internal nickname” within the organization. Stay tuned.

TILA-RESPA Integrated Disclosure (TRID) Rule

In March 2019, the CFPB published updated FAQs for TRID. Four additional questions were added pertaining to closing disclosures, the three-day waiting period, and model forms. A link follows:
https://files.consumerfinance.gov/f/documents/cfpb_TILA-RESPA-integrated-disclosure_frequently-asked-questions.pdf

Audit Committees

In January 2019, the International Organizations of Securities Commissions (IOSCO) issued a report on “Good Practices for Audit Committees in Supporting Audit Quality” that outlines the role Audit Committees are expected to play in fostering high-quality audits for publicly listed companies. Although the intended audience is publicly listed companies, the principles within can be easily applied to the Audit Committee of any financial institution as a form of self-assessment. A link to the report follows: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD618.pdf

HMDA Reporting

On January 31, 2019, the CFPB published “Reportable HMDA Data: A Regulatory and Reporting Overview Reference Chart for Data Collected in 2019”. The chart is designed to be a reference tool for data points that are required to be collected and reported. A link follows:
https://files.consumerfinance.gov/f/documents/cfpb_reportable-hmda-data_regulatory-and-reporting-overview-reference-chart-2019.pdf

The Bureau also published policy guidance for HMDA data compiled in or after 2018, as follows:
https://www.govinfo.gov/content/pkg/FR-2019-01-31/pdf/2018-28404.pdf?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email

Community Reinvestment Act (CRA)

The FFIEC released version 2019 for the CY 2019 CRA data due March 2, 2020. A link follows:
https://www.ffiec.gov/software/software.htm

Suspicious Activity Report (SAR) Analysis/Elder Financial Abuse

In February 2019, the CFPB released a report about key facts, trends and patterns revealed in SARs involving elder fraud filed by banks, credit unions, money transmitters, and other financial service providers.

The Bureau analyzed 180,000 SARs filed with the Financial Crimes Enforcement Network (FinCEN) from 2013 to 2017. The effort was birthed out of the increasing number of older customers falling prey to “financial exploitation by perpetrators ranging from offshore scammers to close family members”.

Notable findings:

  • SAR filings on elder financial exploitation (EFE) quadrupled from 2013 to 2017.
  • More than half of the SARs involved a money transfer. The second-most common financial product used to move funds was a checking or savings account (44%).
  • Money services businesses (MSB) have filed an increasing share of EFE SARs. In 2016, MSB filings surpassed depository institution (DI) filings. In 2017, MSB SARs comprised 58% of EFE SARs, compared to 15% in 2013.
  • Financial institutions reported a total of $1.7 billion in suspicious activities in 2017, including actual losses and attempts to steal older adults’ funds.
  • For SARs involving a loss to an older adult, the average amount lost was $34,200.
  • One third of the individuals who lost money were aged 80 or older. Adults aged 70 to 79 had the highest average monetary loss ($45,300).

A link follows: https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/cfpb_suspicious-activity-reports-elder-financial-exploitation_report.pdf

Fair Lending

On February 8, 2019, the Bureau issued its sixth Fair Lending Report to Congress. The report describes the CFPB’s fair lending activities in prioritization, supervision, enforcement, rulemaking, interagency coordination and outreach for calendar year 2017. A link follows:
https://www.govinfo.gov/content/pkg/FR-2019-02-08/pdf/2019-01568.pdf?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email

Flood

In January 2019, regulators issued a joint final rule governing private flood insurance acceptance, effective July 1, 2019. It implements the Biggert-Waters Act provision that requires federally regulated lending institutions to accept private flood insurance policies that meet certain statutory criteria. In addition to placing the onus on the lender to determine whether a policy meets the new requirements, if the following statement is included in the flood insurance policy the institution is allowed to accept the insurance without additional review: “This policy meets the definition of private flood insurance contained in 42 U.S.C. 4012a(b)(7) and the corresponding regulation.”

Finally, the provision opens the doors for the purchase of flood insurance that may be less expensive than polices offered commercially or through the National Flood Insurance Program (NFIP). A link to the rule follows:
https://www.occ.gov/news-issuances/news-releases/2019/nr-ia-2019-15.html

Consumer Complaints

The CFPB recently published a “Complaint Snapshot” that highlights trends and data points identified as a result of analyzing consumer complaints submitted between November 1, 2016 and October 31, 2018. The majority of the complaints submitted focused on trouble during the payment process (42%) and struggling to pay mortgage (36%). A link to the document follows:
https://www.consumerfinance.gov/documents/7211/cfpb_complaint-snapshot-mortage_2019-01_liwsYNV.pdf

Fair Debt Collection Practices Act (FDCPA)

In March 2019, the Bureau published their annual FDCPA Report. The Bureau received approximately 81,500 complaints about debt collection in 2018, making debt collection one of the most common consumer complaints. A link follows:
https://files.consumerfinance.gov/f/documents/cfpb_fdcpa_annual-report-congress_03-2019.pdf

NOTABLE SANCTIONS AND ENFORCEMENT ACTIONS

Unfair, Deceptive or Abusive Acts and Practices (UDAAP)

Avant, LLC, an online lending company, settled with the FTC over charges that it engaged in unfair and deceptive lending practices. A link follows:
https://www.ftc.gov/news-events/press-releases/2019/04/online-lending-company-agrees-settle-ftc-charges-it-engaged?utm_source=govdelivery

$1.3 Billion – Office of Foreign Assets Control (OFAC) Violations

UniCredit AG (UCB) was ordered to pay a fine of $1.3 billion for routing illegal payments through US financial institutions for the benefit of the sanctioned entities in ways that concealed those entities’ involvement. According to OFAC, between January 2007 and December 2011, UCB processed over 2,000 payments totaling over $500 million. Banks that were involved in some manner with this scheme are required to establish Settlement Agreements with OFAC as part of a broader commitment to enhance sanctions compliance.

Fair Housing Act

The OCC has assessed a $25 million civil money penalty against Citibank, N.A., for violations of the Fair Housing Act, 42 USC §3601 – 3619, and its implementing regulation, 24 CFR 100. The Bank had a program that offered either reduced interest rates or a credit to closing costs. The program was applied in a manner that excluded certain applicants on the basis of race, color, national origin, and/or sex. A link follows:
https://occ.treas.gov/news-issuances/news-releases/2019/nr-occ-2019-27.html

USAA Federal Savings Bank

It’s been a while since we’ve seen a combined Electronic Funds Transfer Act (EFTA) and Regulation E order such as the one assessed against USAA. A link follows: https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/bcfp_usaa-federal-savings-bank_consent-order.pdf


AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security/Cybersecurity, ACH rules Compliance, Operations, Network Penetration Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, CEO at Contact Us and for information about all of our audit services see AuditOneLLC.com

Categories
News

AuditOne Compliance Advisory 2019 Q1

AuditOne Advisory

From Bud Genovese, Chairman

Legislative and regulatory communities have been bustling. The ongoing implementation of changes associated with the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) has created an onslaught of new committees and workgroups, Frequently Asked Questions (FAQ) updates and supplementary regulatory guidance. Enforcement actions targeting misleading and deceptive practices appear to be on the upswing. And, for the first time since the General Data Protection Regulation (GDPR) took effect, a US technology company was fined for violating Europe’s data privacy rules.

Within this issuance, we cover key Dodd-Frank updates, new Prepaid Account Rules, what’s behind the 37% rise in reported fraud in 2018, and other noteworthy regulatory developments and enforcement actions.

This Quarterly General Compliance edition has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. We hope you enjoy! – Bud

DODD-FRANK CORNER

RESPA Servicing Rule

https://files.consumerfinance.gov/f/documents/cfpb_mortgage-servicing-rule-assessment_report.pdf.

NEW PREPAID ACCOUNT RULES HAVE ARRIVED

Effective April 1, 2019, the CFPB amended Regulations E and Z to extend consumer protections to prepaid accounts. These amendments are known as the Prepaid Accounts Rule and apply to the following:

  • An account that is marketed or labeled as “prepaid” and is redeemable upon presentation at multiple, unaffiliated merchants for goods and services or usable at automated teller machines (ATMs); or
  • An account that meets all of the following:
    (1) Is issued on a prepaid basis in a specified amount or is capable of being loaded with funds after issuance;
    (2) Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, to conduct transactions at ATMs, or to conduct person-to-person (P2P) transfers; and
    (3) Is not a checking account, a share draft account, or a negotiable order of withdrawal (NOW) account.

However, an account that satisfies one or both of these tests is not a prepaid account if it is any of the following:

  • An account loaded only with funds from a health savings account, flexible spending arrangement, medical savings account, health reimbursement arrangement, dependent care assistance program, or transit or parking reimbursement arrangement;
  • An account that is directly or indirectly established through a third party and loaded only with qualified disaster relief payments; a gift certificate; a store gift card; a loyalty, award, or promotional gift card; a general-use prepaid card that is both marketed and labeled as a gift card or gift certificate; or an account established for distributing needs-tested benefits in a program established under state or local law or administered by a state or local agency.

Additionally:

  • The P2P functionality of an account established by or through the U.S. government is not a prepaid account if the account’s primary function is to conduct closed-loop transactions on U.S. military installations or vessels, or similar government facilities.
  • Under the existing definition of account in Regulation E, an account is subject to Regulation E only if it is established primarily for a personal, household, or family purpose. Therefore, an account established for a commercial purpose is not deemed a prepaid account.
  • Under the existing definition in Regulation E, an account held under a bona fide trust agreement is not an account subject to Regulation E and is therefore not deemed a prepaid account.

Available Resources

Regulators developed the following chart to help institutions determine Prepaid Account Coverage:
https://files.consumerfinance.gov/f/documents/Prepaid_coveragechart_v1_10052016.pdf.

Technical specifications can be accessed here:
https://www.federalregister.gov/documents/2019/03/06/2019-03852/technical-specifications-for-submissions-to-the-prepaid-account-agreements-database?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email.

Effective Dates

  • On Jan. 25, 2018, the CFPB issued a final rule modifying several aspects of the prepaid accounts rule and extending the overall effective date to April 1, 2019.
  • On Feb. 27, 2019, the CFPB issued technical specifications for submissions of prepaid account agreements pursuant to the prepaid accounts rule.

The Prepaid Rule does not require financial institutions to pull and replace prepaid account access devices or packaging materials that were manufactured, printed, or otherwise produced in the normal course of business prior to October 1, 2017. The Prepaid Rule does, however, require in certain circumstances that financial institutions provide to consumers notice of certain changes in terms and updated initial disclosures as a result of the Prepaid Rule taking effect. However, the Prepaid Rule provides an accommodation for financial institutions that, on the effective date, do not have readily accessible data necessary to comply with the full requirements for providing electronic and written account transaction histories or summary totals of fees. A financial institution may make available such histories and summary totals using the data for the time period it has until it has accumulated the data necessary to fully comply with the requirements.

EU & US PRIVACY INTERSECT

For the first time since the regulation took effect, a US technology company was fined for violating Europe’s data privacy rules. Although this applies most directly to the technology sector, expanded mechanisms for loan offerings increase the possibility of unknown applicability. It’s certainly worth a closer look at privacy disclosure language for nuances, particularly as talk of a US equivalent to the GDPR seems to be picking up steam.

A link follows: https://www.latimes.com/business/technology/la-fi-tn-google-france-data-privacy-20190121-story.html

DID YOU KNOW? …

According to the Federal Trade Commission (FTC), people reported losing $1.48 billion to fraud last year – an increase of 38% over 2017. Some interesting highlights:

  • Ranked at the top were imposter scams, debt collection, and identity theft.
  • The age of those that formally reported fraud may surprise you: 43% of people in their 20s reported a loss to that fraud, while only 15% of people in their 70s did.
  • Scammers like to get money by wire transfer – for a total of $423 million last year. That was the most of any payment method reported, but we also saw a surge of payments with gift and reload cards – a 95% increase in dollars paid to scammers in 2017.
  • Credit card fraud on new accounts was up 24%. In fact, misusing someone’s information to open a new credit card account was reported more often than any other forms of identity theft in 2018.
  • The top three states for fraud were Florida, Georgia and Nevada. The top three for identity theft reports were Georgia, Nevada and California.

A link to the study follows: https://www.ftc.gov/news-events/blogs/business-blog/2019/02/top-frauds-2018

OTHER COMPLIANCE NEWS & DEVELOPMENTS

Bureau of Consumer Financial Protection (BCFP) reverts to original name, except…

In April 2018, the Acting Director of the CFPB (the Bureau), Mick Mulvaney, changed the name to the BCFP, noting that the “CFPB no longer exists”. For much of 2018, rebranding was underway until December 2018, when the new Director, Kathy Kraninger, backed away from the name change, while noting that changing the name “would make it harder for consumers to find the agency’s website, file complaints, and seek help”. As of December 2018, Director Kraninger announced that she has “officially halted all ongoing efforts to make changes to existing products and materials related to the name correction initiative”, estimated to have cost upwards of $15 million. There is an exception, however. The BCFP title will still be used as an “internal nickname” within the organization. Stay tuned.

TILA-RESPA Integrated Disclosure (TRID) Rule

In March 2019, the CFPB published updated FAQs for TRID. Four additional questions were added pertaining to closing disclosures, the three-day waiting period, and model forms. A link follows:
https://files.consumerfinance.gov/f/documents/cfpb_TILA-RESPA-integrated-disclosure_frequently-asked-questions.pdf

Audit Committees

In January 2019, the International Organizations of Securities Commissions (IOSCO) issued a report on “Good Practices for Audit Committees in Supporting Audit Quality” that outlines the role Audit Committees are expected to play in fostering high-quality audits for publicly listed companies. Although the intended audience is publicly listed companies, the principles within can be easily applied to the Audit Committee of any financial institution as a form of self-assessment. A link to the report follows: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD618.pdf

HMDA Reporting

On January 31, 2019, the CFPB published “Reportable HMDA Data: A Regulatory and Reporting Overview Reference Chart for Data Collected in 2019”. The chart is designed to be a reference tool for data points that are required to be collected and reported. A link follows:
https://files.consumerfinance.gov/f/documents/cfpb_reportable-hmda-data_regulatory-and-reporting-overview-reference-chart-2019.pdf

The Bureau also published policy guidance for HMDA data compiled in or after 2018, as follows:
https://www.govinfo.gov/content/pkg/FR-2019-01-31/pdf/2018-28404.pdf?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email

Community Reinvestment Act (CRA)

The FFIEC released version 2019 for the CY 2019 CRA data due March 2, 2020. A link follows:
https://www.ffiec.gov/software/software.htm

Suspicious Activity Report (SAR) Analysis/Elder Financial Abuse

In February 2019, the CFPB released a report about key facts, trends and patterns revealed in SARs involving elder fraud filed by banks, credit unions, money transmitters, and other financial service providers.

The Bureau analyzed 180,000 SARs filed with the Financial Crimes Enforcement Network (FinCEN) from 2013 to 2017. The effort was birthed out of the increasing number of older customers falling prey to “financial exploitation by perpetrators ranging from offshore scammers to close family members”.

Notable findings:

  • SAR filings on elder financial exploitation (EFE) quadrupled from 2013 to 2017.
  • More than half of the SARs involved a money transfer. The second-most common financial product used to move funds was a checking or savings account (44%).
  • Money services businesses (MSB) have filed an increasing share of EFE SARs. In 2016, MSB filings surpassed depository institution (DI) filings. In 2017, MSB SARs comprised 58% of EFE SARs, compared to 15% in 2013.
  • Financial institutions reported a total of $1.7 billion in suspicious activities in 2017, including actual losses and attempts to steal older adults’ funds.
  • For SARs involving a loss to an older adult, the average amount lost was $34,200.
  • One third of the individuals who lost money were aged 80 or older. Adults aged 70 to 79 had the highest average monetary loss ($45,300).

A link follows: https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/cfpb_suspicious-activity-reports-elder-financial-exploitation_report.pdf

Fair Lending

On February 8, 2019, the Bureau issued its sixth Fair Lending Report to Congress. The report describes the CFPB’s fair lending activities in prioritization, supervision, enforcement, rulemaking, interagency coordination and outreach for calendar year 2017. A link follows:
https://www.govinfo.gov/content/pkg/FR-2019-02-08/pdf/2019-01568.pdf?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email

Flood

In January 2019, regulators issued a joint final rule governing private flood insurance acceptance, effective July 1, 2019. It implements the Biggert-Waters Act provision that requires federally regulated lending institutions to accept private flood insurance policies that meet certain statutory criteria. In addition to placing the onus on the lender to determine whether a policy meets the new requirements, if the following statement is included in the flood insurance policy the institution is allowed to accept the insurance without additional review: “This policy meets the definition of private flood insurance contained in 42 U.S.C. 4012a(b)(7) and the corresponding regulation.”

Finally, the provision opens the doors for the purchase of flood insurance that may be less expensive than polices offered commercially or through the National Flood Insurance Program (NFIP). A link to the rule follows:
https://www.occ.gov/news-issuances/news-releases/2019/nr-ia-2019-15.html

Consumer Complaints

The CFPB recently published a “Complaint Snapshot” that highlights trends and data points identified as a result of analyzing consumer complaints submitted between November 1, 2016 and October 31, 2018. The majority of the complaints submitted focused on trouble during the payment process (42%) and struggling to pay mortgage (36%). A link to the document follows:
https://www.consumerfinance.gov/documents/7211/cfpb_complaint-snapshot-mortage_2019-01_liwsYNV.pdf

Fair Debt Collection Practices Act (FDCPA)

In March 2019, the Bureau published their annual FDCPA Report. The Bureau received approximately 81,500 complaints about debt collection in 2018, making debt collection one of the most common consumer complaints. A link follows:
https://files.consumerfinance.gov/f/documents/cfpb_fdcpa_annual-report-congress_03-2019.pdf

NOTABLE SANCTIONS AND ENFORCEMENT ACTIONS

Unfair, Deceptive or Abusive Acts and Practices (UDAAP)

Avant, LLC, an online lending company, settled with the FTC over charges that it engaged in unfair and deceptive lending practices. A link follows:
https://www.ftc.gov/news-events/press-releases/2019/04/online-lending-company-agrees-settle-ftc-charges-it-engaged?utm_source=govdelivery

$1.3 Billion – Office of Foreign Assets Control (OFAC) Violations

UniCredit AG (UCB) was ordered to pay a fine of $1.3 billion for routing illegal payments through US financial institutions for the benefit of the sanctioned entities in ways that concealed those entities’ involvement. According to OFAC, between January 2007 and December 2011, UCB processed over 2,000 payments totaling over $500 million. Banks that were involved in some manner with this scheme are required to establish Settlement Agreements with OFAC as part of a broader commitment to enhance sanctions compliance.

Fair Housing Act

The OCC has assessed a $25 million civil money penalty against Citibank, N.A., for violations of the Fair Housing Act, 42 USC §3601 – 3619, and its implementing regulation, 24 CFR 100. The Bank had a program that offered either reduced interest rates or a credit to closing costs. The program was applied in a manner that excluded certain applicants on the basis of race, color, national origin, and/or sex. A link follows:
https://occ.treas.gov/news-issuances/news-releases/2019/nr-occ-2019-27.html

USAA Federal Savings Bank

It’s been a while since we’ve seen a combined Electronic Funds Transfer Act (EFTA) and Regulation E order such as the one assessed against USAA. A link follows: https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/bcfp_usaa-federal-savings-bank_consent-order.pdf


AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security/Cybersecurity, ACH rules Compliance, Operations, Network Penetration Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, CEO at: Contact Us for information about all of our audit services see AuditOneLLC.com

Categories
News

ADA Website Access Lawsuits Proliferating: What to Do About It

AuditOne Advisory

From Bud Genovese, Chairman

This advisory details proactive steps to help reduce your liability related to website compliance with the American with Disabilities Act (ADA). Financial institution websites remain a target for ADA lawsuits. Kevin Tsuei, Technology Practice Director, AuditOne LLC, has listed risk reducing solutions to consider – including an audit for compliance vulnerabilities and how to remediate them. I hope you find this article useful and please share with your colleagues having responsibilities related to technology compliance, thank you, — Bud

ADA Website Access Lawsuits Proliferating: What to Do About It

Many of you may have been hit with a lawsuit or other notification regarding Americans with Disabilities Act (ADA) deficiencies in your website access. If not, you certainly would be aware of others who have. The number of such lawsuits tripled in 2018 and continues to surge this year. Banks, by providing customers with internet access to information and services, have been a major (though certainly not the only) target. The trend has been fueled by significant penalties coming out of some recent rulings.

Title III of the ADA obliges banks to ensure website access to those impaired in terms of sight (e.g., font size), hearing (e.g., audio messages) or mobility (e.g., keyboard versus mouse). While the Department of Justice (DOJ) is charged with ADA enforcement, it has yet to issue formal guidelines and has refused to get involved in recent lawsuits, referring such matters to state bar associations. The lack of DOJ guidance has been a concern (e.g., a high-profile California case brought by Domino’s where the court ruled that the company must meet ADA requirements even in the absence of DOJ specifications). However, it is notable that the both the ADA and DOJ have endorsed the 2017 Website Accessibility Standards based on the World Wide Web Consortium’s (WC3’s) Web Content Accessibility Guidelines (WCAG) 2.0; level AA of WCAG 2.0 applies to banks.

So what’s a banker to do? Settling may be easier in the short term, but it’s not a permanent solution and can leave the bank vulnerable to further actions. Review your contracts with your core system and other online service providers, to verify their obligations as regards ADA compliance. And take action – hopefully ahead of any legal entanglements. Software is available to test for access concerns, though the subjectivity involved in such determinations means that combining software and human testing is generally recommended.

This is the approach we have taken at AuditOne, in our work with various clients to help them both assess and address accessibility issues. The first step is to establish internal processes and procedures in this area, which should include:

  1. Ensuring that design changes and new content are not added to your website until they are made (and confirmed to be) accessible.
  2. Establish periodic website accessibility training for in-house staff and contractors.
  3. Conduct periodic testing to ensure that your website is/remains accessible.
  4. Create a tracking log that includes a plan and timeframe on making your existing web content accessible.
  5. Establish procedures to assure, among other things, a quick response from visitors who provide website accessibility feedback.

The second step is to post a website accessibility policy on your informational website, to include the following topics:

  1. The Bank’s plans or commitments to ensure your website is accessible by a screen reader – for example, by complying with WC3 WCAG 2.0 Level AA guidelines and conducting periodic testing to ensure compliance.
  2. Invite website visitors to suggest improvements.
  3. Add easily locatable information, such as telephone number or contact form, to report website accessibility problems or request accessible services and information.
  4. Offer alternate ways for people with disabilities who cannot access information or services through the Bank’s website – for example, an invitation to visit a local ADA-compliant branch or ATM, or to contact the Bank by telephone, e-mail or snail mail.

While it is not required by financial regulators to conduct periodic testing in this area, such testing can help enhance the Bank’s controls over website accessibilities. During the review that we perform for our clients, not only do we audit the controls listed above but we also conduct both an automated compliance scan and a manual review. The key goals of these reviews are to:

  1. Identify common and specific website accessibility issues on the Bank’s informational website, down to the actual line of codes that are causing the accessibility issue. This allows the institution to work with its in-house or outsourced developers to improve the site so as to make the content more accessible.
  2. Identity navigational feedback and feature problems for those who are visually impaired and use a screen reader. The manual review is conducted by a non-profit group that supports people who are visually impaired and are users of assistive technologies. The manual review has provided valuable feedback for our clients who do not themselves use or have access to such technologies on a day-to-day basis.

AuditOne LLC – Company Overview

AuditOne LLC’s is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising ADA Website Compliance Audits, IT/Information Security, Network Tests, Credit Review/ALLL, BSA/Compliance, ACH rules Compliance, Operations, Trust and Asset/Liability Management (ALM) audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge. For more information on this article, or to receive a proposal for an ADA Website Compliance Audit, please contact Kevin Tsuei, Technology Practices Director, AuditOne LLC, at: Contact Us For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us. Also, for more information about AuditOne LLC and all of our audit services see AuditOneLLC.com.

Categories
News

AuditOne Compliance Advisory: 2018 Q4

AuditOne LLC Advisory

From Bud Genovese, Chairman

As we move into the new year, efforts to revisit and refine the Dodd-Frank Wall Street Reform and Consumer Protection Act remain in full swing. Legislators, regulators and other government agencies are continuing work to ensure that laws and regulations drafted by different US agencies align with the current administration’s goals while maintaining competitive markets and effective legislative and regulatory oversight. As part of this effort, we are seeing an increasing number of agency requests for public comments on proposed rule changes to implement the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA).

Within this issuance, we cover key changes to Dodd-Frank along with other noteworthy regulatory developments and enforcement actions that we hope your organization finds useful. This Quarterly General Compliance edition has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. We hope you enjoy! – Bud

DODD FRANK

General Updates

Public Comment Requests

Regulatory agencies are seeking public comments on:

  • Impending legislative changes surrounding the sharing of Nonpublic Personal Information. This action could have a significant impact on the amount and type of data obtained and retained by financial institutions. Two key focus areas include:
    • Ways to enhance the quality, utility and clarity of the information to be collected
    • Ways to minimize the burden of the collection of information on respondents, including using automated collection techniques or other forms of information technology

    The deadline to submit Comments is January 22, 2019. A link follows:
    https://www.federalregister.gov/documents/2018/12/21/2018-27738/agency-information-collection-activities-submission-for-omb-review-comment-request?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email

  • Impending rulemaking that would amend existing stress testing regulations to change the minimum threshold for applicability from $10 billion to $250 billion, revise the frequency of required stress tests by FDIC-supervised institutions from annual to periodic, and reduce the number of required stress testing scenarios from three to two. The deadline to submit Comments is February 19, 2019. A link follows: https://www.govinfo.gov/content/pkg/FR-2018-12-28/pdf/2018-27824.pdf
  • A proposal that would establish risk-based categories for determining applicability of requirements under the regulatory capital rule, the liquidity coverage ratio rule and the proposed net stable funding ratio rule for large U.S. banking organizations. The proposal would not extend to intermediate holding companies of a foreign banking organization or its subsidiary depository institutions or federal branches or agencies of foreign banking organizations. The deadline to submit Comments is January 22, 2019. A link follows: https://www.govinfo.gov/content/pkg/FR-2018-12-21/pdf/2018-27177.pdf
  • A proposed rule that would increase the threshold level at or below which appraisals would not be required for residential real estate-related transactions from $250,000 to $400,000. Applicable regulated institutions would still be required to obtain an evaluation of the real property collateral that is consistent with safe and sound banking practices. The proposed rule would also include consideration of residential property in rural areas that have been exempted from existing appraisal requirements pursuant to the EGRRCPA (evaluations would instead be required for these transactions). The deadline to submit Comments is February 5, 2019. A link follows: https://www.govinfo.gov/content/pkg/FR-2018-12-07/pdf/2018-26507.pdf
  • A proposed rule to expand the eligibility to file the FFIEC 051 Call Report, to include certain insured depository institutions with less than $5 billion in total consolidated assets that meet other criteria, and to establish reduced reporting on the FFIEC 051 Call Report for the first and third reports of condition for a year. The deadline to submit Comments is January 18, 2019. A link follows: https://www.govinfo.gov/content/pkg/FR-2018-11-19/pdf/2018-24587.pdf

HEMP (MARIJUANA) DECRIMINALIZATION: WHAT DOES IT MEAN FOR BANKING?

On December 20, 2018, President Trump signed into law the Agriculture Improvement Act of 2018, a.k.a. the Farm Bill (the Act). The Act removed “hemp” from the “Controlled Substances Act”, a move that effectively decriminalizes marijuana production at the federal level. Some noteworthy changes as a result of this Act follows:

  • Allows hemp production in all states – even those that have not yet acted to allow it.
  • Cannabis sativa L. plants at or below 0.3% THC are no longer classified as controlled substances under the Controlled Substances Act.
  • Allows hemp farmers to get crop insurance and access to federal water rights.
  • Protects hemp farmers from criminal prosecution for growing hemp with elevated THC content.

What Does This Mean for Banking?

Only time will tell. To date, 22 states have decriminalized marijuana; 33 states have approved medical marijuana, and 10 states and Washington, D.C. have legalized the sale and use of marijuana. Proponents believe that the combination of Sessions’s departure and the new House composition is likely to open the door for greater marijuana law reform measures and policy changes. If and until then, financial institutions should continue conducting customer due diligence that includes registration/license verification; understanding normal and expected activity levels, including the types of products sold and the type of customers served; monitoring publicly available data sources for adverse information; and ongoing monitoring for suspicious activity. Follow this link for further details:
https://en.wikipedia.org/wiki/2018_United_States_farm_bill

CRA NEWS & DEVELOPMENTS

CRA Data on Small Business, Small Farm & Community Development Lending

On October 25, 2018, the FRB, OCC and FDIC announced the availability of CRA data on small business, small farm, and community development lending reported by certain commercial banks and savings associations. An FFIEC disclosure statement on the reported 2017 CRA data is now available for each reporting commercial bank and savings association. The FFIEC also prepared aggregate disclosure statements of small business and small farm lending for all of the metropolitan statistical areas and non-metropolitan counties in the United States and its territories. These statements are available for public inspection on the FFIEC website (www.ffiec.gov/cra).

New CRA Data Thresholds

As a result of the 2.59 percent increase in the Consumer Price Index for the period ending in November 2018, the definitions of Small and Intermediate Small institutions for CRA examinations changed (effective January 1, 2019) as follows:

  • “Small Bank” or “Small Savings Association” means an institution that, as of December 31 of either of the prior two calendar years, had assets of less than $1.284 billion.
  • “Intermediate Small Bank” or “Intermediate Small Savings Association” means a Small Institution with assets of at least $321 million as of December 31 of both of the prior two calendar years but less than $1.284 billion as of December 31 of either of the prior two calendar years.

A link to the joint final rule follows:
https://www.fdic.gov/news/news/press/2018/pr18100a.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery

Federal Home Loan Board Federal Housing Program & CRA

On November 28, 2018, the Federal Housing Agency issued a final rule (12 CFR Parts 1290 and 1291) to amend its regulation governing the Federal Home Loan Board Affordable Housing Program (AHP or Program). The Federal Home Loan Bank Act (Bank Act) requires banks to establish a Program to provide subsidies for long-term, low- and moderate- income, owner-occupied and affordable rental housing. Institutions subject to compliance are required to allocate annually 10 percent of its prior year’s net income to fund its Program to help subsidize the purchase, construction, and rehabilitation of affordable rental and owner-occupied housing. Homeowners and homebuyers receiving AHP subsidies must be low- or moderate-income (incomes at or below 80 percent of area median income (AMI)). For rental housing, at least 20 percent of the units must be occupied by very low-income households (incomes at or below 50 percent of AMI) and must be affordable (rents charged do not exceed 30 percent of income).

This final rule amends the FHA regulation to, amongst other things,

  • provide banks with additional authority and flexibility when it comes to how AHP funds are allocated;
  • allow banks to use noncompetitive project selection methods;
  • ease certain project monitoring requirements;
  • clarify expectations for resolving project noncompliance scenarios; and,
  • eliminate some of the red tape associated with household subsidy repayments.

Worthy of note is that under the new Competitive Application Program, for-profit developers may now apply to Banks for AHP subsidies (which, prior to this rule, had been set aside for nonprofit affordable housing developers). We encourage financial institutions to consider potential CRA impacts and adjust planning and allocations accordingly.

The rule becomes effective December 28, 2018, with a qualification that – under certain conditions stated within the rule – through December 31, 2020 a Bank may comply with either the AHP regulation in effect immediately prior to this final rule’s effective date or this final rule. After January 1, 2020, Banks must only comply only with this final rule.

For more information, click on this link:
https://www.gpo.gov/fdsys/search/pagedetails.action?granuleId=2018-25635&packageId=FR-2018-11-28

HOME MORTGAGE DISCLOSURE ACT

OTHER COMPLIANCE NEWS & DEVELOPMENTS

Appraisal Regulation Guidance

On October 16, 2018, the FFIEC issued Frequently Asked Questions on the Appraisal Regulations and Interagency Appraisal and Evaluation Guidelines. A link follows:
https://www.occ.gov/news-issuances/bulletins/2018/bulletin-2018-39a.pdf

Flood Insurance

Regulatory agencies issued guidance for financial institutions on issuing loans when the National Flood Insurance Program in unavailable. A link follows:
https://www.federalreserve.gov/newsevents/pressreleases/bcreg20181228a.htm

BSA/AML

On December 28th, the FDIC announced the release of an updated technical assistance video on BSA/AML requirements, and the Treasury Department’s OFAC sanctions programs. The updated video provides an overview of current BSA/AML and OFAC requirements for directors of FDIC-supervised banks and savings associations. https://www.fdic.gov/news/news/financial/2018/fil18090.pdf

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is effective January 1, 2020. The Act includes a 12-month “look back” requirement, which means it is a good time to pause to ensure that your financial institution has the infrastructure to comply.
https://www.caprivacy.org/

FFIEC Statement on OFAC Cyber-Related Sanctions

The FIIEC issued a statement about recent actions taken by the Department of Treasury’s Office of Foreign Asset Control (OFAC) under their Cyber-Related Sanctions Program and to the potential impact it may have on financial institutions’ risk-management programs. A link follows:
https://www.ffiec.gov/press/pr110518.htm

Telephone Consume Protection Act

On December 13, 2018, the FCC released an Order “directing the creation of a single comprehensive database for disconnected and reassigned telephone numbers.”. The Act is effectively designed to insulate certain impacted callers from Telephone Consumer Protection Act violations.
https://www.jdsupra.com/legalnews/fcc-establishes-reassigned-number-18629/

FFIEC Examination Modernization Project

On November 27, 2018, the FFIEC issued a second update on the “Examination Modernization Project”, focused on tailoring examination plans and procedures based on risk, which is another area that holds promise for reducing burden. The project identifies and assesses ways to improve the effectiveness, efficiency, and quality of community financial institutions Safety and Soundness examination processes, particularly through increased use of technology. The first update was issued on March 22, 2018, with a focus on steps taken to improve the examination process, which included the identification of areas with the potential for the most meaningful supervisory burden reduction. A link follows:
https://www.ffiec.gov/press/pr112718.htm

NOTABLE SANCTIONS AND ENFORCEMENT ACTIONS

UBS

FinCEN assessed a $14.5 million civil money penalty on UBS Financial Services, Inc. (UBSFS) for willful violations of AML Program requirements (associated with brokerage and “banking-like” services) and Section 312 of the USA Patriot Act (regarding due diligence on correspondent accounts and financial institutions). UBS was also cited for failing to provide its AML compliance officer with “the resources needed to ensure day-to-day compliance with the BSA”, adversely impacting their ability to adequately review potentially suspicious activity “triggered by its automated monitoring system and make reasonable determinations whether or not to file suspicious activity reports (SARs).” Inadequate staffing was also cited as the reason for backlogged alerts and SAR filings. The order can be found here:
www.fincen.gov/sites/default/files/enforcement_action/2018-12-18/UBS%20Assessment%2012.17.2018%20FINAL_508%20Revised.pdf

AllNations

On October 25, 2018 the FRB issued an enforcement action against AllNations Bank. Amongst other things, it requires very specific actions related to the BSA and overall Compliance Program, including improvement to controls surrounding customer due diligence, suspicious activity monitoring and reporting and resources. A link follows:
https://www.federalreserve.gov/newsevents/pressreleases/enforcement20181025a.htm

International Network of Corporations

The FTC alleges that – using shell companies and straw owners – an international network of corporations and individuals made false claims about “free” trial offers, followed by unauthorized charges to their accounts. Aside from the UDAAP implications that are more directly cited, can you see how the new BSA “beneficial ownership rule” – if followed – may have raised enough suspicion to prompt further inquiry/ investigation. A link to the FTC action follows:
https://www.ftc.gov/news-events/press-releases/2018/11/court-temporarily-halts-international-operation-allegedly

JP Morgan Chase

JPMorgan Chase recently paid $5.3 million settlement for OFAC violations. Settlement details may be found at https://www.law.com/corpcounsel/2018/10/09/jp-morgan-chases-5-3m-sanctions-settlement-some-lessons/?slreturn=20190011155721

FFIEC Statement on OFAC Cyber-Related Sanctions

The FIIEC issued a statement about recent actions taken by the Department of Treasury’s Office of Foreign Asset Control (OFAC) under their Cyber-Related Sanctions Program and to the potential impact it may have on financial institutions’ risk-management programs. A link follows:
https://www.ffiec.gov/press/pr110518.htm

USAA

It’s been a while since we’ve seen a combined Electronic Funds Transfer Act (EFTA) & Regulation E order such as the one assessed against USAA. A link follows:
https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/bcfp_usaa-federal-savings-bank_consent-order.pdf


AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security, ACH rules Compliance, Operations, Network Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, Co-CEO at (949) 981-0420 or Kevin Watson, Co-CEO at (562) 802-3581 and for information about all of our audit services see AuditOneLLC.com