Categories
News

AuditOne Compliance Advisory: Q2 2020

AuditOne Advisory

From Bud Genovese, Chairman

In this issue, we offer practical tools and insights for managing Compliance risk resulting from the unprecedented demand for Payment Protection Program (PPP) loans.  We also discuss the importance of corrective action tracking and other significant compliance news and developments, including COVID-19 Appraisal Requirement Suspensions; Regulation X Loss Mitigation/Forbearance; changes to Regulation D Transfer Limits and Regulation E Remittance Transfer rules; and updates to Unfair, Deceptive or Abusive Acts or Practices (UDAAP), Truth In Lending Integrated Disclosures (TRID), Rural Development Act (RDA), Community Reinvestment Act (CRA), Home Mortgage Disclosure Act (HMDA/Regulation C) and Expedited Funds Availability Act (Regulation CC).  We conclude with commentary on two recent high-profile cases on PPP and on bank and securities fraud, which may be valuable for employee training and reinforcement.

This Compliance Advisory was prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  I hope you find this information useful – please share with your colleagues having responsibilities related to the areas covered in this Advisory.  Thank you, — Bud

WHAT HAPPENS NOW?

In recent months, regulatory agencies and various industry pundits have published numerous communications related to initiatives purposed to support the flow of credit to households and businesses, most notably the PPP.  To handle the unprecedented volume of PPP loans, financial institutions have sometimes redeployed employees from traditional assignments to temporary ones on the “PPP assembly line.”  Standing protocols were sometimes abandoned or deferred, and there was little time, if any, to modify documented policies, standards or practices to meet the demand for this new product and to adapt it to the much riskier, COVID-19 operating environment for financial institutions.

MANAGING THROUGH PPP IMPACT ON YOUR ORGANIZATION

Following are a few questions that we recommend you consider during your next Compliance and or Audit Committee Meeting:

  1. Enterprise Risk Assessment:  Has our institution updated its Enterprise Risk Assessment to include PPP-related impacts on essential Credit, Operational, Compliance, Treasury, Finance, Information Technology and Vendor risks?  Have these impacts been formally documented and included in governance committee discussions/minutes? 
  2. Strategic Plan/Budget:  Have Strategic Plan and Budget impacts been explored and documented?  For example, what is the impact on our operations if Loan Forgiveness proposals (e.g., the ability to use a one-page document for loans under $150,000) are not approved?
  3. Policies, Practices and Lines of Defense:  Have Credit and Operational policies pertaining to PPP been documented and approved by the Board?  Were factors such as the institution’s risk appetite, resource capability and regulatory limits considered?  What first, second and third line of defense operations are being impacted, and are we accounting for and attempting to mitigate that impact? 
  4. Potential Consumer Harm:  Have potential consumer harm impacts been reasonably considered?  Is documented training provided to loan officers/approvers on how to ensure loans are being sourced, offered and administered consistently across the Bank’s client’s base?  If exceptions are made, how should we evidence our decision and related justification?
  5. Information Technology:  Have minimum security standards been put in place for remote working (i.e., that may require the exchange of or access to sensitive customer information)?  Is there a means to detect and monitor employees and decisions that may not align with existing IT policy?

As with any new product, service or risk, Audit and Examination functions want to see that your financial institution has done its due diligence.  Auditors and examiners understand that there will be adverse impacts on normal operations, and that management may defer certain routine internal compliance or monitoring reviews.  However, they also expect evidence that your institution has reasonably assessed and mitigated potential adverse impacts.  It’s never too late. Know your risk, know where your potential gaps are vis-à-vis the new risk environment, and have a documented roadmap on how your institution will minimize the exposure associated with those gaps.

COMPLIANCE EXCEPTION RATES MAY INCREASE DUE TO PANDEMIC-RELATED RESOURCE LIMITATIONS.  WILL WE BE PENALIZED BY OUR REGULATORS?

In June 2020, regulatory agencies (FDIC, FRB, NCUA and OCC) issued joint guidance to promote consistency and flexibility in the supervision and examination of financial institutions affected by the coronavirus crisis.  According to the agencies, “stresses caused by the spread of COVID-19 have led to significant economic strain and adversely affected global financial markets.”  The guidance instructs examiners to consider the nature of the issues confronting the institutions they supervise due to the pandemic – and to “exercise appropriate flexibility in their supervisory response.”

Some regulatory agencies such as the FDIC and OCC have recently shared that they will continue to assess institutions in accordance with existing policies and procedures, specifically:

  • Examiners will consider whether an institution’s management has managed risks appropriately, including taking appropriate actions in response to stresses caused by COVID-19 impacts.
  • Examiners will consider the challenges involved in assessing the risk that the response presents to the institution in real-time, given the level of information available and the stage of local economic recovery.
  • In assessing an institution under the principles in the interagency examiner guidance, examiners will consider the institution’s asset size, complexity, and risk profile, as well as the industry and business focus of its customers.

It would be unreasonable to expect that a smaller institution (i.e., with only one or two Compliance resources) would have the infrastructure to withstand what has occurred over the last several months without some battle scars.  In the world of Compliance, those battle scars typically show up in the form of increased technical compliance exception rates.  Not to fear, however, as there is a way to manage this risk within reason, which is all any organization can be expected to do:

  1. Do your homework.  Through discussion with department heads and staff and through spot checks, identify those areas (in your end-to-end processes) where the likelihood of higher exceptions has increased. 
  2. Develop a plan for stepped-up monitoring to proactively identify where control gaps may exist.  Ensure the timing of your plan is reasonable (e.g., perhaps not the day loan forgiveness processing begins).  Adjust your Compliance Schedule accordingly, and be prepared to discuss and support the reason for the change. 
  3. Present resultant control gaps, if any, to the Compliance/Audit Committee (or other Risk/Governance Committee) in your organization.  Discuss and agree on action plans that are reasonable and address the root cause. 
  4. Where customer restitution may be necessary, identify those areas and ensure necessary action is taken within a reasonable period.

Finally, be prepared to demonstrate that you have identified the potential impact on your organization and put reasonable protocols in place to identify, detect and address issues as they arise.   And, remember:

  • Be upfront about the impacts on your organization.
  • Provide auditors and examiners your modified Enterprise (or Compliance) Risk Assessment, updated to include PPP impact. 
  • Discuss where your management team has identified the need to do stepped-up monitoring and plans to address any gaps.  Share related reporting to governance committees and the Board.
  • Follow through on what you commit to addressing within the timelines that you commit to.

CORRECTIVE ACTION TRACKING COMPONENTS IMPORTANCE

An examination concludes.  Auditors depart.  Consultants request the last file to review.  And all go about their merry way.  Fast forward, the next audit or exam begins, your Corrective Action Tracking log is requested, and the scramble begins to get it up to date.

When it comes to identifying or detecting an opportunity to enhance a policy, procedure, process or protocol, how your institution documents, tracks, reports and resolves control gaps or areas where enhancements may be required is very important. 

Our advice to you, particularly important today, is to create a centralized Corrective Action Log.  The log can include as many attributes as your institution desires, though, at a minimum, the following should be considered:

  • Source (Regulatory Agency, Audit Group, Internal Compliance Group/Associate, or Consultant)
  • Dates (Identified, Assigned, Due/Target date, Completed)
  • Issue Description (Verbatim from the source, not paraphrased)
  • Person(s) Responsible (Include necessary support, vendor and or /IT resources, as appropriate)
  • Status (Include as much detail as possible; track status to target dates at least monthly, more often as the risk warrants)
  • Timeline (Target Completion/Resolution Date)

Depending on the organization’s size, high-risk issues should be given 30 days to one quarter.  Escalate to the Board issues that do not have sufficient traction or resources necessary to achieve target dates.  Often, the Board is able to assist with a solution that considers available human and financial resources, including the need to outsource or use consultants for assistance

  • Comments (Add notes that are necessary and perhaps unique to your organization.  If timelines are delayed or not being met, this is a great place to document the justification)

Most importantly, keep the Corrective Action Tracking Log current, and include it as a standing agenda item in your periodic Compliance/Audit reporting to the Board.  Minutes should reflect the discussion of the Corrective Action Log status.

OTHER COMPLIANCE NEWS, DEVELOPMENTS and ENFORCEMENT

Home Mortgage Disclosure Act (HMDA)

Note: Effective January 1, 2020, the permanent threshold for collecting and reporting data about open-end lines of credit went from 100 to 200, when the current temporary threshold of 500 of open-end lines of credit expires.  As regards the open-end lines of credit, CFPB noted that last October, it extended the temporary open-end threshold until Jan. 1, 2022.  A link to the ruling follows: https://files.consumerfinance.gov/f/documents/cfpb_final-rule_home-mortgage-disclosure_regulation-c_2020-04.pdf

OCC Issues New UDAAP Examination Procedures 

The OCC published new Examination procedures and guidelines that provide a new layer of insight into potential UDAAP compliance implications throughout organizations. 

We strongly recommend that organizations consider adding a segment to your next Compliance/Governance Committee meeting that is dedicated to addressing poignant points with your leadership teams.  This should also be extended to employees in the form of job-based training.  A link follows: https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/unfair-deceptive-act/pub-ch-udap-udaap.pdf

Joint Community Reinvestment Act Statement Issued; Underserved Areas Further Defined

The FDIC, FRB and OCC issued a Joint Statement on CRA Consideration for Activities in Response to COVID-19. The issuance encourages financial institutions to work with affected customers and communities, particularly those that are low- and moderate-income (LMI), noting that the agencies will provide favorable consideration under the CRA for certain retail banking services, retail lending activities and community development activities related to this national emergency.  The FDIC’s FIL-19-2020 reports that this statement will be effective through the six-month period after the national emergency declaration is lifted, unless extended by the agencies. A link follows: https://www.fdic.gov/news/news/financial/2020/fil20019.html.

The CFPB also issued an interpretive rule to provide additional guidance on how “underserved areas” are defined during a given calendar year.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_interpretive-rule_determining-underserved-areas-using-hmda-data.pdf

New Regulation CC Guidance Effective

Effective July 1, 2020, the following Regulation CC changes took effect:

  • Immediate Availability $200 Rule [§229.10(c)(1)(vii)]:  The minimum amount of deposited funds that must be made available for withdrawal increased from $200 to $225.
  • Invoked $400 Rule [§229.12(d)]: The amount that must be made available for withdrawals by cash or other means (if the Bank elects to invoke this option) increased from $400 to $450.
  • New Account Exception [§229.13(a)]: The amount of funds deposited by certain checks in a new account that are subject to next-day availability increased from $5,000 to $5,525.
  • Large Deposit Exception [§229.13(b)]: The threshold for using an exception to the funds-availability schedules if the aggregate amount of checks on any one banking day exceeds the threshold amount increased from $5,000 to $5,525.
  • Repeat Overdraft Exception [§229.13(d)(2)]: The threshold for determining whether an account has been repeatedly overdrawn increased from $5,000 to $5,525.

We encourage a quick temperature check to make sure that client hold notice templates, system settings for automatic hold placement, and terms and conditions have been updated to comply.  We also recommend that you check with your IT group and/or system vendor to make sure that the capability to generate hold reporting that includes the hold placement date, reason and hold release date is available to you.

CFPB Slightly Eases Regulation X (COVID-19) Loss Mitigation and Credit Reporting Implications

The CFPB issued an interim final rule to clarify that mortgage servicers will not violate Regulation X by offering certain loss mitigation options during the COVID-19 pandemic.  Under normal circumstances, Regulation X would require servicers to collect a complete loss mitigation application before making an offer to a borrower who has submitted an incomplete loss mitigation application. 

Regarding forbearance and related credit reporting:

  • Under the CARES Act, borrowers with federally backed mortgage loans experiencing a financial hardship due, directly or indirectly, to the COVID-19 emergency, may request a forbearance by making a request to their mortgage servicer and affirming that they are experiencing a related financial hardship.  A forbearance under the CARES Act qualifies as a short-term payment forbearance program under Regulation X.
  • If a mortgage servicer provides a borrower a short-term forbearance payment option, the agencies do not intend to take supervisory or enforcement action for failing to meet certain timing requirements for consumer communications related to incomplete application acknowledgement, loss mitigation and early intervention, or annual escrow. The Act requires lenders to report to credit bureaus that consumers are current on their loans if consumers have sought relief from their lenders due to the pandemic.  The CFPB’s statement informs lenders they must comply with the CARES Act.  It encourages lenders to continue to voluntarily provide payment relief to consumers and to report accurate information to credit bureaus relating to this relief. 

A link to the rule follows: https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-interim-final-rule-loss-mitigation-options-pandemic-related-financial-hardships/; Joint Statement on Supervisory and Enforcement Practices Regarding the Mortgage Servicing Rules in Response to the COVID-19 Emergency and the CARES Acthttps://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-credit-reporting-guidance-during-covid-19-pandemic/

Appraisals Suspended for 120 Days for Certain Transaction Types

The FRB, FDIC and OCC issued an interim final rule to temporarily defer real estate-related appraisals and evaluations under the agencies’ interagency appraisal regulations for real estate-related financial transactions affected by COVID-19.  The agencies are deferring certain appraisals and evaluations for up to 120 days after closing of residential or commercial real estate loan transactions.  Transactions involving acquisition, development or construction of real estate are excluded from this interim rule.  The NCUA recently considered and adopted this rule.  These temporary provisions will expire on December 31, 2020, unless extended by the federal banking agencies.  In addition, the agencies, together with National Credit Union Administration and Consumer Financial Protection Bureau, in consultation with the Conference of State Bank Supervisors, issued a joint statement to address challenges relating to appraisals and evaluations for real estate-related financial transactions affected by COVID-19.  Links to both statements follow: https://www.fdic.gov/news/news/press/2020/pr20051a.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery; https://www.fdic.gov/news/news/press/2020/pr20051b.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery

Interim Rule Temporarily Lifts Six-Per-Month Limit on Savings Transfers (Regulation D)

The FRB issued an interim final rule to amend Regulation D to delete the six-per-month limit on convenience transfers from the “savings deposit” definition. The interim final rule allows depository institutions to suspend enforcement of the six transfer limit and to allow their customers to make an unlimited number of convenience transfers and withdrawals from their savings deposits at a time when financial events associated with the coronavirus pandemic have made such access more urgent.  The regulatory limit in Regulation D was the basis for distinguishing between reservable “transaction accounts” and non-reservable “savings accounts.”  The Board’s recent action reducing all reserve requirement ratios to zero has rendered this regulatory distinction unnecessary.  Concurrently, the FRB made temporary revisions to the FR 2900 series, FR Y-9, and FR 2886b reports to reflect the amendments to Regulation D.  A link follows: https://www.federalregister.gov/documents/2020/04/28/2020-09044/regulation-d-reserve-requirements-of-depository-institutions

B&I Guaranteed Loan Program Authorized by Rural Development Act Updated

Effective May 22, 2020, the RBCS, a Rural Development agency of the United States Department of Agriculture (USDA), issued an interim final rule to update the Business and Industry (B&I) Guaranteed Loan Program to allow flexibility to make available federal funds for guaranteed loans pursuant to the CARES Act in response to  the COVID-19 pandemic.  The B&I Guaranteed Loan Program was authorized by the Rural Development Act of 1972.  The loans are made by private lenders to rural businesses for the purpose of creating new businesses, expanding existing businesses, and for other purposes that create employment opportunities in rural America. 

The Rural Business-Cooperative Service (RBCS) is responsible for administering the B&I Guaranteed Loan Program.  Rural Development is a mission area within the USDA comprised of the Rural Utilities Service, Rural Housing Service and RBCS.  Its mission is to “increase economic opportunity and improve the quality of life in rural communities by providing the leadership, infrastructure, access to capital, and technical support that enables rural communities to prosper”.  To achieve its mission, Rural Development provides financial support through more than 40 programs including direct loans, grants, loan guarantees, and technical assistance to help improve the quality of life and provide the foundation for economic development in rural areas.  A link to the interim rule follows: https://www.govinfo.gov/content/pkg/FR-2020-05-22/pdf/2020-11242.pdf?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

CFPB Announces Higher Than Ever Complaints; FTC Makes Certain State-Level Complaint Data Available

The CFPB recently stated that they have received “higher than ever” complaint volumes in March and April 2020, which means the likelihood of examiner focus naturally increases.  Many of us would likely agree that Complaint logs can be difficult to entirely rely on, (primarily) because of:

  • Employee uncertainty about what constitutes an “inquiry” versus a “complaint”
  • Decentralized, manual complaint receipt and handling

While there is no perfect one-size-fits-all solution, there may be an opportunity to modify certain practices to optimize complaint management.  Consider these processes to assess whether they are well-documented and being administered as intended:

  • How complaints are received and whether the means for capturing and tracking complaints from any of these sources is sound (e.g., website only, centralized email box or phone, through individual relationship managers, etc.).
  • Whether all employees know what constitutes a complaint versus an inquiry, and that employees know whom to contact when a complaint is received.
  • Compliance should (ideally) have a view of all complaints to affirm decisions on those that do or do not have potential compliance implications.
  • Review publicly available CFPB complaint data to ensure there are no complaints posted publicly that are excluded from the Bank’s Complaint Tracking Log/Database.  
  • Consider how and where complaints are recorded (e.g., in a log on a shared drive, or submitted to a centralized area or person in the Bank to record them, etc.) and whether they are easily accessible.
  • Include complaint tracking in regular Compliance/Governance committee reporting. Trends should be analyzed to determine whether broader impacts exist that may require a root cause analysis or to potentially make a customer whole. 

A link to the CFPB complaint search tool follows: https://www.consumerfinance.gov/data-research/consumer-complaints/search/?dataNormalization=None&dateInterval=3y&date_received_max=2020-05-13&date_received_min=2017-05-13&from=0&page=1&searchField=all&size=25&sort=created_date_desc&state=CA&tab=List

A link to the state level compliant data made available by the FTC also follows: https://www.ftc.gov/news-events/press-releases/2020/06/ftc-makes-more-state-level-data-available-about-covid-19-related?utm_source=govdelivery

FRB Extends S.A.F.E. Act Registration from One to Three Years

Section 1504 of the S.A.F.E. Act (12 U.S.C. 5103) requires that mortgage loan originators (MLOs) maintain their registration annually. The final rule requires that a registered mortgage loan originator must renew his or her registration with the Registry during the annual renewal period.  In accordance with the S.A.F.E. Act, the CFPB’s Regulation G requires MLOs to register with the Nationwide Mortgage Licensing System (NMLS), maintain this registration, obtain a unique identifier, and disclose to consumers upon request and through the Registry their unique identifier and the MLO’s employment history and any publicly adjudicated disciplinary and enforcement actions.  The CFPB’s regulation also requires the institutions employing MLOs to adopt and follow written policies and procedures to ensure that their employees comply with these requirements and to conduct annual independent compliance tests.

On May 11, 2020, the FRB adopted a proposal to extend for three years, without revision, the Registration of Mortgage Loan Originators (CFPB G; OMB No. 7100-0328).  A link follows: https://www.govinfo.gov/content/pkg/FR-2020-05-11/pdf/2020-09937.pdf?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

CFPB Publishes Additional TRID Guidance

The CFPB has published additional guidance related to the TILA-RESPA Integrated Disclosure (TRID) Rule:

The CFPB also issued interpretive guidance that allows for the pandemic to be classified as a “changed circumstance” on a Loan Estimate and allows for loan consummation before the end of the TRID rescission period, noting a “bona fide personal financial emergency”.  A link follows: https://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/tila-respa-integrated-disclosure-rule-regulation-z-right-rescission-rules-covid-19/

Remittance Transfers Rule Updated (Regulation E)

ECOA Valuations Rule FAQs Issued

The CFPB issued two fact sheets on the ECOA Valuations Rule in response to frequently asked questions. The factsheets provide information on transaction coverage under the Rule, and delivery method and timing requirements for appraisals and other written valuations.  The CFPB also issued FAQs pertaining to Mortgage Origination related to COVID-19.  Links follow:
https://files.consumerfinance.gov/f/documents/cfpb_ecoa-valuation_transaction-coverage-factsheet.pdf; https://files.consumerfinance.gov/f/documents/cfpb_ecoa-valuation_delivery-of-appraisals-factsheet.pdf;
https://files.consumerfinance.gov/f/documents/cfpb_mortgage-origination-rules_faqs-covid-19.pdf

FCRA FAQs Issued

The CFPB issued a Compliance Aid to assist with credit reporting to consumer reporting agencies during the pandemic.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_fcra_consumer-reporting-faqs-covid-19_2020-06.pdf

Temporary Leverage Relief:  CFPB Issues Clarifying Adverse Action Guidance for PPP Loans

A link follows to the CFPB Adverse Action guidance, to include when the Regulation B clock starts and stops for SBA PPP applicants: https://files.consumerfinance.gov/f/documents/cfpb_ecoa-regulation-b_faqs-covid-19.pdf

FFIEC Makes New Census Data Available

The FFIEC website has been updated to include 2020 Census Data Products and updated Geocoding/Mapping information.  A link follows: https://www.ffiec.gov/hmda/

Updated Manual, Proposed Revisions to Flood Disaster Protection Act Requirements

The FDIC, FRB, OCC, NCUA and FCA (Agencies) recently issued proposed new and revised Interagency Questions and Answers Regarding Flood Insurance (Interagency Questions and Answers).  The proposal seeks to incorporate into the Interagency Questions and Answers amendments to federal flood insurance laws regarding the escrow of flood insurance premiums, the detached structure exemption, and force placement of insurance. The document is intended to help lenders meet their responsibilities pursuant to the federal flood insurance laws that were last updated in 2011.  A link to the proposed revisions follows: https://www.fdic.gov/news/press-releases/2020/pr20077a.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery The FDIC also updated its manual regarding the assessment of mandatory Civil Money Penalties for violations of certain aspects of this Act.  A link follows: https://www.fdic.gov/regulations/examinations/enforcement-actions/ch-09.pdf

CFPB Requests Input on Ways to Prevent Credit Discrimination

On July 28, 2020, the CFPB issued a request for information (RFI) to seek public input on how best to create a regulatory environment that expands access to credit and ensures that all consumers and communities are protected from discrimination in all aspects of a credit transaction.The information provided will reportedly help the CFPB continue to explore ways to address regulatory compliance challenges while fulfilling the Bureau’s core mission to prevent unlawful discrimination and foster innovation.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_rfi_equal-credit-opportunity-act-regulation-b.pdf.

RECENT CASES:

PPP Fraud and Arrest

According to the U.S. Department of Justice, two businessmen were charged with allegedly filing fraudulent bank loan applications in pursuit of more than $500,000 in forgivable loans guaranteed by the SBA PPP.  The men were formerly charged by way of a federal criminal complaint with conspiracy to make false statements to influence the SBA and conspiracy to commit bank fraud. Additionally, one of the men is charged with aggravated identity theft.  According to court documents, the fraudulent loan requests were to pay employees of businesses that were not operating prior to the start of the COVID-19 pandemic and had no salaried employees, or, in one instance, to pay employees at a business the loan applicant did not own.  A link to the action follows: https://www.justice.gov/opa/pr/two-charged-rhode-island-stimulus-fraud

CEO, Firm Plead Guilty to Bank and Securities Fraud

Noise surrounding fraud has gotten a bit louder in recent months.  Although we will not detail each allegation on this topic, we thought it might be useful to highlight one of the more involved cases.  Certain control gaps may come to mind that your organization may want to consider while continuing to manage and enhance the overall control environment.   

Secondary market investors are increasingly concerned about asset quality of loan pools involving jumbo and larger dollar residential loan offerings.  There were some interesting tidbits in a local summary of the subject fraud that may raise your audit radar.  A link to the press release also follows.

In summary, the Chief Executive Officer of consulting firm Cash Flow Partners LLC pleaded guilty to one count of conspiracy to commit bank fraud and one count of securities fraud in a multi-million dollar scheme operated through the company, according to a release shared by the Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG).  The release, based on one issued by the Justice Department, says that the CEO pleaded guilty by videoconference before U.S. District Judge Kevin McNulty.  The release states:

  • Beginning at least as early as July 2016, through about September 2019, the CEO led and directed a bank fraud conspiracy designed to obtain millions of dollars in loans from banks on the basis of false representations.  To attract customers, Cash Flow released internet advertisements and held seminars offering to assist customers with low-paying salaries in obtaining loans.  These advertisements included promotional videos featuring the CEO and a former telenovela actor.
  • Customers contacted Cash Flow and were routed to the company’s sales department, where employees encouraged customers to sign up for various loan programs that Cash Flow provided and to enter into contracts with Cash Flow.  Under those contracts, employees would help customers obtain loans from banks.  The Cash Flow contracts permitted customers to keep a portion of the loan proceeds and customers agreed to provide the remaining proceeds to Cash Flow.  Cash Flow agreed to pay off the loans on behalf of its customers.
  • Cash Flow then used false information and fraudulent documents to obtain loans for its customers for which they otherwise would not have qualified and posed as the customers in communications with the banks.
  • From July 2016 through September 2019, the CEO obtained more than $5 million in investments from victim investors based on fraudulent representations.  He solicited investments from prospective customers using a marketing campaign on Spanish language television channels and the internet, the “Cash Flow TV” YouTube page, and live presentations in Cash Flow’s offices and elsewhere.  He also solicited investments from individuals who obtained loans through Cash Flow’s bank fraud conspiracy, encouraging loan customers to invest loan proceeds in Cash Flow’s investment program.
  • Once investors agreed to invest in Cash Flow, Espinal issued “promissory notes” to investors that guaranteed monthly investment returns between 1.25% and 4%.  The promissory notes stated that Cash Flow would return investors’ principal either one year from the date of the promissory note, or 60 days after investors demanded payment.  The CEO and other Cash Flow employees signed the promissory notes on behalf of Cash Flow.
  • The CEO made a number of misrepresentations to investors. He told investors that he would pool their funds with other investors’ funds in investments related to real estate, real estate companies, a gold mine in Ecuador, and construction projects in other countries.  In reality, the C.E.O. used investor funds to pay returns to earlier investors, pay for personal expenses for himself, his family and another Cash Flow employee, perpetuate the bank fraud scheme, and market the bank fraud and investment scheme to future victims.

The conspiracy to commit bank fraud charge carries a maximum potential penalty of 30 years in prison and a $1 million fine.  The securities fraud counts carry a maximum penalty of 20 years in prison and a $5 million fine.  The release, which also credits the FDIC OIG and others for their part in the investigation, said sentencing is scheduled for Oct. 13, 2020.  A link to the release follows: https://www.fdicoig.gov/press-release/owner-business-consulting-firm-admits-orchestrating-multimillion-dollar-bank-fraud-and

Note:  For additional insights on the steps we have taken to assist our clients in operating in this challenging COVID-19 pandemic environment, please see our website: www.AuditOneLLC.com.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our financial institution clients. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for a Compliance audit, please contact Celeste Burton, Compliance Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Webinar – Banking Risk and Control: What’s Important Now, What will be Important Post-COVID

AuditOne Webinar
From Bud Genovese, Chairman

AuditOne is pleased to invite you to attend a webinar we are hosting on Thurs., June 11th, 11 am PST, addressing risk and control issues associated with the current COVID disruptions and with whatever state of normality we return to in coming months. It will be hosted by our CEO, Jeremy Taylor, and will feature brief presentations from each of our Practice Directors, highlighting key developments/trends impacting their respective areas and the implications for audit. Besides specific COVID-related effects, we will also consider any major trends we were seeing pre-lockdown and what’s expected to persist post-COVID. We will move briskly through these presentations, to be wrapped up well before 12:30PM PST. We hope you’re able to join us, and please feel free to share this invitation with any others who may be interested. For those unable to join us next Thursday, we’ll be recording this and making it available afterwards on our website.

Here are some of the topics that our Practice Directors will discuss:

  • ALM: David Kellerman will assess the impact of the pandemic disruption and associated relief measures on financial institutions’ IRR, liquidity, investment and capital management.
  • Credit & Lending: Brock Williamson will go over the now quite different imperatives of portfolio monitoring in the COVID environment and how recent supervisory guidance can help.
  • Technology: Kevin Tsuei will discuss the latest tools to secure your cloud computing environment, laptop and remote VPN access, based on both regulatory guidance and industry best practice.
  • BSA/AML: Kevin Watson will consider the critical elements of the Five Pillars requirements and how COVID may affect your compliance with them.
  • Electronic Funds Transfer: Genelle Wrzesinski will review recent changes impacting her area (e.g., Reg. E, NACHA rules), significant audit trends evident pre-crisis, and the recent supervisory FAQs pertaining to these products, including pandemic effects.
  • Operations: Gary Andreini will discuss some of the higher-risk areas that have become even higher risk in the current environment and how to mitigate them.
  • Compliance: Celeste Burton will present a) recent regulatory changes of note, including those in response to the COVID disruptions, and b) what examiners and auditors are looking for in terms of a sound compliance program to manage those changes – in a volatile environment.

Thanks. -Bud

For further information on AuditOne’s COVID-19 response, see https://www.auditonellc.com/auditone-advisory-covid-19/.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/AML Program, Automated AML System Validation, IRR and other Asset/Liability Management (ALM), ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

 

Our deep expertise is your edge.  To receive an audit proposal or more information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, directly at https://www.auditonellc.com/team-contact/.  Also, for more information about AuditOne LLC and all our audit services, see www.AuditOneLLC.com.

Categories
News

AuditOne Advisory: Audit focus in response to increased risk during the Pandemic

AuditOne Advisory

From Bud Genovese, Chairman

Audit focus in response to increased risk during the Pandemic

We at AuditOne hope that you, your colleagues and families are all keeping safe and well in these stressful times.  Many of your staff have been able to work from home, doing their part for social distancing and helping reduce viral contamination risk for everyone.  But under these circumstances, skeletal on-site staff may become stretched to complete tasks requiring on-site presence and to comply with segregation of duties and other key controls, especially with the demands you’re facing concurrently to respond to PPP and other government support program loan requests in timely fashion. 

With all this in mind, we ourselves recognize that our task in assisting you to maintain safe and prudent practices across all your functional areas becomes all the more important.  I want to assure you that we are attuned to the marked changes in risk profile across financial institutions in the current environment and to the need for our audit procedures to adapt to those changes.  Through the rest of this year, our auditors will be paying particular attention to help ensure that the integrity of client operations was not compromised during this period of upheaval when the response to COVID-19 required many changes directed at other, more pressing (e.g., health and safety-related) goals.  To accomplish this control oversight, we will give particular attention to focal period sample selection since control lapses are more likely to occur when staffing resources are stretched beyond the norm. 

We appreciate the trust that you place in us when you allow us to meet your internal audit needs.  And in such an unusual and disruptive environment, I want you to be comfortable that we are adjusting our audit activity so as to help protect you against not just the normal range of risk exposures but also, even more so, those that are elevated by the demands posed by a world now changed in ways that none of us could have predicted.

All of us at AuditOne wish you well.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/AML Program, Automated AML System Validation, IRR and other Asset/Liability Management (ALM), ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  To receive an audit proposal or more information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, directly at https://www.auditonellc.com/team-contact/.  Also, for more information about AuditOne LLC and all our audit services, see www.AuditOneLLC.com.

Categories
News

IRR Limits & Assumptions Analysis – Revised

Note: This Advisory was originally issued on April 8, 2020. It contained an error in the NMD average life table that has been corrected in the version showing below.

AuditOne Advisory

From Bud Genovese, Chairman

This Advisory presents data that we have compiled to help you in management of your institution’s Interest Rate Risk (IRR) process. AuditOne performs remote-based IRR audits each week at institutions in the Western US and around the nation. One of our IRR audit specialists, Kruskal Hewitt, has developed the following presentation of IRR data on exposure limits and modeling assumptions from a range of our financial institution clients. Mr. Hewitt has been a risk manager, portfolio manager and trader at international and regional banks. I hope you find this information useful, and please share with your colleagues having responsibilities related to IRR modeling and related controls. Thank you, — Bud

AUDITONE LLC’S ANALYSIS OF IRR LIMITS AND ASSUMPTIONS 2017 – 2019

AuditOne LLC is a leading provider of outsourced internal audits for community banks and other small/mid-sized financial institutions (FIs), predominantly in the western US.  Please refer to our website (www.auditonellc.com) for further information.  Asset/Liability Management (ALM) is among AuditOne’s practice areas, and within that we perform many audits of Interest Rate Risk (IRR) management every year. US FIs are expected to have an annual internal audit of their modeling, monitoring and control of IRR.  Key to IRR modelling are several forward-looking assumptions.

AuditOne has compiled (anonymously) data from 80 of our IRR clients on IRR limits and assumptions from our last three years’ audits; we have used data from the most recent AuditOne IRR audit, no further back than 2017.  AuditOne believes this database is relevant to AuditOne clients because it covers a relatively narrow range of asset size, geography and business lines.  AuditOne updates this analysis annually.

DEFINITIONS

NII:  Net interest income.  FIs are expected to model and project (over at least a one- and two-year horizon) interest-sensitive revenues and expenses under different interest rate scenarios.

EVE:  Economic value of equity.  This is a theoretic valuation of the institution whereby cash flows from all assets and liabilities are discounted to their net present value (NPV), then summed.  EVE captures long term risk in the balance sheet.  Conceptually, EVE cam be thought of as the sum of the NPV of all future NII streams.

Instant vs. Ramped Interest Rate Shocks (for NII):  The averages showing in the tables below are for instant (or immediate) rate shocks (78 clients) which assumes rates change instantly, as opposed to a gradual and even rate rise (ramp) over 12 months.

Beta:  This represents the assumed percentage of a market rate change that is reflected in administered rates – most importantly, deposit rates.  For example, if the driver rate is Fed Funds and the beta for saving accounts is 45%, then for every 100-basis point rise in the Fed Funds rate, savings account rates are assumed (predicted) to rise 45 basis points.  Relatively few of our clients have different betas for down versus up rate movements.  Nineteen FIs assume a time lag in administered rate changes; most of these lags are 15 days and only three exceed 30 days.

Average Life:  Non-maturity deposits (NMDs) have no contractual maturity and therefore form a more stable, longer-term funding source.  In order to get a meaningful estimate of EVE, NMDs must be assigned an assumed (predicted) average life by account type.

Parallel vs. Non-Parallel Rate Shocks:  The standard rate shock set-up assumes the yield curve shifts in parallel fashion over the entire maturity spectrum.  However, many institutions also run simulations based on flatteners, steepeners and other non-parallel shocks.  These can be helpful for assessing specific balance sheet vulnerabilities.  But we advise against basing IRR limits on non-parallel shocks because shock specifications are very difficult to define for assessing limit compliance.

Static vs. Dynamic Balance Sheet:  For NII simulations, the balance sheet can either be static (constant), with like replacement of run-off assets and liabilities, or it can incorporate change, both growth and shrinkage (e.g., based on budgeted balances).  The 2010 Interagency Guidance specified that a static balance sheet be used, though simulations could also be run off a dynamic balance sheet as well.  

2017 – 2019 DATABASE ANALYSIS

There are no significant changes from the 2016 – 18 report to this 2017 – 19 report.  It presents results across the entire database of 80 IRR audit clients.  We would be happy to recalculate any of the results for subsets of institutions based on asset size, primary regulator, and/or model vendor; please contact our CEO Jeremy Taylor at 562-802-3581. 

See the final section below for the key identifiers.  Note, too, that we have presented only average (mean) figures in the tables below.  We also computed medians, but these were very close to the corresponding averages and have therefore not been presented separately here.

NII-at-risk (one-year) simulation limits

NII Shocks (bps)-200-100+100+200+300+400
Average Limit-14.3%-8.6%-8.4%-14.2%-20.3%-25.8%

EVE-at-risk simulation limits

EVE Shocks (bps)-200-100+100+200+300+400
Average Limit-18.3%-11.0%-11.4%-19.0%-26.6%-33.2%

Beta assumptions

Account TypeNOWMMASavingsCD
Average Beta (%)26.9%46.4%31.3%79.2%

Average life (AL) assumptions

Account TypeDDANOWMMASavings
Average AL (Months)62665259

Interest rate shocks (for NII limits) – number of FIs

InstantRamp
782

Note:  If asset and liability repricing is evenly spaced during the year (i.e., a ramped shock), then it has roughly half the impact on NII as an instantaneous shock at beginning of the year.  This means that institutions running ramped shocks would be expected to have NII risk limits at roughly half the limits for instantaneous shocks. 

DATABASE MIX SUMMARY

Database mix by asset size (all dollar figures in millions)

CountMaxMedianMin
80$11,400$322$24

Database mix by primary regulator (all dollar figures in millions)

80MAXMedianMin 
57$11,400$327$71FDIC
13$1,069$264$24OCC
7$834$322$194FRB
2nananaNCUA
1nananaFISCU

Database mix by primary regulator (all dollar figures in millions)

80MAXMedianMin 
14$723$308$68ALX Consulting
4$270$234$128Baker Group IRR Monitor
8$11,400$691$264Darling Consulting BASIS
4$834$251$172FIMAC Risk Analytics
9$2,133$321$174Fiserv Sendero
4$858$59$24Plansmith Bankers GPS
7$1,266$434$71Plansmith Compass
9$1,316$241$113Jack Henry Associates ProfitStar
12$4,786$426$140ZMDesk / ZMOnline
9$5,960$449$112Other Systems (8)

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, a broad range of Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust/Wealth Management, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for Asset/Liability Management (ALM) or IRR Audits, please contact David Kellerman, ALM Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Advisory: Liquidity Risk Management Analysis 2020

AuditOne Advisory

From Bud Genovese, Chairman

This Advisory presents data that we have compiled to help in your institution’s Liquidity Risk Management (LRM) process. AuditOne performs many remote-based LRM audits every year at institutions in the Western US and around the nation. One of our ALM audit specialists, Kruskal Hewitt, has developed the following presentation of liquidity metrics and limits from a range of financial institutions. Mr. Hewitt has been a risk manager, portfolio manager and trader at international and regional banks. I hope you find this information useful, and please share with your colleagues having responsibilities related to Liquidity Risk Management and Liquidity Policy. Thank you, — Bud

AUDITONE LLC’S ANALYSIS OF LIQUIDITY LIMITS 2017 – 2019

AuditOne LLC is a leading provider of outsourced internal audits for community banks and other small/midsized financial institutions (FIs), predominantly in the western US.  Please refer to our website (www.auditonellc.com) for further information. Asset/Liability Management (ALM) is among AuditOne’s practice areas, and within that we perform many audits of Liquidity Risk Management (LRM) every year. US FIs are expected to have regular internal audits of their monitoring and control of LRM, which requires a variety of tools. 

AuditOne has compiled (anonymously) data from 70 of our LRM clients on liquidity limits.  These are institutions where we have used data from the most recent AuditOne LRM audit, no further back than 2017.  AuditOne believes this database is relevant to AuditOne clients because it covers a relatively narrow range of asset size, geography and business lines.  AuditOne updates this analysis annually.

WHICH LIMITS?

Regulators have not created rules or detailed guidance on how liquidity risk should be modeled, measured or limited, as there are with interest rate risk.  Nor are liquidity risks similar from one FI to another, as in investments risk (where all FIs invest in a relatively narrow range of financial instruments).  As a result, there is a broad proliferation of metrics (and limits), differing widely across institutions.  As shows below, there are only two measures that are used by more than half of our clients and only seven that are used by more than 30%.  As a result, our analysis of FI liquidity risk limits is inconclusive; rather, those limits are customized to each FI’s individual needs.

AuditOne has analyzed the limits on liquidity and funding sources of 70 regulated FIs over the period 2017 through 2019.  In this group there is one FI with only two liquidity policy limit measures, and two with as many as 18 measures; the average is nine.  There is no correlation between balance sheet size and the number of policy measurements; the second smallest balance sheet ($70 million) has 14 policy measures and the largest ($11 billion) only two limits.  The 70 FIs have in total 109 different measures of liquidity.  Of these, 71 are used by only one or two FIs.  However, 58 out of 70 FIs have at least one of the two most prevalent limits:

  • Net Non-Core Funding Dependence, used by 51 (73%) of the 70 clients
  • Loans / Deposits, used by 37 (51%)

Brokered deposits are also a common limit variable; 45 (64%) of the institutions covered have a limit on brokered deposits expressed as a percentage of either total deposits or total assets.  

Overall, we believe that our clients are satisfactorily monitoring their liquidity positions, and that the common points of liquidity risk exposure across institutions generally get appropriate attention.  We do not suggest an “ideal” set of liquidity measures.

Please note:  The difference between “less than” and “less than or equal to” (or “greater than” and “greater than or equal to,”), is minimal (in ratio terms).  In the following presentation we have made no distinction between the two.  For ease of notation, only “less than” (<) and “greater than” (>) are used.

DEFINITIONS

Brokered Deposits / Total Deposits:  In the numerator, all brokered deposits (per regulatory definition) and all deposits > $250,000 (unless the institution has designated specific large depositors as core).

FHLB Advances / Total Assets:  In the numerator, all collateralized borrowings from the FHLB.

Liquid Assets / Total Assets:  In the numerator, all assets that mature within one year plus all Available for Sale securities (all maturities).

Liquid Assets / Total Deposits:  Ditto.

Net Non-Core Funding Dependence:  Calculated as noncore liabilities less short-term investments divided by long term assets.  Noncore liabilities are total time deposits > $250,000 plus other borrowed money plus foreign office deposits plus securities sold under agreements to repurchase plus Federal Funds purchased plus insured brokered deposits.  Long term assets are net loans and leases, plus all securities less debt securities with a remaining maturity of one year or less, plus other real estate owned (non-investment).

Wholesale Funding / Assets:  The numerator is brokered deposits (including CDARS) plus listing service deposits plus security repurchase agreements plus net Fed Funds purchased.

2017 – 2019 DATABASE ANALYSIS

This analysis presents results across our entire database of 70 LRM audit clients.  We would be happy to recalculate any of the results for subsets of institutions based on asset size, primary regulator, and/or a specific limit that is not listed below; please contact our CEO Jeremy Taylor at 562-802-3581.

Note that “< %” implies a limit expressed as a maximum (i.e., the highest that ratio can go), and vice versa.  This is in contrast, in the tables below, with “Maximum” which indicates the highest limit amount across the database and “Minimum”, the lowest limit amount, whether the limit itself represents the highest or lowest the ratio in question, allowed.

Net Non-Core Funding Dependence: <%

ClientsAverageMedianMinimumMaximum
5126%25%7%60%

Loans / Deposits: <%

ClientsAverageMedianMinimumMaximum
37103%100%75%135%

On Balance Sheet Liquidity / Deposits: >%

ClientsAverageMedianMinimumMaximum
3115%15%7%40%

On Balance Sheet Liquidity / Assets:  >%

ClientsAverageMedianMinimumMaximum
3112%10%3%20%

Brokered Deposits / Total Deposits:  <%

ClientsAverageMedianMinimumMaximum
3016%13%5%75%

FHLB Advances / Assets: <%

ClientsAverageMedianMinimumMaximum
2624%25%10%40%

Wholesale Funding / Assets: <%

ClientsAverageMedianMinimumMaximum
2230%30%10%50%

DATABASE MIX SUMMARY

Database mix by asset size (all dollar figures in millions):

ClientsAverageMedianMinimumMaximum
70$1,018$371$24$11,400

Database mix by primary regulator (all dollar figures in millions):

ClientsAverageMedianMinimumMaximumRegulator
51$1,153$378$70$11,400FDIC
9$316$235$24$1,069OCC
8$721$497$209$2,000FRB
1nanananaFISCU
1nanananaNACU

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, a broad range of Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust/Wealth Management, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for Liquidity Risk or other Asset/Liability Management Audits, please contact David Kellerman, ALM Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Compliance Advisory: Q4 2019 / Q1 2020

AuditOne Advisory

From Bud Genovese, Chairman

In this issue, we cover significant changes in the compliance arena, to include the OCC’s rescission of over 200 outdated rules; updated Agency exam manuals; regulatory guidance and FAQs associated with the new retirement-related SECURE Act, TILA/RESPA Integrated Disclosure (TRID) Rule, Community Reinvestment Act (CRA) and Home Mortgage Disclosure Act (HMDA); and the status of efforts to modernize regulations such as Advertising & Signage requirements, the Remittance Transfer Rule, CRA and the Fair Debt Collection Practices Act (FDCPA).  We also offer practical insights on how financial institutions can maintain an effective compliance framework while incorporating recent regulatory incentives to support the flow of credit as a result of the Coronavirus pandemic (COVID-19).  

Note: As a result of the significant increase in regulatory issuances with near to immediate impact as a result of COVID-19, we expanded this 4Q 2019 Compliance Advisory to include key compliance-related updates through March 31, 2020.

This Compliance Advisory has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. We hope you enjoy! – Bud

TIPS FOR MAINTAINING AN EFFECTIVE COMPLIANCE FRAMEWORK IN ANY ENVIRONMENT

In recent weeks, regulatory Agencies have published several communications on initiatives to support the flow of credit to households and businesses during the COVID-19 pandemic. Below, we’ve highlighted the Agency incentives most pertinent to the world of Compliance followed by some practical insights on maintaining a sound compliance framework, whether times are stable or, like now, disrupted.

AGENCY INCENTIVES TO ENCOURAGE THE FLOW OF CREDIT:

INTERAGENCY STATEMENT ON LOAN MODIFICATIONS
The FDIC, FRB, OCC, NCUA and CFPB issued an Interagency Statement on Loan Modifications and Reporting by Financial Institutions Working with Customers Affected by the COVID-19 to encourage financial institutions to work constructively with borrowers impacted by COVID-19 and provide additional information regarding loan modifications. Highlights:

  • Encourages financial institutions to work constructively with borrowers affected by COVID-19;
  • Will not criticize institutions for prudent loan modifications and will not direct supervised institutions to automatically categorize COVID-19-related loan modifications as troubled debt restructurings (TDRs);
  • Confirmed with the Financial Accounting Standards Board (FASB) that short-term modifications made on a good faith basis in response to COVID-19 to borrowers who were current prior to any relief are not TDRs;
  • Modification efforts described in the interagency statement for one-to-four family residential mortgages where loans are prudently underwritten and not past due or carried in nonaccrual status do not result in loans being considered restructured or modified for the purpose of respective risk-based capital rules; and
  • Views prudent loan modification programs in response to COVID-19 as positive actions that can effectively manage or mitigate adverse impacts on borrowers due to COVID-19, leading to improved loan performance and reduced credit risk.

The Interagency Statement also provides supervisory views on regulatory reporting of past due and nonaccrual status for loan modification programs whereby past due status should be based on the modified due date.  Additionally, it reminds institutions that loans that have been restructured will continue to be eligible as collateral at the FRB’s discount window based on the usual criteria.  This applies to financial institutions with assets under $1 billion.  A link to the statement follows: https://www.fdic.gov/news/news/press/2020/pr20038a.pdf

LETTER FROM THE NATIONAL CREDIT UNION ADMINISTRATION (NCUA) 
The NCUA recently issued a Letter that seeks to encourage credit unions to provide additional financial assistance to borrowers impacted by COVID-19…“The NCUA encourages credit unions to work with affected borrowers”…noting that  examiners “will not criticize a credit union’s efforts to provide prudent relief for members when such efforts are conducted in a reasonable manner with proper controls and management oversight.”  Among the suggested accommodations:

  • Waive overdraft, late and ATM fees;
  • Waive early withdrawal penalties on time deposits;
  • Ease credit terms and restrictions on check cashing;
  • Increase credit card limits;
  • Increase ATM daily cash withdrawal limits;
  • Ease restrictions on cashing out-of-state and non-member checks;
  • Offer payment accommodations, such as allowing borrowers to defer or skip some payments or extend the payment due dates, which would avoid delinquencies and negative credit bureau reporting caused by any COVID-19-related disruptions.

A link follows: https://www.ncua.gov/files/letters-credit-unions/20-cu-02-ncua-actions-related-covid-19.pdf

HUD, FHFA, CFPB SUPENSION OF FORECLOSURES & EVICTIONS 
Several announcements were made regarding this initiative:

  • The U.S. Department of Housing and Urban Development (HUD) and the Federal Housing Finance Agency (FHFA) temporarily suspended all foreclosures and evictions “in response to the economic shock renters and homeowners are experiencing due to the outbreak of COVID-19.”
  • The CFPB announced a moratorium on foreclosures and evictions of borrowers with federally backed mortgage loans, noting that it is a “timely and an important step in providing assurance to consumers amid ongoing concerns about the spread of the COVID-19”
  • The FHFA announced it had directed government-sponsored enterprises (GSEs) Fannie Mae and Freddie Mac to suspend foreclosures and evictions for at least 60 days due to the COVID-19 national emergency. The foreclosure and eviction suspension applies to homeowners with a GSE-backed single-family mortgage.
  • President Trump announced a suspension through April of foreclosures and evictions related to mortgages insured by the Federal Housing Administration.  The White House later put out a statement clarifying that the policy will extend at least 60 days.

PRIMARY DEALER CREDIT FACILITY 
To support the credit needs of American households and businesses, the FRB announced that it will establish a Primary Dealer Credit Facility (PDCF) that will offer overnight and term funding with maturities up to 90 days (available as of March 20, 2020).  It will be in place for at least six months and may be extended as conditions warrant.  Credit extended to primary dealers under this facility may be collateralized by a broad range of investment grade debt securities, including commercial paper, municipal bonds and a broad range of equity securities.  The interest rate charged will be the primary credit rate, or discount rate, at the Federal Reserve Bank of New York.  An explanatory link follows: https://www.investopedia.com/terms/p/primary-dealer-credit-facility-pdcf.asp

MONEY MARKET MUTUAL FUND LIQUIDITY FACILITY  (MMLF) 
The FRB launched the MMLF to enhance the liquidity and functioning of money markets and to support the economy.  The interim final rule modifies the Agencies’ capital rules so that financial institutions receive credit for the low risk of their MMLF activities, reflecting the fact that institutions would be taking no credit or market risk in association with such activities.  An explanatory link follows: https://www.investopedia.com/money-market-mutual-fund-liquidity-facility-4800304

AGENCY STATEMENTS ON CREDIT LOSS ACCOUNTING STANDARDS AND COUNTERPARTY CREDIT RISK DERIVATIVES
On March 27, 2020, the FRB, OCC and FDIC announced two actions to support the U.S. economy and allow banking organizations to continue lending to households and businesses:

TOTAL LOSS ABSORBING CAPACITY
The FRB announced a technical change and interim final rule that will phase in gradually the automatic restrictions associated with a firm’s “total loss absorbing capacity,” or TLAC, buffer requirements, if TLAC levels decline. TLAC is an additional cushion of capital and long-term debt that could be used to recapitalize a bank if it is in distress.   A link follows:  https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20200323a1.pdf

PRACTICAL INSIGHTS

While regulatory Agencies have consistently provided financial institutions assurance that they will not criticize activities designed to ensure the flow of credit to households  “when they are  conducted in a reasonable manner with proper controls and management oversight”, the expectation that consumers not be harmed remains a regulator concern – as demonstrated by a very recent suit by the CFPB against multiple institutions and individuals over FCRA, UDAAP and TSR (detailed later in this edition).

There is a saying that the Old is Forever New, which also rings true when it comes to the basics of maintaining an effective compliance framework.  So, we wanted to leave you with some basic principles that can be applied to ensure a sound Compliance environment at any time.  We hope you find the following key components of an effective Compliance Management System useful.

  • Fully document “end-to-end” compliance processes in the form of policies and procedures.
  • Update the Compliance Risk Assessment as significant changes to products, services and underlying processes occur.
  • Identify and document exception criteria (e.g., to established credit/income qualifications, fees, rates, terms, etc.).  Ensure exception criteria are consistently applied (e.g., if ATM fees are waived in location A, the same practice is applied in location B).  And if the relative risk warrants that different practices be applied, ensure that the justification is documented and that a supervisor/manager provides documented concurrence.  Where uncertainties exist, documented legal opinion is recommended.
  • Train employees on the documented processes, including any exception criteria.
  • Establish a means to monitor and enforce compliance with documented policies and procedures.  Ensure any exceptions noted are reviewed for the root cause, that consumers are all made whole individually, and that any trends are examined.
  • Identify consequences of non-compliance, including impact on performance evaluations and incentive compensation.
  • Ensure that senior management and the Board are provided periodic Compliance updates.

SECURE ACT SIGNED INTO LAW

The Setting Every Community Up for Retirement Enhancement (SECURE) Act, signed into law and effective January 1, 2020, changes certain retirement rules that are worthy of mention.  Key provisions:

  • Eliminates maximum cap for contributions to traditional individual retirement accounts
  • Allows employers to offer annuities as investment options in 401(k) plans
  • Increases required minimum distribution age to 72 (formerly 70.5) and eliminates the maximum age for IRA contributions (formerly capped at 70.5)
  • Provides small business tax incentives to set up automatic enrollment in retirement plans – and opens the door for institutions to work with a broader range of companies to offer employee retirement accounts
  • Eliminates rule that lets account beneficiaries stretch distributions across their lifetime; the entire balance must be distributed by the 10th year

Details: https://money.com/what-serure-act-retirement-law-means-for-you/

CRA MODERNIZATION

Efforts continue to rewrite rules implementing the Community Reinvestment Act (CRA) with a desire to expand qualifying activities and credit associated with activities that benefit communities outside of bank branch networks.  The comment period on proposed amendments has been extended to April 8, 2020.  A link follows:

https://www.federalregister.gov/documents/2020/02/26/2020-03766/community-reinvestment-act-regulations-extension-of-comment-period?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

ASSET THRESHOLDS:  Effective January 1, 2020, the OCC, FRB and FDIC amended their CRA regulations to adjust the asset-size thresholds.  Up to $326 million is now considered a Small Institution; from $326 million up to $1.305 billion is now Intermediate Small; and greater than $1.305 billion is now Large.

FRB ANALYTICS DATA TABLES:  The FRB recently announced the publication of Analytics Data Tables combining HMDA, CRA small business, small farm loan and manually extracted data from CRA Performance Evaluations.  This is intended to provide insight into the historical relationship between bank lending activity and regulatory assessments.  Bank attributes, deposit data, branching, demographics, and other third-party vendor data supplement the tables – a step forward in helping financial institutions prepare for CRA exams.  Links to the new CRA Analytics Data Tables as well as the User Guide and Data Dictionary follow:

OTHER COMPLIANCE NEWS, DEVELOPMENTS and ENFORCEMENT

OCC Rescinds 205 Outdated Rules and Makes Technical Amendments to Other Real Estate Owned (OREO)

FDIC Updates Risk Management Exam Module, Issues New Technology Guide

  • “In its continuing effort to encourage technological innovation in the banking sector, the FDIC’s technology lab (FDiTech) released a new guide to help financial technology companies and others partner with banks.  Conducting Business with Banks: A Guide for Third Parties is designed to help third parties understand the environment in which banks operate and navigate the requirements unique to banking. The Guide is an initial effort to address concerns that Chairman McWilliams has heard from banks and technology companies across the country related to challenges associated with on-boarding at institutions. FDiTech is working to develop additional tools and resources to increase opportunities for partnerships and eliminate unnecessary burdens and costs associated with third party risk management. In the meantime, Conducting Business with Banks should serve as a helpful guide to both banks and third parties.”  A link follows:  https://www.fdic.gov/fditech/guide.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery
  • The FDIC Risk Management examination module is now updated with a new appendix focusing on exam processes and tools.  A link follows: https://www.fdic.gov/news/news/financial/2019/fil19084.pdf

CFPB Publishes Several New Guides and FAQ’s

  • On February 1st, the CFPB announced plans to establish a new category of materials that are similar to previous compliance resources but will now be designated as “Compliance Aids.”  Of particular importance is that the CFPB asserted that – when exercising its enforcement and supervisory discretion – it does not intend to sanction, or ask a court to sanction, entities that reasonably rely on these Compliance Aids.  So, although regulated entities are not required to comply with the Compliance Aids themselves (they are required only to comply with the underlying rules and statutes), the Aids may provide a window into how the CFPB is likely to assess compliance with the requirements referenced within.  A link follows: https://www.govinfo.gov/content/pkg/FR-2020-01-27/pdf/2020-00648.pdf
  • The CFPB published two Guides that provide guidance and examples for commonly asked questions pertaining to these areas – one on disclosing construction and construction-permanent loans with a separate Loan Estimate and Closing Disclosure for each phase of the transaction, and one on disclosing a combined Loan Estimate and a combined Closing Disclosure for both phases of a construction-permanent transaction.  A link follows: https://www.consumerfinance.gov/policy-compliance/guidance/tila-respa-disclosure-rule/
  • The CFPB updated its 2013 Bulletin on Responsible Business Conduct.  The crux of the guidance focuses on building a culture of compliance internally and with service providers, in order to minimize the likelihood of violations of laws and regulations, for the overarching purpose of preventing harm to consumers.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_bulletin-2020-01_responsible-business-conduct.pdf
  • New TRID FAQs  have been issued covering Loan Estimates, Closing Disclosures, Model Forms and Lender Credits, among other areas.  A link follows: https://www.consumerfinance.gov/policy-compliance/guidance/tila-respa-disclosure-rule/tila-respa-integrated-disclosure-faqs/
  • The CFPB issued new HMDA FAQs.  Topics covered include Universal Loan Identifier & Legal Entity Identifier; Ethnicity, Race, and Sex; Discount Points; and Construction and Construction/Permanent Transactions.  A link to the most recent version, updated March 6, 2020, follows: https://files.consumerfinance.gov/f/documents/cfpb_HMDA_frequently-asked-questions.pdf
  • The 2020 edition of the “Guide to HMDA Reporting:  Getting It Right!” is now available at https://www.ffiec.gov/hmda/pdf/2020guide.pdf.  It reflects updates to incorporate content from the HMDA Rule issued by the CFPB in October 2019. 

Comment Period Extended for Modernizing Signage and Advertising Requirements & Fair Debt Collection Practices Act (FDCPA)

The FDIC announced that it is extending to April 20, 2020, the public comment period for its Request for Information (RFI) on potentially modernizing FDIC sign and advertising requirements (12 C.F.R. Part 328) to reflect how banks take deposits through various evolving channels. The RFI was published in the Federal Register on February 26, 2020, with a comment period originally set to close on March 19, 2020.  A link follows: https://www.fdic.gov/news/news/financial/2020/fil20015.html?source=govdelivery&utm_medium=email&utm_source=govdelivery

The CFPB announced that it is extending the comment period for the Supplemental Debt Collection Proposal on Time-Barred Debt, until June 5, 2020.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_debt-collection-supplemental-nprm_comment-extension-notice.pdf

Civil Money Penalty (CMP) Maximums Increased

Effective January 15, 2010, the CFPB, FDIC, FRB and NCUA CMP maximum penalties increased.  The highest CMP that may be charged by any one agency is just under $2.05 million – up from $2.01 million in 2019.  The increased amounts will apply to penalties applied toward misconduct occurring on or after Nov. 5, 2015.

Truth In Lending Exemption Threshold Change

Effective January 1, 2020, creditors with assets of less than $2.202 billion (including assets of certain affiliates) as of December 31, 2019, are exempt from the requirement to establish escrow accounts for higher priced loans,  if other requirements of Regulation Z are being met.  A link follows: https://www.federalregister.gov/documents/2019/12/23/2019-27523/truth-in-lending-act-regulation-z-adjustment-to-asset-size-exemption-threshold?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

FinCEN Issues Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies

FinCEN issued an advisory to financial institutions regarding the Financial Action Task Force’s (FATF) updated list of jurisdictions with strategic anti-money laundering and combating the financing of terrorism (AML/CFT) deficiencies.  These changes may affect U.S. financial institutions’ obligations and risk-based approaches regarding relevant jurisdictions.  The advisory also reminds financial institutions of the status and obligations involving these jurisdictions.  A link follows: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2020-a001

FTC Issues Annual Letter on FDCPA Activities

The FTC shares enforcement responsibility for the Fair Debt Collection Practices Act (FDCPA) with the CFPB, which provides an annual report to Congress about debt collection practices.  The FTC prepared and provided to the CFPB the annual report for 2019.  The report concludes that during 2019, the FDIC:

  • Filed or resolved law enforcement actions against 25 defendants and obtained more than $24.7 million in judgments;
  • Banned 23 companies and individuals who engaged in serious and repeated violations of law from ever working in debt collection again;
  • Announced the return of $516,000 to 3,977 consumers who lost money to an unlawful debt collection operation previously stopped by the FTC;
  • Deployed educational materials to inform consumers about their rights and to educate debt collectors about their responsibilities under the FDCPA and FTC Act;
  • Supplied more than 27,500 copies of a fotonovela (graphic novel) on debt collection, developed for Spanish speakers, to raise awareness about scams targeting the Latino community;
  • Organized and cosponsored Common Ground conferences, bringing together law enforcement personnel, consumer advocates and community members to discuss consumer protection issues, including debt collection; and
  • Hosted public forums on small business financing and credit reporting, which raised debt collection policy issues.

A link follows: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-enforcement-fair-debt-collection-practices-act-calendar-2019-report-bureau/ftc_annual_report_re_fdcpa.pdf

Top Frauds of 2019

During 2019, the FTC received over 1.7 million fraud reports and returned slightly over $230 million to consumers.  Imposter, Social Security, and phone scams are the most common fraud types noted.  Informational links follow: https://www.consumer.ftc.gov/features/feature-0037-imposter-scams; https://www.consumer.ftc.gov/articles/paying-scammers-gift-cards

Grace Periods

Regulatory agencies have extended grace periods for standard reporting, to include Call Reports and the HMDA LAR due March 1st of every year. Check with your local examiner for requirements specific to your jurisdiction.

CFPB Sues over Fair Credit Reporting, UDAAP and Telemarketing Sales Rule

The CFPB recently filed suit against multiple firms and individuals allegedly involved in violations of the Fair Credit Reporting Act. Charges included illegally obtaining consumer reports, unlawful advance fees, and deceptive conduct. A link follows: https://files.consumerfinance.gov/f/documents/cfpb_chou-team-realty-monster-loans_complaint_2020-01.pdf.

Membership of CFPB Task Force on Federal Consumer Financial Law Announced

This Task Force was established to  conduct a thorough examination of our current regulatory framework and report on how we can improve federal consumer financial laws to benefit and protect consumers,” said Director Kathleen L. Kraninger. Taskforce members are:

  • J. Howard Beales, III, former Professor of Strategic Management and Public Policy at the George Washington University and former Director of the Bureau of Consumer Protection at the Federal Trade Commission;
  • Thomas Durkin, Senior Economist (Retired) at the Federal Reserve Board;
  • Jean Noonan, Partner at Hudson Cook, former General Counsel at the Farm Credit Administration, and former Associate Director of the Bureau of Consumer Protection’s Credit Practice at the Federal Trade Commission; and
  • Todd J. Zywicki, Professor of Law at George Mason University (GMU) Antonin Scalia Law School, Senior Fellow of the Cato Institute, and former Executive Director of the GMU Law and Economics Center.

The CFPB announced the designation of Todd Zywicki to serve as the Chair of the Taskforce.

Note:  For additional insights on the COVID-19 pandemic response, please see AuditOne’s Pandemic Advisory issued March 24, 2020.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for a Compliance audit, please contact Celeste Burton, Compliance Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Advisory: COVID-19

AuditOne Advisory

From Bud Genovese, Chairman

This Pandemic Advisory was prepared by Kevin Tsuei, Technology Practice Director, AuditOne LLC. I hope you find this article useful as we all chart a course through these troubled waters, and also please share with your colleagues having responsibilities related to pandemic response. Thank you!—Bud

COVID-19: Communication tips for a time of crisis

COVID-19 is moving fast, and so are the regulators; the FDIC is releasing guidance almost on a daily basis, including this past weekend. If you have not visited their dedicated COVID-19 webpage, it is a good centralized source for both institutions and depositors. I’m sure that you have received many e-mails on COVID-19 responses already, but I thought you might find something focused on crisis communication tips, going beyond what the regulators have put forward, helpful during these turbulent times.

Communicating with employees

Per FDIC’s FIL-14-2020 (published March 6), the regulators advised institutions to promote employee awareness, specifically, “Communicating the risks of a pandemic outbreak and discussing the steps employees can take to reduce the likelihood of contracting an illness.” However, the guidance does not provide the communication cycles or other helpful content to share. As part of executing AuditOne’s own Pandemic Response Plan, I have used several resources, including articles from Harvard Business Review (HBR).

In the HBR articles, Lead Your Business Through the Coronavirus Crisis and How to Reassure Your Team When the News Is Scary, the authors advise on frequent COVID-19 intelligence. The authors mention that in their own organization, they were communicating every 72 hours, but they have since switched to daily at the time of publication. The frequent communication provides employees confidence that the organization is actively following the issue.

As for the contents, you have probably sent updated summaries with facts and implications. At AuditOne, we have mostly cited resources from the CDC website. If your branches are in a certain geographic area, the local county or state website is often a better resource since COVID-19 is an epidemic affecting some local geographic areas more severely than others. The CDC has acknowledged in their Situation Summary dated March 21, 2020 that some communities are still in the initiation phase of CDC’s Pandemic Interval while others are in the acceleration phase.

In times of crisis such as this, infographics can often help convey important public health information more than words. Throughout our own internal communication with employees, I try to use infographics from CDC https://www.cdc.gov/coronavirus/2019-ncov/communication/graphics.html. However, World Health Organization (WHO) or our local public health websites are good sources too:  

If you have an internal website (such as Sharepoint), the authors also advise creating a living page dedicated to COVID-19 in addition to your e-mail communication. It allows employees to find updates as well as the institution’s action plans in one place.

Communicating with customers

The FDIC’s FAQs for Financial Institutions Affected by the Coronavirus (published March 18) specifically mentions to “[r]emind customers ways they can access services without physically coming to a facility, such as online/mobile banking, ATM, telephone banking. Provide information about how to use electronic payments: bill pay, and mobile remote deposit capture services.”

In addition, the regulators also recommend, “[f]inancial institutions may want to remind customers about the safety of their money in your FDIC-insured institution and discuss deposit insurance coverage.” In fact, I observed on the FDIC COVID-19 dedicated webpage that they have added a banner since last week, to give assurance to all depositors:

This image has an empty alt attribute; its file name is PandemicAdvisoryFDICHeading.png

Times like this will draw customers and perhaps non-customers too, to your website, seeking information and assurances. That makes it a good opportunity to revisit the relevance as well as the effectiveness of your site, now that it’s become the only point of contact for many of your constituents.

Similar to having a dedicated intranet page conveying COVID-19 related communication for employees, it might be a good idea to have a dedicated COVID-19 page for your customers too, reinforcing the points above and expanding on any additional resources you can provide on these alternative servicing options.

In-person interaction with customers

It is the American social norm to shake hands. However, given what we understand about COVID-19 today, any physical contact is discouraged as it violates social distancing. This might be easier said than done, especially when community banking is all about building relationships.

In the HBR article, How to Avoid Shaking Hands, by Amy Gallo, she discussed that we can advise an employee to decide ahead of time what they are comfortable with. She stated that, “having a plan will give you confidence and potentially make it less awkward.” After your employee establishes a plan, one of the best ways to defuse any discomfort is to use humor. She gave an example of how she “got used to keeping my hand in my pocket and saying, with a smile on [her] face, [saying] ‘I guess we’re not supposed to shake hands now.’”

In the same article, Ms.Gallo referenced another author, Andy Molinsky, who suggests another cue, “saying hello at a slightly farther distance and giving a quick wave before returning [your] hand to [your] pocket.” Again, it really depends on what your employee is comfortable with.  

AuditOne’s COVID-19 action plans

In closing, I hope you find these communication tips helpful for your institution. In the last few weeks, many clients have contacted us about our Pandemic Plan. Like many organizations, we are enforcing social distancing by performing audits remotely. We are fortunate that many of our audits can be performed offsite, due to our clients increasingly requesting such arrangements over many years in order to save on travel expenses. We are utilizing both Microsoft’s and Box Enterprise’s collaborative and communication tools to help provide secure remote audit services while keeping everyone safe. We have highlighted our remote audit capabilities using the infographic below:

This image has an empty alt attribute; its file name is PandemicAdvisoryAuditOneTools.png

In addition, we understand how strain human resources can be during these difficult times. At AuditOne, we have always believed in a collaborative approach, we are not here to check boxes and create audit reports, but we are here to help you. Whether this is conducting an audit around your availability or answer any questions you might have during these turbulent times, we are always here to help. I have included a quick list of contacts below for your convenience:

Sales and Marketing: Jeremy Taylor, CEO | Contact Us
Client Support Services: Angela Canda and Myra Woods | Contact Us

You may also reach out to our individual Practice Director using our website.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for an ADA Website Compliance Review, IT/Information Security/Cybersecurity audit, or Network Penetration Tests please contact Kevin Tsuei, Technology Practice Director, AuditOne LLC, at: Contact US

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com

Categories
News

Advisory January 2020

AuditOne Advisory

From Bud Genovese, Chairman

This advisory contains our first BSA Bulletin.  Our intention is to publish the Bulletin on a semiannual basis so as to provide BSA professionals with a timely resource for changes in the BSA/AML environment.  Our BSA Practice Director, Kevin K. Watson, will summarize recent regulatory communications and also share our insights obtained by extensive and ongoing experience providing BSA audit and AML system validation services to a sizable client base of financial institutions.  I hope you find this article useful – please share with your colleagues having responsibilities related to BSA/ AML compliance in this area, thank you, – Bud

BSA BULLETIN – JANUARY 2020

This document summarizes recent regulatory communications pertaining to The Bank Secrecy Act and other Anti-Money Laundering laws, regulations and guidelines.  The types of entities that are generally covered by those communications are presented in italics where applicable.  We also present our observations of recent trends in the industry based on our experience reading examination reports and enforcement orders, discussions with clients and industry professionals and keeping tabs on industry publications and media events.

Regulatory Communications

  • Kenneth Blanco, FinCEN Director, Presentation at the American Bankers Association/ American Bar Association Conference on Financial Crimes Enforcement, December 2019
  • Emphasis was placed on the increasing trend of SAR filings associated with convertible virtual currency (CVC).  FIN-2019-A003 addresses those in significant detail.  Some of the more prominent are as follows.
  • Virtual currency exchanges identifying potential unregistered, foreign located MSBs, particularly Venezuela based peer to peer exchangers.
  • Customers conducting transactions with CVC addresses linked to darknet marketplaces.
  • CVC kiosk operators have reported activity indicative of scam victims, particularly with new customers having limited knowledge of CVC, such as the elderly.
  • FFIEC, 12/3/19, Providing Financial Services to Customers Engaged in Hemp-Related Businesses.  (banks, credit unions and U.S. offices of foreign banks)
  • FinCEN, 11/8/19, Reissuance of Real Estate Geographic Targeting Orders for 12 Metropolitan Areas (title companies)
  • Joint Statement – CFTC, FinCEN, SEC, 10/11/19, Joint Statement on Activities Involving Digital Assets (banks, credit unions, U.S. offices of foreign banks, MSBs, broker/dealers, mutual funds)
  • 31 CFR Part 1010, 11/4/19, Imposition of Fifth Special Measure Against the Islamic Republic of Iran as a Jurisdiction of Primary Money Laundering Concern (all U.S. businesses and individuals)
  • Conference of State Bank Supervisors, 9/16/19 – CSBS Cannabis Job Aid (state chartered financial institutions)
  • FIN-2019-A006, 8/21/19 – Advisory to FIs on Illicit Financial Schemes and Methods Related to the Trafficking of Fentanyl and Other Synthetic Opioids (all financial institutions)
  • FIN-2019-A003, 5/9/19 – Advisory on Illicit Activity Involving Convertible Virtual Currency (all FinCEN regulated financial institutions)

Trends

  • We have noticed increased focus by regulatory examiners on independent testing (audit) reports and workpapers over the past few years.  Being one of the five pillars, this emphasis is understandable.  We applaud this effort as it contributes to enhanced quality of audit work and reduces the risk that a financial institution receives an audit that is not consistent with the level of risk.  Some of the major themes are as follows.
  • Enhanced due diligence of high risk customers should be sufficiently documented.  Some areas of examiner concern have been the following.
  • Inadequate coverage of complex customers
  • Lack of comparison of actual to expected activity
  • Lack of global analysis.  Review should be documented at both the account and customer (global) level.

Advice

  • Pay particular attention to regulatory pronouncements and communications as they signal those matters that will be of primary focus during upcoming examinations.  Based on that, we expect FIs to have monitoring procedures in place for suspicious CVC activity.
  • Use the CSBS Cannabis Job Aid as a reference resource for those states where your FI is operating.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for an Automated AML System Validation or BSA/ Anti-Money Laundering Program audit please contact Kevin K. Watson, BSA Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com

Categories
News

AuditOne Advisory: Cannabis 2019

AuditOne Advisory

From Bud Genovese, Chairman

This advisory summarizes regulations and guidelines related to banking cannabis related businesses (CRB) and also suggests a means for your institution to comply with FinCEN’s third pillar of an effective BSA Program (independent testing) as it pertains to CRB customers.  Our BSA Practice Director, Kevin K. Watson, will review our audit approach to determine your institution’s compliance.  I hope you find this article useful – please share with your colleagues having responsibilities related to BSA/ AML compliance in this area, thank you, — Bud

According to a recent periodical by the Meredith Corporation, George Washington and Thomas Jefferson were cannabis farmers.  Apparently, the cannabis grown by our two former presidents was only of the hemp variety and cultivated for the purpose of producing cloth as opposed to the marijuana strain that can be smoked or ingested to relieve pain or induce mind altered experiences.  Interestingly, President Jefferson made the business decision to discontinue hemp farming at Monticello in 1815.  His reasoning is said to be based on the cost and benefit as the process to convert hemp to cloth was laborious and also led his enslaved laborers to complain about the hardships.  Cotton, tobacco and other crops were easier to harvest.1

The modern day problem for American society and financial institutions (FI) is how to bring the cannabis related business (CRB) into the federally insured financial services market.  The issue has been that, with cannabis being a Schedule I drug under the Controlled Substances Act, federally regulated institutions could not accept deposits without great risk.  That is despite more than 30 states having legalized cannabis for one or more uses such as for medicinal use, recreational use or for hemp and hemp derived products.  As a result, transactions have been typically conducted in cash or crypto currency outside the banking system.  The social costs of that have been high, with significant money laundering and violent crime associated with doing business in the black market.

Marijuana related businesses (MRB) and hemp related businesses (HRB) pose different concerns for a FI.  Thankfully, with the passage of the Farm Act in December 2018, the low-THC (tetrahydrocannabinol) cannabis variety, commonly known as hemp, is very near to being completely legal.  THC is the chemical ingredient that causes psychoactive effects and cannabis with levels less than .3% are considered to be hemp rather than marijuana.  Although federally legalized by the December 2018 Farm Act, cultivation and interstate sales of hemp are not technically protected unless a) grown under one of the federal pilot programs, b) the USDA has created its own plan, or c) the USDA has a separate plan for the state where the business operates from.  That hasn’t stopped many states from licensing hemp farmers.  Also, the USDA has issued an interim final rule on October 29, 2019. With the legalization of hemp cultivation and sales, processed hemp, known as CBD (Cannabidiol), is also legalized, but not as an ingredient in food or drink even though it has THC levels lower than 0.3%.  CBD products are thought to have therapeutic benefits for a variety of ailments and so are available in a variety of non-food forms such as ointments, capsules and tinctures.

Cannabis related businesses (CRB) represent unique challenges for the AML Pillars of Independent Testing and Customer Due Diligence (CDD).   As an audit firm, our responsibility pertaining to CRB is to independently test whether the FI exercises appropriate due diligence and ongoing monitoring over those customers.  This article presents our approach to that testing.  But first, it is useful to summarize the current regulatory environment.  The important regulations and guidelines are as follows.

  • Controlled Substance Act
  • U.S. Justice Department Cole Memorandum (rescinded, but still referenced by regulators)
  • FIN-2014-G001: “BSA Expectations Regarding Marijuana-Related Businesses,” FinCEN, February 14, 2014.
  • State laws2
  • The Farm Acts of 2014 and 2018

Our audit approach is to determine compliance with the most significant requirements or guidelines within those documents.  To do that we organize our test procedures as follows.

Risk assessment

Verify that the overall AML Risk Assessment considers the following pertaining to cannabis:

  • The FI’s state CRB regulatory setup (extent of legality for medicinal marijuana, recreational marijuana, and hemp or CBD)
  • Specific risks (e.g., not operating under federal regulations; hemp or CBD product inadvertently  > 0.3% THC; co-mingling or front for illegal activity; violation of one of the Cole Memo objectives)
  • Activity levels
  • Mitigating controls such as for policies and procedures, customer due diligence, and monitoring

Policies and procedures

Assess the appropriateness of policies and procedures, especially to the extent the following are addressed:

Customer Due Diligence (CDD)

For a sample of MRB and HRB customers, we verify that basic CDD processes are in place at account opening and are updated on a periodic basis, including customer identification, beneficial owner identification, expected activity documentation and customer risk rating.  There is no universal standard for risk rating cannabis related businesses, though certainly Tier I or II would be high risk in most any circumstance, FIs might want to classify most hemp/CBD and MRB Tier III as high risk so that they can be sure to conduct appropriate Enhanced Due Diligence (EDD) on  those businesses, especially suspicious activity monitoring.

We also verify that Enhanced Due Diligence (EDD) procedures described in the 2014 FinCEN Guidance on MRBs have been completed by the FI.  Those include the following:

  • Verification of appropriate and current license
  • Review of the license application
  • Consideration of information on the business from the applicable state (such as inspection reports)
  • Ongoing monitoring of public information (negative news searches)

Ongoing Monitoring

The FinCEN Guidance also requires risk based ongoing transaction monitoring for suspicious activity.    Assess whether ongoing monitoring is appropriately risk-based.  Many FIs utilize a tier classification system with businesses actually touching marijuana as Tier I and others as Tier II or III.  HRB should be its own classification.  At the very least, we expect all transactions for Tier I companies to be reviewed.  Many FIs also collect supplemental information from MRBs such as daily sales and purchasing registers and inventory reports.  As a consequence, it is typical that a specialized automated system is implemented to monitor Tier I businesses.

Suspicious Activity Reporting

The FinCEN Guidelines have specific instructions for the filing of regular SARs or limited SARs for marijuana businesses.  They do distinguish between marijuana and hemp, so we would expect that limited SARs be filed on hemp businesses, until such time as there is official guidance on how it should be treated for SAR purposes.  Our test procedure is to review a sample of marijuana and hemp businesses and assess whether SARs have been appropriately filed in compliance with the FinCEN Guidelines. 

The independent testing approach described above might alert directors, managers and BSA personnel to the most critical compliance concerns pertaining to offering financial services to CRBs.  In our opinion, cannabis banking presents a unique opportunity for community FIs in this era when deposit relationships are so difficult to develop.  With a robust control program, an associated deposit pricing mechanism and an appropriate independent testing program, the cannabis business just might take your FI to a higher place.

Sources:

  1. “History: Marijuana, Meredith Corporation”, 2019.
  2. “Cannabis Job Aid”, Conference of State Bank Supervisors (CSBS), September 2019.
  3. “Defining Marijuana Related Businesses”, Steven Kemmerling, ACAMS Today, September 20, 2016.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these. 

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for an  Automated AML System Validation or BSA/ Anti-Money Laundering Program audit please contact Kevin K. Watson, BSA Practice Director, AuditOne LLC, at: Contact Us.

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne General Compliance Advisory: 2019 Q3

AuditOne Advisory

From Bud Genovese, Chairman

Within this Advisory, we cover legislative and regulatory rule changes introduced through July 2020, to assist your organization with strategic planning for compliance governance.  We also discuss recent OCC and CFPB court challenges and introduce an emerging threat known as Synthetic Identity Payments Fraud.  We conclude with commentary on notable compliance developments, public comment requests and enforcement actions.

This Quarterly General Compliance Advisory was prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  I hope you find this article useful, and also please share with your colleagues having responsibilities related to compliance. We hope you enjoy it, thank you!—Bud

IMPLEMENTING THROUGH 2020…

APPRAISALS

The FDIC, FRB and OCC issued an amended rule (the Appraisal Rule) that covers the following:

  • Increases the threshold for residential real estate transactions requiring an appraisal from $250,000 to $400,000.  For transactions exempted by the $400,000 threshold, the Appraisal Rule requires an Evaluation.
  • Incorporates the appraisal exemption for rural residential properties provided by the Economic Growth, Regulatory Relief, and Consumer Protection Act and requires evaluations for these exempt transactions.
  • Requires appraisals for federally related transactions to be subject to appropriate review for compliance with the Uniform Standards of Professional Appraisal Practice (USPAP).

The final rule becomes effective the first day after publication in the Federal Register, except for provisions related to appraisal review and the evaluation requirement related to the rural residential exemption, which become effective on January 1, 2020. A link follows: https://www.govinfo.gov/content/pkg/FR-2019-07-24/pdf/2019-15708.pdf?utm_source=federalregister.gov&utm_medium=email&utm_campaign=subscription+mailing+list

The Board of the NCUA also amended its rule to raise the CU threshold for residential real estate appraisals to $400,000, the same as for banks: 
https://www.ncua.gov/newsroom/press-release/2019/board-approves-second-chance-policy-changes

OTHER REAL ESTATE OWNED (OREO)

The OCC issued a final rule to clarify and streamline its regulation on OREO for national banks and update the regulatory framework for OREO activities at federal savings associations.  In addition to certain technical amendments and provisions, key coverage areas within the changed rule include:

  • How long a national bank or federal saving association may hold OREO
  • Methods for national banks and federal savings associations to dispose of OREO
  • Appraisal requirements applicable to OREO
  • Permissible expenditures on OREO

Certain outdated capital rules that include provisions related to OREO were also removed as part of this OCC issuance.  The final rule is effective December 1, 2019: https://www.federalregister.gov/documents/2019/10/22/2019-22823/other-real-estate-owned-and-technical-amendments

REGULATION C (HOME MORTGAGE DISCLOSURE ACT) *

The CFPB amended Regulation C to extend the current open-end line of credit HMDA reporting threshold of 500 an additional two years, to January 1, 2022 (effective January 1, 2020).  The CFPB continues to receive industry pressure to make the threshold exemption permanent.
The final rule also incorporates into Regulation C the interpretations and procedures from the interpretive and procedural rule issued by the CFPB in August 2018 (https://www.govinfo.gov/content/pkg/FR-2018-09-07/pdf/2018-19244.pdf), and further implements the amendments made to HMDA by the EGRCCPA.  The red line version of the final rule follows:
https://files.consumerfinance.gov/f/documents/cfpb_hmda_unofficial-redline-2019-final-rule.pdf
*12 CFR part 1003 implements the Home Mortgage Disclosure Act (HMDA), 12 U.S.C. 2801 through 2810, and includes coverage thresholds that determine whether financial institutions are required to collect, record, and report any HMDA data on closed-end mortgage loans or open-end lines of credit.  The EGRRCPA added partial exemptions from HMDA’s requirements for certain insured depository institutions and insured credit unions from reporting some but not all HMDA data for certain transactions.   The original rule (in October 2015) set the closed-end threshold at 25 loans in each of the two preceding calendar years, and the open-end threshold at 100 open-end lines of credit in each of the two preceding calendar years. However, in 2017, before those thresholds took effect, the CFPB temporarily increased the open-end threshold to 500 open-end lines of credit for two years (calendar years 2018 and 2019). The final rule extends this temporary threshold to January 1, 2022.

TRUTH IN LENDING ACT (TILA) APPRAISAL EXEMPTION FOR HIGH COST MORTGAGES

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) amended TILA to add special appraisal requirements for higher-risk mortgages.  Since January 2013, regulators have issued joint rules to allow for certain exemptions, including the new HPML appraisal rules for transactions of $25,000 or less.  These are adjusted annually for inflation, and effective January 1, 2020 the exemption threshold amount increased from $26,700 to $27,200, based on the CPI-W in effect on June 1, 2019.  The  exemption threshold for smaller loans will be adjusted effective January 1 of each year:
https://www.federalregister.gov/documents/2019/10/30/2019-21559/appraisals-for-higher-priced-mortgage-loans-exemption-threshold?utm_source=federalregister.gov&utm_medium=email&utm_campaign=subscription+mailing+list

HIGH VOLATILITY COMMERCIAL REAL ESTATE

Federal bank regulatory agencies finalized a rule to modify the treatment of high volatility commercial real estate (HVCRE) exposures as required by the EGRCCPA.  The final rule clarifies certain terms contained in the HVCRE exposure definition, generally consistent with their usage in the Call Report instructions. The final rule also clarifies the treatment of credit facilities that finance 1-4 family residential properties and the development of land, which is substantially similar to the proposal issued in July.

Finally, the final rule provides banking organizations with the option to maintain their current capital treatment for acquisition, development or construction loans originated between January 1, 2015 and the effective date of the final rule, April 1, 2020.
https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20191119b1.pdf

REGULATORY CAPITAL RULES

Regulators are looking to simplify certain aspects of the regulatory capital rulein response to the EGRPRA. The EGRRCPA requires the regulatory agencies to permit certain banking organizations—those predominantly engaged in custody, safekeeping and asset servicing activities—to exclude qualifying deposits at certain central banks from their supplementary leverage ratio.  The supplementary leverage ratio is one of many tools used by the agencies to determine minimum required capital levels and ensure financial stability in the event of stress in the banking system.  It applies only to large or complex internationally-active banking organizations.
Certain banking organizations (referred to as “non-advanced approaches banking organizations”) will now be subject to simplified regulatory capital requirements for certain assets (see below).  The rule only applies to banking organizations that do not use the Advanced Approaches capital framework, which are generally firms with less than $250 billion in total consolidated assets and less than $10 billion in total foreign exposure.  The rule effectively accomplishes the following:

  • Simplifies the capital treatment for mortgage servicing assets, certain deferred tax assets, investments in the capital instruments of unconsolidated financial institutions, and minority interest.
  • Allows bank holding companies and Savings & Loan holding companies to redeem common stock without prior approval unless otherwise required.
  • Makes technical amendments to (and clarifies certain aspects of) the agencies’ capital rule for both non-advanced and advanced approaches banking organizations.

The final rule is effective April 1, 2020.  Revisions to pre-approval requirements for the redemption of common stock and other technical amendments became effective October 1, 2019.  In addition, in October 2019, a rule (effective December 31, 2019) was published that establishes four criteria for determining the applicability of requirements [under the regulatory capital rule and liquidity coverage ratio (LCR)] rule for U.S. banking companies and the U.S. intermediate holding companies of certain foreign banking organizations. A link follows:
https://www.federalregister.gov/documents/2019/11/01/2019-23800/changes-to-applicability-thresholds-for-regulatory-capital-and-liquidity-requirements?utm_source=federalregister.gov&utm_medium=email&utm_campaign=subscription+mailing+list

CALIFORNIA CONSUMER PRIVACY ACT

The California Consumer Privacy Act (CCPA) of 2018 governs how businesses handle and protect data in California.As noted in our prior Advisory, the CCPA only applies to any business that meets one of the following criteria:

  • A business that earns $25,000,000 a year in revenue.
  • A business that annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices based in California. In other words, if the combined number of records of personal information from California consumers, households and/or devices exceeds 50,000, the law applies to them.
  • A business that derives 50% or more of its annual revenue by selling personal information, even if it involves fewer than 50,000 separate and distinct California entities (consumers, households, and/or devices).

There are some exemptions based on factors such as size and complexity, most of which are covered by Gramm-Leach-Bliley Act and Fair Credit Reporting Act. We recommend consultation with Legal to confirm whether exemptions apply to the full scope of entity operations. 
The CCPA was signed into law by California Governor Jerry Brown on June 28, 2018 and will become effective on January 1, 2020, leaving institutions subject to compliance a relatively small window still to become compliant.  Here’s a link:
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375

REGULATION CC (EXPEDITED FUNDS AVAILABILITY ACT)

Regulation CC, which implements the Expedited Funds Availability Act of 1987 (EFA Act), has been amended as a result of the EGRRCPA.  Key amendments include increasing (from $200 to $225) required next-day availability of the aggregate deposit of local or nonlocal checks and extending coverage to American Samoa, the Commonwealth of the Northern Mariana Islands and Guam. 
The amendments became effective August 24, 2019 (§§ 12 CFR 229.2(c), (ff), and (jj), 229.12(e), 229.43, and 12 CFR Part 1030).  Remaining amendments implement July 1, 2020.   A link follows:
https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20190624a1.pdf

OCC TO APPEAL DECISION BLOCKING FINTECH

In July 2018, the OCC announced that it would consider charter applications from companies seeking to become special-purpose national banks that would engage in one or more of the core banking activities of paying checks or lending money, but that would not take deposits or be insured by the FDIC.  However, a U.S. District Court Judge recently rendered a decision blocking charters from the OCC for non-depository, special-purpose national banks, commonly referred to as “fintech charters”.  The Judge ruled that the National Bank Act does not give the OCC authority to grant national bank charters to non-depository institutions without a statutory exception.  The question is whether this decision effectively vacates an OCC regulation permitting the charters.  The OCC announced plans to appeal the court’s decision.

CFPB STRUCTURE CHALLENGED IN COURT

The Supreme Court recently decided to consider a case brought by Seila Law, a debt relief company, that the CFPB is unconstitutional in that its director may only be removed by the President for cause and not at will. The plaintiff is arguing that the Supreme Court has “consistently recognized that the Constitution empowers the president to keep federal officers accountable by removing them from office”.  In May 2019, the 9th U.S. Circuit Court of Appeals in San Francisco upheld the CFPB structure, stating the agency’s structure is constitutional under the Supreme Court precedent that has upheld the structure of the Federal Trade Commission. The FTC’s commissioners also are removable only for cause.

Industry opinion on this matter is mixed, though the overwhelming majority agree that some form of change is needed.    Most notably, the American Bankers Association (ABA), the Independent Community Bankers of America (ICBA) and the National Association of Federal Credit Unions (NAFCU) voiced a preference for a multi-member commission to lead the agency, rather than a single director.  (The bank groups have both called for a five-member oversight body.)

Following this ruling, the CFPB decided to no longer defend a provision in the Consumer Financial Protection Act (CFPA) limiting the President’s ability to remove the director for cause. Director Kathleen Kraninger commented on this matter noting that this “does not mean the Bureau will stop its work”, while also pointing to a provision in the CFPA that, should any provision of the bureau’s statute be found unconstitutional, the remainder of the act will not be affected.

While challenges to the CFPB’s existence are not new, this is the first time that the Supreme Court will hear a case that challenges its constitutionality on these grounds.  Stay tuned.

FRB EXAMINES EFFECT OF SYNTHETIC IDENTITY PAYMENTS FRAUD

A synthetic identity is created by using a combination of real information (such as a legitimate Social Security number) with fictional information (which can include a made-up name, address or date of birth). Synthetic identities are used to commit payments fraud, which may escape detection by existing identity verification and credit-screening processes.  Over time, fraudsters can build credit and eventually purchase high-value goods and services on credit.  The ability to trace and hold fraudsters accountable is limited because the identities are effectively fake.  Other consequences could include denial of disability benefits, rejection of tax returns, and inaccuracies in health records.

The FRB wrote a white paper designed to “provide information on the current state of synthetic identity fraud, including the scope of the issue, causes, contributing factors, and its impact on the payments industry.”  Here’s a link: https://fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-july-2019.pdf

REQUESTS FOR PUBLIC COMMENTS

The CFPB is requesting public comment on an assessment it will conduct on the TRID Integrated Disclosure Rule.  As part of its assessment, the CFPB  intends to address the TRID Rule’s effectiveness in meeting the purposes and objectives of Title X of the Dodd-Frank Act, the specific goals of the rule, and other relevant factors.  The public is invited to comment on the feasibility and effectiveness of the assessment plan, recommendations to improve the assessment plan, and recommendations for modifying, expanding, or eliminating the TRID Rule, among other questions. 

The TRID Rule implemented the Dodd-Frank Act’s directive to combine certain mortgage disclosures that consumers receive under TILA and RESPA and requires that all creditors use standardized forms for most transactions.  Creditors are also required to provide loan estimates and closing disclosures within three business days.”  Comments must be received by January 21, 2020.  A link to the notice follows:

https://www.consumerfinance.gov/policy-compliance/notice-opportunities-comment/open-notices/request-for-information-regarding-tila-respa-integrated-disclosures-rule-assessment

CAMEL Ratings

The FDIC and FRB are seeking information and comments regarding the consistency and usage of ratings assigned by the agencies under the Uniform Financial Institutions Rating System (more commonly known as CAMELS ratings).  Comments must be received 60 days after the October 18, 2019 publication.  A link follows: https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20191018a1.pdf

Credit Risk Review Systems   

The FDIC, FRB, OCC and NCUA are seeking comment on proposed guidance for credit risk review systems. “The proposed guidance discusses sound management of credit risk, a system of independent and ongoing credit review, and appropriate communication regarding the performance of the institution’s loan portfolio to its management and board of directors.”  The proposed guidance updates, as a stand-alone document, the elements of an effective credit risk review system currently contained in the Interagency Policy Statement on the Allowance for Loan and Lease Losses (Attachment 1 – Loan Review Systems), issued in 2006.  Comments must be received by December 16, 2019. A link follows:
https://www.fdic.gov/news/news/financial/2019/fil19060.pdf

The FDIC, FRB, OCC and NCUA are seeking comment on a proposed Interagency Policy Statement on Allowances for Credit Losses. “This proposed policy statement is intended to promote consistency in the interpretation and application of the Financial Accounting Standards Board’s (FASB) credit losses accounting standard, which introduces the current expected credit losses (CECL) methodology.”  The proposed interagency policy statement describes the measurement of expected credit losses using the CECL methodology and updates concepts and practices detailed in existing supervisory guidance that remain applicable.  CECL is effective for most public financial institutions beginning in 2020, and the FASB recently decided to defer the effective date of CECL for most other institutions to 2023. The proposed interagency policy statement would be effective at the time of each institution’s adoption of the credit losses accounting standards.”  A link follows: https://www.govinfo.gov/content/pkg/FR-2019-10-17/pdf/2019-22655.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery

OTHER COMPLIANCE NEWS & DEVELOPMENTS

The CFPB periodically publishes Supervisory Highlights to share key examination findings and communicate any noteworthy changes to its supervision program, resources, etc.  Below are key highlights from the Summer 2019 publication.

  • Credit card management:  Examiners found that entities failed to clearly and conspicuously provide disclosures required by triggering terms in online advertisements. In some instances, the triggered disclosures were available to consumers via a hyperlink that was not clearly labeled.  In other instances, consumers had to click on multiple hyperlinks and could only view the triggered disclosures after completing an eight-page application.
  • Debt collection:  Examiners found that one or more debt collectors claimed and collected from consumers interest not authorized by the underlying contracts between the debt collectors and the creditors.  In doing so, one or more debt collectors falsely represented to consumers the amount due and authorized, in violation of federal debt collection practices laws.
  • Information furnishers:  Examiners found that one or more information furnishers failed to complete dispute investigations within the required time period.  They found certain disputes where the furnisher(s) received notice from the credit reporting company (CRC) but failed to conduct an investigation or respond to the CRC.
  • Mortgage origination: In one or more examinations, examiners observed that creditors were disclosing inaccurate APRs for closed-end reverse mortgages.  Specifically, the bureau said that while conducting loan file reviews, examiners observed creditors using a unit period of one month instead of one year to calculate the APR, leading to inaccurate calculations, outside Regulation Z’s permissible tolerances.

CFPB Establishes Task Force To Modernize Consumer Financial Laws

The CFPB announced that it will establish a taskforce to examine ways to harmonize and modernize federal consumer financial laws.  The taskforce intends to produce new research and legal analysis of consumer financial laws in the United States.  The primary focus will be on updating the enumerated consumer credit laws (and their implementing regulations) and identifying gaps in knowledge that should be addressed through research, ways to improve consumer understanding of markets and products, and potential conflicts or inconsistencies in existing regulations and guidance.  The taskforce is in its infancy stages, but we will keep a pulse on this for notable announcements.

FinCEN Anti-Money Laundering Remarks

FinCEN Director Kenneth A. Blanco provided remarks at the 12th annual Las Vegas Anti-Money Laundering Conference: https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-delivered-12th-annual-las-vegas-anti

FFIEC IT Examination Handbook Updated

The FFIEC issued the “Business Continuity Management” (BCM) booklet, which is part of the FFIEC Information Technology Examination Handbook (FIL-71-2019). This booklet replaces the Business Continuity Planning (BCP) booklet issued in February 2015.  The BCM Booklet is primarily designed to help examiners determine whether management adequately addresses risks related to the availability of critical financial products and services. 

Key highlights:

  • The change from business continuity planning to business continuity management reflects the expanded role that information technology (IT) plays in supporting business operations and meeting customer expectations.
  • Focuses on assessing an entity’s resilience through an enterprise risk management (ERM) perspective that considers technology, business operations, communication strategies, training, testing, maintenance, and improvement — issues critical to business continuity. The degree of maturity, integration and documentation between the BCM and ERM processes are recommended to be assessed commensurate with the entity’s size, complexity and risk profile.
  • Contains updated procedures to help examiners evaluate the adequacy of an entity’s business continuity management program.

A link to the BCM booklet follows: https://ithandbook.ffiec.gov/media/296178/ffiec_itbooklet_businesscontinuitymanagement.pdf

U.S. Financial Regulatory Agencies Joins the Global Financial Innovations Network 

The Commodity Futures Trading Commission (CFTC), FDIC, OCC and SEC announced that they are joining the Global Financial Innovation Network (GFIN).  The published statement follows:

U.S. financial regulators have taken proactive steps in recent years to enhance regulatory clarity and understanding for all stakeholders and promote early identification of emerging regulatory opportunities, challenges, and risks. Participation in the GFIN furthers these objectives and enhances the agencies’ abilities to encourage responsible innovation in the financial services industry in the United States and abroad. By promoting knowledge-sharing on innovation in financial services, U.S. members of GFIN will seek to advance financial and market integrity, consumer and investor protection, financial inclusion, competition, and financial stability. Participation in international organizations such as this helps U.S. financial regulators represent the interests and needs of the nation and its financial services stakeholders.

The agencies join 46 other financial authorities, central banks, and international organizations from around the globe that are members of the GFIN to foster greater cooperation among financial authorities on a variety of innovation topics, regulatory approaches, and lessons learned. 

A link to the announcement follows: https://www.dnb.com/perspectives/supply-chain/innovation-anti-money-laundering-compliance.html

NOTEWORTHY ENFORCEMENT ACTION

Bank fined $275,000 for placing marketing calls to ‘do-not-call’ registrants

An Oregon bank has agreed to pay a $275,000 civil money penalty (CMP) to the FDIC for allegedly placing telemarketing calls to consumers on the “Do-Not-Call” list, and using an automated dialing system to send pre-recorded or text messages to consumers’ cell phones.  Violations cited included the Real Estate Settlement Procedures Act (RESPA) for agreeing to pay and accept fees for the referral of mortgage loans business, and the Telephone Consumer Protection Act related to the telemarketing and cell phone calls.  Link: https://www.bankersonline.com/penalty/162832


_______________________________________________________________

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for a Compliance audit please contact Celeste Burton, Compliance Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.