AuditOne Compliance Advisory: 2018 Q4

AuditOne LLC Advisory

From Bud Genovese, Chairman

As we move into the new year, efforts to revisit and refine the Dodd-Frank Wall Street Reform and Consumer Protection Act remain in full swing. Legislators, regulators and other government agencies are continuing work to ensure that laws and regulations drafted by different US agencies align with the current administration’s goals while maintaining competitive markets and effective legislative and regulatory oversight. As part of this effort, we are seeing an increasing number of agency requests for public comments on proposed rule changes to implement the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA).

Within this issuance, we cover key changes to Dodd-Frank along with other noteworthy regulatory developments and enforcement actions that we hope your organization finds useful. This Quarterly General Compliance edition has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. We hope you enjoy! – Bud


General Updates

Public Comment Requests

Regulatory agencies are seeking public comments on:

  • Impending legislative changes surrounding the sharing of Nonpublic Personal Information. This action could have a significant impact on the amount and type of data obtained and retained by financial institutions. Two key focus areas include:
    • Ways to enhance the quality, utility and clarity of the information to be collected
    • Ways to minimize the burden of the collection of information on respondents, including using automated collection techniques or other forms of information technology

    The deadline to submit Comments is January 22, 2019. A link follows:

  • Impending rulemaking that would amend existing stress testing regulations to change the minimum threshold for applicability from $10 billion to $250 billion, revise the frequency of required stress tests by FDIC-supervised institutions from annual to periodic, and reduce the number of required stress testing scenarios from three to two. The deadline to submit Comments is February 19, 2019. A link follows:
  • A proposal that would establish risk-based categories for determining applicability of requirements under the regulatory capital rule, the liquidity coverage ratio rule and the proposed net stable funding ratio rule for large U.S. banking organizations. The proposal would not extend to intermediate holding companies of a foreign banking organization or its subsidiary depository institutions or federal branches or agencies of foreign banking organizations. The deadline to submit Comments is January 22, 2019. A link follows:
  • A proposed rule that would increase the threshold level at or below which appraisals would not be required for residential real estate-related transactions from $250,000 to $400,000. Applicable regulated institutions would still be required to obtain an evaluation of the real property collateral that is consistent with safe and sound banking practices. The proposed rule would also include consideration of residential property in rural areas that have been exempted from existing appraisal requirements pursuant to the EGRRCPA (evaluations would instead be required for these transactions). The deadline to submit Comments is February 5, 2019. A link follows:
  • A proposed rule to expand the eligibility to file the FFIEC 051 Call Report, to include certain insured depository institutions with less than $5 billion in total consolidated assets that meet other criteria, and to establish reduced reporting on the FFIEC 051 Call Report for the first and third reports of condition for a year. The deadline to submit Comments is January 18, 2019. A link follows:


On December 20, 2018, President Trump signed into law the Agriculture Improvement Act of 2018, a.k.a. the Farm Bill (the Act). The Act removed “hemp” from the “Controlled Substances Act”, a move that effectively decriminalizes marijuana production at the federal level. Some noteworthy changes as a result of this Act follows:

  • Allows hemp production in all states – even those that have not yet acted to allow it.
  • Cannabis sativa L. plants at or below 0.3% THC are no longer classified as controlled substances under the Controlled Substances Act.
  • Allows hemp farmers to get crop insurance and access to federal water rights.
  • Protects hemp farmers from criminal prosecution for growing hemp with elevated THC content.

What Does This Mean for Banking?

Only time will tell. To date, 22 states have decriminalized marijuana; 33 states have approved medical marijuana, and 10 states and Washington, D.C. have legalized the sale and use of marijuana. Proponents believe that the combination of Sessions’s departure and the new House composition is likely to open the door for greater marijuana law reform measures and policy changes. If and until then, financial institutions should continue conducting customer due diligence that includes registration/license verification; understanding normal and expected activity levels, including the types of products sold and the type of customers served; monitoring publicly available data sources for adverse information; and ongoing monitoring for suspicious activity. Follow this link for further details:


CRA Data on Small Business, Small Farm & Community Development Lending

On October 25, 2018, the FRB, OCC and FDIC announced the availability of CRA data on small business, small farm, and community development lending reported by certain commercial banks and savings associations. An FFIEC disclosure statement on the reported 2017 CRA data is now available for each reporting commercial bank and savings association. The FFIEC also prepared aggregate disclosure statements of small business and small farm lending for all of the metropolitan statistical areas and non-metropolitan counties in the United States and its territories. These statements are available for public inspection on the FFIEC website (

New CRA Data Thresholds

As a result of the 2.59 percent increase in the Consumer Price Index for the period ending in November 2018, the definitions of Small and Intermediate Small institutions for CRA examinations changed (effective January 1, 2019) as follows:

  • “Small Bank” or “Small Savings Association” means an institution that, as of December 31 of either of the prior two calendar years, had assets of less than $1.284 billion.
  • “Intermediate Small Bank” or “Intermediate Small Savings Association” means a Small Institution with assets of at least $321 million as of December 31 of both of the prior two calendar years but less than $1.284 billion as of December 31 of either of the prior two calendar years.

A link to the joint final rule follows:

Federal Home Loan Board Federal Housing Program & CRA

On November 28, 2018, the Federal Housing Agency issued a final rule (12 CFR Parts 1290 and 1291) to amend its regulation governing the Federal Home Loan Board Affordable Housing Program (AHP or Program). The Federal Home Loan Bank Act (Bank Act) requires banks to establish a Program to provide subsidies for long-term, low- and moderate- income, owner-occupied and affordable rental housing. Institutions subject to compliance are required to allocate annually 10 percent of its prior year’s net income to fund its Program to help subsidize the purchase, construction, and rehabilitation of affordable rental and owner-occupied housing. Homeowners and homebuyers receiving AHP subsidies must be low- or moderate-income (incomes at or below 80 percent of area median income (AMI)). For rental housing, at least 20 percent of the units must be occupied by very low-income households (incomes at or below 50 percent of AMI) and must be affordable (rents charged do not exceed 30 percent of income).

This final rule amends the FHA regulation to, amongst other things,

  • provide banks with additional authority and flexibility when it comes to how AHP funds are allocated;
  • allow banks to use noncompetitive project selection methods;
  • ease certain project monitoring requirements;
  • clarify expectations for resolving project noncompliance scenarios; and,
  • eliminate some of the red tape associated with household subsidy repayments.

Worthy of note is that under the new Competitive Application Program, for-profit developers may now apply to Banks for AHP subsidies (which, prior to this rule, had been set aside for nonprofit affordable housing developers). We encourage financial institutions to consider potential CRA impacts and adjust planning and allocations accordingly.

The rule becomes effective December 28, 2018, with a qualification that – under certain conditions stated within the rule – through December 31, 2020 a Bank may comply with either the AHP regulation in effect immediately prior to this final rule’s effective date or this final rule. After January 1, 2020, Banks must only comply only with this final rule.

For more information, click on this link:



Appraisal Regulation Guidance

On October 16, 2018, the FFIEC issued Frequently Asked Questions on the Appraisal Regulations and Interagency Appraisal and Evaluation Guidelines. A link follows:

Flood Insurance

Regulatory agencies issued guidance for financial institutions on issuing loans when the National Flood Insurance Program in unavailable. A link follows:


On December 28th, the FDIC announced the release of an updated technical assistance video on BSA/AML requirements, and the Treasury Department’s OFAC sanctions programs. The updated video provides an overview of current BSA/AML and OFAC requirements for directors of FDIC-supervised banks and savings associations.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is effective January 1, 2020. The Act includes a 12-month “look back” requirement, which means it is a good time to pause to ensure that your financial institution has the infrastructure to comply.

FFIEC Statement on OFAC Cyber-Related Sanctions

The FIIEC issued a statement about recent actions taken by the Department of Treasury’s Office of Foreign Asset Control (OFAC) under their Cyber-Related Sanctions Program and to the potential impact it may have on financial institutions’ risk-management programs. A link follows:

Telephone Consume Protection Act

On December 13, 2018, the FCC released an Order “directing the creation of a single comprehensive database for disconnected and reassigned telephone numbers.”. The Act is effectively designed to insulate certain impacted callers from Telephone Consumer Protection Act violations.

FFIEC Examination Modernization Project

On November 27, 2018, the FFIEC issued a second update on the “Examination Modernization Project”, focused on tailoring examination plans and procedures based on risk, which is another area that holds promise for reducing burden. The project identifies and assesses ways to improve the effectiveness, efficiency, and quality of community financial institutions Safety and Soundness examination processes, particularly through increased use of technology. The first update was issued on March 22, 2018, with a focus on steps taken to improve the examination process, which included the identification of areas with the potential for the most meaningful supervisory burden reduction. A link follows:



FinCEN assessed a $14.5 million civil money penalty on UBS Financial Services, Inc. (UBSFS) for willful violations of AML Program requirements (associated with brokerage and “banking-like” services) and Section 312 of the USA Patriot Act (regarding due diligence on correspondent accounts and financial institutions). UBS was also cited for failing to provide its AML compliance officer with “the resources needed to ensure day-to-day compliance with the BSA”, adversely impacting their ability to adequately review potentially suspicious activity “triggered by its automated monitoring system and make reasonable determinations whether or not to file suspicious activity reports (SARs).” Inadequate staffing was also cited as the reason for backlogged alerts and SAR filings. The order can be found here:


On October 25, 2018 the FRB issued an enforcement action against AllNations Bank. Amongst other things, it requires very specific actions related to the BSA and overall Compliance Program, including improvement to controls surrounding customer due diligence, suspicious activity monitoring and reporting and resources. A link follows:

International Network of Corporations

The FTC alleges that – using shell companies and straw owners – an international network of corporations and individuals made false claims about “free” trial offers, followed by unauthorized charges to their accounts. Aside from the UDAAP implications that are more directly cited, can you see how the new BSA “beneficial ownership rule” – if followed – may have raised enough suspicion to prompt further inquiry/ investigation. A link to the FTC action follows:

JP Morgan Chase

JPMorgan Chase recently paid $5.3 million settlement for OFAC violations. Settlement details may be found at

FFIEC Statement on OFAC Cyber-Related Sanctions

The FIIEC issued a statement about recent actions taken by the Department of Treasury’s Office of Foreign Asset Control (OFAC) under their Cyber-Related Sanctions Program and to the potential impact it may have on financial institutions’ risk-management programs. A link follows:


It’s been a while since we’ve seen a combined Electronic Funds Transfer Act (EFTA) & Regulation E order such as the one assessed against USAA. A link follows:

AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security, ACH rules Compliance, Operations, Network Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, Co-CEO at (949) 981-0420 or Kevin Watson, Co-CEO at (562) 802-3581 and for information about all of our audit services see