AuditOne Compliance Advisory – Preparing for HMDA changes

AuditOne Compliance Advisory – From Bud Genovese, Chairman

AuditOne is proud to announce the new issue of our Compliance Advisory written by our Compliance Practice Director, Celeste Burton. Please take a look at it below, and feel free to forward this email to the appropriate people within your financial institution. And remember, when you need the most thorough risk management expertise for compliance audits, credit reviews, and information security audit services, contact the best in the business… AuditOne. Our expertise is your edge, thank you. –Bud

Volume 1 / Issue 1

Preparing for HMDA

We anticipated, we waited, and it’s finally arrived…On October 15, 2015, the Consumer Financial Protection Bureau (CFPB) released a 797-page final rule that expands the scope of mandatory data reporting under the Home Mortgage Disclosure Act (HMDA). The new rule, which
will be implemented in phases through 2020,
represents the most significant changes to HMDA and Regulation C in over a decade. The presiding expectation is that data gathered as a result of this new rule will allow regulators to better identify discriminatory lending patterns, and monitor whether financial institutions are serving the needs of their communities. The requirements can be placed into four categories:

1. New applicability standards: A new 25-loan threshold was established for determining whether a lender is subject to the data collection and reporting requirements.

2. Expansion of types of reportable applications and loans:
Data must now be collected on all “dwelling-secured” or “covered” loans. This would include Closed-end mortgage loans, Open-end lines of credit, Reverse mortgages, and Business-purpose loans and lines of credit secured by a dwelling.

3. Expansion of reportable data: The items of information HMDA lenders must collect and report have more than doubled, with specific – and different- data requirements from both Dodd-Frank and the CFPB.

4. Quarterly reporting for large-volume HMDA lenders:
Lenders that reported at least 75,000 reportable transactions in the prior year would be required to submit data within 60 days following each quarter end.


TRID Grace Period?

While there are varying opinions about the true meaning of a “hold harmless grace period” for compliance with the TILA-RESPA Integrated Disclosure (TRID) rule that became effective October 3, 2015, we do know with certainty that examiners will expect banks to demonstrate evidence of good faith efforts to comply. Efforts to update policies, procedures, processes, systems, training and protocols for handling implementation issues as they arise are all fair game. BUT……regulators can’t protect banks from private lawsuits.
A House bill recently passed that provides some safe harbor protections until January 2016, but the bill still needs to go to the Senate and would need to survive a possible Presidential veto.

Hope for the best – prepare for the worst.

When are financial institutions expected to comply?

January 1, 2017: Institutions that meet certain requirements and did not originate at least 25 home purchased loans (or refinancings of home purchase loans) in 2015 and 2016 become
exempt from HMDA.

January 1, 2018:

· Institutions that did not originate at least 25 covered closed-end mortgage loans or 100 covered open-end lines of credit in the previous two years become exempt from HMDA.

· Lenders must collect and report on the new and amended data points.

· Lenders must use a new web-based submission tool currently being developed by the CFPB to report HMDA data.

· Loans secured by a dwelling will now be covered by HMDA regardless of purpose.

March 1, 2019: Lenders must submit first data sets under the new standards.

January 1, 2020: Each large volume lender reporting at least 60,000 applications and loans must begin submitting quarterly reports.

March 30, 2020: Large volume lenders must submit their first quarterly reports.


Questions to Ask In Preparing For New HMDA Reporting Requirements…

1. Do we currently obtain new required data fields during the application process?

2. Does our system include (or have the capability to retain) required data fields?

3. Do we have a source document matrix that identifies the source (i.e. loan file location) of each data field required for ease of internal and 3rd party review?


“If you fail to plan,
you are planning to fail.” – Benjamin Franklin


AML software tips

Make the most of your investment in BSA Automated Software to assist in achieving compliance with BSA/AML/OFAC regulatory requirements. Whether your software is “Rules” or “Behavior” based (a), there are certain key controls that all institutions should consider in their ongoing
monitoring routines (b):

· Data Integrity

o Alerts

o Quality & Usefulness

o Documented Results of Alert Analysis

o Timely Addressing of Alerts

· Proper Documentation for Cases not Resulting in SAR filings

· Parameters are Appropriate and Aligned with Risk Assessment/Policies/Practices

· Testing of System Changes

· Periodic System Validation

· Model (Performance, Testing, Validation)

· Key Information Reported to the Management

· Appropriate Understanding by Personnel (training)

· Appropriate User Authorities and Controls

· Vendor Management Oversight

a) Rules Based Alerts are based on specific, often logic or activity based, rules. When the criteria for that rule is met then an alert is generated. Behavior Based Alerts are
based on specific customer behavior. Defined parameters exist for
expected behavior (either overall or for specific customers) and alerts are
generated when activity is outside of expected behavior.

b) Typically includes but is not limited to cash, wire transfers, negotiable instruments, ATM/debit cards, ACH, electronic transfers, lending transactions, and deposit activity.


Staying a step ahead

Meeting heightened regulatory expectations in today’s environment requires a gradual and continuous shift in focus on improving specific processes to fully integrating risk management and compliance into the bank’s culture. Below are a few tips on how to stay ahead:

· Boards should continually challenge senior management’s risk assumptions and business plans, documenting such instances in Board minutes.

· Chief Risk Officers should collaborate with business lines as compliance and risk management continue to be an enterprise-wide focus.

· Risk Management and Compliance responsibilities should be clearly reflected in performance management programs and reinforced in employee training.

· Continually integrate the evaluation of potential Consumer Protection impacts on new or changing products, services, practices and disclosures into existing compliance monitoring protocols.


On the horizon…



Flood Insurance (12CFR Part 339) · Requires institutions to escrow premiums and fees for certain
designated loans that are made, increased, extended, or renewed on or after January 1, 2016.

· Requires lenders to offer and make available to consumers the option to escrow premiums and fees for certain loans outstanding as of January 1, 2016. Implements exemptions to the escrow requirement provided under the Homeowner Flood Insurance Affordability Act.

January 2016Military Lending Act

The Department of Defense (DOD) issued a final rule (amending the implementing regulations of the Military Lending Act of 2006 (MLA)) that “expands specific protections provided to service members and their families, and addresses a wider range of credit products than the DOD’s previous regulation.”

“The Final Rule:

· Extends MLA protections, to a wider range of credit products, including credit cards.

· Modifies the MAPR to include fees for credit-related ancillary products sold in connection with the credit transaction, finance charges associated with consumer credit, and certain application and participation
fees. Also, for credit cards, the MAPR excludes certain fees if bona fide and reasonable.

· Provides a safe harbor for creditors ascertaining whether a consumer is covered by the final rule’s protections.

· Modifies the existing prohibition on rolling over, renewing or refinancing consumer credit.

· Subjects creditors to civil liability and administrative enforcement for MLA violations.”

institutions and other creditors must comply with the rule for new covered
transactions beginning October 3, 2016.
credit extended in a new credit card account under an open-end consumer
credit plan, compliance is required beginning October 3, 2017.


Celeste Burton is Compliance Practice Director at AuditOne and can be reached on our Team & Contact page.

Bud Genovese is Chairman of AuditOne LLC, a California-based risk management firm that focuses only on financial institutions. Mr. Genovese pioneered the concept of providing comprehensive internal audit, compliance and credit review services by assembling extraordinary expertise within one firm.

AuditOne now serves over 200 clients throughout the Western United States, and nationally. Contact Kevin Watson, Co-CEO at 562.802.3581 or Jeremy Taylor, Co-CEO at 650.299.9185. Both may also be reached on our Team & Contact page.

Bud Genovese, Chairman
AuditOne LLC


Our Expertise, Your Edge™