AuditOne Compliance Advisory: Q2 2020


From Bud Genovese, Chairman

In this issue, we offer practical tools and insights for managing Compliance risk resulting from the unprecedented demand for Payment Protection Program (PPP) loans.  We also discuss the importance of corrective action tracking and other significant compliance news and developments, including COVID-19 Appraisal Requirement Suspensions; Regulation X Loss Mitigation/Forbearance; changes to Regulation D Transfer Limits and Regulation E Remittance Transfer rules; and updates to Unfair, Deceptive or Abusive Acts or Practices (UDAAP), Truth In Lending Integrated Disclosures (TRID), Rural Development Act (RDA), Community Reinvestment Act (CRA), Home Mortgage Disclosure Act (HMDA/Regulation C) and Expedited Funds Availability Act (Regulation CC).  We conclude with commentary on two recent high-profile cases on PPP and on bank and securities fraud, which may be valuable for employee training and reinforcement.

This Compliance Advisory was prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  I hope you find this information useful – please share with your colleagues having responsibilities related to the areas covered in this Advisory.  Thank you, — Bud


In recent months, regulatory agencies and various industry pundits have published numerous communications related to initiatives intended to support the flow of credit to households and businesses, most notably the PPP.  To handle the unprecedented volume of PPP loans, financial institutions have sometimes redeployed employees from traditional assignments to temporary ones on the “PPP assembly line.”  Standing protocols were sometimes abandoned or deferred, and there was little time, if any, to modify documented policies, standards or practices to meet the demand for this new product and to adapt it to the much riskier COVID-19 operating environment for financial institutions.


Following are a few questions that we recommend you consider during your next Compliance and/or Audit Committee Meeting:

  1. Enterprise Risk Assessment:  Has our institution updated its Enterprise Risk Assessment to include PPP-related impacts on essential Credit, Operational, Compliance, Treasury, Finance, Information Technology and Vendor risks?  Have these impacts been formally documented and included in governance committee discussions/minutes? 
  2. Strategic Plan/Budget:  Have Strategic Plan and Budget impacts been explored and documented?  For example, what is the impact on our operations if Loan Forgiveness proposals (e.g., the ability to use a one-page document for loans under $150,000) are not approved?
  3. Policies, Practices and Lines of Defense:  Have Credit and Operational policies pertaining to PPP been documented and approved by the Board?  Were factors such as the institution’s risk appetite, resource capability and regulatory limits considered?  What first, second and third line of defense operations are being impacted, and are we accounting for and attempting to mitigate that impact? 
  4. Potential Consumer Harm:  Have potential consumer harm impacts been reasonably considered?  Is documented training provided to loan officers/approvers on how to ensure loans are being sourced, offered and administered consistently across the Bank’s client base?  If exceptions are made, how should we evidence our decision and related justification?
  5. Information Technology:  Have minimum security standards been put in place for remote working (i.e., that may require the exchange of or access to sensitive customer information)?  Is there a means to detect and monitor employees and decisions that may not align with existing IT policy?

As with any new product, service or risk, Audit and Examination functions want to see that your financial institution has done its due diligence.  Auditors and examiners understand that there will be adverse impacts on normal operations, and that management may defer certain routine internal compliance or monitoring reviews.  However, they also expect evidence that your institution has reasonably assessed and mitigated potential adverse impacts.  It’s never too late. Know your risk, know where your potential gaps are vis-à-vis the new risk environment, and have a documented roadmap on how your institution will minimize the exposure associated with those gaps.


In June 2020, regulatory agencies (FDIC, FRB, NCUA and OCC) issued joint guidance to promote consistency and flexibility in the supervision and examination of financial institutions affected by the coronavirus crisis.  According to the agencies, “stresses caused by the spread of COVID-19 have led to significant economic strain and adversely affected global financial markets.”  The guidance instructs examiners to consider the nature of the issues confronting the institutions they supervise due to the pandemic – and to “exercise appropriate flexibility in their supervisory response.”

Some regulatory agencies such as the FDIC and OCC have recently shared that they will continue to assess institutions in accordance with existing policies and procedures, specifically:

  • Examiners will consider whether an institution’s management has managed risks appropriately, including taking appropriate actions in response to stresses caused by COVID-19 impacts.
  • Examiners will consider the challenges involved in assessing the risk that the response presents to the institution in real-time, given the level of information available and the stage of local economic recovery.
  • In assessing an institution under the principles in the interagency examiner guidance, examiners will consider the institution’s asset size, complexity, and risk profile, as well as the industry and business focus of its customers.

It would be unreasonable to expect that a smaller institution (i.e., with only one or two Compliance resources) would have the infrastructure to withstand what has occurred over the last several months without some battle scars.  In the world of Compliance, those battle scars typically show up in the form of increased technical compliance exception rates.  Not to fear, however, as there is a way to manage this risk within reason, which is all any organization can be expected to do:

  1. Do your homework.  Through discussion with department heads and staff and through spot checks, identify those areas (in your end-to-end processes) where the likelihood of higher exceptions has increased. 
  2. Develop a plan for stepped-up monitoring to proactively identify where control gaps may exist.  Ensure the timing of your plan is reasonable (e.g., perhaps not the day loan forgiveness processing begins).  Adjust your Compliance Schedule accordingly, and be prepared to discuss and support the reason for the change. 
  3. Present resultant control gaps, if any, to the Compliance/Audit Committee (or other Risk/Governance Committee) in your organization.  Discuss and agree on action plans that are reasonable and address the root cause. 
  4. Where customer restitution may be necessary, identify those areas and ensure necessary action is taken within a reasonable period.

Finally, be prepared to demonstrate that you have identified the potential impact on your organization and put reasonable protocols in place to identify, detect and address issues as they arise.   And, remember:

  • Be upfront about the impacts on your organization.
  • Provide auditors and examiners your modified Enterprise (or Compliance) Risk Assessment, updated to include PPP impact. 
  • Discuss where your management team has identified the need to do stepped-up monitoring and plans to address any gaps.  Share related reporting to governance committees and the Board.
  • Follow through on what you commit to addressing within the timelines that you commit to.


An examination concludes.  Auditors depart.  Consultants request the last file to review.  And all go about their merry way.  Fast forward, the next audit or exam begins, your Corrective Action Tracking log is requested, and the scramble begins to get it up to date.

When it comes to identifying or detecting an opportunity to enhance a policy, procedure, process or protocol, how your institution documents, tracks, reports and resolves control gaps or areas where enhancements may be required is very important. 

Our advice to you, particularly important today, is to create a centralized Corrective Action Log.  The log can include as many attributes as your institution desires, though, at a minimum, the following should be considered:

  • Source (Regulatory Agency, Audit Group, Internal Compliance Group/Associate, or Consultant)
  • Dates (Identified, Assigned, Due/Target date, Completed)
  • Issue Description (Verbatim from the source, not paraphrased)
  • Person(s) Responsible (Include necessary support, vendor and/or IT resources, as appropriate)
  • Status (Include as much detail as possible; track status to target dates at least monthly, more often as the risk warrants)
  • Timeline (Target Completion/Resolution Date)

Depending on the organization’s size, high-risk issues should be given 30 days to one quarter.  Escalate to the Board issues that do not have sufficient traction or resources necessary to achieve target dates.  Often, the Board is able to assist with a solution that considers available human and financial resources, including the need to outsource or use consultants for assistance.

  • Comments (Add notes that are necessary and perhaps unique to your organization.  If timelines are delayed or not being met, this is a great place to document the justification)

Most importantly, keep the Corrective Action Tracking Log current, and include it as a standing agenda item in your periodic Compliance/Audit reporting to the Board.  Minutes should reflect the discussion of the Corrective Action Log status.


Home Mortgage Disclosure Act (HMDA)

Note: Effective January 1, 2020, the permanent threshold for collecting and reporting data about open-end lines of credit went from 100 to 200, when the current temporary threshold of 500 open-end lines of credit expires.  Regarding open-end lines of credit, the CFPB noted that last October it extended the temporary open-end threshold until Jan. 1, 2022.  A link to the ruling follows:

OCC Issues New UDAAP Examination Procedures 

The OCC published new Examination procedures and guidelines that provide a new layer of insight into potential UDAAP compliance implications throughout organizations. 

We strongly recommend that organizations consider adding a segment to their next Compliance/Governance Committee meeting that is dedicated to addressing pertinent points with their leadership teams.  This should also be extended to employees in the form of job-based training.  A link follows:

Joint Community Reinvestment Act Statement Issued; Underserved Areas Further Defined

The FDIC, FRB and OCC issued a Joint Statement on CRA Consideration for Activities in Response to COVID-19. The issuance encourages financial institutions to work with affected customers and communities, particularly those that are low- and moderate-income (LMI), noting that the agencies will provide favorable consideration under the CRA for certain retail banking services, retail lending activities and community development activities related to this national emergency.  The FDIC’s FIL-19-2020 reports that this statement will be effective through the six-month period after the national emergency declaration is lifted, unless extended by the agencies. A link follows:

The CFPB also issued an interpretive rule to provide additional guidance on how “underserved areas” are defined during a given calendar year.  A link follows:

New Regulation CC Guidance Effective

Effective July 1, 2020, the following Regulation CC changes took effect:

  • Immediate Availability $200 Rule [§229.10(c)(1)(vii)]:  The minimum amount of deposited funds that must be made available for withdrawal increased from $200 to $225.
  • Invoked $400 Rule [§229.12(d)]: The amount that must be made available for withdrawals by cash or other means (if the Bank elects to invoke this option) increased from $400 to $450.
  • New Account Exception [§229.13(a)]: The amount of funds deposited by certain checks in a new account that are subject to next-day availability increased from $5,000 to $5,525.
  • Large Deposit Exception [§229.13(b)]: The threshold for using an exception to the funds-availability schedules if the aggregate amount of checks on any one banking day exceeds the threshold amount increased from $5,000 to $5,525.
  • Repeat Overdraft Exception [§229.13(d)(2)]: The threshold for determining whether an account has been repeatedly overdrawn increased from $5,000 to $5,525.

We encourage a quick temperature check to make sure that client hold notice templates, system settings for automatic hold placement, and terms and conditions have been updated to comply.  We also recommend that you check with your IT group and/or system vendor to make sure that the capability to generate hold reporting that includes the hold placement date, reason and hold release date is available to you.

CFPB Slightly Eases Regulation X (COVID-19) Loss Mitigation and Credit Reporting Implications

The CFPB issued an interim final rule to clarify that mortgage servicers will not violate Regulation X by offering certain loss mitigation options during the COVID-19 pandemic.  Under normal circumstances, Regulation X would require servicers to collect a complete loss mitigation application before making an offer to a borrower who has submitted an incomplete loss mitigation application. 

Regarding forbearance and related credit reporting:

  • Under the CARES Act, borrowers with federally backed mortgage loans experiencing a financial hardship due, directly or indirectly, to the COVID-19 emergency, may request a forbearance by making a request to their mortgage servicer and affirming that they are experiencing a related financial hardship.  A forbearance under the CARES Act qualifies as a short-term payment forbearance program under Regulation X.
  • If a mortgage servicer provides a borrower a short-term forbearance payment option, the agencies do not intend to take supervisory or enforcement action for failing to meet certain timing requirements for consumer communications related to incomplete application acknowledgement, loss mitigation and early intervention, or annual escrow. The Act requires lenders to report to credit bureaus that consumers are current on their loans if consumers have sought relief from their lenders due to the pandemic.  The CFPB’s statement informs lenders they must comply with the CARES Act.  It encourages lenders to continue to voluntarily provide payment relief to consumers and to report accurate information to credit bureaus relating to this relief. 

A link to the rule follows, together with the Joint Statement on Supervisory and Enforcement Practices Regarding the Mortgage Servicing Rules in Response to the COVID-19 Emergency and the CARES Act:

Appraisals Suspended for 120 Days for Certain Transaction Types

The FRB, FDIC and OCC issued an interim final rule to temporarily defer real estate-related appraisals and evaluations under the agencies’ interagency appraisal regulations for real estate-related financial transactions affected by COVID-19.  The agencies are deferring certain appraisals and evaluations for up to 120 days after closing of residential or commercial real estate loan transactions.  Transactions involving acquisition, development or construction of real estate are excluded from this interim rule.  The NCUA recently considered and adopted this rule.  These temporary provisions will expire on December 31, 2020, unless extended by the federal banking agencies.  In addition, the agencies, together with National Credit Union Administration and Consumer Financial Protection Bureau, in consultation with the Conference of State Bank Supervisors, issued a joint statement to address challenges relating to appraisals and evaluations for real estate-related financial transactions affected by COVID-19.  Links to both statements follow:

Interim Rule Temporarily Lifts Six-Per-Month Limit on Savings Transfers (Regulation D)

The FRB issued an interim final rule to amend Regulation D to delete the six-per-month limit on convenience transfers from the “savings deposit” definition. The interim final rule allows depository institutions to suspend enforcement of the six transfer limit and to allow their customers to make an unlimited number of convenience transfers and withdrawals from their savings deposits at a time when financial events associated with the coronavirus pandemic have made such access more urgent.  The regulatory limit in Regulation D was the basis for distinguishing between reservable “transaction accounts” and non-reservable “savings accounts.”  The Board’s recent action reducing all reserve requirement ratios to zero has rendered this regulatory distinction unnecessary.  Concurrently, the FRB made temporary revisions to the FR 2900 series, FR Y-9, and FR 2886b reports to reflect the amendments to Regulation D.  A link follows:

B&I Guaranteed Loan Program Authorized by Rural Development Act Updated

Effective May 22, 2020, the RBCS, a Rural Development agency of the United States Department of Agriculture (USDA), issued an interim final rule to update the Business and Industry (B&I) Guaranteed Loan Program to allow flexibility to make available federal funds for guaranteed loans pursuant to the CARES Act in response to the COVID-19 pandemic.  The B&I Guaranteed Loan Program was authorized by the Rural Development Act of 1972.  The loans are made by private lenders to rural businesses for the purpose of creating new businesses, expanding existing businesses, and for other purposes that create employment opportunities in rural America.

The Rural Business-Cooperative Service (RBCS) is responsible for administering the B&I Guaranteed Loan Program.  Rural Development is a mission area within the USDA comprised of the Rural Utilities Service, Rural Housing Service and RBCS.  Its mission is to “increase economic opportunity and improve the quality of life in rural communities by providing the leadership, infrastructure, access to capital, and technical support that enables rural communities to prosper”.  To achieve its mission, Rural Development provides financial support through more than 40 programs including direct loans, grants, loan guarantees, and technical assistance to help improve the quality of life and provide the foundation for economic development in rural areas.  A link to the interim rule follows:

CFPB Announces Higher Than Ever Complaints; FTC Makes Certain State-Level Complaint Data Available

The CFPB recently stated that they have received “higher than ever” complaint volumes in March and April 2020, which means the likelihood of examiner focus naturally increases.  Many of us would likely agree that Complaint logs can be difficult to entirely rely on, (primarily) because of:

  • Employee uncertainty about what constitutes an “inquiry” versus a “complaint”
  • Decentralized, manual complaint receipt and handling

While there is no perfect one-size-fits-all solution, there may be an opportunity to modify certain practices to optimize complaint management.  Consider these processes to assess whether they are well-documented and being administered as intended:

  • How complaints are received and whether the means for capturing and tracking complaints from any of these sources is sound (e.g., website only, centralized email box or phone, through individual relationship managers, etc.).
  • Whether all employees know what constitutes a complaint versus an inquiry, and that employees know whom to contact when a complaint is received.
  • Compliance should (ideally) have a view of all complaints to affirm decisions on those that do or do not have potential compliance implications.
  • Review publicly available CFPB complaint data to ensure there are no complaints posted publicly that are excluded from the Bank’s Complaint Tracking Log/Database.  
  • Consider how and where complaints are recorded (e.g., in a log on a shared drive, or submitted to a centralized area or person in the Bank to record them, etc.) and whether they are easily accessible.
  • Include complaint tracking in regular Compliance/Governance committee reporting. Trends should be analyzed to determine whether broader impacts exist that may require a root cause analysis or to potentially make a customer whole. 

A link to the CFPB complaint search tool follows:

A link to the state-level complaint data made available by the FTC also follows:

FRB Extends S.A.F.E. Act Registration from One to Three Years

Section 1504 of the S.A.F.E. Act (12 U.S.C. 5103) requires that mortgage loan originators (MLOs) maintain their registration annually. The final rule requires that a registered mortgage loan originator must renew his or her registration with the Registry during the annual renewal period.  In accordance with the S.A.F.E. Act, the CFPB’s Regulation G requires MLOs to register with the Nationwide Mortgage Licensing System (NMLS), maintain this registration, obtain a unique identifier, and disclose to consumers upon request and through the Registry their unique identifier and the MLO’s employment history and any publicly adjudicated disciplinary and enforcement actions.  The CFPB’s regulation also requires the institutions employing MLOs to adopt and follow written policies and procedures to ensure that their employees comply with these requirements and to conduct annual independent compliance tests.

On May 11, 2020, the FRB adopted a proposal to extend for three years, without revision, the Registration of Mortgage Loan Originators (CFPB G; OMB No. 7100-0328).  A link follows:

CFPB Publishes Additional TRID Guidance

The CFPB has published additional guidance related to the TILA-RESPA Integrated Disclosure (TRID) Rule:

The CFPB also issued interpretive guidance that allows for the pandemic to be classified as a “changed circumstance” on a Loan Estimate and allows for loan consummation before the end of the TRID rescission period, noting a “bona fide personal financial emergency”.  A link follows:

Remittance Transfers Rule Updated (Regulation E)

ECOA Valuations Rule FAQs Issued

The CFPB issued two fact sheets on the ECOA Valuations Rule in response to frequently asked questions. The fact sheets provide information on transaction coverage under the Rule, and delivery method and timing requirements for appraisals and other written valuations.  The CFPB also issued FAQs pertaining to Mortgage Origination related to COVID-19.  Links follow:

FCRA FAQs Issued

The CFPB issued a Compliance Aid to assist with credit reporting to consumer reporting agencies during the pandemic.  A link follows:

Temporary Leverage Relief:  CFPB Issues Clarifying Adverse Action Guidance for PPP Loans

A link follows to the CFPB Adverse Action guidance, to include when the Regulation B clock starts and stops for SBA PPP applicants:

FFIEC Makes New Census Data Available

The FFIEC website has been updated to include 2020 Census Data Products and updated Geocoding/Mapping information.  A link follows:

Updated Manual, Proposed Revisions to Flood Disaster Protection Act Requirements

The FDIC, FRB, OCC, NCUA and FCA (Agencies) recently issued proposed new and revised Interagency Questions and Answers Regarding Flood Insurance (Interagency Questions and Answers).  The proposal seeks to incorporate into the Interagency Questions and Answers amendments to federal flood insurance laws regarding the escrow of flood insurance premiums, the detached structure exemption, and force placement of insurance. The document is intended to help lenders meet their responsibilities pursuant to the federal flood insurance laws that were last updated in 2011.  A link to the proposed revisions follows.  The FDIC also updated its manual regarding the assessment of mandatory Civil Money Penalties for violations of certain aspects of this Act.  A link follows:

CFPB Requests Input on Ways to Prevent Credit Discrimination

On July 28, 2020, the CFPB issued a request for information (RFI) to seek public input on how best to create a regulatory environment that expands access to credit and ensures that all consumers and communities are protected from discrimination in all aspects of a credit transaction.  The information provided will reportedly help the CFPB continue to explore ways to address regulatory compliance challenges while fulfilling the Bureau’s core mission to prevent unlawful discrimination and foster innovation.  A link follows:


PPP Fraud and Arrest

According to the U.S. Department of Justice, two businessmen were charged with allegedly filing fraudulent bank loan applications in pursuit of more than $500,000 in forgivable loans guaranteed by the SBA PPP.  The men were formally charged by way of a federal criminal complaint with conspiracy to make false statements to influence the SBA and conspiracy to commit bank fraud. Additionally, one of the men is charged with aggravated identity theft.  According to court documents, the fraudulent loan requests were to pay employees of businesses that were not operating prior to the start of the COVID-19 pandemic and had no salaried employees, or, in one instance, to pay employees at a business the loan applicant did not own.  A link to the action follows:

CEO, Firm Plead Guilty to Bank and Securities Fraud

Noise surrounding fraud has gotten a bit louder in recent months.  Although we will not detail each allegation on this topic, we thought it might be useful to highlight one of the more involved cases.  Certain control gaps may come to mind that your organization may want to consider while continuing to manage and enhance the overall control environment.   

Secondary market investors are increasingly concerned about asset quality of loan pools involving jumbo and larger dollar residential loan offerings.  There were some interesting tidbits in a local summary of the subject fraud that may raise your audit radar.  A link to the press release also follows.

In summary, the Chief Executive Officer of consulting firm Cash Flow Partners LLC pleaded guilty to one count of conspiracy to commit bank fraud and one count of securities fraud in a multi-million dollar scheme operated through the company, according to a release shared by the Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG).  The release, based on one issued by the Justice Department, says that the CEO pleaded guilty by videoconference before U.S. District Judge Kevin McNulty.  The release states:

  • Beginning at least as early as July 2016, through about September 2019, the CEO led and directed a bank fraud conspiracy designed to obtain millions of dollars in loans from banks on the basis of false representations.  To attract customers, Cash Flow released internet advertisements and held seminars offering to assist customers with low-paying salaries in obtaining loans.  These advertisements included promotional videos featuring the CEO and a former telenovela actor.
  • Customers contacted Cash Flow and were routed to the company’s sales department, where employees encouraged customers to sign up for various loan programs that Cash Flow provided and to enter into contracts with Cash Flow.  Under those contracts, employees would help customers obtain loans from banks.  The Cash Flow contracts permitted customers to keep a portion of the loan proceeds and customers agreed to provide the remaining proceeds to Cash Flow.  Cash Flow agreed to pay off the loans on behalf of its customers.
  • Cash Flow then used false information and fraudulent documents to obtain loans for its customers for which they otherwise would not have qualified and posed as the customers in communications with the banks.
  • From July 2016 through September 2019, the CEO obtained more than $5 million in investments from victim investors based on fraudulent representations.  He solicited investments from prospective customers using a marketing campaign on Spanish language television channels and the internet, the “Cash Flow TV” YouTube page, and live presentations in Cash Flow’s offices and elsewhere.  He also solicited investments from individuals who obtained loans through Cash Flow’s bank fraud conspiracy, encouraging loan customers to invest loan proceeds in Cash Flow’s investment program.
  • Once investors agreed to invest in Cash Flow, Espinal issued “promissory notes” to investors that guaranteed monthly investment returns between 1.25% and 4%.  The promissory notes stated that Cash Flow would return investors’ principal either one year from the date of the promissory note, or 60 days after investors demanded payment.  The CEO and other Cash Flow employees signed the promissory notes on behalf of Cash Flow.
  • The CEO made a number of misrepresentations to investors. He told investors that he would pool their funds with other investors’ funds in investments related to real estate, real estate companies, a gold mine in Ecuador, and construction projects in other countries.  In reality, the CEO used investor funds to pay returns to earlier investors, pay for personal expenses for himself, his family and another Cash Flow employee, perpetuate the bank fraud scheme, and market the bank fraud and investment scheme to future victims.

The conspiracy to commit bank fraud charge carries a maximum potential penalty of 30 years in prison and a $1 million fine.  The securities fraud counts carry a maximum penalty of 20 years in prison and a $5 million fine.  The release, which also credits the FDIC OIG and others for their part in the investigation, said sentencing is scheduled for Oct. 13, 2020.  A link to the release follows:

Note:  For additional insights on the steps we have taken to assist our clients in operating in this challenging COVID-19 pandemic environment, please see our website:

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our financial institution clients. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for a Compliance audit, please contact Celeste Burton, Compliance Practice Director, AuditOne LLC.

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see