AuditOne General Compliance Advisory: 2019 Q3

AuditOne Advisory

From Bud Genovese, Chairman

Within this Advisory, we cover legislative and regulatory rule changes introduced through July 2020, to assist your organization with strategic planning for compliance governance.  We also discuss recent OCC and CFPB court challenges and introduce an emerging threat known as Synthetic Identity Payments Fraud.  We conclude with commentary on notable compliance developments, public comment requests and enforcement actions.

This Quarterly General Compliance Advisory was prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  I hope you find this article useful, and also please share with your colleagues having responsibilities related to compliance. We hope you enjoy it, thank you!—Bud



The FDIC, FRB and OCC issued an amended rule (the Appraisal Rule) that covers the following:

  • Increases the threshold for residential real estate transactions requiring an appraisal from $250,000 to $400,000.  For transactions exempted by the $400,000 threshold, the Appraisal Rule requires an Evaluation.
  • Incorporates the appraisal exemption for rural residential properties provided by the Economic Growth, Regulatory Relief, and Consumer Protection Act and requires evaluations for these exempt transactions.
  • Requires appraisals for federally related transactions to be subject to appropriate review for compliance with the Uniform Standards of Professional Appraisal Practice (USPAP).

The final rule becomes effective the first day after publication in the Federal Register, except for provisions related to appraisal review and the evaluation requirement related to the rural residential exemption, which become effective on January 1, 2020. A link follows:

The Board of the NCUA also amended its rule to raise the CU threshold for residential real estate appraisals to $400,000, the same as for banks:


The OCC issued a final rule to clarify and streamline its regulation on OREO for national banks and update the regulatory framework for OREO activities at federal savings associations.  In addition to certain technical amendments and provisions, key coverage areas within the changed rule include:

  • How long a national bank or federal saving association may hold OREO
  • Methods for national banks and federal savings associations to dispose of OREO
  • Appraisal requirements applicable to OREO
  • Permissible expenditures on OREO

Certain outdated capital rules that include provisions related to OREO were also removed as part of this OCC issuance.  The final rule is effective December 1, 2019:


The CFPB amended Regulation C to extend the current open-end line of credit HMDA reporting threshold of 500 an additional two years, to January 1, 2022 (effective January 1, 2020).  The CFPB continues to receive industry pressure to make the threshold exemption permanent.
The final rule also incorporates into Regulation C the interpretations and procedures from the interpretive and procedural rule issued by the CFPB in August 2018 (, and further implements the amendments made to HMDA by the EGRCCPA.  The red line version of the final rule follows:
*12 CFR part 1003 implements the Home Mortgage Disclosure Act (HMDA), 12 U.S.C. 2801 through 2810, and includes coverage thresholds that determine whether financial institutions are required to collect, record, and report any HMDA data on closed-end mortgage loans or open-end lines of credit.  The EGRRCPA added partial exemptions from HMDA’s requirements for certain insured depository institutions and insured credit unions from reporting some but not all HMDA data for certain transactions.   The original rule (in October 2015) set the closed-end threshold at 25 loans in each of the two preceding calendar years, and the open-end threshold at 100 open-end lines of credit in each of the two preceding calendar years. However, in 2017, before those thresholds took effect, the CFPB temporarily increased the open-end threshold to 500 open-end lines of credit for two years (calendar years 2018 and 2019). The final rule extends this temporary threshold to January 1, 2022.


The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) amended TILA to add special appraisal requirements for higher-risk mortgages.  Since January 2013, regulators have issued joint rules to allow for certain exemptions, including the new HPML appraisal rules for transactions of $25,000 or less.  These are adjusted annually for inflation, and effective January 1, 2020 the exemption threshold amount increased from $26,700 to $27,200, based on the CPI-W in effect on June 1, 2019.  The  exemption threshold for smaller loans will be adjusted effective January 1 of each year:


Federal bank regulatory agencies finalized a rule to modify the treatment of high volatility commercial real estate (HVCRE) exposures as required by the EGRCCPA.  The final rule clarifies certain terms contained in the HVCRE exposure definition, generally consistent with their usage in the Call Report instructions. The final rule also clarifies the treatment of credit facilities that finance 1-4 family residential properties and the development of land, which is substantially similar to the proposal issued in July.

Finally, the final rule provides banking organizations with the option to maintain their current capital treatment for acquisition, development or construction loans originated between January 1, 2015 and the effective date of the final rule, April 1, 2020.


Regulators are looking to simplify certain aspects of the regulatory capital rulein response to the EGRPRA. The EGRRCPA requires the regulatory agencies to permit certain banking organizations—those predominantly engaged in custody, safekeeping and asset servicing activities—to exclude qualifying deposits at certain central banks from their supplementary leverage ratio.  The supplementary leverage ratio is one of many tools used by the agencies to determine minimum required capital levels and ensure financial stability in the event of stress in the banking system.  It applies only to large or complex internationally-active banking organizations.
Certain banking organizations (referred to as “non-advanced approaches banking organizations”) will now be subject to simplified regulatory capital requirements for certain assets (see below).  The rule only applies to banking organizations that do not use the Advanced Approaches capital framework, which are generally firms with less than $250 billion in total consolidated assets and less than $10 billion in total foreign exposure.  The rule effectively accomplishes the following:

  • Simplifies the capital treatment for mortgage servicing assets, certain deferred tax assets, investments in the capital instruments of unconsolidated financial institutions, and minority interest.
  • Allows bank holding companies and Savings & Loan holding companies to redeem common stock without prior approval unless otherwise required.
  • Makes technical amendments to (and clarifies certain aspects of) the agencies’ capital rule for both non-advanced and advanced approaches banking organizations.

The final rule is effective April 1, 2020.  Revisions to pre-approval requirements for the redemption of common stock and other technical amendments became effective October 1, 2019.  In addition, in October 2019, a rule (effective December 31, 2019) was published that establishes four criteria for determining the applicability of requirements [under the regulatory capital rule and liquidity coverage ratio (LCR)] rule for U.S. banking companies and the U.S. intermediate holding companies of certain foreign banking organizations. A link follows:


The California Consumer Privacy Act (CCPA) of 2018 governs how businesses handle and protect data in California.As noted in our prior Advisory, the CCPA only applies to any business that meets one of the following criteria:

  • A business that earns $25,000,000 a year in revenue.
  • A business that annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices based in California. In other words, if the combined number of records of personal information from California consumers, households and/or devices exceeds 50,000, the law applies to them.
  • A business that derives 50% or more of its annual revenue by selling personal information, even if it involves fewer than 50,000 separate and distinct California entities (consumers, households, and/or devices).

There are some exemptions based on factors such as size and complexity, most of which are covered by Gramm-Leach-Bliley Act and Fair Credit Reporting Act. We recommend consultation with Legal to confirm whether exemptions apply to the full scope of entity operations. 
The CCPA was signed into law by California Governor Jerry Brown on June 28, 2018 and will become effective on January 1, 2020, leaving institutions subject to compliance a relatively small window still to become compliant.  Here’s a link:


Regulation CC, which implements the Expedited Funds Availability Act of 1987 (EFA Act), has been amended as a result of the EGRRCPA.  Key amendments include increasing (from $200 to $225) required next-day availability of the aggregate deposit of local or nonlocal checks and extending coverage to American Samoa, the Commonwealth of the Northern Mariana Islands and Guam. 
The amendments became effective August 24, 2019 (§§ 12 CFR 229.2(c), (ff), and (jj), 229.12(e), 229.43, and 12 CFR Part 1030).  Remaining amendments implement July 1, 2020.   A link follows:


In July 2018, the OCC announced that it would consider charter applications from companies seeking to become special-purpose national banks that would engage in one or more of the core banking activities of paying checks or lending money, but that would not take deposits or be insured by the FDIC.  However, a U.S. District Court Judge recently rendered a decision blocking charters from the OCC for non-depository, special-purpose national banks, commonly referred to as “fintech charters”.  The Judge ruled that the National Bank Act does not give the OCC authority to grant national bank charters to non-depository institutions without a statutory exception.  The question is whether this decision effectively vacates an OCC regulation permitting the charters.  The OCC announced plans to appeal the court’s decision.


The Supreme Court recently decided to consider a case brought by Seila Law, a debt relief company, that the CFPB is unconstitutional in that its director may only be removed by the President for cause and not at will. The plaintiff is arguing that the Supreme Court has “consistently recognized that the Constitution empowers the president to keep federal officers accountable by removing them from office”.  In May 2019, the 9th U.S. Circuit Court of Appeals in San Francisco upheld the CFPB structure, stating the agency’s structure is constitutional under the Supreme Court precedent that has upheld the structure of the Federal Trade Commission. The FTC’s commissioners also are removable only for cause.

Industry opinion on this matter is mixed, though the overwhelming majority agree that some form of change is needed.    Most notably, the American Bankers Association (ABA), the Independent Community Bankers of America (ICBA) and the National Association of Federal Credit Unions (NAFCU) voiced a preference for a multi-member commission to lead the agency, rather than a single director.  (The bank groups have both called for a five-member oversight body.)

Following this ruling, the CFPB decided to no longer defend a provision in the Consumer Financial Protection Act (CFPA) limiting the President’s ability to remove the director for cause. Director Kathleen Kraninger commented on this matter noting that this “does not mean the Bureau will stop its work”, while also pointing to a provision in the CFPA that, should any provision of the bureau’s statute be found unconstitutional, the remainder of the act will not be affected.

While challenges to the CFPB’s existence are not new, this is the first time that the Supreme Court will hear a case that challenges its constitutionality on these grounds.  Stay tuned.


A synthetic identity is created by using a combination of real information (such as a legitimate Social Security number) with fictional information (which can include a made-up name, address or date of birth). Synthetic identities are used to commit payments fraud, which may escape detection by existing identity verification and credit-screening processes.  Over time, fraudsters can build credit and eventually purchase high-value goods and services on credit.  The ability to trace and hold fraudsters accountable is limited because the identities are effectively fake.  Other consequences could include denial of disability benefits, rejection of tax returns, and inaccuracies in health records.

The FRB wrote a white paper designed to “provide information on the current state of synthetic identity fraud, including the scope of the issue, causes, contributing factors, and its impact on the payments industry.”  Here’s a link:


The CFPB is requesting public comment on an assessment it will conduct on the TRID Integrated Disclosure Rule.  As part of its assessment, the CFPB  intends to address the TRID Rule’s effectiveness in meeting the purposes and objectives of Title X of the Dodd-Frank Act, the specific goals of the rule, and other relevant factors.  The public is invited to comment on the feasibility and effectiveness of the assessment plan, recommendations to improve the assessment plan, and recommendations for modifying, expanding, or eliminating the TRID Rule, among other questions. 

The TRID Rule implemented the Dodd-Frank Act’s directive to combine certain mortgage disclosures that consumers receive under TILA and RESPA and requires that all creditors use standardized forms for most transactions.  Creditors are also required to provide loan estimates and closing disclosures within three business days.”  Comments must be received by January 21, 2020.  A link to the notice follows:

CAMEL Ratings

The FDIC and FRB are seeking information and comments regarding the consistency and usage of ratings assigned by the agencies under the Uniform Financial Institutions Rating System (more commonly known as CAMELS ratings).  Comments must be received 60 days after the October 18, 2019 publication.  A link follows:

Credit Risk Review Systems   

The FDIC, FRB, OCC and NCUA are seeking comment on proposed guidance for credit risk review systems. “The proposed guidance discusses sound management of credit risk, a system of independent and ongoing credit review, and appropriate communication regarding the performance of the institution’s loan portfolio to its management and board of directors.”  The proposed guidance updates, as a stand-alone document, the elements of an effective credit risk review system currently contained in the Interagency Policy Statement on the Allowance for Loan and Lease Losses (Attachment 1 – Loan Review Systems), issued in 2006.  Comments must be received by December 16, 2019. A link follows:

The FDIC, FRB, OCC and NCUA are seeking comment on a proposed Interagency Policy Statement on Allowances for Credit Losses. “This proposed policy statement is intended to promote consistency in the interpretation and application of the Financial Accounting Standards Board’s (FASB) credit losses accounting standard, which introduces the current expected credit losses (CECL) methodology.”  The proposed interagency policy statement describes the measurement of expected credit losses using the CECL methodology and updates concepts and practices detailed in existing supervisory guidance that remain applicable.  CECL is effective for most public financial institutions beginning in 2020, and the FASB recently decided to defer the effective date of CECL for most other institutions to 2023. The proposed interagency policy statement would be effective at the time of each institution’s adoption of the credit losses accounting standards.”  A link follows:


The CFPB periodically publishes Supervisory Highlights to share key examination findings and communicate any noteworthy changes to its supervision program, resources, etc.  Below are key highlights from the Summer 2019 publication.

  • Credit card management:  Examiners found that entities failed to clearly and conspicuously provide disclosures required by triggering terms in online advertisements. In some instances, the triggered disclosures were available to consumers via a hyperlink that was not clearly labeled.  In other instances, consumers had to click on multiple hyperlinks and could only view the triggered disclosures after completing an eight-page application.
  • Debt collection:  Examiners found that one or more debt collectors claimed and collected from consumers interest not authorized by the underlying contracts between the debt collectors and the creditors.  In doing so, one or more debt collectors falsely represented to consumers the amount due and authorized, in violation of federal debt collection practices laws.
  • Information furnishers:  Examiners found that one or more information furnishers failed to complete dispute investigations within the required time period.  They found certain disputes where the furnisher(s) received notice from the credit reporting company (CRC) but failed to conduct an investigation or respond to the CRC.
  • Mortgage origination: In one or more examinations, examiners observed that creditors were disclosing inaccurate APRs for closed-end reverse mortgages.  Specifically, the bureau said that while conducting loan file reviews, examiners observed creditors using a unit period of one month instead of one year to calculate the APR, leading to inaccurate calculations, outside Regulation Z’s permissible tolerances.

CFPB Establishes Task Force To Modernize Consumer Financial Laws

The CFPB announced that it will establish a taskforce to examine ways to harmonize and modernize federal consumer financial laws.  The taskforce intends to produce new research and legal analysis of consumer financial laws in the United States.  The primary focus will be on updating the enumerated consumer credit laws (and their implementing regulations) and identifying gaps in knowledge that should be addressed through research, ways to improve consumer understanding of markets and products, and potential conflicts or inconsistencies in existing regulations and guidance.  The taskforce is in its infancy stages, but we will keep a pulse on this for notable announcements.

FinCEN Anti-Money Laundering Remarks

FinCEN Director Kenneth A. Blanco provided remarks at the 12th annual Las Vegas Anti-Money Laundering Conference:

FFIEC IT Examination Handbook Updated

The FFIEC issued the “Business Continuity Management” (BCM) booklet, which is part of the FFIEC Information Technology Examination Handbook (FIL-71-2019). This booklet replaces the Business Continuity Planning (BCP) booklet issued in February 2015.  The BCM Booklet is primarily designed to help examiners determine whether management adequately addresses risks related to the availability of critical financial products and services. 

Key highlights:

  • The change from business continuity planning to business continuity management reflects the expanded role that information technology (IT) plays in supporting business operations and meeting customer expectations.
  • Focuses on assessing an entity’s resilience through an enterprise risk management (ERM) perspective that considers technology, business operations, communication strategies, training, testing, maintenance, and improvement — issues critical to business continuity. The degree of maturity, integration and documentation between the BCM and ERM processes are recommended to be assessed commensurate with the entity’s size, complexity and risk profile.
  • Contains updated procedures to help examiners evaluate the adequacy of an entity’s business continuity management program.

A link to the BCM booklet follows:

U.S. Financial Regulatory Agencies Joins the Global Financial Innovations Network 

The Commodity Futures Trading Commission (CFTC), FDIC, OCC and SEC announced that they are joining the Global Financial Innovation Network (GFIN).  The published statement follows:

U.S. financial regulators have taken proactive steps in recent years to enhance regulatory clarity and understanding for all stakeholders and promote early identification of emerging regulatory opportunities, challenges, and risks. Participation in the GFIN furthers these objectives and enhances the agencies’ abilities to encourage responsible innovation in the financial services industry in the United States and abroad. By promoting knowledge-sharing on innovation in financial services, U.S. members of GFIN will seek to advance financial and market integrity, consumer and investor protection, financial inclusion, competition, and financial stability. Participation in international organizations such as this helps U.S. financial regulators represent the interests and needs of the nation and its financial services stakeholders.

The agencies join 46 other financial authorities, central banks, and international organizations from around the globe that are members of the GFIN to foster greater cooperation among financial authorities on a variety of innovation topics, regulatory approaches, and lessons learned. 

A link to the announcement follows:


Bank fined $275,000 for placing marketing calls to ‘do-not-call’ registrants

An Oregon bank has agreed to pay a $275,000 civil money penalty (CMP) to the FDIC for allegedly placing telemarketing calls to consumers on the “Do-Not-Call” list, and using an automated dialing system to send pre-recorded or text messages to consumers’ cell phones.  Violations cited included the Real Estate Settlement Procedures Act (RESPA) for agreeing to pay and accept fees for the referral of mortgage loans business, and the Telephone Consumer Protection Act related to the telemarketing and cell phone calls.  Link:


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for a Compliance audit please contact Celeste Burton, Compliance Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see