AuditOne General Compliance Advisory Q1 2019

AuditOne Advisory

From Bud Genovese, Chairman

Legislative and regulatory communities have been bustling. The ongoing implementation of changes associated with the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) and the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) has created an onslaught of new committees and workgroups, Frequently Asked Questions (FAQ) updates and supplementary regulatory guidance. Enforcement actions targeting misleading and deceptive practices appear to be on the upswing. And, for the first time since the General Data Protection Regulation (GDPR) took effect, a US technology company was fined for violating Europe’s data privacy rules.

Within this issuance, we cover key Dodd-Frank updates, new Prepaid Account Rules, what’s behind the 37% rise in reported fraud in 2018, and other noteworthy regulatory developments and enforcement actions.

This Quarterly General Compliance edition has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. We hope you enjoy! – Bud


RESPA Servicing Rule


Effective April 1, 2019, the CFPB amended Regulations E and Z to extend consumer protections to prepaid accounts. These amendments are known as the Prepaid Accounts Rule and apply to the following:

  • An account that is marketed or labeled as “prepaid” and is redeemable upon presentation at multiple, unaffiliated merchants for goods and services or usable at automated teller machines (ATMs); or
  • An account that meets all of the following:
    (1) Is issued on a prepaid basis in a specified amount or is capable of being loaded with funds after issuance;
    (2) Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, to conduct transactions at ATMs, or to conduct person-to-person (P2P) transfers; and
    (3) Is not a checking account, a share draft account, or a negotiable order of withdrawal (NOW) account.

However, an account that satisfies one or both of these tests is not a prepaid account if it is any of the following:

  • An account loaded only with funds from a health savings account, flexible spending arrangement, medical savings account, health reimbursement arrangement, dependent care assistance program, or transit or parking reimbursement arrangement;
  • An account that is directly or indirectly established through a third party and loaded only with qualified disaster relief payments; a gift certificate; a store gift card; a loyalty, award, or promotional gift card; a general-use prepaid card that is both marketed and labeled as a gift card or gift certificate; or an account established for distributing needs-tested benefits in a program established under state or local law or administered by a state or local agency.


  • The P2P functionality of an account established by or through the U.S. government is not a prepaid account if the account’s primary function is to conduct closed-loop transactions on U.S. military installations or vessels, or similar government facilities.
  • Under the existing definition of account in Regulation E, an account is subject to Regulation E only if it is established primarily for a personal, household, or family purpose. Therefore, an account established for a commercial purpose is not deemed a prepaid account.
  • Under the existing definition in Regulation E, an account held under a bona fide trust agreement is not an account subject to Regulation E and is therefore not deemed a prepaid account.

Available Resources

Regulators developed the following chart to help institutions determine Prepaid Account Coverage:

Technical specifications can be accessed here:

Effective Dates

  • On Jan. 25, 2018, the CFPB issued a final rule modifying several aspects of the prepaid accounts rule and extending the overall effective date to April 1, 2019.
  • On Feb. 27, 2019, the CFPB issued technical specifications for submissions of prepaid account agreements pursuant to the prepaid accounts rule.

The Prepaid Rule does not require financial institutions to pull and replace prepaid account access devices or packaging materials that were manufactured, printed, or otherwise produced in the normal course of business prior to October 1, 2017. The Prepaid Rule does, however, require in certain circumstances that financial institutions provide to consumers notice of certain changes in terms and updated initial disclosures as a result of the Prepaid Rule taking effect. The Prepaid Rule also provides an accommodation for financial institutions that, on the effective date, do not have readily accessible data necessary to comply with the full requirements for providing electronic and written account transaction histories or summary totals of fees. A financial institution may make available such histories and summary totals using the data for the time period it has until it has accumulated the data necessary to fully comply with the requirements.


For the first time since the regulation took effect, a US technology company was fined for violating Europe’s data privacy rules. Although this applies most directly to the technology sector, expanded mechanisms for loan offerings increase the possibility of unknown applicability. It’s certainly worth a closer look at privacy disclosure language for nuances, particularly as talk of a US equivalent to the GDPR seems to be picking up steam.

A link follows:


According to the Federal Trade Commission (FTC), people reported losing $1.48 billion to fraud last year – an increase of 38% over 2017. Some interesting highlights:

  • Ranked at the top were imposter scams, debt collection, and identity theft.
  • The age of those who formally reported fraud may surprise you: 43% of people in their 20s reported a loss to that fraud, while only 15% of people in their 70s did.
  • Scammers like to get money by wire transfer – for a total of $423 million last year. That was the most of any payment method reported, but we also saw a surge of payments with gift and reload cards – a 95% increase in dollars paid to scammers in 2017.
  • Credit card fraud on new accounts was up 24%. In fact, misusing someone’s information to open a new credit card account was reported more often than any other form of identity theft in 2018.
  • The top three states for fraud were Florida, Georgia and Nevada. The top three for identity theft reports were Georgia, Nevada and California.

A link to the study follows:


Bureau of Consumer Financial Protection (BCFP) reverts to original name, except…

In April 2018, the Acting Director of the CFPB (the Bureau), Mick Mulvaney, changed the name to the BCFP, noting that the “CFPB no longer exists”. For much of 2018, rebranding was underway until December 2018, when the new Director, Kathy Kraninger, backed away from the name change, while noting that changing the name “would make it harder for consumers to find the agency’s website, file complaints, and seek help”. As of December 2018, Director Kraninger announced that she has “officially halted all ongoing efforts to make changes to existing products and materials related to the name correction initiative”, estimated to have cost upwards of $15 million. There is an exception, however. The BCFP title will still be used as an “internal nickname” within the organization. Stay tuned.

TILA-RESPA Integrated Disclosure (TRID) Rule

In March 2019, the CFPB published updated FAQs for TRID. Four additional questions were added pertaining to closing disclosures, the three-day waiting period, and model forms. A link follows:

Audit Committees

In January 2019, the International Organization of Securities Commissions (IOSCO) issued a report on “Good Practices for Audit Committees in Supporting Audit Quality” that outlines the role Audit Committees are expected to play in fostering high-quality audits for publicly listed companies. Although the intended audience is publicly listed companies, the principles within can be easily applied to the Audit Committee of any financial institution as a form of self-assessment. A link to the report follows:

HMDA Reporting

On January 31, 2019, the CFPB published “Reportable HMDA Data: A Regulatory and Reporting Overview Reference Chart for Data Collected in 2019”. The chart is designed to be a reference tool for data points that are required to be collected and reported. A link follows:

The Bureau also published policy guidance for HMDA data compiled in or after 2018, as follows:

Community Reinvestment Act (CRA)

The FFIEC released version 2019 for the CY 2019 CRA data due March 2, 2020. A link follows:

Suspicious Activity Report (SAR) Analysis/Elder Financial Abuse

In February 2019, the CFPB released a report about key facts, trends and patterns revealed in SARs involving elder fraud filed by banks, credit unions, money transmitters, and other financial service providers.

The Bureau analyzed 180,000 SARs filed with the Financial Crimes Enforcement Network (FinCEN) from 2013 to 2017. The effort was birthed out of the increasing number of older customers falling prey to “financial exploitation by perpetrators ranging from offshore scammers to close family members”.

Notable findings:

  • SAR filings on elder financial exploitation (EFE) quadrupled from 2013 to 2017.
  • More than half of the SARs involved a money transfer. The second-most common financial product used to move funds was a checking or savings account (44%).
  • Money services businesses (MSB) have filed an increasing share of EFE SARs. In 2016, MSB filings surpassed depository institution (DI) filings. In 2017, MSB SARs comprised 58% of EFE SARs, compared to 15% in 2013.
  • Financial institutions reported a total of $1.7 billion in suspicious activities in 2017, including actual losses and attempts to steal older adults’ funds.
  • For SARs involving a loss to an older adult, the average amount lost was $34,200.
  • One third of the individuals who lost money were aged 80 or older. Adults aged 70 to 79 had the highest average monetary loss ($45,300).

A link follows:

Fair Lending

On February 8, 2019, the Bureau issued its sixth Fair Lending Report to Congress. The report describes the CFPB’s fair lending activities in prioritization, supervision, enforcement, rulemaking, interagency coordination and outreach for calendar year 2017. A link follows:


In January 2019, regulators issued a joint final rule governing private flood insurance acceptance, effective July 1, 2019. It implements the Biggert-Waters Act provision that requires federally regulated lending institutions to accept private flood insurance policies that meet certain statutory criteria. In addition to placing the onus on the lender to determine whether a policy meets the new requirements, if the following statement is included in the flood insurance policy the institution is allowed to accept the insurance without additional review: “This policy meets the definition of private flood insurance contained in 42 U.S.C. 4012a(b)(7) and the corresponding regulation.”

Finally, the provision opens the doors for the purchase of flood insurance that may be less expensive than policies offered commercially or through the National Flood Insurance Program (NFIP). A link to the rule follows:

Consumer Complaints

The CFPB recently published a “Complaint Snapshot” that highlights trends and data points identified as a result of analyzing consumer complaints submitted between November 1, 2016 and October 31, 2018. The majority of the complaints submitted focused on trouble during the payment process (42%) and struggling to pay mortgage (36%). A link to the document follows:

Fair Debt Collection Practices Act (FDCPA)

In March 2019, the Bureau published its annual FDCPA Report. The Bureau received approximately 81,500 complaints about debt collection in 2018, making debt collection one of the most common consumer complaints. A link follows:


Unfair, Deceptive or Abusive Acts and Practices (UDAAP)

Avant, LLC, an online lending company, settled with the FTC over charges that it engaged in unfair and deceptive lending practices. A link follows:

$1.3 Billion – Office of Foreign Assets Control (OFAC) Violations

UniCredit AG (UCB) was ordered to pay a fine of $1.3 billion for routing illegal payments through US financial institutions for the benefit of the sanctioned entities in ways that concealed those entities’ involvement. According to OFAC, between January 2007 and December 2011, UCB processed over 2,000 payments totaling over $500 million. Banks that were involved in some manner with this scheme are required to establish Settlement Agreements with OFAC as part of a broader commitment to enhance sanctions compliance.

Fair Housing Act

The OCC has assessed a $25 million civil money penalty against Citibank, N.A., for violations of the Fair Housing Act, 42 USC §3601 – 3619, and its implementing regulation, 24 CFR 100. The Bank had a program that offered either reduced interest rates or a credit to closing costs. The program was applied in a manner that excluded certain applicants on the basis of race, color, national origin, and/or sex. A link follows:

USAA Federal Savings Bank

It’s been a while since we’ve seen a combined Electronic Fund Transfer Act (EFTA) and Regulation E order such as the one assessed against USAA. A link follows:

AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security/Cybersecurity, ACH rules Compliance, Operations, Network Penetration Tests, Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Jeremy Taylor, CEO at Contact Us and for information about all of our audit services see