AuditOne LLC Q3 Compliance Advisory

AuditOne Advisory

From Bud Genovese, Chairman

Our firm’s Compliance Practice Director has written a timely Q3 Compliance Advisory. This issue covers Mobile Banking, an increasingly core banking feature that is changing the way financial institutions do business with customers every day. Notable Regulatory Enactments & News, changes On The Horizon, and Recent Enforcement Actions have also been included for your awareness. I hope you enjoy it, and please feel free to forward to other appropriate people in your financial institution. And remember, when you need up-to-date, industry-recognized risk management expertise for internal audit, credit review, and certified technology services, contact the best in the business… AuditOne. Thank you, –Bud


In layman’s terms, Mobile Banking is any type of banking or financial service that is provided through mobile devices such as phones, laptops and other wearables/mobile technology. Mobile Banking features are now being used for everyday banking functions including account balances, transfers, deposits, wires, and bill payments.

The overall benefit? Higher customer engagement and profitability are the benefits most commonly cited to date:

  • “Our data shows customers who adopt mobile banking increase their balances on deposit, decrease their attrition and see their overall profitability rise very clearly. Compared over time to other customers who had identical profiles but did not go mobile when they did, they become more profitable.” Andres Wolberg-Stok, Global Mobile and Tablet Banking Director, Citi Consumer Banking; American Banker – Bank Technology
  • “The high levels of engagement engendered by digital banking translated into improved financial outcomes for banks, with online and mobile consumers proving 61% more profitable than offline customers, says Intuit.”  FinExtra
  • “For financial institutions, mobile banking creates efficiencies, cost savings, drives customer loyalty, engages new segments and offers real-time solutions. For consumers, mobile banking offers a consistent experience, improved speed of information and empowerment.” Nielsen

For financial institutions that may be contemplating the integration of Mobile Banking into existing operations, we recommend a formal integration effort. Ideally, the effort should include a Project Manager, Project Sponsor, and detailed Project Plan – with a mix of Technology, Operational, and Compliance resources to ensure both a seamless customer experience and compliance with applicable regulatory guidance. Key processes and functionality to consider follow:

  1. Features
    • Deposits (Validation checks to prevent duplicate deposits; Email receipts with check images; transaction limits; immediate availability of funds; ability to take photo & deposit check)
    • Payments (Instant payment capability positioned against Venmo/PayPal)
    • Collections (Accessing contacts on phone to add Payee)
    • Transaction limits
  2. Agreements/Terms & Conditions (including E Banking capabilities such as Security, E-Sign, Consent to access features on user’s phone, device shut off if lost/stolen, and Privacy)
  3. Authentication (device fingerprint/ user name & password for login)
  4. Account Opening forms/disclosures
  5. Information Security/Privacy (Data Sharing/Storage, Malware detection, Shared devices, turn-off capability if lost/stolen)
  6. Functionality (Chat, SMS, Biometrics, Push notifications)
  7. Marketing/Advertising
  8. Monitoring (returned emails)

While technology is attractive, it is of course not without regulation.  Below is a list of applicable guidance that should be considered when implementing Mobile Banking capabilities:

  • FFIEC – Internet Banking Authentication (2005 & 2011 supplement); Mobile Financial Services Risk Management (IT Exam Handbook, Appendix E, issued April 2016)
  • CFPB – Tips to Consumers when Using Mobile Devices (June 2013)
  • CFPB – Inquiry into Mobile Financial Services (RFI issued June 2014, comments submitted Sept. 2014)
  • Telephone Consumer Protection Act requirements/FCC – TCPA Declaratory Ruling (July 2015)
  • Remittance Transfer Rule – provisions about disclosures made on a mobile device (see Regulation E §1005.31)
  • BSA/AML implications (use of geo-location services to monitor for suspicious activity)/OFAC risks
  • NACHA Rules for Payment to Payment (P2P) systems
  • Americans With Disabilities Act (ADA): the Department of Justice expects websites and mobile applications to be accessible to users with disabilities and will enforce compliance. DOJ rules are expected in 2017-2018; DOJ issued a Supplemental Advance Notice of Proposed Rulemaking in May 2016
  • Web Content Accessibility Guidelines 2.0 (WCAG 2.0)
  • Web accessibility standards for federal government agencies (Section 508 of the Rehabilitation Act)
  • FTC – .com Disclosures (updated March 2013)
  • FTC – Mobile Privacy Disclosures (Feb. 2013)
  • CA Attorney General – Privacy on the Go (Jan. 2013)
  • Regulation Z – specific font size requirements for open-end credit disclosures (Regulation Z §1026.6(b)(2)(i))
  • State laws on biometrics
  • Consumer concerns (NCLC paper, March 2016)
  • Privacy/GLBA
  • DOJ rules – website and mobile accessibility (expected 2017-2018)

We recommend that clients consult legal counsel, as appropriate, for forms, disclosures and other areas with potential legal impact.


Military Lending Act

The Department of Defense (DOD) issued a final rule, amending the implementing regulations of the Military Lending Act of 2006 (MLA), that “expands specific protections provided to service members and their families, and addresses a wider range of credit products than the DOD’s previous regulation.” The Final Rule extended MLA protections to a much wider range of credit products, including credit cards; modified the MAPR to include fees for credit-related ancillary products sold in connection with the credit transaction, finance charges associated with consumer credit, and certain application and participation fees (for credit cards, the MAPR excludes certain fees if bona fide and reasonable); provided a safe harbor for creditors ascertaining whether a consumer is covered by the final rule’s protections; modified the existing prohibition on rolling over, renewing or refinancing consumer credit; and subjected creditors to civil liability and administrative enforcement for MLA violations. There are three primary differences between the MLA and the SCRA:


1) The MLA excludes loans secured by real estate and purchase-money loans, including a loan to finance the purchase of a vehicle.

2) The MLA limits interest rates and fees to 36 percent MAPR (Military Annual Percentage Rate), whereas the SCRA caps interest rate charges, including late fees and other transaction fees, at 6 percent.

3) The SCRA requires that disclosures be provided by mortgage servicers on mortgages at 45 days of delinquency. This disclosure must be provided in written format only, whereas the MLA requires the following disclosures both orally and in a written format the borrower can keep:

  • MAPR statement
  • Payment obligation descriptions
  • Other applicable Regulation Z disclosures.

FDIC-supervised institutions and other creditors were required to comply with the rule for new covered transactions beginning October 3, 2016. This includes compliance with the Defense Department rule requiring an independent determination of whether a consumer is a covered military member or a dependent of a military member, also effective October 3, 2016. A link to the issuance follows:


BSA/AML: Beneficial Ownership

FinCEN’s final rules under the Bank Secrecy Act, requiring enhanced due diligence to identify the beneficial owners of legal entity customers, became effective July 11, 2016. The guidance is over 60 pages. There are essentially three new requirements, which translate into an extension of an institution’s current CDD review. Those requirements pertain to:


  1. How beneficial owners are identified and verified,
  2. How the nature and purpose of the customer relationship is ascertained; and,
  3. Ongoing monitoring to report any related suspicious transactions and maintain current customer risk profiles.

Covered financial institutions are required to comply by May 11, 2018. A link to the issuance follows:


New Loan Application

Fannie Mae and Freddie Mac redesigned the Uniform Residential Loan Application (URLA), in part to accommodate the new data fields required by recently implemented HMDA requirements. A “Demographic Information Addendum” was also created to replace Section X of the existing URLA, for use by institutions that are not prepared to use the new URLA on January 1, 2018. On the current URLA, Section X will need to be crossed out or otherwise deleted. For forms and more information, visit the following webpage:

Lenders are not required to use the form until January 1, 2018 but have the option of using it earlier if preferred.


CRA Interagency Q&A

The OCC, FRB and FDIC (the Agencies) issued revised Interagency Questions and Answers Regarding Community Reinvestment Act. The new guidance was issued to clarify 9 of the 10 proposed questions and answers (Q&As), revise four existing Q&As and adopt two new Q&As. Technical corrections were also made. The changes became effective July 25, 2016. A link to the issuance follows:



HMDA Warning Letters

On October 27, 2016, the CFPB announced that it is issuing warning letters to 44 mortgage lenders and mortgage brokers stating that it “has information that appears to show that your company may not be in compliance with certain provisions of the Home Mortgage Disclosure Act (HMDA) and its implementing regulation, Regulation C.”



Cybersecurity

On October 25, 2016, FinCEN issued an Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime in response to the increase in such activity. The advisory covers: reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs); including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs; collaboration between BSA/Anti-Money Laundering (AML) units and in-house cybersecurity units to identify suspicious activity; and sharing information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime. A link to the issuance follows:

Regulation Z

The FDIC has updated its technical assistance videos on the Ability-to-Repay and Qualified Mortgages (ATR/QM) Rule. A link to the issuance follows:



The CFPB is looking to amend TRID by April 2017. The comment period ended October 18, 2016. The desired amendments follow:


  • Create a tolerance for the Total of Payments calculation to reduce exposure to extended rescission periods or private liability for minor inaccuracies in the Total of Payments.
  • Clarify TRID applicability to construction loans, building on a webinar provided by CFPB staff on March 1, 2016.
  • Technical fixes and clarifications to the Cash to Close and Projected Payments tables, escrow account disclosures, rounding provisions, and various other technical provisions.
  • Amend the scope of the TRID rule to clarify that it covers loans secured by cooperative units, regardless of whether the cooperative is treated as real property under State law.
  • Clarify how a creditor may provide separate Closing Disclosures to the consumer and the seller to address privacy issues.
  • Expand the exemption for down payment assistance and similar subordinate lien loans often made by housing finance agencies, non-profits, and similar entities.

Insurance Rules

As a result of the response to the initial request for comment, five federal regulatory agencies issued a second request for comment on the joint notice of proposed rulemaking to implement provisions of the Biggert-Waters Flood Insurance Reform Act (Biggert-Waters Act). The proposed rule includes provisions establishing criteria for private flood insurance policies. We encourage participation in this comment process, as it will have a direct impact on existing loan closing processes associated with flood insurance.



Servicing Rule

CFPB published the final Mortgage Servicing Rule on October 19, 2016. The rule will go into effect October 19, 2017; the only exception is the successor-in-interest and bankruptcy periodic statement provisions, which take effect April 19, 2018. In summary, the new rule requires servicers to provide certain borrowers with foreclosure protections more than once over the life of the loan, clarifies borrower protections when the servicing of a loan is transferred, and provides loan information to borrowers in bankruptcy.




Mega Bank – $180 million fine for various BSA violations. Mega Bank is based in Taiwan. Its New York foreign branch received a hefty fine for a series of purported AML violations. If history is any guide, NY’s fine will likely prompt other regulatory bodies to focus more on this area during their reviews. The citations are very strongly worded, and touch upon nearly every aspect of the end-to-end BSA control process. There are also specific transactions that examiners connect to likely money laundering based on external legal and industry factors considered at the time. A link to the regulatory action follows for reference:

Wells Fargo: Hundreds of thousands of accounts secretly created by Wells Fargo Bank employees led to a $185 million CFPB fine. A link to the regulatory action follows for reference:

Santander Bank: CFPB orders the Bank to pay $10 million for illegal overdraft practices. A link to the regulatory action follows for reference: