Categories
News

AuditOne Year End Compliance Advisory 2020

AuditOne Advisory

From Bud Genovese, Chairman

The latter half of 2020 ushered in notably fewer new or changing regulations – a welcome pace after a surge in new loan originations following the unprecedented demand for Payment Protection Program (PPP) loans. In this Advisory, we discuss the Agency rule that provided financial institutions temporary relief from compliance and reporting obligations following the recent pandemic. We provide updates on various of the “alphabet soup regulations”, insights on current enforcement trends to assist with 2021 compliance planning, and other noteworthy compliance news and developments, including modifications to how Community Reinvestment Act performance will now be evaluated.

This Compliance Advisory was prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. I hope you find this information useful – please share with your colleagues having responsibilities related to the areas covered in this Advisory. Thank you, — Bud


AGENCIES ISSUE RULE TO EASE REGULATORY BURDEN

Regulatory compliance obligations generally differ based on an institution’s size and complexity of operations. Many financial institutions have experienced unusually high growth due to recent stimulus program offerings such as PPP loans.

Effective December 2, 2020, the FDIC, OCC and FRB issued an interim final rule to temporarily suspend compliance and reporting obligations for community banking organizations that reach increased size thresholds resulting from growth. Impacted institutions will have until January 1, 2022 to either reduce their size or prepare for their new regulatory and reporting standards. The relief applies to national banks, savings associations, state banks, bank holding companies, savings and loan holding companies, and U.S. branches and agencies of foreign banking organizations with under $10 billion in total assets as of December 31, 2019 (collectively, “community banking organizations”) with less than $10 billion in total assets as of December 31, 2019. Consult the threshold matrix in the link to the rule that follows to determine your institutions applicability:

https://www.federalregister.gov/documents/2020/12/02/2020-26138/temporary-asset-thresholds
.
Although the NAFCU was not a part of the original rule, there is a possibility that they may join or issue related guidance in the coming weeks. Consult the following link for the most recent list of NAFCU actions associated with regulatory relief.
https://www.nafcu.org/regrelief.


“ALPHABET SOUP” REGULATORY UPDATES


Regulation C (HMDA)

  • The CFPB issued additional HMDA FAQs covering reporting requirements for various data points, including denials for multiple reasons (which includes credit scores).
  • The CFPB published a reference tool for HMDA data required to be collected and recorded in 2021 and reported in 2022.
  • Reminder: Effective July 1, 2020, institutions originating fewer than 100 closed-end mortgage loans in either of the two preceding calendar years will not have to report such data. In addition, the threshold for reporting data about open-end lines of credit will be set at 200 upon the expiration of the current temporary threshold of 500 open-end lines of credit.

All HMDA updates can be found here:

https://www.consumerfinance.gov/compliance/compliance-resources/mortgage-resources/hmda-reporting-requirements/


Regulation E (Electronic Funds Transfer Act)

CFPB increased a safe harbor threshold in the regulation related to whether a person makes remittance transfers during the normal course of business. A link follows:


h ttps://files.consumerfinance.gov/f/documents/cfpb_remittance-transfers_final-rule_2020-05.pdf


Regulation F (Fair Debt Collection Practices Act)

The CFPB issued a final rule to restate and clarify prohibitions on harassment and abuse, false or misleading representations, and unfair practices by debt collectors when collecting consumer debt. Key provisions follow:

  • Clarifies that the FDCPA’s general prohibition on harassing, oppressive, or abusive conduct applies to telephone calls and other communication media, such as email and text messages, and provides examples demonstrating how the prohibition restricts emails and text messages.
  • Clarifies how the protections of the FDCPA, which was passed in 1977, apply to newer communication technologies, such as email and text messages.
  • Provides that consumers may, if the debt collector communicates through a medium of electronic communications, use that medium to place a cease-communication request or notify the debt collector that they refuse to pay the debt.
  • Requires debt collectors who communicate electronically to offer the consumer a reasonable and simple method to opt out of such communications at a specific email address or telephone number.
  • Clarifies how consumers may set limits on debt collection communications to reflect their preferences and the limits on communicating with third parties about a consumer’s debt.
  • Restates the FDCPA’s prohibitions regarding false, deceptive, or misleading representations and unfair or unconscionable means.
  • Notes that the CFPB is not finalizing the proposed safe harbor for debt collectors against claims that an attorney falsely represented the attorney’s involvement in preparing a litigation submission.

A link follows:

https://files.consumerfinance.gov/f/documents/cfpb_debt-collection_final- rule_2020-10.pdf


Regulation X (RESPA)

The CFPB recently issued FAQs on Marketing Services Agreements, Gifts and Promotional Activity. The allowances and limitations of RESPA Section 8 have garnered ongoing discussion in the regulatory community for decades. These FAQs move us one step closer to how the provisions are best applied, inclusive of what is and is not prohibited. A link follows:

https://files.consumerfinance.gov/f/documents/cfpb_respa_frequently_asked_questions.pdf


Regulation Z (Truth in Lending) / TRID

  • In addition to annual threshold changes, agencies issued revised Interagency Examination procedures.   Key revisions include:
    • Updates to Regulation Z that relate to the TILA-RESPA Integrated Disclosure (TRID) Rule 3
    • Updates to TILA relating to the Economic Growth, Regulatory Relief, and Consumer Protection (EGRRCP) Act, including:
    • Provisions relating to high-cost loans, appraisals, and student lending
    • An additional type of qualified mortgage and escrow exemption for insured depository institutions with less than $10 billion in assets

    A link to the updated publication follows:

    https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/truth-in-lending-act/pub-ch-tila.pdf

  • The CFPB published an assessment of the TRID rule.   After reviewing 50,000 mortgages, they came out with some very interesting conclusions that may assist with compliance and resource planning:
    • 90 percent of mortgage loans involved at least one revision
    • 62 percent received at least one revised Loan Estimate
    • 49 percent received at least one corrected Closing Disclosure
    • 40 percent received at least one APR change
    • 25 percent had loan to value ratio changes
    • 8 percent had at least one interest rate change

The TRID Rule Assessment Report is available at:

https://files.consumerfinance.gov/f/documents/cfpb_trid-rule-assessment_report.pdf


Regulation BB (Community Reinvestment Act)

  • The OCC has issued a final rule to clarify and expand the activities that may qualify for CRA credit, has modified its approach towards evaluating CRA performance, and has enhanced CRA data collection recordkeeping and reporting with the goal of creating greater transparency.   Effective dates are October 1, 2020, January 1, 2023 and January 1, 2024, as applicable.   A link to the final rule follows:

    https://www.occ.gov/news-issuances/federal-register/2020/nr-occ-2020-63a.pdf
  • 2020 CRA Data Entry Software Release 2 is now available .   It includes the 2020 census update and an enhancement of the “Submission via Web” data export option.   A link follows:

    https://www.ffiec.gov/software/software.htm


NOTEWORTHY COMPLIANCE NEWS AND DEVELOPMENTS


SMALL DOLLAR LENDING FREQUENTLY ASKED QUESTIONS (FAQs)

The CFPB recently issued a Compliance Aid of FAQs related to the Small Dollar Lending Rule (i.e., Payday Loans).   The FAQs focus on the following key areas:

  • Defining covered, excluded and exempt loans
  • Cost determination and calculation
  • Leveraged payments
  • High-cost and small-dollar loan applicability
  • Compliance requirements when an open-end loan becomes a covered longer-term loan due to an increase in the cost of credit during the loan’s term

A link follows:

https://files.consumerfinance.gov/f/documents/cfpb_payday-lending-rule_frequently-asked-questions.pdf


FDIC INTRODUCES NEW CONSUMER INFORMATION ACCESS TOOL

The FDIC recently implemented a new website tool ( BankFind Suite) that is designed to serve as a single point of access to available agency information on banks, including purchases, mergers, acquisitions, assumptions, and structural and governance information.   A link follows:

https://banks.data.fdic.gov/bankfind-suite/


FTC LAUNCHES NEW FRAUD REPORTING PLATFORM FOR CONSUMER USE

The Federal Trade Commission has launched a new website, ReportFraud.ftc.gov, where consumers can report to the FTC about scams, fraud, bad business practices and all other consumer issues.   The web address is
ReportFraud.ftc.gov.


NEW FRAUD REPORTING:   FEDERAL RESERVE LAUNCHES FedNowSM
SERVICE

The scuttlebutt over real-time payments recently got a bit louder with the FRB’s launch of a new service designed to support instant payments in the United States.   The implementation will occur in phases, with the formal launch anticipated in 2023 or 2024.   FedNow was initially launched a ye ar ago, when core features and functionality based on input from numerous stakeholders were formally approved.   The recent announcement:

“The rapid expenditure of COVID emergency relief payments highlighted the critical importance of having a resilient instant payments infrastructure with nationwide reach, especially for households and small businesses with cash flow constraints,” said Federal Reserve Board Governor Lael Brainard. “Since we initiated FedNow one year ago, we have been hitting our project milestones, and today I am pleased to announce the Federal Reserve Board has approved the core features and functionality based on extensive input from stakeholders.”

A link follows:

https://www.federalregister.gov/documents/2020/08/11/2020-17539/service-details-on-federal-reserve-actions-to-support-interbank-settlement-of-instant-payments


FDIC ALLOWS BANKERS TO HIRE INDIVIDUALS WITH MINOR CRIMINAL OFFENSES

Section 19 of the Federal Deposit Insurance Act (FDI Act), prohibits, except with the prior written consent of the FDIC, any person who has been convicted of any criminal offense involving dishonesty, breach of trust, or money laundering, or who has entered into a pretrial diversion or similar program in connection with such an offense, from becoming or continuing as an institution-affiliated party with respect to any insured depository institution; from owning or controlling, directly or indirectly, any insured depository institution; or from otherwise participating, directly or indirectly, in the conduct of the affairs of any insured depository institution.   Primary changes follow:

  • Individuals whose covered offenses have been expunged will be exempt from the requirement to submit an application under Section 19.
  • Expands the scope of the de minimis exception for certain qualifying offenses involving the use or possession of false or fake identification, as well as for small-dollar, simple theft offenses.
  • Allows a person with two, rather than one, de minimis crimes to qualify for the exception and decreases the waiting period for individuals with two such offenses to three years (or 18 months for those who were 21 years or younger at the time of their misconduct).
  • Eliminates the waiting periods for applicants who have had only one qualifying covered offense.

The FDIC estimates that this new rule will reduce applications required under Section 19 by 30 percent.   A link to the issuance follows:

https://www.fdic.gov/news/board/2020/2020-07-24-notational-fr-a.pdf


HUD ISSUES UNIFORM STANDARD FOR DETERMINING WHEN A HOUSING POLICY OR PRACTICE IS DISCRIMINATORY

HUD’s amended issuance is intended to provide greater clarity on the law for individuals, litigants, regulators, and industry professionals.   The rule amends HUD’s 2013 disparate impact standard regulation to more closely align with the Supreme Court’s 2015 ruling in the Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc.   The rule revises the test for determining whether a practice has a discriminatory effect and adds to illustrations of discriminatory housing practices found in HUD’s Fair Housing Act regulations.   A link follows:

https://www.hud.gov/sites/dfiles/ENF/documents/6111-F-03%20Disparate%20Impact%20Final%20Rule%209-3-20%20FOR%20POSTING.pdf


CONGRESS REAUTHORIZES THE NATIONAL FLOOD INSURANCE PROGRAM (NFIP)

The Federal Emergency Management Agency’s (FEMA’s) authority to issue flood insurance policies was due to lapse at midnight on September 30, 2020.   Congress reauthorized the NFIP through September 30, 2021.   A link follows:

https://www.fdic.gov/news/news/financial/2010/fil10023.html


FFIEC MAKES 2020 CENSUS AND DEMOGRAPHIC DATA AVAILABLE

The FFIEC’s 2020 Geocoding System has been updated with the 2020 Census demographic data based on the 2011 – 2015 five-year estimated American Community Survey (ACS).   A link follows:

https://www.ffiec.gov/censusproducts.html


AGENCY PROPOSALS

In recent months, there has been a notable increase in the number of Agency proposals and changes to the composition of Agency Boards and Advisory Committees.    If history is any indicator, there will be varying iterations of pending proposals.   As the ink dries, we’ll continue to provide insights on those proposals that are most relevant to your organization’s strategic planning, budgeting and risk assessment process.


2021 COMPLIANCE MONITORING CONSIDERATIONS

As you wind down the year and pencil in compliance monitoring focus areas in 2021, we encourage consideration of some key recent enforcement actions, as summarized below, to inform your risk ratings, risk direction and planned spot checks next year. We have observed a heightened focus on consumer protection regulations involving deceptive or misleading practices during account opening and at the time of servicing, and on the customer complaints that tend to follow.


Agency

Penalty/ Settlement

Regulation/ Legislation

Violations/Focus Areas

CFPB

$97 million
Regulation E
(Electronic Funds Transfer Act (EFTA)) Overdraft Practices

Consumer Financial Protection Act (CFPA) *

Regulation V (Fair Credit Reporting Act (FCRA))

Violated the EFTA and Regulation E by charging consumers O/D fees for ATM and one-time debit card transactions without obtaining affirmative consent.

Deceptively claimed that an offering was a “free” service or benefit or that it was a “feature” or “package” that “comes with” new consumer-checking accounts when the FI charged customers $35 for each overdraft transaction.

Required new customers to sign its overdraft notice with the “enrolled” option pre-checked
; enrolled new customers in service without requesting the customer’s oral enrollment decision;
deliberately obscured, or attempted to obscure, the overdraft notice.

Failed to establish and implement reasonable written policies and procedures concerning the accuracy and integrity of consumer account information it supplied to credit bureaus.

Failed to conduct timely investigations of indirect consumer disputes concerning some of that same information. These practices ring all the bells for bad overdraft programs.


OCC

$85 million
Compliance Management System (Program)

Servicemembers’ Civil Relief Act (SCRA)

Military Lending Act (MLA)

Failed to implement an effective Compliance Management Program, resulting in violations of SCRA and MLA.

CFPB

$15 million
Fair Debt Collection Practices Act (FDCPA)

Consumer Financial Protection Act (CFPA)

Violated the CFPA, and the FDCPA by:

  1. suing consumers to collect debts even though the statutes of limitations had run on those debts
  2. suing consumerswithout possessing required documentation, using law firms and an internal legal department to engage in collection efforts without providing required disclosures, and failing to provide consumers with required loan documentation
    after consumers requested it.
  3. failing to disclose possible international transaction fees

FTC

$9.3 million
Unfair, Deceptive or Abusive Acts or Practices (UDAAP)

CARES Act


Misleading small businesses to think they are affiliated with the Small Business Administration
.

Illegally targeted small businesses directly through telephone calls, e-mails and the website, claiming to be representing the SBA; soliciting loan applications on behalf of the businesses’ banks; making statements on the website like “We are a Direct Lender for the PPP Program” and “We are currently offering stimulus relief spending under the Economic Security Act (CARES Act).”


CFPB

$2 million
Regulation E (EFTA) Violated the EFTA and the Remittance Transfer Rule by failing to adhere to error resolution requirements and to properly respond to cancellation requests, failing to provide the refunds the Remittance Transfer Rule requires, failing to maintain required policies and procedures,
and failing to provide required disclosures.

CFPB

$16 million
Regulation E (EFTA) O/D Practices Illegally charged a second NSF fee on the same returned item the second time it was presented, which impacted 700,000 credit union members

CFPB

$230,000
Consumer Financial Protection Act Settled with six mortgage companies regarding the use of deceptive mailers to advertise VA-guaranteed mortgages.

CFPB

$200,000
Home Mortgage Disclosure Act (HMDA) Reported inaccurate HMDA data about mortgage transactions over a 2 -year period. Errors were noted in several different required fields, and were determined to be caused by a lack of appropriate staff, training and quality control.


* This Act established the CFPB.   Allows suits for unfair, deceptive, or abusive practices, including illegal charging of overdraft fees to consumers.

If the ink is not yet dry on your 2021 Compliance Monitoring Plan, we encourage consideration of these recent enforcement action trends.



Note:

Stay tuned for our next BSA Advisory for a discussion of recent updates in the world of anti-money laundering.   Also, for additional insights on the steps we have taken to assist our clients in operating in this challenging COVID-19 pandemic environment, please see our website:

www.AuditOneLLC.com
.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our financial institution clients. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge. For more information on this article, or to request a proposal for a Compliance audit, please contact Celeste Burton, Compliance Practice Director, AuditOne LLC, at:


Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO. Also, for more information about AuditOne LLC and all our audit services see

www.AuditOneLLC.com
.

Categories
News

AuditOne Compliance Advisory: Q2 2020

AuditOne Advisory

From Bud Genovese, Chairman

In this issue, we offer practical tools and insights for managing Compliance risk resulting from the unprecedented demand for Payment Protection Program (PPP) loans.  We also discuss the importance of corrective action tracking and other significant compliance news and developments, including COVID-19 Appraisal Requirement Suspensions; Regulation X Loss Mitigation/Forbearance; changes to Regulation D Transfer Limits and Regulation E Remittance Transfer rules; and updates to Unfair, Deceptive or Abusive Acts or Practices (UDAAP), Truth In Lending Integrated Disclosures (TRID), Rural Development Act (RDA), Community Reinvestment Act (CRA), Home Mortgage Disclosure Act (HMDA/Regulation C) and Expedited Funds Availability Act (Regulation CC).  We conclude with commentary on two recent high-profile cases on PPP and on bank and securities fraud, which may be valuable for employee training and reinforcement.

This Compliance Advisory was prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC.  I hope you find this information useful – please share with your colleagues having responsibilities related to the areas covered in this Advisory.  Thank you, — Bud

WHAT HAPPENS NOW?

In recent months, regulatory agencies and various industry pundits have published numerous communications related to initiatives purposed to support the flow of credit to households and businesses, most notably the PPP.  To handle the unprecedented volume of PPP loans, financial institutions have sometimes redeployed employees from traditional assignments to temporary ones on the “PPP assembly line.”  Standing protocols were sometimes abandoned or deferred, and there was little time, if any, to modify documented policies, standards or practices to meet the demand for this new product and to adapt it to the much riskier, COVID-19 operating environment for financial institutions.

MANAGING THROUGH PPP IMPACT ON YOUR ORGANIZATION

Following are a few questions that we recommend you consider during your next Compliance and or Audit Committee Meeting:

  1. Enterprise Risk Assessment:  Has our institution updated its Enterprise Risk Assessment to include PPP-related impacts on essential Credit, Operational, Compliance, Treasury, Finance, Information Technology and Vendor risks?  Have these impacts been formally documented and included in governance committee discussions/minutes? 
  2. Strategic Plan/Budget:  Have Strategic Plan and Budget impacts been explored and documented?  For example, what is the impact on our operations if Loan Forgiveness proposals (e.g., the ability to use a one-page document for loans under $150,000) are not approved?
  3. Policies, Practices and Lines of Defense:  Have Credit and Operational policies pertaining to PPP been documented and approved by the Board?  Were factors such as the institution’s risk appetite, resource capability and regulatory limits considered?  What first, second and third line of defense operations are being impacted, and are we accounting for and attempting to mitigate that impact? 
  4. Potential Consumer Harm:  Have potential consumer harm impacts been reasonably considered?  Is documented training provided to loan officers/approvers on how to ensure loans are being sourced, offered and administered consistently across the Bank’s client’s base?  If exceptions are made, how should we evidence our decision and related justification?
  5. Information Technology:  Have minimum security standards been put in place for remote working (i.e., that may require the exchange of or access to sensitive customer information)?  Is there a means to detect and monitor employees and decisions that may not align with existing IT policy?

As with any new product, service or risk, Audit and Examination functions want to see that your financial institution has done its due diligence.  Auditors and examiners understand that there will be adverse impacts on normal operations, and that management may defer certain routine internal compliance or monitoring reviews.  However, they also expect evidence that your institution has reasonably assessed and mitigated potential adverse impacts.  It’s never too late. Know your risk, know where your potential gaps are vis-à-vis the new risk environment, and have a documented roadmap on how your institution will minimize the exposure associated with those gaps.

COMPLIANCE EXCEPTION RATES MAY INCREASE DUE TO PANDEMIC-RELATED RESOURCE LIMITATIONS.  WILL WE BE PENALIZED BY OUR REGULATORS?

In June 2020, regulatory agencies (FDIC, FRB, NCUA and OCC) issued joint guidance to promote consistency and flexibility in the supervision and examination of financial institutions affected by the coronavirus crisis.  According to the agencies, “stresses caused by the spread of COVID-19 have led to significant economic strain and adversely affected global financial markets.”  The guidance instructs examiners to consider the nature of the issues confronting the institutions they supervise due to the pandemic – and to “exercise appropriate flexibility in their supervisory response.”

Some regulatory agencies such as the FDIC and OCC have recently shared that they will continue to assess institutions in accordance with existing policies and procedures, specifically:

  • Examiners will consider whether an institution’s management has managed risks appropriately, including taking appropriate actions in response to stresses caused by COVID-19 impacts.
  • Examiners will consider the challenges involved in assessing the risk that the response presents to the institution in real-time, given the level of information available and the stage of local economic recovery.
  • In assessing an institution under the principles in the interagency examiner guidance, examiners will consider the institution’s asset size, complexity, and risk profile, as well as the industry and business focus of its customers.

It would be unreasonable to expect that a smaller institution (i.e., with only one or two Compliance resources) would have the infrastructure to withstand what has occurred over the last several months without some battle scars.  In the world of Compliance, those battle scars typically show up in the form of increased technical compliance exception rates.  Not to fear, however, as there is a way to manage this risk within reason, which is all any organization can be expected to do:

  1. Do your homework.  Through discussion with department heads and staff and through spot checks, identify those areas (in your end-to-end processes) where the likelihood of higher exceptions has increased. 
  2. Develop a plan for stepped-up monitoring to proactively identify where control gaps may exist.  Ensure the timing of your plan is reasonable (e.g., perhaps not the day loan forgiveness processing begins).  Adjust your Compliance Schedule accordingly, and be prepared to discuss and support the reason for the change. 
  3. Present resultant control gaps, if any, to the Compliance/Audit Committee (or other Risk/Governance Committee) in your organization.  Discuss and agree on action plans that are reasonable and address the root cause. 
  4. Where customer restitution may be necessary, identify those areas and ensure necessary action is taken within a reasonable period.

Finally, be prepared to demonstrate that you have identified the potential impact on your organization and put reasonable protocols in place to identify, detect and address issues as they arise.   And, remember:

  • Be upfront about the impacts on your organization.
  • Provide auditors and examiners your modified Enterprise (or Compliance) Risk Assessment, updated to include PPP impact. 
  • Discuss where your management team has identified the need to do stepped-up monitoring and plans to address any gaps.  Share related reporting to governance committees and the Board.
  • Follow through on what you commit to addressing within the timelines that you commit to.

CORRECTIVE ACTION TRACKING COMPONENTS IMPORTANCE

An examination concludes.  Auditors depart.  Consultants request the last file to review.  And all go about their merry way.  Fast forward, the next audit or exam begins, your Corrective Action Tracking log is requested, and the scramble begins to get it up to date.

When it comes to identifying or detecting an opportunity to enhance a policy, procedure, process or protocol, how your institution documents, tracks, reports and resolves control gaps or areas where enhancements may be required is very important. 

Our advice to you, particularly important today, is to create a centralized Corrective Action Log.  The log can include as many attributes as your institution desires, though, at a minimum, the following should be considered:

  • Source (Regulatory Agency, Audit Group, Internal Compliance Group/Associate, or Consultant)
  • Dates (Identified, Assigned, Due/Target date, Completed)
  • Issue Description (Verbatim from the source, not paraphrased)
  • Person(s) Responsible (Include necessary support, vendor and or /IT resources, as appropriate)
  • Status (Include as much detail as possible; track status to target dates at least monthly, more often as the risk warrants)
  • Timeline (Target Completion/Resolution Date)

Depending on the organization’s size, high-risk issues should be given 30 days to one quarter.  Escalate to the Board issues that do not have sufficient traction or resources necessary to achieve target dates.  Often, the Board is able to assist with a solution that considers available human and financial resources, including the need to outsource or use consultants for assistance

  • Comments (Add notes that are necessary and perhaps unique to your organization.  If timelines are delayed or not being met, this is a great place to document the justification)

Most importantly, keep the Corrective Action Tracking Log current, and include it as a standing agenda item in your periodic Compliance/Audit reporting to the Board.  Minutes should reflect the discussion of the Corrective Action Log status.

OTHER COMPLIANCE NEWS, DEVELOPMENTS and ENFORCEMENT

Home Mortgage Disclosure Act (HMDA)

Note: Effective January 1, 2020, the permanent threshold for collecting and reporting data about open-end lines of credit went from 100 to 200, when the current temporary threshold of 500 of open-end lines of credit expires.  As regards the open-end lines of credit, CFPB noted that last October, it extended the temporary open-end threshold until Jan. 1, 2022.  A link to the ruling follows: https://files.consumerfinance.gov/f/documents/cfpb_final-rule_home-mortgage-disclosure_regulation-c_2020-04.pdf

OCC Issues New UDAAP Examination Procedures 

The OCC published new Examination procedures and guidelines that provide a new layer of insight into potential UDAAP compliance implications throughout organizations. 

We strongly recommend that organizations consider adding a segment to your next Compliance/Governance Committee meeting that is dedicated to addressing poignant points with your leadership teams.  This should also be extended to employees in the form of job-based training.  A link follows: https://www.occ.gov/publications-and-resources/publications/comptrollers-handbook/files/unfair-deceptive-act/pub-ch-udap-udaap.pdf

Joint Community Reinvestment Act Statement Issued; Underserved Areas Further Defined

The FDIC, FRB and OCC issued a Joint Statement on CRA Consideration for Activities in Response to COVID-19. The issuance encourages financial institutions to work with affected customers and communities, particularly those that are low- and moderate-income (LMI), noting that the agencies will provide favorable consideration under the CRA for certain retail banking services, retail lending activities and community development activities related to this national emergency.  The FDIC’s FIL-19-2020 reports that this statement will be effective through the six-month period after the national emergency declaration is lifted, unless extended by the agencies. A link follows: https://www.fdic.gov/news/news/financial/2020/fil20019.html.

The CFPB also issued an interpretive rule to provide additional guidance on how “underserved areas” are defined during a given calendar year.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_interpretive-rule_determining-underserved-areas-using-hmda-data.pdf

New Regulation CC Guidance Effective

Effective July 1, 2020, the following Regulation CC changes took effect:

  • Immediate Availability $200 Rule [§229.10(c)(1)(vii)]:  The minimum amount of deposited funds that must be made available for withdrawal increased from $200 to $225.
  • Invoked $400 Rule [§229.12(d)]: The amount that must be made available for withdrawals by cash or other means (if the Bank elects to invoke this option) increased from $400 to $450.
  • New Account Exception [§229.13(a)]: The amount of funds deposited by certain checks in a new account that are subject to next-day availability increased from $5,000 to $5,525.
  • Large Deposit Exception [§229.13(b)]: The threshold for using an exception to the funds-availability schedules if the aggregate amount of checks on any one banking day exceeds the threshold amount increased from $5,000 to $5,525.
  • Repeat Overdraft Exception [§229.13(d)(2)]: The threshold for determining whether an account has been repeatedly overdrawn increased from $5,000 to $5,525.

We encourage a quick temperature check to make sure that client hold notice templates, system settings for automatic hold placement, and terms and conditions have been updated to comply.  We also recommend that you check with your IT group and/or system vendor to make sure that the capability to generate hold reporting that includes the hold placement date, reason and hold release date is available to you.

CFPB Slightly Eases Regulation X (COVID-19) Loss Mitigation and Credit Reporting Implications

The CFPB issued an interim final rule to clarify that mortgage servicers will not violate Regulation X by offering certain loss mitigation options during the COVID-19 pandemic.  Under normal circumstances, Regulation X would require servicers to collect a complete loss mitigation application before making an offer to a borrower who has submitted an incomplete loss mitigation application. 

Regarding forbearance and related credit reporting:

  • Under the CARES Act, borrowers with federally backed mortgage loans experiencing a financial hardship due, directly or indirectly, to the COVID-19 emergency, may request a forbearance by making a request to their mortgage servicer and affirming that they are experiencing a related financial hardship.  A forbearance under the CARES Act qualifies as a short-term payment forbearance program under Regulation X.
  • If a mortgage servicer provides a borrower a short-term forbearance payment option, the agencies do not intend to take supervisory or enforcement action for failing to meet certain timing requirements for consumer communications related to incomplete application acknowledgement, loss mitigation and early intervention, or annual escrow. The Act requires lenders to report to credit bureaus that consumers are current on their loans if consumers have sought relief from their lenders due to the pandemic.  The CFPB’s statement informs lenders they must comply with the CARES Act.  It encourages lenders to continue to voluntarily provide payment relief to consumers and to report accurate information to credit bureaus relating to this relief. 

A link to the rule follows: https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-interim-final-rule-loss-mitigation-options-pandemic-related-financial-hardships/; Joint Statement on Supervisory and Enforcement Practices Regarding the Mortgage Servicing Rules in Response to the COVID-19 Emergency and the CARES Acthttps://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-credit-reporting-guidance-during-covid-19-pandemic/

Appraisals Suspended for 120 Days for Certain Transaction Types

The FRB, FDIC and OCC issued an interim final rule to temporarily defer real estate-related appraisals and evaluations under the agencies’ interagency appraisal regulations for real estate-related financial transactions affected by COVID-19.  The agencies are deferring certain appraisals and evaluations for up to 120 days after closing of residential or commercial real estate loan transactions.  Transactions involving acquisition, development or construction of real estate are excluded from this interim rule.  The NCUA recently considered and adopted this rule.  These temporary provisions will expire on December 31, 2020, unless extended by the federal banking agencies.  In addition, the agencies, together with National Credit Union Administration and Consumer Financial Protection Bureau, in consultation with the Conference of State Bank Supervisors, issued a joint statement to address challenges relating to appraisals and evaluations for real estate-related financial transactions affected by COVID-19.  Links to both statements follow: https://www.fdic.gov/news/news/press/2020/pr20051a.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery; https://www.fdic.gov/news/news/press/2020/pr20051b.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery

Interim Rule Temporarily Lifts Six-Per-Month Limit on Savings Transfers (Regulation D)

The FRB issued an interim final rule to amend Regulation D to delete the six-per-month limit on convenience transfers from the “savings deposit” definition. The interim final rule allows depository institutions to suspend enforcement of the six transfer limit and to allow their customers to make an unlimited number of convenience transfers and withdrawals from their savings deposits at a time when financial events associated with the coronavirus pandemic have made such access more urgent.  The regulatory limit in Regulation D was the basis for distinguishing between reservable “transaction accounts” and non-reservable “savings accounts.”  The Board’s recent action reducing all reserve requirement ratios to zero has rendered this regulatory distinction unnecessary.  Concurrently, the FRB made temporary revisions to the FR 2900 series, FR Y-9, and FR 2886b reports to reflect the amendments to Regulation D.  A link follows: https://www.federalregister.gov/documents/2020/04/28/2020-09044/regulation-d-reserve-requirements-of-depository-institutions

B&I Guaranteed Loan Program Authorized by Rural Development Act Updated

Effective May 22, 2020, the RBCS, a Rural Development agency of the United States Department of Agriculture (USDA), issued an interim final rule to update the Business and Industry (B&I) Guaranteed Loan Program to allow flexibility to make available federal funds for guaranteed loans pursuant to the CARES Act in response to  the COVID-19 pandemic.  The B&I Guaranteed Loan Program was authorized by the Rural Development Act of 1972.  The loans are made by private lenders to rural businesses for the purpose of creating new businesses, expanding existing businesses, and for other purposes that create employment opportunities in rural America. 

The Rural Business-Cooperative Service (RBCS) is responsible for administering the B&I Guaranteed Loan Program.  Rural Development is a mission area within the USDA comprised of the Rural Utilities Service, Rural Housing Service and RBCS.  Its mission is to “increase economic opportunity and improve the quality of life in rural communities by providing the leadership, infrastructure, access to capital, and technical support that enables rural communities to prosper”.  To achieve its mission, Rural Development provides financial support through more than 40 programs including direct loans, grants, loan guarantees, and technical assistance to help improve the quality of life and provide the foundation for economic development in rural areas.  A link to the interim rule follows: https://www.govinfo.gov/content/pkg/FR-2020-05-22/pdf/2020-11242.pdf?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

CFPB Announces Higher Than Ever Complaints; FTC Makes Certain State-Level Complaint Data Available

The CFPB recently stated that they have received “higher than ever” complaint volumes in March and April 2020, which means the likelihood of examiner focus naturally increases.  Many of us would likely agree that Complaint logs can be difficult to entirely rely on, (primarily) because of:

  • Employee uncertainty about what constitutes an “inquiry” versus a “complaint”
  • Decentralized, manual complaint receipt and handling

While there is no perfect one-size-fits-all solution, there may be an opportunity to modify certain practices to optimize complaint management.  Consider these processes to assess whether they are well-documented and being administered as intended:

  • How complaints are received and whether the means for capturing and tracking complaints from any of these sources is sound (e.g., website only, centralized email box or phone, through individual relationship managers, etc.).
  • Whether all employees know what constitutes a complaint versus an inquiry, and that employees know whom to contact when a complaint is received.
  • Compliance should (ideally) have a view of all complaints to affirm decisions on those that do or do not have potential compliance implications.
  • Review publicly available CFPB complaint data to ensure there are no complaints posted publicly that are excluded from the Bank’s Complaint Tracking Log/Database.  
  • Consider how and where complaints are recorded (e.g., in a log on a shared drive, or submitted to a centralized area or person in the Bank to record them, etc.) and whether they are easily accessible.
  • Include complaint tracking in regular Compliance/Governance committee reporting. Trends should be analyzed to determine whether broader impacts exist that may require a root cause analysis or to potentially make a customer whole. 

A link to the CFPB complaint search tool follows: https://www.consumerfinance.gov/data-research/consumer-complaints/search/?dataNormalization=None&dateInterval=3y&date_received_max=2020-05-13&date_received_min=2017-05-13&from=0&page=1&searchField=all&size=25&sort=created_date_desc&state=CA&tab=List

A link to the state level compliant data made available by the FTC also follows: https://www.ftc.gov/news-events/press-releases/2020/06/ftc-makes-more-state-level-data-available-about-covid-19-related?utm_source=govdelivery

FRB Extends S.A.F.E. Act Registration from One to Three Years

Section 1504 of the S.A.F.E. Act (12 U.S.C. 5103) requires that mortgage loan originators (MLOs) maintain their registration annually. The final rule requires that a registered mortgage loan originator must renew his or her registration with the Registry during the annual renewal period.  In accordance with the S.A.F.E. Act, the CFPB’s Regulation G requires MLOs to register with the Nationwide Mortgage Licensing System (NMLS), maintain this registration, obtain a unique identifier, and disclose to consumers upon request and through the Registry their unique identifier and the MLO’s employment history and any publicly adjudicated disciplinary and enforcement actions.  The CFPB’s regulation also requires the institutions employing MLOs to adopt and follow written policies and procedures to ensure that their employees comply with these requirements and to conduct annual independent compliance tests.

On May 11, 2020, the FRB adopted a proposal to extend for three years, without revision, the Registration of Mortgage Loan Originators (CFPB G; OMB No. 7100-0328).  A link follows: https://www.govinfo.gov/content/pkg/FR-2020-05-11/pdf/2020-09937.pdf?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

CFPB Publishes Additional TRID Guidance

The CFPB has published additional guidance related to the TILA-RESPA Integrated Disclosure (TRID) Rule:

The CFPB also issued interpretive guidance that allows for the pandemic to be classified as a “changed circumstance” on a Loan Estimate and allows for loan consummation before the end of the TRID rescission period, noting a “bona fide personal financial emergency”.  A link follows: https://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/tila-respa-integrated-disclosure-rule-regulation-z-right-rescission-rules-covid-19/

Remittance Transfers Rule Updated (Regulation E)

ECOA Valuations Rule FAQs Issued

The CFPB issued two fact sheets on the ECOA Valuations Rule in response to frequently asked questions. The factsheets provide information on transaction coverage under the Rule, and delivery method and timing requirements for appraisals and other written valuations.  The CFPB also issued FAQs pertaining to Mortgage Origination related to COVID-19.  Links follow:
https://files.consumerfinance.gov/f/documents/cfpb_ecoa-valuation_transaction-coverage-factsheet.pdf; https://files.consumerfinance.gov/f/documents/cfpb_ecoa-valuation_delivery-of-appraisals-factsheet.pdf;
https://files.consumerfinance.gov/f/documents/cfpb_mortgage-origination-rules_faqs-covid-19.pdf

FCRA FAQs Issued

The CFPB issued a Compliance Aid to assist with credit reporting to consumer reporting agencies during the pandemic.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_fcra_consumer-reporting-faqs-covid-19_2020-06.pdf

Temporary Leverage Relief:  CFPB Issues Clarifying Adverse Action Guidance for PPP Loans

A link follows to the CFPB Adverse Action guidance, to include when the Regulation B clock starts and stops for SBA PPP applicants: https://files.consumerfinance.gov/f/documents/cfpb_ecoa-regulation-b_faqs-covid-19.pdf

FFIEC Makes New Census Data Available

The FFIEC website has been updated to include 2020 Census Data Products and updated Geocoding/Mapping information.  A link follows: https://www.ffiec.gov/hmda/

Updated Manual, Proposed Revisions to Flood Disaster Protection Act Requirements

The FDIC, FRB, OCC, NCUA and FCA (Agencies) recently issued proposed new and revised Interagency Questions and Answers Regarding Flood Insurance (Interagency Questions and Answers).  The proposal seeks to incorporate into the Interagency Questions and Answers amendments to federal flood insurance laws regarding the escrow of flood insurance premiums, the detached structure exemption, and force placement of insurance. The document is intended to help lenders meet their responsibilities pursuant to the federal flood insurance laws that were last updated in 2011.  A link to the proposed revisions follows: https://www.fdic.gov/news/press-releases/2020/pr20077a.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery The FDIC also updated its manual regarding the assessment of mandatory Civil Money Penalties for violations of certain aspects of this Act.  A link follows: https://www.fdic.gov/regulations/examinations/enforcement-actions/ch-09.pdf

CFPB Requests Input on Ways to Prevent Credit Discrimination

On July 28, 2020, the CFPB issued a request for information (RFI) to seek public input on how best to create a regulatory environment that expands access to credit and ensures that all consumers and communities are protected from discrimination in all aspects of a credit transaction.The information provided will reportedly help the CFPB continue to explore ways to address regulatory compliance challenges while fulfilling the Bureau’s core mission to prevent unlawful discrimination and foster innovation.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_rfi_equal-credit-opportunity-act-regulation-b.pdf.

RECENT CASES:

PPP Fraud and Arrest

According to the U.S. Department of Justice, two businessmen were charged with allegedly filing fraudulent bank loan applications in pursuit of more than $500,000 in forgivable loans guaranteed by the SBA PPP.  The men were formerly charged by way of a federal criminal complaint with conspiracy to make false statements to influence the SBA and conspiracy to commit bank fraud. Additionally, one of the men is charged with aggravated identity theft.  According to court documents, the fraudulent loan requests were to pay employees of businesses that were not operating prior to the start of the COVID-19 pandemic and had no salaried employees, or, in one instance, to pay employees at a business the loan applicant did not own.  A link to the action follows: https://www.justice.gov/opa/pr/two-charged-rhode-island-stimulus-fraud

CEO, Firm Plead Guilty to Bank and Securities Fraud

Noise surrounding fraud has gotten a bit louder in recent months.  Although we will not detail each allegation on this topic, we thought it might be useful to highlight one of the more involved cases.  Certain control gaps may come to mind that your organization may want to consider while continuing to manage and enhance the overall control environment.   

Secondary market investors are increasingly concerned about asset quality of loan pools involving jumbo and larger dollar residential loan offerings.  There were some interesting tidbits in a local summary of the subject fraud that may raise your audit radar.  A link to the press release also follows.

In summary, the Chief Executive Officer of consulting firm Cash Flow Partners LLC pleaded guilty to one count of conspiracy to commit bank fraud and one count of securities fraud in a multi-million dollar scheme operated through the company, according to a release shared by the Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG).  The release, based on one issued by the Justice Department, says that the CEO pleaded guilty by videoconference before U.S. District Judge Kevin McNulty.  The release states:

  • Beginning at least as early as July 2016, through about September 2019, the CEO led and directed a bank fraud conspiracy designed to obtain millions of dollars in loans from banks on the basis of false representations.  To attract customers, Cash Flow released internet advertisements and held seminars offering to assist customers with low-paying salaries in obtaining loans.  These advertisements included promotional videos featuring the CEO and a former telenovela actor.
  • Customers contacted Cash Flow and were routed to the company’s sales department, where employees encouraged customers to sign up for various loan programs that Cash Flow provided and to enter into contracts with Cash Flow.  Under those contracts, employees would help customers obtain loans from banks.  The Cash Flow contracts permitted customers to keep a portion of the loan proceeds and customers agreed to provide the remaining proceeds to Cash Flow.  Cash Flow agreed to pay off the loans on behalf of its customers.
  • Cash Flow then used false information and fraudulent documents to obtain loans for its customers for which they otherwise would not have qualified and posed as the customers in communications with the banks.
  • From July 2016 through September 2019, the CEO obtained more than $5 million in investments from victim investors based on fraudulent representations.  He solicited investments from prospective customers using a marketing campaign on Spanish language television channels and the internet, the “Cash Flow TV” YouTube page, and live presentations in Cash Flow’s offices and elsewhere.  He also solicited investments from individuals who obtained loans through Cash Flow’s bank fraud conspiracy, encouraging loan customers to invest loan proceeds in Cash Flow’s investment program.
  • Once investors agreed to invest in Cash Flow, Espinal issued “promissory notes” to investors that guaranteed monthly investment returns between 1.25% and 4%.  The promissory notes stated that Cash Flow would return investors’ principal either one year from the date of the promissory note, or 60 days after investors demanded payment.  The CEO and other Cash Flow employees signed the promissory notes on behalf of Cash Flow.
  • The CEO made a number of misrepresentations to investors. He told investors that he would pool their funds with other investors’ funds in investments related to real estate, real estate companies, a gold mine in Ecuador, and construction projects in other countries.  In reality, the C.E.O. used investor funds to pay returns to earlier investors, pay for personal expenses for himself, his family and another Cash Flow employee, perpetuate the bank fraud scheme, and market the bank fraud and investment scheme to future victims.

The conspiracy to commit bank fraud charge carries a maximum potential penalty of 30 years in prison and a $1 million fine.  The securities fraud counts carry a maximum penalty of 20 years in prison and a $5 million fine.  The release, which also credits the FDIC OIG and others for their part in the investigation, said sentencing is scheduled for Oct. 13, 2020.  A link to the release follows: https://www.fdicoig.gov/press-release/owner-business-consulting-firm-admits-orchestrating-multimillion-dollar-bank-fraud-and

Note:  For additional insights on the steps we have taken to assist our clients in operating in this challenging COVID-19 pandemic environment, please see our website: www.AuditOneLLC.com.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our financial institution clients. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for a Compliance audit, please contact Celeste Burton, Compliance Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Webinar – Banking Risk and Control: What’s Important Now, What will be Important Post-COVID

AuditOne Webinar
From Bud Genovese, Chairman

AuditOne is pleased to invite you to attend a webinar we are hosting on Thurs., June 11th, 11 am PST, addressing risk and control issues associated with the current COVID disruptions and with whatever state of normality we return to in coming months. It will be hosted by our CEO, Jeremy Taylor, and will feature brief presentations from each of our Practice Directors, highlighting key developments/trends impacting their respective areas and the implications for audit. Besides specific COVID-related effects, we will also consider any major trends we were seeing pre-lockdown and what’s expected to persist post-COVID. We will move briskly through these presentations, to be wrapped up well before 12:30PM PST. We hope you’re able to join us, and please feel free to share this invitation with any others who may be interested. For those unable to join us next Thursday, we’ll be recording this and making it available afterwards on our website.

Here are some of the topics that our Practice Directors will discuss:

  • ALM: David Kellerman will assess the impact of the pandemic disruption and associated relief measures on financial institutions’ IRR, liquidity, investment and capital management.
  • Credit & Lending: Brock Williamson will go over the now quite different imperatives of portfolio monitoring in the COVID environment and how recent supervisory guidance can help.
  • Technology: Kevin Tsuei will discuss the latest tools to secure your cloud computing environment, laptop and remote VPN access, based on both regulatory guidance and industry best practice.
  • BSA/AML: Kevin Watson will consider the critical elements of the Five Pillars requirements and how COVID may affect your compliance with them.
  • Electronic Funds Transfer: Genelle Wrzesinski will review recent changes impacting her area (e.g., Reg. E, NACHA rules), significant audit trends evident pre-crisis, and the recent supervisory FAQs pertaining to these products, including pandemic effects.
  • Operations: Gary Andreini will discuss some of the higher-risk areas that have become even higher risk in the current environment and how to mitigate them.
  • Compliance: Celeste Burton will present a) recent regulatory changes of note, including those in response to the COVID disruptions, and b) what examiners and auditors are looking for in terms of a sound compliance program to manage those changes – in a volatile environment.

Thanks. -Bud

For further information on AuditOne’s COVID-19 response, see https://www.auditonellc.com/auditone-advisory-covid-19/.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/AML Program, Automated AML System Validation, IRR and other Asset/Liability Management (ALM), ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

 

Our deep expertise is your edge.  To receive an audit proposal or more information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, directly at https://www.auditonellc.com/team-contact/.  Also, for more information about AuditOne LLC and all our audit services, see www.AuditOneLLC.com.

Categories
News

AuditOne Advisory: Audit focus in response to increased risk during the Pandemic

AuditOne Advisory

From Bud Genovese, Chairman

Audit focus in response to increased risk during the Pandemic

We at AuditOne hope that you, your colleagues and families are all keeping safe and well in these stressful times.  Many of your staff have been able to work from home, doing their part for social distancing and helping reduce viral contamination risk for everyone.  But under these circumstances, skeletal on-site staff may become stretched to complete tasks requiring on-site presence and to comply with segregation of duties and other key controls, especially with the demands you’re facing concurrently to respond to PPP and other government support program loan requests in timely fashion. 

With all this in mind, we ourselves recognize that our task in assisting you to maintain safe and prudent practices across all your functional areas becomes all the more important.  I want to assure you that we are attuned to the marked changes in risk profile across financial institutions in the current environment and to the need for our audit procedures to adapt to those changes.  Through the rest of this year, our auditors will be paying particular attention to help ensure that the integrity of client operations was not compromised during this period of upheaval when the response to COVID-19 required many changes directed at other, more pressing (e.g., health and safety-related) goals.  To accomplish this control oversight, we will give particular attention to focal period sample selection since control lapses are more likely to occur when staffing resources are stretched beyond the norm. 

We appreciate the trust that you place in us when you allow us to meet your internal audit needs.  And in such an unusual and disruptive environment, I want you to be comfortable that we are adjusting our audit activity so as to help protect you against not just the normal range of risk exposures but also, even more so, those that are elevated by the demands posed by a world now changed in ways that none of us could have predicted.

All of us at AuditOne wish you well.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally. Our sole focus enables us to deliver effective and efficient internal audit and credit review services. This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions. We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/AML Program, Automated AML System Validation, IRR and other Asset/Liability Management (ALM), ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  To receive an audit proposal or more information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, directly at https://www.auditonellc.com/team-contact/.  Also, for more information about AuditOne LLC and all our audit services, see www.AuditOneLLC.com.

Categories
News

IRR Limits & Assumptions Analysis – Revised

Note: This Advisory was originally issued on April 8, 2020. It contained an error in the NMD average life table that has been corrected in the version showing below.

AuditOne Advisory

From Bud Genovese, Chairman

This Advisory presents data that we have compiled to help you in management of your institution’s Interest Rate Risk (IRR) process. AuditOne performs remote-based IRR audits each week at institutions in the Western US and around the nation. One of our IRR audit specialists, Kruskal Hewitt, has developed the following presentation of IRR data on exposure limits and modeling assumptions from a range of our financial institution clients. Mr. Hewitt has been a risk manager, portfolio manager and trader at international and regional banks. I hope you find this information useful, and please share with your colleagues having responsibilities related to IRR modeling and related controls. Thank you, — Bud

AUDITONE LLC’S ANALYSIS OF IRR LIMITS AND ASSUMPTIONS 2017 – 2019

AuditOne LLC is a leading provider of outsourced internal audits for community banks and other small/mid-sized financial institutions (FIs), predominantly in the western US.  Please refer to our website (www.auditonellc.com) for further information.  Asset/Liability Management (ALM) is among AuditOne’s practice areas, and within that we perform many audits of Interest Rate Risk (IRR) management every year. US FIs are expected to have an annual internal audit of their modeling, monitoring and control of IRR.  Key to IRR modelling are several forward-looking assumptions.

AuditOne has compiled (anonymously) data from 80 of our IRR clients on IRR limits and assumptions from our last three years’ audits; we have used data from the most recent AuditOne IRR audit, no further back than 2017.  AuditOne believes this database is relevant to AuditOne clients because it covers a relatively narrow range of asset size, geography and business lines.  AuditOne updates this analysis annually.

DEFINITIONS

NII:  Net interest income.  FIs are expected to model and project (over at least a one- and two-year horizon) interest-sensitive revenues and expenses under different interest rate scenarios.

EVE:  Economic value of equity.  This is a theoretic valuation of the institution whereby cash flows from all assets and liabilities are discounted to their net present value (NPV), then summed.  EVE captures long term risk in the balance sheet.  Conceptually, EVE cam be thought of as the sum of the NPV of all future NII streams.

Instant vs. Ramped Interest Rate Shocks (for NII):  The averages showing in the tables below are for instant (or immediate) rate shocks (78 clients) which assumes rates change instantly, as opposed to a gradual and even rate rise (ramp) over 12 months.

Beta:  This represents the assumed percentage of a market rate change that is reflected in administered rates – most importantly, deposit rates.  For example, if the driver rate is Fed Funds and the beta for saving accounts is 45%, then for every 100-basis point rise in the Fed Funds rate, savings account rates are assumed (predicted) to rise 45 basis points.  Relatively few of our clients have different betas for down versus up rate movements.  Nineteen FIs assume a time lag in administered rate changes; most of these lags are 15 days and only three exceed 30 days.

Average Life:  Non-maturity deposits (NMDs) have no contractual maturity and therefore form a more stable, longer-term funding source.  In order to get a meaningful estimate of EVE, NMDs must be assigned an assumed (predicted) average life by account type.

Parallel vs. Non-Parallel Rate Shocks:  The standard rate shock set-up assumes the yield curve shifts in parallel fashion over the entire maturity spectrum.  However, many institutions also run simulations based on flatteners, steepeners and other non-parallel shocks.  These can be helpful for assessing specific balance sheet vulnerabilities.  But we advise against basing IRR limits on non-parallel shocks because shock specifications are very difficult to define for assessing limit compliance.

Static vs. Dynamic Balance Sheet:  For NII simulations, the balance sheet can either be static (constant), with like replacement of run-off assets and liabilities, or it can incorporate change, both growth and shrinkage (e.g., based on budgeted balances).  The 2010 Interagency Guidance specified that a static balance sheet be used, though simulations could also be run off a dynamic balance sheet as well.  

2017 – 2019 DATABASE ANALYSIS

There are no significant changes from the 2016 – 18 report to this 2017 – 19 report.  It presents results across the entire database of 80 IRR audit clients.  We would be happy to recalculate any of the results for subsets of institutions based on asset size, primary regulator, and/or model vendor; please contact our CEO Jeremy Taylor at 562-802-3581. 

See the final section below for the key identifiers.  Note, too, that we have presented only average (mean) figures in the tables below.  We also computed medians, but these were very close to the corresponding averages and have therefore not been presented separately here.

NII-at-risk (one-year) simulation limits

NII Shocks (bps)-200-100+100+200+300+400
Average Limit-14.3%-8.6%-8.4%-14.2%-20.3%-25.8%

EVE-at-risk simulation limits

EVE Shocks (bps)-200-100+100+200+300+400
Average Limit-18.3%-11.0%-11.4%-19.0%-26.6%-33.2%

Beta assumptions

Account TypeNOWMMASavingsCD
Average Beta (%)26.9%46.4%31.3%79.2%

Average life (AL) assumptions

Account TypeDDANOWMMASavings
Average AL (Months)62665259

Interest rate shocks (for NII limits) – number of FIs

InstantRamp
782

Note:  If asset and liability repricing is evenly spaced during the year (i.e., a ramped shock), then it has roughly half the impact on NII as an instantaneous shock at beginning of the year.  This means that institutions running ramped shocks would be expected to have NII risk limits at roughly half the limits for instantaneous shocks. 

DATABASE MIX SUMMARY

Database mix by asset size (all dollar figures in millions)

CountMaxMedianMin
80$11,400$322$24

Database mix by primary regulator (all dollar figures in millions)

80MAXMedianMin 
57$11,400$327$71FDIC
13$1,069$264$24OCC
7$834$322$194FRB
2nananaNCUA
1nananaFISCU

Database mix by primary regulator (all dollar figures in millions)

80MAXMedianMin 
14$723$308$68ALX Consulting
4$270$234$128Baker Group IRR Monitor
8$11,400$691$264Darling Consulting BASIS
4$834$251$172FIMAC Risk Analytics
9$2,133$321$174Fiserv Sendero
4$858$59$24Plansmith Bankers GPS
7$1,266$434$71Plansmith Compass
9$1,316$241$113Jack Henry Associates ProfitStar
12$4,786$426$140ZMDesk / ZMOnline
9$5,960$449$112Other Systems (8)

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, a broad range of Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust/Wealth Management, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for Asset/Liability Management (ALM) or IRR Audits, please contact David Kellerman, ALM Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Advisory: Liquidity Risk Management Analysis 2020

AuditOne Advisory

From Bud Genovese, Chairman

This Advisory presents data that we have compiled to help in your institution’s Liquidity Risk Management (LRM) process. AuditOne performs many remote-based LRM audits every year at institutions in the Western US and around the nation. One of our ALM audit specialists, Kruskal Hewitt, has developed the following presentation of liquidity metrics and limits from a range of financial institutions. Mr. Hewitt has been a risk manager, portfolio manager and trader at international and regional banks. I hope you find this information useful, and please share with your colleagues having responsibilities related to Liquidity Risk Management and Liquidity Policy. Thank you, — Bud

AUDITONE LLC’S ANALYSIS OF LIQUIDITY LIMITS 2017 – 2019

AuditOne LLC is a leading provider of outsourced internal audits for community banks and other small/midsized financial institutions (FIs), predominantly in the western US.  Please refer to our website (www.auditonellc.com) for further information. Asset/Liability Management (ALM) is among AuditOne’s practice areas, and within that we perform many audits of Liquidity Risk Management (LRM) every year. US FIs are expected to have regular internal audits of their monitoring and control of LRM, which requires a variety of tools. 

AuditOne has compiled (anonymously) data from 70 of our LRM clients on liquidity limits.  These are institutions where we have used data from the most recent AuditOne LRM audit, no further back than 2017.  AuditOne believes this database is relevant to AuditOne clients because it covers a relatively narrow range of asset size, geography and business lines.  AuditOne updates this analysis annually.

WHICH LIMITS?

Regulators have not created rules or detailed guidance on how liquidity risk should be modeled, measured or limited, as there are with interest rate risk.  Nor are liquidity risks similar from one FI to another, as in investments risk (where all FIs invest in a relatively narrow range of financial instruments).  As a result, there is a broad proliferation of metrics (and limits), differing widely across institutions.  As shows below, there are only two measures that are used by more than half of our clients and only seven that are used by more than 30%.  As a result, our analysis of FI liquidity risk limits is inconclusive; rather, those limits are customized to each FI’s individual needs.

AuditOne has analyzed the limits on liquidity and funding sources of 70 regulated FIs over the period 2017 through 2019.  In this group there is one FI with only two liquidity policy limit measures, and two with as many as 18 measures; the average is nine.  There is no correlation between balance sheet size and the number of policy measurements; the second smallest balance sheet ($70 million) has 14 policy measures and the largest ($11 billion) only two limits.  The 70 FIs have in total 109 different measures of liquidity.  Of these, 71 are used by only one or two FIs.  However, 58 out of 70 FIs have at least one of the two most prevalent limits:

  • Net Non-Core Funding Dependence, used by 51 (73%) of the 70 clients
  • Loans / Deposits, used by 37 (51%)

Brokered deposits are also a common limit variable; 45 (64%) of the institutions covered have a limit on brokered deposits expressed as a percentage of either total deposits or total assets.  

Overall, we believe that our clients are satisfactorily monitoring their liquidity positions, and that the common points of liquidity risk exposure across institutions generally get appropriate attention.  We do not suggest an “ideal” set of liquidity measures.

Please note:  The difference between “less than” and “less than or equal to” (or “greater than” and “greater than or equal to,”), is minimal (in ratio terms).  In the following presentation we have made no distinction between the two.  For ease of notation, only “less than” (<) and “greater than” (>) are used.

DEFINITIONS

Brokered Deposits / Total Deposits:  In the numerator, all brokered deposits (per regulatory definition) and all deposits > $250,000 (unless the institution has designated specific large depositors as core).

FHLB Advances / Total Assets:  In the numerator, all collateralized borrowings from the FHLB.

Liquid Assets / Total Assets:  In the numerator, all assets that mature within one year plus all Available for Sale securities (all maturities).

Liquid Assets / Total Deposits:  Ditto.

Net Non-Core Funding Dependence:  Calculated as noncore liabilities less short-term investments divided by long term assets.  Noncore liabilities are total time deposits > $250,000 plus other borrowed money plus foreign office deposits plus securities sold under agreements to repurchase plus Federal Funds purchased plus insured brokered deposits.  Long term assets are net loans and leases, plus all securities less debt securities with a remaining maturity of one year or less, plus other real estate owned (non-investment).

Wholesale Funding / Assets:  The numerator is brokered deposits (including CDARS) plus listing service deposits plus security repurchase agreements plus net Fed Funds purchased.

2017 – 2019 DATABASE ANALYSIS

This analysis presents results across our entire database of 70 LRM audit clients.  We would be happy to recalculate any of the results for subsets of institutions based on asset size, primary regulator, and/or a specific limit that is not listed below; please contact our CEO Jeremy Taylor at 562-802-3581.

Note that “< %” implies a limit expressed as a maximum (i.e., the highest that ratio can go), and vice versa.  This is in contrast, in the tables below, with “Maximum” which indicates the highest limit amount across the database and “Minimum”, the lowest limit amount, whether the limit itself represents the highest or lowest the ratio in question, allowed.

Net Non-Core Funding Dependence: <%

ClientsAverageMedianMinimumMaximum
5126%25%7%60%

Loans / Deposits: <%

ClientsAverageMedianMinimumMaximum
37103%100%75%135%

On Balance Sheet Liquidity / Deposits: >%

ClientsAverageMedianMinimumMaximum
3115%15%7%40%

On Balance Sheet Liquidity / Assets:  >%

ClientsAverageMedianMinimumMaximum
3112%10%3%20%

Brokered Deposits / Total Deposits:  <%

ClientsAverageMedianMinimumMaximum
3016%13%5%75%

FHLB Advances / Assets: <%

ClientsAverageMedianMinimumMaximum
2624%25%10%40%

Wholesale Funding / Assets: <%

ClientsAverageMedianMinimumMaximum
2230%30%10%50%

DATABASE MIX SUMMARY

Database mix by asset size (all dollar figures in millions):

ClientsAverageMedianMinimumMaximum
70$1,018$371$24$11,400

Database mix by primary regulator (all dollar figures in millions):

ClientsAverageMedianMinimumMaximumRegulator
51$1,153$378$70$11,400FDIC
9$316$235$24$1,069OCC
8$721$497$209$2,000FRB
1nanananaFISCU
1nanananaNACU

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, a broad range of Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust/Wealth Management, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for Liquidity Risk or other Asset/Liability Management Audits, please contact David Kellerman, ALM Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Compliance Advisory: Q4 2019 / Q1 2020

AuditOne Advisory

From Bud Genovese, Chairman

In this issue, we cover significant changes in the compliance arena, to include the OCC’s rescission of over 200 outdated rules; updated Agency exam manuals; regulatory guidance and FAQs associated with the new retirement-related SECURE Act, TILA/RESPA Integrated Disclosure (TRID) Rule, Community Reinvestment Act (CRA) and Home Mortgage Disclosure Act (HMDA); and the status of efforts to modernize regulations such as Advertising & Signage requirements, the Remittance Transfer Rule, CRA and the Fair Debt Collection Practices Act (FDCPA).  We also offer practical insights on how financial institutions can maintain an effective compliance framework while incorporating recent regulatory incentives to support the flow of credit as a result of the Coronavirus pandemic (COVID-19).  

Note: As a result of the significant increase in regulatory issuances with near to immediate impact as a result of COVID-19, we expanded this 4Q 2019 Compliance Advisory to include key compliance-related updates through March 31, 2020.

This Compliance Advisory has been prepared by Celeste Burton, Compliance Practice Director, AuditOne LLC. We hope you enjoy! – Bud

TIPS FOR MAINTAINING AN EFFECTIVE COMPLIANCE FRAMEWORK IN ANY ENVIRONMENT

In recent weeks, regulatory Agencies have published several communications on initiatives to support the flow of credit to households and businesses during the COVID-19 pandemic. Below, we’ve highlighted the Agency incentives most pertinent to the world of Compliance followed by some practical insights on maintaining a sound compliance framework, whether times are stable or, like now, disrupted.

AGENCY INCENTIVES TO ENCOURAGE THE FLOW OF CREDIT:

INTERAGENCY STATEMENT ON LOAN MODIFICATIONS
The FDIC, FRB, OCC, NCUA and CFPB issued an Interagency Statement on Loan Modifications and Reporting by Financial Institutions Working with Customers Affected by the COVID-19 to encourage financial institutions to work constructively with borrowers impacted by COVID-19 and provide additional information regarding loan modifications. Highlights:

  • Encourages financial institutions to work constructively with borrowers affected by COVID-19;
  • Will not criticize institutions for prudent loan modifications and will not direct supervised institutions to automatically categorize COVID-19-related loan modifications as troubled debt restructurings (TDRs);
  • Confirmed with the Financial Accounting Standards Board (FASB) that short-term modifications made on a good faith basis in response to COVID-19 to borrowers who were current prior to any relief are not TDRs;
  • Modification efforts described in the interagency statement for one-to-four family residential mortgages where loans are prudently underwritten and not past due or carried in nonaccrual status do not result in loans being considered restructured or modified for the purpose of respective risk-based capital rules; and
  • Views prudent loan modification programs in response to COVID-19 as positive actions that can effectively manage or mitigate adverse impacts on borrowers due to COVID-19, leading to improved loan performance and reduced credit risk.

The Interagency Statement also provides supervisory views on regulatory reporting of past due and nonaccrual status for loan modification programs whereby past due status should be based on the modified due date.  Additionally, it reminds institutions that loans that have been restructured will continue to be eligible as collateral at the FRB’s discount window based on the usual criteria.  This applies to financial institutions with assets under $1 billion.  A link to the statement follows: https://www.fdic.gov/news/news/press/2020/pr20038a.pdf

LETTER FROM THE NATIONAL CREDIT UNION ADMINISTRATION (NCUA) 
The NCUA recently issued a Letter that seeks to encourage credit unions to provide additional financial assistance to borrowers impacted by COVID-19…“The NCUA encourages credit unions to work with affected borrowers”…noting that  examiners “will not criticize a credit union’s efforts to provide prudent relief for members when such efforts are conducted in a reasonable manner with proper controls and management oversight.”  Among the suggested accommodations:

  • Waive overdraft, late and ATM fees;
  • Waive early withdrawal penalties on time deposits;
  • Ease credit terms and restrictions on check cashing;
  • Increase credit card limits;
  • Increase ATM daily cash withdrawal limits;
  • Ease restrictions on cashing out-of-state and non-member checks;
  • Offer payment accommodations, such as allowing borrowers to defer or skip some payments or extend the payment due dates, which would avoid delinquencies and negative credit bureau reporting caused by any COVID-19-related disruptions.

A link follows: https://www.ncua.gov/files/letters-credit-unions/20-cu-02-ncua-actions-related-covid-19.pdf

HUD, FHFA, CFPB SUPENSION OF FORECLOSURES & EVICTIONS 
Several announcements were made regarding this initiative:

  • The U.S. Department of Housing and Urban Development (HUD) and the Federal Housing Finance Agency (FHFA) temporarily suspended all foreclosures and evictions “in response to the economic shock renters and homeowners are experiencing due to the outbreak of COVID-19.”
  • The CFPB announced a moratorium on foreclosures and evictions of borrowers with federally backed mortgage loans, noting that it is a “timely and an important step in providing assurance to consumers amid ongoing concerns about the spread of the COVID-19”
  • The FHFA announced it had directed government-sponsored enterprises (GSEs) Fannie Mae and Freddie Mac to suspend foreclosures and evictions for at least 60 days due to the COVID-19 national emergency. The foreclosure and eviction suspension applies to homeowners with a GSE-backed single-family mortgage.
  • President Trump announced a suspension through April of foreclosures and evictions related to mortgages insured by the Federal Housing Administration.  The White House later put out a statement clarifying that the policy will extend at least 60 days.

PRIMARY DEALER CREDIT FACILITY 
To support the credit needs of American households and businesses, the FRB announced that it will establish a Primary Dealer Credit Facility (PDCF) that will offer overnight and term funding with maturities up to 90 days (available as of March 20, 2020).  It will be in place for at least six months and may be extended as conditions warrant.  Credit extended to primary dealers under this facility may be collateralized by a broad range of investment grade debt securities, including commercial paper, municipal bonds and a broad range of equity securities.  The interest rate charged will be the primary credit rate, or discount rate, at the Federal Reserve Bank of New York.  An explanatory link follows: https://www.investopedia.com/terms/p/primary-dealer-credit-facility-pdcf.asp

MONEY MARKET MUTUAL FUND LIQUIDITY FACILITY  (MMLF) 
The FRB launched the MMLF to enhance the liquidity and functioning of money markets and to support the economy.  The interim final rule modifies the Agencies’ capital rules so that financial institutions receive credit for the low risk of their MMLF activities, reflecting the fact that institutions would be taking no credit or market risk in association with such activities.  An explanatory link follows: https://www.investopedia.com/money-market-mutual-fund-liquidity-facility-4800304

AGENCY STATEMENTS ON CREDIT LOSS ACCOUNTING STANDARDS AND COUNTERPARTY CREDIT RISK DERIVATIVES
On March 27, 2020, the FRB, OCC and FDIC announced two actions to support the U.S. economy and allow banking organizations to continue lending to households and businesses:

TOTAL LOSS ABSORBING CAPACITY
The FRB announced a technical change and interim final rule that will phase in gradually the automatic restrictions associated with a firm’s “total loss absorbing capacity,” or TLAC, buffer requirements, if TLAC levels decline. TLAC is an additional cushion of capital and long-term debt that could be used to recapitalize a bank if it is in distress.   A link follows:  https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20200323a1.pdf

PRACTICAL INSIGHTS

While regulatory Agencies have consistently provided financial institutions assurance that they will not criticize activities designed to ensure the flow of credit to households  “when they are  conducted in a reasonable manner with proper controls and management oversight”, the expectation that consumers not be harmed remains a regulator concern – as demonstrated by a very recent suit by the CFPB against multiple institutions and individuals over FCRA, UDAAP and TSR (detailed later in this edition).

There is a saying that the Old is Forever New, which also rings true when it comes to the basics of maintaining an effective compliance framework.  So, we wanted to leave you with some basic principles that can be applied to ensure a sound Compliance environment at any time.  We hope you find the following key components of an effective Compliance Management System useful.

  • Fully document “end-to-end” compliance processes in the form of policies and procedures.
  • Update the Compliance Risk Assessment as significant changes to products, services and underlying processes occur.
  • Identify and document exception criteria (e.g., to established credit/income qualifications, fees, rates, terms, etc.).  Ensure exception criteria are consistently applied (e.g., if ATM fees are waived in location A, the same practice is applied in location B).  And if the relative risk warrants that different practices be applied, ensure that the justification is documented and that a supervisor/manager provides documented concurrence.  Where uncertainties exist, documented legal opinion is recommended.
  • Train employees on the documented processes, including any exception criteria.
  • Establish a means to monitor and enforce compliance with documented policies and procedures.  Ensure any exceptions noted are reviewed for the root cause, that consumers are all made whole individually, and that any trends are examined.
  • Identify consequences of non-compliance, including impact on performance evaluations and incentive compensation.
  • Ensure that senior management and the Board are provided periodic Compliance updates.

SECURE ACT SIGNED INTO LAW

The Setting Every Community Up for Retirement Enhancement (SECURE) Act, signed into law and effective January 1, 2020, changes certain retirement rules that are worthy of mention.  Key provisions:

  • Eliminates maximum cap for contributions to traditional individual retirement accounts
  • Allows employers to offer annuities as investment options in 401(k) plans
  • Increases required minimum distribution age to 72 (formerly 70.5) and eliminates the maximum age for IRA contributions (formerly capped at 70.5)
  • Provides small business tax incentives to set up automatic enrollment in retirement plans – and opens the door for institutions to work with a broader range of companies to offer employee retirement accounts
  • Eliminates rule that lets account beneficiaries stretch distributions across their lifetime; the entire balance must be distributed by the 10th year

Details: https://money.com/what-serure-act-retirement-law-means-for-you/

CRA MODERNIZATION

Efforts continue to rewrite rules implementing the Community Reinvestment Act (CRA) with a desire to expand qualifying activities and credit associated with activities that benefit communities outside of bank branch networks.  The comment period on proposed amendments has been extended to April 8, 2020.  A link follows:

https://www.federalregister.gov/documents/2020/02/26/2020-03766/community-reinvestment-act-regulations-extension-of-comment-period?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

ASSET THRESHOLDS:  Effective January 1, 2020, the OCC, FRB and FDIC amended their CRA regulations to adjust the asset-size thresholds.  Up to $326 million is now considered a Small Institution; from $326 million up to $1.305 billion is now Intermediate Small; and greater than $1.305 billion is now Large.

FRB ANALYTICS DATA TABLES:  The FRB recently announced the publication of Analytics Data Tables combining HMDA, CRA small business, small farm loan and manually extracted data from CRA Performance Evaluations.  This is intended to provide insight into the historical relationship between bank lending activity and regulatory assessments.  Bank attributes, deposit data, branching, demographics, and other third-party vendor data supplement the tables – a step forward in helping financial institutions prepare for CRA exams.  Links to the new CRA Analytics Data Tables as well as the User Guide and Data Dictionary follow:

OTHER COMPLIANCE NEWS, DEVELOPMENTS and ENFORCEMENT

OCC Rescinds 205 Outdated Rules and Makes Technical Amendments to Other Real Estate Owned (OREO)

FDIC Updates Risk Management Exam Module, Issues New Technology Guide

  • “In its continuing effort to encourage technological innovation in the banking sector, the FDIC’s technology lab (FDiTech) released a new guide to help financial technology companies and others partner with banks.  Conducting Business with Banks: A Guide for Third Parties is designed to help third parties understand the environment in which banks operate and navigate the requirements unique to banking. The Guide is an initial effort to address concerns that Chairman McWilliams has heard from banks and technology companies across the country related to challenges associated with on-boarding at institutions. FDiTech is working to develop additional tools and resources to increase opportunities for partnerships and eliminate unnecessary burdens and costs associated with third party risk management. In the meantime, Conducting Business with Banks should serve as a helpful guide to both banks and third parties.”  A link follows:  https://www.fdic.gov/fditech/guide.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery
  • The FDIC Risk Management examination module is now updated with a new appendix focusing on exam processes and tools.  A link follows: https://www.fdic.gov/news/news/financial/2019/fil19084.pdf

CFPB Publishes Several New Guides and FAQ’s

  • On February 1st, the CFPB announced plans to establish a new category of materials that are similar to previous compliance resources but will now be designated as “Compliance Aids.”  Of particular importance is that the CFPB asserted that – when exercising its enforcement and supervisory discretion – it does not intend to sanction, or ask a court to sanction, entities that reasonably rely on these Compliance Aids.  So, although regulated entities are not required to comply with the Compliance Aids themselves (they are required only to comply with the underlying rules and statutes), the Aids may provide a window into how the CFPB is likely to assess compliance with the requirements referenced within.  A link follows: https://www.govinfo.gov/content/pkg/FR-2020-01-27/pdf/2020-00648.pdf
  • The CFPB published two Guides that provide guidance and examples for commonly asked questions pertaining to these areas – one on disclosing construction and construction-permanent loans with a separate Loan Estimate and Closing Disclosure for each phase of the transaction, and one on disclosing a combined Loan Estimate and a combined Closing Disclosure for both phases of a construction-permanent transaction.  A link follows: https://www.consumerfinance.gov/policy-compliance/guidance/tila-respa-disclosure-rule/
  • The CFPB updated its 2013 Bulletin on Responsible Business Conduct.  The crux of the guidance focuses on building a culture of compliance internally and with service providers, in order to minimize the likelihood of violations of laws and regulations, for the overarching purpose of preventing harm to consumers.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_bulletin-2020-01_responsible-business-conduct.pdf
  • New TRID FAQs  have been issued covering Loan Estimates, Closing Disclosures, Model Forms and Lender Credits, among other areas.  A link follows: https://www.consumerfinance.gov/policy-compliance/guidance/tila-respa-disclosure-rule/tila-respa-integrated-disclosure-faqs/
  • The CFPB issued new HMDA FAQs.  Topics covered include Universal Loan Identifier & Legal Entity Identifier; Ethnicity, Race, and Sex; Discount Points; and Construction and Construction/Permanent Transactions.  A link to the most recent version, updated March 6, 2020, follows: https://files.consumerfinance.gov/f/documents/cfpb_HMDA_frequently-asked-questions.pdf
  • The 2020 edition of the “Guide to HMDA Reporting:  Getting It Right!” is now available at https://www.ffiec.gov/hmda/pdf/2020guide.pdf.  It reflects updates to incorporate content from the HMDA Rule issued by the CFPB in October 2019. 

Comment Period Extended for Modernizing Signage and Advertising Requirements & Fair Debt Collection Practices Act (FDCPA)

The FDIC announced that it is extending to April 20, 2020, the public comment period for its Request for Information (RFI) on potentially modernizing FDIC sign and advertising requirements (12 C.F.R. Part 328) to reflect how banks take deposits through various evolving channels. The RFI was published in the Federal Register on February 26, 2020, with a comment period originally set to close on March 19, 2020.  A link follows: https://www.fdic.gov/news/news/financial/2020/fil20015.html?source=govdelivery&utm_medium=email&utm_source=govdelivery

The CFPB announced that it is extending the comment period for the Supplemental Debt Collection Proposal on Time-Barred Debt, until June 5, 2020.  A link follows: https://files.consumerfinance.gov/f/documents/cfpb_debt-collection-supplemental-nprm_comment-extension-notice.pdf

Civil Money Penalty (CMP) Maximums Increased

Effective January 15, 2010, the CFPB, FDIC, FRB and NCUA CMP maximum penalties increased.  The highest CMP that may be charged by any one agency is just under $2.05 million – up from $2.01 million in 2019.  The increased amounts will apply to penalties applied toward misconduct occurring on or after Nov. 5, 2015.

Truth In Lending Exemption Threshold Change

Effective January 1, 2020, creditors with assets of less than $2.202 billion (including assets of certain affiliates) as of December 31, 2019, are exempt from the requirement to establish escrow accounts for higher priced loans,  if other requirements of Regulation Z are being met.  A link follows: https://www.federalregister.gov/documents/2019/12/23/2019-27523/truth-in-lending-act-regulation-z-adjustment-to-asset-size-exemption-threshold?utm_campaign=subscription+mailing+list&utm_source=federalregister.gov&utm_medium=email

FinCEN Issues Advisory on the FATF-Identified Jurisdictions with AML/CFT Deficiencies

FinCEN issued an advisory to financial institutions regarding the Financial Action Task Force’s (FATF) updated list of jurisdictions with strategic anti-money laundering and combating the financing of terrorism (AML/CFT) deficiencies.  These changes may affect U.S. financial institutions’ obligations and risk-based approaches regarding relevant jurisdictions.  The advisory also reminds financial institutions of the status and obligations involving these jurisdictions.  A link follows: https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2020-a001

FTC Issues Annual Letter on FDCPA Activities

The FTC shares enforcement responsibility for the Fair Debt Collection Practices Act (FDCPA) with the CFPB, which provides an annual report to Congress about debt collection practices.  The FTC prepared and provided to the CFPB the annual report for 2019.  The report concludes that during 2019, the FDIC:

  • Filed or resolved law enforcement actions against 25 defendants and obtained more than $24.7 million in judgments;
  • Banned 23 companies and individuals who engaged in serious and repeated violations of law from ever working in debt collection again;
  • Announced the return of $516,000 to 3,977 consumers who lost money to an unlawful debt collection operation previously stopped by the FTC;
  • Deployed educational materials to inform consumers about their rights and to educate debt collectors about their responsibilities under the FDCPA and FTC Act;
  • Supplied more than 27,500 copies of a fotonovela (graphic novel) on debt collection, developed for Spanish speakers, to raise awareness about scams targeting the Latino community;
  • Organized and cosponsored Common Ground conferences, bringing together law enforcement personnel, consumer advocates and community members to discuss consumer protection issues, including debt collection; and
  • Hosted public forums on small business financing and credit reporting, which raised debt collection policy issues.

A link follows: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-enforcement-fair-debt-collection-practices-act-calendar-2019-report-bureau/ftc_annual_report_re_fdcpa.pdf

Top Frauds of 2019

During 2019, the FTC received over 1.7 million fraud reports and returned slightly over $230 million to consumers.  Imposter, Social Security, and phone scams are the most common fraud types noted.  Informational links follow: https://www.consumer.ftc.gov/features/feature-0037-imposter-scams; https://www.consumer.ftc.gov/articles/paying-scammers-gift-cards

Grace Periods

Regulatory agencies have extended grace periods for standard reporting, to include Call Reports and the HMDA LAR due March 1st of every year. Check with your local examiner for requirements specific to your jurisdiction.

CFPB Sues over Fair Credit Reporting, UDAAP and Telemarketing Sales Rule

The CFPB recently filed suit against multiple firms and individuals allegedly involved in violations of the Fair Credit Reporting Act. Charges included illegally obtaining consumer reports, unlawful advance fees, and deceptive conduct. A link follows: https://files.consumerfinance.gov/f/documents/cfpb_chou-team-realty-monster-loans_complaint_2020-01.pdf.

Membership of CFPB Task Force on Federal Consumer Financial Law Announced

This Task Force was established to  conduct a thorough examination of our current regulatory framework and report on how we can improve federal consumer financial laws to benefit and protect consumers,” said Director Kathleen L. Kraninger. Taskforce members are:

  • J. Howard Beales, III, former Professor of Strategic Management and Public Policy at the George Washington University and former Director of the Bureau of Consumer Protection at the Federal Trade Commission;
  • Thomas Durkin, Senior Economist (Retired) at the Federal Reserve Board;
  • Jean Noonan, Partner at Hudson Cook, former General Counsel at the Farm Credit Administration, and former Associate Director of the Bureau of Consumer Protection’s Credit Practice at the Federal Trade Commission; and
  • Todd J. Zywicki, Professor of Law at George Mason University (GMU) Antonin Scalia Law School, Senior Fellow of the Cato Institute, and former Executive Director of the GMU Law and Economics Center.

The CFPB announced the designation of Todd Zywicki to serve as the Chair of the Taskforce.

Note:  For additional insights on the COVID-19 pandemic response, please see AuditOne’s Pandemic Advisory issued March 24, 2020.


AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for a Compliance audit, please contact Celeste Burton, Compliance Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at: Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.

Categories
News

AuditOne Advisory: COVID-19

AuditOne Advisory

From Bud Genovese, Chairman

This Pandemic Advisory was prepared by Kevin Tsuei, Technology Practice Director, AuditOne LLC. I hope you find this article useful as we all chart a course through these troubled waters, and also please share with your colleagues having responsibilities related to pandemic response. Thank you!—Bud

COVID-19: Communication tips for a time of crisis

COVID-19 is moving fast, and so are the regulators; the FDIC is releasing guidance almost on a daily basis, including this past weekend. If you have not visited their dedicated COVID-19 webpage, it is a good centralized source for both institutions and depositors. I’m sure that you have received many e-mails on COVID-19 responses already, but I thought you might find something focused on crisis communication tips, going beyond what the regulators have put forward, helpful during these turbulent times.

Communicating with employees

Per FDIC’s FIL-14-2020 (published March 6), the regulators advised institutions to promote employee awareness, specifically, “Communicating the risks of a pandemic outbreak and discussing the steps employees can take to reduce the likelihood of contracting an illness.” However, the guidance does not provide the communication cycles or other helpful content to share. As part of executing AuditOne’s own Pandemic Response Plan, I have used several resources, including articles from Harvard Business Review (HBR).

In the HBR articles, Lead Your Business Through the Coronavirus Crisis and How to Reassure Your Team When the News Is Scary, the authors advise on frequent COVID-19 intelligence. The authors mention that in their own organization, they were communicating every 72 hours, but they have since switched to daily at the time of publication. The frequent communication provides employees confidence that the organization is actively following the issue.

As for the contents, you have probably sent updated summaries with facts and implications. At AuditOne, we have mostly cited resources from the CDC website. If your branches are in a certain geographic area, the local county or state website is often a better resource since COVID-19 is an epidemic affecting some local geographic areas more severely than others. The CDC has acknowledged in their Situation Summary dated March 21, 2020 that some communities are still in the initiation phase of CDC’s Pandemic Interval while others are in the acceleration phase.

In times of crisis such as this, infographics can often help convey important public health information more than words. Throughout our own internal communication with employees, I try to use infographics from CDC https://www.cdc.gov/coronavirus/2019-ncov/communication/graphics.html. However, World Health Organization (WHO) or our local public health websites are good sources too:  

If you have an internal website (such as Sharepoint), the authors also advise creating a living page dedicated to COVID-19 in addition to your e-mail communication. It allows employees to find updates as well as the institution’s action plans in one place.

Communicating with customers

The FDIC’s FAQs for Financial Institutions Affected by the Coronavirus (published March 18) specifically mentions to “[r]emind customers ways they can access services without physically coming to a facility, such as online/mobile banking, ATM, telephone banking. Provide information about how to use electronic payments: bill pay, and mobile remote deposit capture services.”

In addition, the regulators also recommend, “[f]inancial institutions may want to remind customers about the safety of their money in your FDIC-insured institution and discuss deposit insurance coverage.” In fact, I observed on the FDIC COVID-19 dedicated webpage that they have added a banner since last week, to give assurance to all depositors:

This image has an empty alt attribute; its file name is PandemicAdvisoryFDICHeading.png

Times like this will draw customers and perhaps non-customers too, to your website, seeking information and assurances. That makes it a good opportunity to revisit the relevance as well as the effectiveness of your site, now that it’s become the only point of contact for many of your constituents.

Similar to having a dedicated intranet page conveying COVID-19 related communication for employees, it might be a good idea to have a dedicated COVID-19 page for your customers too, reinforcing the points above and expanding on any additional resources you can provide on these alternative servicing options.

In-person interaction with customers

It is the American social norm to shake hands. However, given what we understand about COVID-19 today, any physical contact is discouraged as it violates social distancing. This might be easier said than done, especially when community banking is all about building relationships.

In the HBR article, How to Avoid Shaking Hands, by Amy Gallo, she discussed that we can advise an employee to decide ahead of time what they are comfortable with. She stated that, “having a plan will give you confidence and potentially make it less awkward.” After your employee establishes a plan, one of the best ways to defuse any discomfort is to use humor. She gave an example of how she “got used to keeping my hand in my pocket and saying, with a smile on [her] face, [saying] ‘I guess we’re not supposed to shake hands now.’”

In the same article, Ms.Gallo referenced another author, Andy Molinsky, who suggests another cue, “saying hello at a slightly farther distance and giving a quick wave before returning [your] hand to [your] pocket.” Again, it really depends on what your employee is comfortable with.  

AuditOne’s COVID-19 action plans

In closing, I hope you find these communication tips helpful for your institution. In the last few weeks, many clients have contacted us about our Pandemic Plan. Like many organizations, we are enforcing social distancing by performing audits remotely. We are fortunate that many of our audits can be performed offsite, due to our clients increasingly requesting such arrangements over many years in order to save on travel expenses. We are utilizing both Microsoft’s and Box Enterprise’s collaborative and communication tools to help provide secure remote audit services while keeping everyone safe. We have highlighted our remote audit capabilities using the infographic below:

This image has an empty alt attribute; its file name is PandemicAdvisoryAuditOneTools.png

In addition, we understand how strain human resources can be during these difficult times. At AuditOne, we have always believed in a collaborative approach, we are not here to check boxes and create audit reports, but we are here to help you. Whether this is conducting an audit around your availability or answer any questions you might have during these turbulent times, we are always here to help. I have included a quick list of contacts below for your convenience:

Sales and Marketing: Jeremy Taylor, CEO | Contact Us
Client Support Services: Angela Canda and Myra Woods | Contact Us

You may also reach out to our individual Practice Director using our website.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for an ADA Website Compliance Review, IT/Information Security/Cybersecurity audit, or Network Penetration Tests please contact Kevin Tsuei, Technology Practice Director, AuditOne LLC, at: Contact US

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com

Categories
News

Advisory January 2020

AuditOne Advisory

From Bud Genovese, Chairman

This advisory contains our first BSA Bulletin.  Our intention is to publish the Bulletin on a semiannual basis so as to provide BSA professionals with a timely resource for changes in the BSA/AML environment.  Our BSA Practice Director, Kevin K. Watson, will summarize recent regulatory communications and also share our insights obtained by extensive and ongoing experience providing BSA audit and AML system validation services to a sizable client base of financial institutions.  I hope you find this article useful – please share with your colleagues having responsibilities related to BSA/ AML compliance in this area, thank you, – Bud

BSA BULLETIN – JANUARY 2020

This document summarizes recent regulatory communications pertaining to The Bank Secrecy Act and other Anti-Money Laundering laws, regulations and guidelines.  The types of entities that are generally covered by those communications are presented in italics where applicable.  We also present our observations of recent trends in the industry based on our experience reading examination reports and enforcement orders, discussions with clients and industry professionals and keeping tabs on industry publications and media events.

Regulatory Communications

  • Kenneth Blanco, FinCEN Director, Presentation at the American Bankers Association/ American Bar Association Conference on Financial Crimes Enforcement, December 2019
  • Emphasis was placed on the increasing trend of SAR filings associated with convertible virtual currency (CVC).  FIN-2019-A003 addresses those in significant detail.  Some of the more prominent are as follows.
  • Virtual currency exchanges identifying potential unregistered, foreign located MSBs, particularly Venezuela based peer to peer exchangers.
  • Customers conducting transactions with CVC addresses linked to darknet marketplaces.
  • CVC kiosk operators have reported activity indicative of scam victims, particularly with new customers having limited knowledge of CVC, such as the elderly.
  • FFIEC, 12/3/19, Providing Financial Services to Customers Engaged in Hemp-Related Businesses.  (banks, credit unions and U.S. offices of foreign banks)
  • FinCEN, 11/8/19, Reissuance of Real Estate Geographic Targeting Orders for 12 Metropolitan Areas (title companies)
  • Joint Statement – CFTC, FinCEN, SEC, 10/11/19, Joint Statement on Activities Involving Digital Assets (banks, credit unions, U.S. offices of foreign banks, MSBs, broker/dealers, mutual funds)
  • 31 CFR Part 1010, 11/4/19, Imposition of Fifth Special Measure Against the Islamic Republic of Iran as a Jurisdiction of Primary Money Laundering Concern (all U.S. businesses and individuals)
  • Conference of State Bank Supervisors, 9/16/19 – CSBS Cannabis Job Aid (state chartered financial institutions)
  • FIN-2019-A006, 8/21/19 – Advisory to FIs on Illicit Financial Schemes and Methods Related to the Trafficking of Fentanyl and Other Synthetic Opioids (all financial institutions)
  • FIN-2019-A003, 5/9/19 – Advisory on Illicit Activity Involving Convertible Virtual Currency (all FinCEN regulated financial institutions)

Trends

  • We have noticed increased focus by regulatory examiners on independent testing (audit) reports and workpapers over the past few years.  Being one of the five pillars, this emphasis is understandable.  We applaud this effort as it contributes to enhanced quality of audit work and reduces the risk that a financial institution receives an audit that is not consistent with the level of risk.  Some of the major themes are as follows.
  • Enhanced due diligence of high risk customers should be sufficiently documented.  Some areas of examiner concern have been the following.
  • Inadequate coverage of complex customers
  • Lack of comparison of actual to expected activity
  • Lack of global analysis.  Review should be documented at both the account and customer (global) level.

Advice

  • Pay particular attention to regulatory pronouncements and communications as they signal those matters that will be of primary focus during upcoming examinations.  Based on that, we expect FIs to have monitoring procedures in place for suspicious CVC activity.
  • Use the CSBS Cannabis Job Aid as a reference resource for those states where your FI is operating.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our financial institution clients.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these.

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for an Automated AML System Validation or BSA/ Anti-Money Laundering Program audit please contact Kevin K. Watson, BSA Practice Director, AuditOne LLC, at: Contact Us

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com

Categories
News

AuditOne Advisory: Cannabis 2019

AuditOne Advisory

From Bud Genovese, Chairman

This advisory summarizes regulations and guidelines related to banking cannabis related businesses (CRB) and also suggests a means for your institution to comply with FinCEN’s third pillar of an effective BSA Program (independent testing) as it pertains to CRB customers.  Our BSA Practice Director, Kevin K. Watson, will review our audit approach to determine your institution’s compliance.  I hope you find this article useful – please share with your colleagues having responsibilities related to BSA/ AML compliance in this area, thank you, — Bud

According to a recent periodical by the Meredith Corporation, George Washington and Thomas Jefferson were cannabis farmers.  Apparently, the cannabis grown by our two former presidents was only of the hemp variety and cultivated for the purpose of producing cloth as opposed to the marijuana strain that can be smoked or ingested to relieve pain or induce mind altered experiences.  Interestingly, President Jefferson made the business decision to discontinue hemp farming at Monticello in 1815.  His reasoning is said to be based on the cost and benefit as the process to convert hemp to cloth was laborious and also led his enslaved laborers to complain about the hardships.  Cotton, tobacco and other crops were easier to harvest.1

The modern day problem for American society and financial institutions (FI) is how to bring the cannabis related business (CRB) into the federally insured financial services market.  The issue has been that, with cannabis being a Schedule I drug under the Controlled Substances Act, federally regulated institutions could not accept deposits without great risk.  That is despite more than 30 states having legalized cannabis for one or more uses such as for medicinal use, recreational use or for hemp and hemp derived products.  As a result, transactions have been typically conducted in cash or crypto currency outside the banking system.  The social costs of that have been high, with significant money laundering and violent crime associated with doing business in the black market.

Marijuana related businesses (MRB) and hemp related businesses (HRB) pose different concerns for a FI.  Thankfully, with the passage of the Farm Act in December 2018, the low-THC (tetrahydrocannabinol) cannabis variety, commonly known as hemp, is very near to being completely legal.  THC is the chemical ingredient that causes psychoactive effects and cannabis with levels less than .3% are considered to be hemp rather than marijuana.  Although federally legalized by the December 2018 Farm Act, cultivation and interstate sales of hemp are not technically protected unless a) grown under one of the federal pilot programs, b) the USDA has created its own plan, or c) the USDA has a separate plan for the state where the business operates from.  That hasn’t stopped many states from licensing hemp farmers.  Also, the USDA has issued an interim final rule on October 29, 2019. With the legalization of hemp cultivation and sales, processed hemp, known as CBD (Cannabidiol), is also legalized, but not as an ingredient in food or drink even though it has THC levels lower than 0.3%.  CBD products are thought to have therapeutic benefits for a variety of ailments and so are available in a variety of non-food forms such as ointments, capsules and tinctures.

Cannabis related businesses (CRB) represent unique challenges for the AML Pillars of Independent Testing and Customer Due Diligence (CDD).   As an audit firm, our responsibility pertaining to CRB is to independently test whether the FI exercises appropriate due diligence and ongoing monitoring over those customers.  This article presents our approach to that testing.  But first, it is useful to summarize the current regulatory environment.  The important regulations and guidelines are as follows.

  • Controlled Substance Act
  • U.S. Justice Department Cole Memorandum (rescinded, but still referenced by regulators)
  • FIN-2014-G001: “BSA Expectations Regarding Marijuana-Related Businesses,” FinCEN, February 14, 2014.
  • State laws2
  • The Farm Acts of 2014 and 2018

Our audit approach is to determine compliance with the most significant requirements or guidelines within those documents.  To do that we organize our test procedures as follows.

Risk assessment

Verify that the overall AML Risk Assessment considers the following pertaining to cannabis:

  • The FI’s state CRB regulatory setup (extent of legality for medicinal marijuana, recreational marijuana, and hemp or CBD)
  • Specific risks (e.g., not operating under federal regulations; hemp or CBD product inadvertently  > 0.3% THC; co-mingling or front for illegal activity; violation of one of the Cole Memo objectives)
  • Activity levels
  • Mitigating controls such as for policies and procedures, customer due diligence, and monitoring

Policies and procedures

Assess the appropriateness of policies and procedures, especially to the extent the following are addressed:

Customer Due Diligence (CDD)

For a sample of MRB and HRB customers, we verify that basic CDD processes are in place at account opening and are updated on a periodic basis, including customer identification, beneficial owner identification, expected activity documentation and customer risk rating.  There is no universal standard for risk rating cannabis related businesses, though certainly Tier I or II would be high risk in most any circumstance, FIs might want to classify most hemp/CBD and MRB Tier III as high risk so that they can be sure to conduct appropriate Enhanced Due Diligence (EDD) on  those businesses, especially suspicious activity monitoring.

We also verify that Enhanced Due Diligence (EDD) procedures described in the 2014 FinCEN Guidance on MRBs have been completed by the FI.  Those include the following:

  • Verification of appropriate and current license
  • Review of the license application
  • Consideration of information on the business from the applicable state (such as inspection reports)
  • Ongoing monitoring of public information (negative news searches)

Ongoing Monitoring

The FinCEN Guidance also requires risk based ongoing transaction monitoring for suspicious activity.    Assess whether ongoing monitoring is appropriately risk-based.  Many FIs utilize a tier classification system with businesses actually touching marijuana as Tier I and others as Tier II or III.  HRB should be its own classification.  At the very least, we expect all transactions for Tier I companies to be reviewed.  Many FIs also collect supplemental information from MRBs such as daily sales and purchasing registers and inventory reports.  As a consequence, it is typical that a specialized automated system is implemented to monitor Tier I businesses.

Suspicious Activity Reporting

The FinCEN Guidelines have specific instructions for the filing of regular SARs or limited SARs for marijuana businesses.  They do distinguish between marijuana and hemp, so we would expect that limited SARs be filed on hemp businesses, until such time as there is official guidance on how it should be treated for SAR purposes.  Our test procedure is to review a sample of marijuana and hemp businesses and assess whether SARs have been appropriately filed in compliance with the FinCEN Guidelines. 

The independent testing approach described above might alert directors, managers and BSA personnel to the most critical compliance concerns pertaining to offering financial services to CRBs.  In our opinion, cannabis banking presents a unique opportunity for community FIs in this era when deposit relationships are so difficult to develop.  With a robust control program, an associated deposit pricing mechanism and an appropriate independent testing program, the cannabis business just might take your FI to a higher place.

Sources:

  1. “History: Marijuana, Meredith Corporation”, 2019.
  2. “Cannabis Job Aid”, Conference of State Bank Supervisors (CSBS), September 2019.
  3. “Defining Marijuana Related Businesses”, Steven Kemmerling, ACAMS Today, September 20, 2016.

AuditOne LLC – Company Overview

AuditOne LLC is a leading provider of risk management services to financial institutions in the Western US and nationally.  Our sole focus enables us to deliver effective and efficient internal audit and credit review services.  This exclusive focus translates into exceptional benefits to our clients, including regional and community banks, credit unions and other financial institutions.  We have experience with all regulatory authorities and offer a full selection of audit services comprising BSA/ Anti-Money Laundering Program, Automated AML System Validation, Asset/Liability Management (ALM) and IRR Audits, ADA Website Compliance Reviews, IT/Information Security/Cybersecurity, Network Penetration Tests, Credit Review/ALLL, ACH Rules Compliance, Operations, Trust Audits, SOX/FDICIA Testing, and many specialty areas within each of these. 

Our deep expertise is your edge.  For more information on this article, or to receive a proposal for an  Automated AML System Validation or BSA/ Anti-Money Laundering Program audit please contact Kevin K. Watson, BSA Practice Director, AuditOne LLC, at: Contact Us.

For information on how our services can help reduce risk at your institution, contact Jeremy Taylor, CEO, at Contact Us.  Also, for more information about AuditOne LLC and all our audit services see www.AuditOneLLC.com.