CFPB Amends HMDA Rule

By: William J. Showalter, CRCM, CRP; Senior Consultant

The Consumer Financial Protection Bureau (CFPB) issued a final rule making several technical corrections and clarifications to the expanded data collection under Regulation C, which implements the Home Mortgage Disclosure Act (HMDA). The regulation is also being amended to temporarily raise the threshold at which banks are required to report data on home equity lines of credit (HELOC).

These amendments take effect on January 1, 2018, along with compliance for most other provisions of the newly expanded Regulation C.

Since the mid-1970s, HMDA has provided the public and public officials with information about mortgage lending activity within communities by requiring financial institutions to collect, report, and disclose certain data about their mortgage activities. The Dodd-Frank Act amended HMDA, transferring rule-writing authority to the CFPB and expanding the scope of information that must be collected, reported, and disclosed under HMDA, among other changes.

In October 2015, the CFPB issued the 2015 HMDA Final Rule implementing the Dodd-Frank Act amendments to HMDA. The 2015 HMDA Final Rule modified the types of institutions and transactions subject to Regulation C, the types of data that institutions are required to collect, and the processes for reporting and disclosing the required data. In addition, the 2015 HMDA Final Rule established transactional thresholds that determine whether financial institutions are required to collect data on open-end lines of credit or closed-end mortgage loans.

The CFPB has identified a number of areas in which implementation of the 2015 HMDA Final Rule could be facilitated through clarifications, technical corrections, or minor changes. In April 2017, the agency published a notice of proposed rulemaking that would make certain amendments to Regulation C to address those areas. In addition, since issuing the 2015 HMDA Final Rule, the agency has heard concerns that the open-end threshold at 100 transactions is too low. In July 2017,  the CFPB published a proposal to address the threshold for reporting open-end lines of credit. The agency is now publishing final amendments to Regulation C pursuant to the April and July HMDA proposals.

HELOC Threshold
Under the rule as originally written, banks originating more than 100 HELOCs would have been generally required to report under HMDA, but the final rule temporarily raises that threshold to 500 HELOCS for data collection in calendar years 2018 and 2019, allowing the CFPB time to assess whether to make the adjusted threshold permanent.

In addition, the final rule corrects a drafting error by clarifying both the open-end and closed-end thresholds so that only financial institutions that meet the threshold for two years in a row are required to collect data in the following calendar years. With these amendments, financial institutions that originated between 100 and 499 open-end lines of credit in either of the two preceding calendar years will not be required to begin collecting data on their open-end lending (HELOCs) before January 1, 2020.

Technical Amendments and Clarifications
The final rule establishes transition rules for two data points – loan purpose and the unique identifier for the loan originator. The transition rules require, in the case of loan purpose, or permit, in the case of the unique identifier for the loan originator, financial institutions to report “not applicable” for these data points when reporting certain loans that they purchased and that were originated before certain regulatory requirements took effect. The final rule also makes additional amendments to clarify certain key terms, such as “multifamily dwelling,” “temporary financing,” and “automated underwriting system.” It also creates a new reporting exception for certain transactions associated with New York State consolidation, extension, and modification agreements.

In addition, the 2017 HMDA Final Rule facilitates reporting the census tract of the property securing or, in the case of an application, proposed to secure a covered loan that is required to be reported by Regulation C. The CFPB plans to make available on its website a geocoding tool that financial institutions may use to identify the census tract in which a property is located. The final rule establishes that a financial institution would not violate Regulation C by reporting an incorrect census tract for a particular property if the financial institution obtained the incorrect census tract number from the geocoding tool on the agency’s website, provided that the financial institution entered an accurate property address into the tool and the tool returned a census tract for the address entered.

Finally, the final rule also makes certain technical corrections. These technical corrections include, for example, a change to the calculation of the check digit and replacement of the word “income” with the correct word “age” in one comment.

The HMDA final rule is available at

Updated HMDA Resources
The CFPB also has updated its website to include resources for financial institutions required to file HMDA data. The updated resources include filing instruction guides for HMDA data collected in 2017 and 2018, and HMDA loan scenarios. They are available at

For More Information
For more information on this article, contact Bill Showalter at 330-422-3473 or

For information about Young & Associates, Inc.’s newly updated HMDA Reporting
policy, click here. In addition, we are currently updating our HMDA Toolkit.

To be notified when the HMDA Toolkit is available for purchase, contact Bryan
Fetty at

HMDA 2018

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance and Adam Witmer, CRCM, Senior Consultant

Beginning in 2018, you will be faced with two major changes to Home Mortgage Disclosure Act (Regulation C 12 CFR § 1003). They are:

  1. Changes to the existing rules
  2. Addition of new rules

While the new rules will be challenging to navigate, the changes to the existing rules could prove to be extremely challenging, as long-established procedures and understandings are going to change. The following are a list of some of the biggest modifications.

Reporting Changes
Loan Volume Test. The new rules have two separate loan volume tests, one for closed-end and one for open-end.
The closed-end test is 25 covered loans. If your bank originates 25 “covered” loans (defined as not excluded closed-end loans or open-end loans), you will then report closed-end loans.

The open-end test is 100 covered loans. If your bank originates 100 open-end covered loans, then you will report open-end loans. There is a regulatory proposal to change this to 500 open-end for a couple of years, and we expect that to occur. The challenge here relates to business purpose loans.

All consumer purpose loans (generally HELOCs) will count, but business purposes loans may also count. Excluded loans will be open-end loans (such as an equity loan for operating expenses) that are not for a purchase, refinance, or home improvement purpose. But open-end loans such as this are refinanced, and will become reportable.

If your financial institution only meets one test, you only report the type of loans for the test you meet. This means some institutions will only report closed-end loans. Some will only report open-end loans. And others will report both.

Dwelling Secured. Under prior HMDA rules, one definition of Home Improvement included loans that were not secured by a dwelling. Under the new rules, only loans secured by a dwelling will be reportable.

Temporary Financing. The rules now only talk about financing that will be replaced by new financing. The old rules specifically excluded construction and bridge loans.

Agricultural Loans. The new rules now exempt all agricultural loans. In the past, the agricultural loan exemption only applied to purchases, which meant that when an agricultural loan was refinanced, it required HMDA reporting. Now, all agricultural purpose loans are exempt.

Preapproval Requests. Preapproval requests that are approved but not accepted are now required reporting rather than optional reporting.

Submission Process. The CFPB is going to use a cloud-based program for HMDA submissions. This means that reporters using the FFIEC software are going to have a much more difficult time. You will want to think about software options. If you are not using third-party software already, you will need to work out logistics of using the new reporting system.

Items to Consider
Our training manual for our live HMDA presentation runs 210 pages, so this is just an overview of some of the items that must be considered. Time is growing short. If your institution is going to be subject to the new rules, then training for everybody involved in the process is necessary. And for most readers, this will include more than one person.

For the future, if you are not subject to the HMDA regulation, be careful of expansion. If you open a branch in an MSA, suddenly HMDA will become part of your life. So beware of a good deal on the land or the lease – the costs of HMDA could easily dwarf the savings. If you are a HMDA reporter already, remember that any compliance requirement only gets paid for one of two ways – the applicants/customers pay for it, or it comes out of the stockholder’s pocket. Fee changes may be in your future.

HMDA Tools – Coming Soon
Young & Associates, Inc. is currently developing a HMDA Toolkit which will be available shortly, as well as a customizable HMDA policy. As there is HMDA text that the CFPB is changing and correcting (due out soon, we hope), we are not ready for release just yet. But we hope to keep the timetable reasonable. The HMDA policy will be available to purchase September 1, 2017.

We will also be offering an off-site HMDA Review beginning in 2018. We will review as many or as few loans as you would like to make sure you are on track. Billing will be based on the number of files reviewed, so you will control your costs.

Detailed information for all of these items will be available soon. If you are interested in the HMDA toolkit, HMDA policy, or HMDA reviews, we will be happy to discuss these products and services with you at any time.

Good luck – we will all need it. For more information on this article or how Young & Associates, Inc. can assist you in this process, contact us at or 330.422.3450.

Mary Green Earns CAFP Designation

Young & Associates, Inc. is pleased to announce that Mary Green, Consultant, has earned the industry designation of Certified AML and Fraud Professional (CAFP) by the Institute of Certified Bankers, a subsidiary of the American Bankers Association (ABA). This certification demonstrates the ability to detect, prevent, monitor, and report current and emerging money laundering and fraud risks.

Regulatory Compliance Update

By: Bill Elliott, Senior Consultant and Manager of Compliance

We usually try to use this space to share information that will help you prepare for what has been released, and for what will be required in the coming months. However, at this writing we find ourselves in a unique position; almost nothing (at least in the near term) is changing is the world of compliance. That does not mean that we can relax too much, just that we have a little time to catch up and get ready for the next round of changes.

Here is a sampling of where we are today: ƒƒ

  • Expedited Funds Availability (Regulation CC) Update: The CFPB promised it for late last fall, but have not yet released it. (Note: this is maybe their fifth release date.) They have been working on it for about 6 years.
  • Privacy (Regulation P) Update: This was also promised for last fall, but it has not yet appeared. In the interim, the prudential regulators have stated that banks that do not share (and therefore have no opt out) can follow the new privacy law. This means no annual privacy notice mailings of any kind, unless your privacy notice has to change. If you do change your notice and/or start to share, you will have to mail the new notice to all customers annually, so you may want to think about the mailing expense before you make any changes that would require the annual mailing.
  • Prepaid Cards Update: The new prepaid card rule has been delayed for six months (April 2018) to allow for the changes that will essentially turn all prepaid cards that have the ability to be reloaded into an “account.” They will then have rights similar to an account holder; they can ask for transaction histories, dispute items, etc. This is probably going to make these cards more expensive and therefore less attractive to your customers, and may end up not being a profitable item for many banks.
  • TRID Update: They have published a proposal, but we will have to wait to see what the final rule looks like. It will be a number of months at least before anything is finalized on this subject.
  • Home Mortgage Disclosure Act Update: The major item on the compliance agenda for 2017 is the Home Mortgage Disclosure Act. Management needs to assure that staff training occurs – and soon. We created a manual for our live seminars that runs 210 pages. We also created a listing of every possible code that might be needed, and that runs 33 pages in Excel. So this will not be an easy transition, and waiting until December to think about it does not seem like a good idea. If you do not have an LEI number and you are a HMDA bank, you should get it very soon. It will be required for 2018. We should also mention that the CFPB published a 150-page update with changes and corrections to the HMDA rule. These changes should be final by the first of the year.

Stay Tuned
We will continue to use the newsletter to keep you informed as the CFPB finally publishes updates and new regulations. But in the near term, the staff can work on absorbing what already has been issued. If we can help in any way, please feel free to call Karen Clower at 330.422.3444 for assistance. She can also be reached at 

New Prepaid Rule

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance

On October 5, 2016, the CFPB issued a final rule amending Regulations E and Z to create comprehensive consumer protections for prepaid financial products. The result of this rule is that many of you may not continue to offer these accounts, and those of you who do not currently offer the accounts may not want to start. The purpose of this article is not to talk you into or out of these products, but to give you the basic facts so that you can make the best decision for your institution.

The Prepaid Rule runs 1,501 pages, so we can only do an overview in this article. You may also want to look at the following:

Another site worth your time might be:

Prepaid Accounts
The Prepaid Rule adds the term “prepaid account” to the definition of “account” in Regulation E. Payroll card accounts and government benefit accounts are prepaid accounts under the Prepaid Rule’s definition. Additionally, a prepaid account includes a product that is either of the following, unless a specific exclusion in the Prepaid Rule applies:

  1. An account that is marketed or labeled as “prepaid” and is redeemable upon presentation at multiple, unaffiliated merchants for goods and services or usable at automated teller machines (ATMs); or
  2. An account that meets all of the following:
    1. Is issued on a prepaid basis in a specified amount or is capable of being loaded with funds after issuance
    2. Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, to conduct transactions at ATMs, or to conduct person-to-person (P2P) transfers
    3. Is not a checking account, a share draft account, or a negotiable order of withdrawal (NOW) account

There are exceptions to the rule. Under the existing definition of account in Regulation E, an account is subject to Regulation E if it is established primarily for a personal, household, or family purpose. Therefore, an account established for a commercial purpose is not a prepaid account.

Pre-Acquisition Disclosures
The Prepaid Rule contains pre-acquisition disclosure requirements for prepaid accounts. The requirements are detailed. However, there often will be a reseller of these products, meaning that the seller must prepare this disclosure for you. This “short form” disclosure includes general information about the account.

Outside but in close proximity to the short form disclosure, a financial institution must disclose its name, the name of the prepaid account program, any purchase price for the prepaid account, and any fee for activating the prepaid account.

There is also a long form disclosure which sets forth comprehensive fee information as well as certain other key information about the prepaid account.

The Prepaid Rule includes a sample form for the long form disclosure. The long form disclosure must include a long laundry list of items that details every nook and cranny of the account’s use. The Prepaid Rule also requires financial institutions to make disclosures on the access device for the prepaid account, such as a card. If the financial institution
does not provide a physical access device for the prepaid account, it must include these disclosures on the website, mobile application, or other entry point the consumer uses to electronically access the prepaid account.

All these disclosures are in addition to your standard Regulation E initial disclosure. The initial disclosures must include all of the information required to be disclosed in the pre-acquisition long form disclosure.

Error Resolution and Limitations on Liability
Prepaid accounts must comply with Regulation E’s limited liability and error resolution requirements, with some modifications. This may or may not be your problem, depending on who owns the account. But if your third-party vendor must give the customer these rights, the cost will likely go up, possibly making selling these cards a problem.

Periodic Statements and the Periodic Statement Alternative
The Prepaid Rule requires financial institutions to provide periodic statements for prepaid accounts, such as payroll accounts. However, a financial institution is not required to provide periodic statements for a prepaid account if it makes certain information available to a consumer, such as:

  • Account balance information by telephone
  • ƒElectronic account transaction histories for the last 12 months
  • ƒƒWritten account transaction histories for the last 24 months

Overdraft Credit Features
The Prepaid Rule amends Regulations E and Z to regulate overdraft credit features that are offered in connection with prepaid accounts. It adds the term “hybrid prepaid credit card” to Regulation Z and sets forth specific requirements
that apply to hybrid prepaid-credit cards. Doing something like this will materially increase your costs. Of course, there are many more rules on the subject that we cannot include in this article.

Effective Dates
The Prepaid Rule is generally effective on October 1, 2017.

What Should You Do?
Over the next few months, you need to talk with any existing companies that you do business with for this kind of product. They may still be struggling with how they are going to approach this, so you may not get all your answers immediately. But you need to know what your role is going to be after October 1, 2017 so that you can make the best decision for your institution. And all new product offerings, whether internal or external, need to be examined carefully to make sure that you can comply with the rules.

For more information about this article, contact Bill Elliott at 1.800.525.9775



New Customer Due Diligence (CDD) Requirements for Banks

Effective DATES: The final rules are effective July 11, 2016. Banks must comply  with these rules by May 11, 2018 (Applicability Date).

Banks have not been required to know the identity of the individuals who own or control their legal entity customers (also known as beneficial owners). This is viewed as a weakness of the system that they are trying to correct.

FinCEN believes that there are four core elements of CDD:
1. Customer identification and verification
2. Beneficial ownership identification and verification
3. Understanding the nature and purpose of customer relationships to develop a customer risk profile
4. On-going monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information

Banks must now identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted). A bank may rely on the beneficial ownership information supplied by the customer, provided that it has no knowledge of facts that would call into question the reliability of the information. The identification and verification procedures for beneficial owners are very similar to those for individual customers under a bank’s customer identification program (CIP), except that for beneficial owners, the institution may rely on copies of identity documents. Banks are required to maintain records of the beneficial ownership information they obtain, and may rely on another bank for the performance of these requirements, in each case to the same extent as under their CIP rule.

The AML program requirement for banks now explicitly includes risk-based procedures for conducting ongoing customer due diligence, to include understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile.

A customer risk profile refers to the information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting. This may include self-evident information such as the type of customer or type of account, service, or product. The profile may, but need not, include a system of risk ratings or categories of customers.

In addition, CDD also includes conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. For these purposes, customer information shall include information regarding the beneficial owners of legal entity customers. The regulation requires that banks conduct monitoring
to identify and report suspicious transactions. Because this includes transactions that are not of the sort the customer would be normally expected to engage, the customer risk profile information is used (among other sources) to identify such transactions. This information may be integrated into the bank’s automated monitoring system, and may be used after a potentially suspicious transaction has been identified, as one means of determining whether or not the identified activity is suspicious.

When a bank detects information (including a change in beneficial ownership information) about the customer in the course of its normal monitoring that is relevant to assessing or reevaluating the risk posed by the customer, it must update the customer information, including beneficial ownership information. Such information could include, e.g., a significant and unexplained change in the customer’s activity, such as executing cross-border wire transfers for no apparent reason or a significant change in the volume of activity without explanation. This applies to all legal entity
customers, including those existing on the Applicability Date.

This provision does not impose a categorical requirement that banks must update customer information, including beneficial ownership information, on a continuous or periodic basis. Rather, the updating requirement is event-driven, and occurs as a result of normal monitoring.

Your Response
This is going to entail changes mostly in the deposit area. Your loan area probably already collects most of this information, as they require guarantees. Also note that we stated at the beginning of this article that the mandatory date is not until 2018. It is likely that there will be changes so an immediate response to this rule does not seem reasonable. Please, however, do not lose sight of this timetable to make sure you have it in place in plenty of time before the mandatory dates. If we can help in any way, please let us know. We will also be happy to assist in any other way to help you meet your BSA and compliance needs. This could include hands-on assistance and/or consulting assistance depending upon your needs. For more information, contact us at 1.800.525.9775 or

The World of Overdraft

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance

For some time now, I have been saying in seminars that the federal government will not rest until there are no overdraft fees. On February 3, 2016, the Consumer Financial Protection Bureau (CFPB) stated that they wish to improve checking account access. They sent a letter to the 25 largest retail banks encouraging them to make available and widely market lower-risk deposit accounts that help consumers avoid overdrafts. Of course, anyone can avoid overdrafts by managing the account properly, but this was not mentioned in the letter.

As a companion item, the CFPB also issued a bulletin warning banks and credit unions that failure to meet accuracy obligations when they report negative account histories to credit reporting companies could result in Bureau action. For the industry, this seems to be of more interest.

The CFPB reminded all banks to “establish and implement reasonable written policies and procedures regarding the accuracy of the deposit account information provided to the consumer reporting companies.” Make sure that you can show an accurate and fully functioning system to your examiners at their next visit. This means policies, procedures, and practices to accurately report information and also a system to handle consumer disputes about these issues.

This is not a new requirement – just a reminder of existing requirements. Mistakes do happen, but we need to be very careful with all reports to all types of credit reporting agencies. This is obviously something that the CFPB is going to be pushing very hard. They are all about the consumer, and do not spend much time worrying about the financial services industry. But if we do our jobs correctly, there really is no issue here. If the correct information results in a decline of a deposit account, the consumer will have to deal with the result.

The CFPB is providing consumers with resources to help navigate the deposit account system. CFPB Director Richard Cordray stated, “Consumers should not be sidelined out of the basic banking services they need because of the flaws and limitations in a murky system. People deserve to have more options for access to lower-risk deposit accounts that can better fit their needs.” Many bankers would find fault with that statement, as there is a percentage of customers who just cannot manage their checking account. But this seems to be the direction the CFPB is going. Their notice on this issue stated, “the CFPB is weighing what additional consumer protections are necessary for overdraft and related services.”

This following section is a direct quote from the CFPB’s notice about these issues, and is something that we should keep in mind for the future.

Screening Accuracy Improvements
The bulletin issued by the CFPB today warns banks and credit unions that they must have systems in place regarding accuracy when they pass on information, such as negative account histories, to checking account reporting or other credit reporting companies. The consumer reporting companies focused on checking accounts typically generate reports on charge-off amounts, past non-sufficient funds activity, unpaid or outstanding bounced checks, overdrafts, involuntary account closures, and fraud.The CFPB is concerned about inaccuracies and inconsistent information provided by the financial institutions to the reporting companies. In a recent Supervisory Highlights, the CFPB noted that examiners found that one or more financial institutions failed to “establish and implement reasonable written policies and procedures regarding the accuracy of the deposit account information provided to the consumer reporting companies.” Examiners also found that at least one entity violated its federal obligation to handle consumer disputes about these issues.Banks should expect accurate information from checking account reporting companies to make fair assessments of deposit account applicants. If the system is tainted with incomplete, inconsistent, and inaccurate information, banks and credit unions cannot make informed decisions.”

This is one of the many areas that is concerning the CFPB, which means that it needs to concern us as well. If you need any assistance in this or any other area of compliance, contact us at 1.800.525.9775 or

Compliance Reviews and the Impact of Technology

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance

When I was working in a bank, we had a conference room available for meetings for up to about 10 people. As with most institutions, there was always a battle regarding who could use the room when, as there was only the one room for meetings. So you had to sign up quickly or you had to camp out in there to make sure you had the room when you needed it. Of course, most of the time there was no hope – safety and soundness examiners, compliance examiners, IT examiners, internal auditors, external auditors, consultants, etc., were already in there, and the bank’s meetings would have to move somewhere else. All of you know the feeling – someone seems to be in your shop almost every day examining something.

Benefits of Off-Site Reviews
The days of having every portion of any examination, audit, or review on-site have come to an end. While some institutions still rely mostly on paper, many have a great deal of the required information in an electronic form. And if it is available electronically, much of what needs to be done can now be completed off-site.

There are clear advantages in an off-site review that go beyond freeing up a conference room. Whoever is coming into your shop will have expenses, sometimes significant expenses, such as food, mileage, lodging, etc. So every day that they do not have to be there saves you money. From the standpoint of the examiner, auditor, or consultant, every day that they are not on the road is a plus. Both parties benefit from off-site work.

Off-Site Compliance Reviews
As the head of our compliance division, I will put this in the context of compliance reviews. I can see no reason for a deposit review to ever be completed 100% on-site. Even if your bank has no technology, which is unlikely, Truth in Savings disclosures could be snail-mailed to wherever they need to go with no risk, as there is no customer information on those documents. Some banks can make many other portions of the review materials available electronically, further reducing the on-site time. We generally still have to come on-site for certain portions of the review, such as Regulation E error resolution reviews and Regulation CC hold notice reviews, as most banks do not store that information electronically, at least not yet. But the policy review portion of Regulation E and Regulation CC reviews can certainly be done off-site.

On the loan side, we at Young & Associates, Inc. are doing more and more loan compliance reviews off-site or partially off-site. As technology continues its relentless advance, we can do the necessary review work easily and efficiently. If all we are doing is loan file review, we can complete many of these reviews without ever appearing at the bank. Exit meetings are done via telephone, and with all of the other communication methods available today, there just is not a need to physically come to the bank.

We now have several clients with monthly or quarterly review schedules who see us on-site one time per year. And they have seen significant cost savings due to the reduced travel. By the way, if the work is being completed off-site, ask for a discount in the fee when you can. You do not have to ask for a discount for retainer engagements from Young & Associates, Inc. Every retainer engagement we send automatically has a discount feature built in that ranges from 5 percent to 15 percent depending on several factors, including the amount of consultant time that will be saved by not having to travel to your location.

We offer other services electronically as well. Our Virtual Compliance Consultant (VCC) program, which offers tremendous compliance support via a monthly compliance conference call for compliance discussions or training, compliance policy assistance, and access to all of our compliance-related products, is all electronic. We also offer board of director training live, using electronic methods. And the list will continue to grow.

As you contemplate this type of change, make sure that you involve your IT department to assure the information stays secure. Neither you nor your examiner/auditor/consultant need to have a breach. But it can be done, and your bottom line will be better off as a result.

To hear more about any of the compliance services mentioned in this article, or for more information on what Young & Associates, Inc.’s compliance department can offer your bank, contact Bill Elliott at 1.800.525.9775 or click here to send an email.

5 Ways to Create Compliance Depth

By: Adam Witmer, CRCM, Compliance Consultant

As football season is now in full swing, many die-hard fans find themselves viewing the player roster of their favorite teams. They do this because they are curious, not about the obvious starters, but about those who are there to back up the starters. Football fans are often interested in the depth of skill their team has retained.

Just like an NFL team has a depth chart of skilled back-up players, it is important to have compliance “depth” within our financial institutions. This is especially true today as examiners have been shifting their expectations of compliance from a one-person dictatorship approach to a fully functioning “compliance management system” (CMS).

With so many new rule changes coming out by the Consumer Financial Protection Bureau, financial institutions can no longer depend on a single individual to be the sole person knowledgeable of compliance regulations. Having a depth of compliance knowledge ̶ both in quantity (number of employees) and quality (individual knowledge) ̶ is more important today than ever before. Therefore, financial institution leaders should consider building greater depth of compliance within their teams.

The following are five ways that every financial institution can build depth into the compliance function of their organizations.

A Formal Compliance Management System (CMS) Model
One of the best ways to infuse compliance depth into a financial institution is to develop a formal compliance management system (CMS) model which ultimately steers the institution’s compliance activities. While most financial institutions have some sort of compliance management system in place – a risk assessment, training, audit and/or monitoring, designating a compliance officer, and managing complaints – we have found that many of these programs are often informal in nature and don’t always establish depth in the overall program.

A formal CMS model is an intentionally designed program that goes above and beyond the core elements of a compliance management system – the model acts as the infrastructure for a compliance program. Generally, a CMS model will produce certain results:

  • Continuity of compliance, regardless of change
  • Pro-active compliance management
  • Clear communication of the CMS to examiners, directors, and additional parties
  • Integration of compliance into applicable job functions of the organization
  • Early detection of compliance issues
  • Strong regulatory change management

The idea is that a formal CMS model helps to ensure that systems, controls, and procedures are effectively implemented and maintained, which helps to naturally build depth into the compliance structure of an organization.

Another way any financial institution can create compliance depth is to proactively integrate compliance into applicable job functions of the organization. Years ago, compliance could often be approached as an add-on or after-thought to the main task at hand. For example, prior to the late 1960’s and 1970’s, creditors didn’t really have to worry about lending fairly among minorities, protected classes, or even different income levels. Over the years, however, fair lending has evolved so much that organizations that don’t have effective systems, procedures, and controls to ensure fair lending compliance can easily place themselves in a high-risk position for fair lending violations.

Integration can occur in a number of ways. First, policies and procedures can be enhanced to include compliance components. Secondly, controls and testing can include applicable compliance elements. Finally, compliance can become an essential part of employee expectations, such as the requirement of training and even consideration in performance evaluations.

When a financial institution integrates compliance into each applicable job function, a depth of compliance is naturally infused into the organization. This is exactly why many financial institutions are adopting a formal CMS model under which they operate.

Compliance Council
For well over a decade now, we at Young and Associates, Inc. have been advocating for the creation of a Compliance Council in many of our client financial institutions. A compliance council is a group of employees, often middle to senior management, who come together on a regular basis to provide oversite of the compliance function of the organization. While only a few financial institutions operate with just a compliance council (rather than having a designated compliance officer), many of those that do have a designated compliance officer also operate with a compliance council.

There are several reasons why a financial institution will operate with a compliance council in addition to having a designated compliance officer. First, the compliance council helps to provide support for the compliance officer. In today’s regulatory environment, it is often unreasonable for any financial institution to place all responsibility of regulatory compliance on the shoulders of one compliance officer. Therefore, a compliance council can help to distribute the compliance burden and help support the compliance officer.

In addition to providing support, a compliance council also helps to enhance communication in relation to compliance activities. While different departments within a financial institution often operate somewhat independently, a compliance council can help to bring various department managers together while focusing on a uniform goal of compliance.

A compliance council can be an integral component for building compliance depth and this is why many CMS models have a compliance council at the center of their model.

Succession Planning
Just as every NFL team has a depth chart that outlines who is ready to play a certain position, financial institutions can create compliance depth by establishing and maintaining a formal
succession plan for each applicable compliance function. While a compliance succession plan doesn’t need to be complex or even robust, having a clearly designated back-up person for each major compliance function helps to establish greater depth.

To establish depth, a succession plan should designate a back-up person for each significant area of compliance and outline who would assume responsibility in the event that the primary employee responsible for that area is unable to perform their duties. When a back-up person is formally designated and appropriately cross-trained, a CMS model will effectively continue without any major breaches in continuity, meaning that a greater depth of compliance is established.

The final and probably most obvious way to create compliance depth is to conduct enhanced compliance training. Compliance depth can be added through training in two main ways: organizational training and individual training.
First, organizational training can be expanded to integrate compliance into the training rather than treating compliance as an afterthought. Therefore, compliance components should be included in new employee orientations, annual training initiatives, and even sales and other employee specific training sessions.

Secondly, training can increase compliance depth when employees, other than just the compliance team, receive in-depth training on compliance regulations that affect their job functions. For example, a loan processor manager may be able to greatly benefit from in-depth training on Regulation Z, while a lender may benefit on training specific to Regulation O.

Regardless of the type, training is a tool that helps to build compliance depth within an organization.

Creating compliance depth is going to become an even more important strategy for financial institutions as regulatory expectations continue to expand and evolve. In creating compliance depth, organizations will enhance their overall compliance posture by ensuring compliance continuity when employee positions change, providing better communication regarding the compliance function, infusing necessary components of compliance into each job function, and providing better communication to affected parties regarding the organizations compliance program.

Just as every sports team works to ensure that they have a depth of skilled players, financial institutions who establish compliance depth – through steps like establishing a formal CMS model – are going to fair much better in the long run than those who do not.