Author: admin

Vendor due diligence evaluations

By Michael Gerbick; president, Young & Associates

Do you have a due diligence packet?

Can you answer these questions for our due diligence?

Our outsourced vendor relationship manager will be reaching out to you for due diligence information.

As a trusted vendor to many clients, we receive requests and comments like these every day from our customers, and they bring to light the large disparity between what is requested and what is actually understood from the information provided. We are trusted with personally identifiable information daily, and it is our responsibility to do our best to protect that information. No one can guarantee foolproof protection, as it is not “if” but “when” a security breach will occur. We can, however, adhere to industry standards that reduce these risks significantly. This matters when looking internally at our own systems and processes, and just as much when looking at our critical vendors.

There are several areas to consider in the due diligence evaluation. I have highlighted a few of these areas below to assist you in choosing a trustworthy vendor.

Vendor purpose

Knowing how a vendor will be leveraged begins to shape the risk analysis needed for the remaining due diligence areas. Consider whether they will need access to your environment, whether they will need access to your confidential information, and/or whether they will provide a service that you could not otherwise handle without them. How long have they been in business? Have they declared bankruptcy? Your risk profile will start to take shape with respect to strategic and reputational risk and will direct the due diligence areas you focus on going forward.

Information access

At a most basic level, how will your vendor access your information? Remotely from anywhere, with unbridled access to your core system? Onsite via paper documents with 24-hour oversight by your staff? Or will the service be executed in a hybrid fashion (onsite and remote)? In addition to access, will you allow the vendor to save the information outside of your environment? Will you send information electronically to the vendor and if so, how will you communicate? Vendors that do not have direct access to your core or large repositories of confidential information may still touch non-public information.

When you approach sharing non-public information through either email or a secure file transfer, consider a business email compromise at your vendor, and its impact on your organization, as a scenario. Thinking through how the information will be accessed, transferred, and used will help in your due diligence process and help ensure that you receive the valuable service from your vendor through the method of accessing confidential information that you are most comfortable with.

Information and system controls

This is more than just passwords. It is about whether the vendor’s systems are patched promptly, data center security (SOC 1 and SOC 2 reports), encryption on devices, MFA (multifactor authentication) at both the account and device level, antivirus, antimalware, ransomware protection and MDR (Managed Detection and Response), where your information is accessed, and whether all of these system controls are monitored. Every week there are news reports of another ‘hack’ and ransom of individuals’ sensitive information. The only constant is that this is reality, and both the protections and the attacks are ever-changing and evolving.

There is a lot to unpack here, and you can ask thousands of questions of your provider. Ultimately, you need to decide whether the information you share with them is held in an environment that meets your expectations of safety and security. An informed and trusted IT leader on your team can help make sense of this space for your organization and identify the areas that apply to you. At a minimum, a complete set of robust questions or a list of requests will help you quickly distinguish the vendors that can help you from those that may simply introduce risk to your organization.

Business continuity, incident response plan, and disaster recovery

An event will happen. Plans in place that are reviewed and tested regularly will minimize the negative impact. Ask your vendor if they have these plans and discuss with them to understand how robust they are. Gain a comfort level that the vendor cares about managing the inevitable event as much as you do. If they are a critical vendor and something happens, you should expect them to have a plan to mitigate risk.

Confidential information

In addition to specific language in your vendor contract and the methods of accessing confidential or non-public information, ask about cybersecurity-specific insurance coverage in case of an incident. If their staff is touching your information, ask about their hiring practices. Also ask about the expertise of their personnel, confidentiality agreements and background checks.

Conclusion

There are many talented vendors out there to assist your organization. A consistent approach with a defined leader on your team will elevate the quality of the vendors your organization chooses to do business with. The few areas discussed above help manage risk when something goes wrong. The more prepared your vendor and you are for those inevitabilities, the less impact it will have.

If you want to find out more about vendor due diligence or need help improving or starting your vendor due diligence program, please contact Michael Gerbick at mgerbick@younginc.com or 330.422.3482. Young & Associates can help you every step of the way.

In loving memory – Kyle Curtis

May 5, 1961 – January 7, 2023

With great sadness, we announce that Kyle Curtis, of Chandler, AZ, passed away unexpectedly on January 7, 2023. Born on May 5, 1961, Kyle had more than 30 years of diverse banking experience in financial reporting, lending, credit authority and administration, and senior management level positions. He spent his entire career as a banker in Arizona, starting at the entry level and working his way up to serving in several executive leadership positions before becoming a banking consultant.

At Young & Associates, Kyle was a dedicated leader, manager, mentor, and teammate for over 11 years. He was a vital part of the lending and management divisions of the company and served as the Director of Management Services since 2019. He assisted his clients through the de novo formation process, those under regulatory enforcement agreements, management and board of director assessments, appraisal reviews, loan reviews and ALLL/CECL methodology reviews, loan portfolio stress testing, and policy development and implementation.

Jerry Sutherin, President & CEO at Young & Associates, reflected on Kyle’s passing and contribution to the company…

“Kyle’s work ethic and understanding of the banking industry were unparalleled. He was always willing to assist co-workers and clients by conveying this knowledge with logic and occasionally humor. However, more important than our peer-to-peer relationships that we all maintained with Kyle, he was a dear friend to everyone. He will be missed by everyone that he met.”

Kyle is survived by his loving wife, Mary; son, Ryan (Alycia) Curtis; daughters, Sara (Nick) McCord, Katelyn (Jonathan) Curtis; and granddaughter, Ella Curtis.

Both personally and professionally, Kyle’s talent, dedication, leadership, and friendship will be greatly missed by our corporate family here at Young & Associates, as well as so many bankers across the country.

Loan underwriting issues in a shrinking market

By Ollie Sutherin, chief financial officer, Young & Associates

It is no secret that community banking is shrinking at an increasing rate across the entire United States. At the close of Q4 2022, there were approximately 4,548 community banks across all 50 states. This is a net decrease of about 200 active charters since the FDIC completed its Community Banking Study in 2020. Of these 4,548 active charters, nearly 50 percent of the community banks are in counties with a population of 50,000 individuals or less, and all these institutions combined make up about 97 percent of the banking industry as a whole.

Challenges for community-focused lenders

Despite their market share, the fact that nearly 50 percent of the community banks serve counties with less than 50,000 people presents risks and difficulties for them to continue their missions as community-centered institutions.

One of the primary difficulties is the ability to hire and retain quality talent needed to maintain good practices and good standing with regulatory bodies. This is especially evident in the banks that serve 50,000 people or less, as populations in rural areas continue to decrease.

Furthermore, the increasing burden of inflation and wages adds another layer of complexity to the mix. Many community-focused institutions are not willing or able to pay top rate for talent, which is understandable given the need and focus to remain competitive among the larger regional and national banks that continue to acquire and/or out-compete them.

Outsource excellence for your credit underwriting

One of Young & Associates, Inc.’s primary missions is to serve community financial institutions across the country. Recognizing the risks and difficulties stated above, we have formed an independent affiliate, Y&A Credit Services, LLC.

As an independent entity, Y&A Credit Services offers the same exceptional service, expertise, and integrity you have learned to expect from Young & Associates, Inc. Our team members are experts in credit services and the financial industry, and include former chief credit officers and senior credit analysts from both community and regional banks. They provide full outsourced credit department services to our clients, keeping their costs low so they can remain competitive in their markets. This also reduces risk with respect to the regulatory bodies, as our seasoned credit professionals boast a combined 100+ years of experience in credit administration.

Finding talent is one issue, but affording it is another issue. By outsourcing credit responsibilities such as underwriting, annual reviews, and spreading financials, Y&A Credit Services can complete the work of several full-time employees at rates far less than the bank’s full-time employee.

In summary, you can trust Y&A Credit Services to handle all your credit needs, ranging from simple commercial real estate transactions to the most complex C&I deals. Furthermore, Y&A Credit Services can complete this work in your preferred format using our advanced credit software. We recognize the risk of deviating from years of good practice and strive to ensure that we are meeting your standards. We also recognize that we are here to assist you in every way possible and will provide you with recommendations and good practices gleaned from extensive experience dealing with credit departments across the entire country and the regulatory bodies overseeing them.

For more information on Y&A Credit Services and how we can assist you with your credit underwriting needs, contact me at osutherin@younginc.com or 330.422.3453. I look forward to discussing how we can assist your organization with your credit underwriting needs.

The purpose of BSA/AML model validation – Common findings

By: Edward Pugh, CAMS, CAMS-Audit, AAP, CFE, Consultant

For many financial institutions, the concept of a BSA/AML model validation is new. In the past, model validations were the domain of larger financial institutions, typically those with $1 billion or more in assets. In general, model validations are a component of model risk management (MRM), and the guidance for MRM does not easily conform to AML models, particularly models purchased from vendors. To address this, the regulatory agencies released the Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance in April 2021. We have found that, since the release of this guidance, examiners frequently request that model validations be completed for financial institutions of all sizes.

The purpose of Anti-Money Laundering (AML) model validation is to evaluate the effectiveness and accuracy of an AML model in identifying potentially suspicious transactions and preventing money laundering and terrorist financing activities.

A BSA/AML model validation consists primarily of three components:

  • Conceptual soundness – This entails (among other considerations) the review of documentation and empirical evidence used and variables selected for the model. Much of this information is found in the implementation documentation.
  • Ongoing monitoring – This component confirms that the model is appropriately implemented and is performing as intended. Additionally, the processes and procedures for changes to the model are evaluated. For example, when an agent is added or thresholds are changed, what is the process leading up to the change?
  • System/outcome analysis – This verifies that the alerts generated are indeed valid. On the flip side, is the model missing transactions due to parameter settings or data issues?

Common findings

As more financial institutions have model validations performed, we have noticed some findings that recur in both validation reports and examination reports. Reviewing the most common of these may help a financial institution prepare for its first validation. They include:

  • Data quality issues – Appropriate data is not flowing to the model. This often includes monetary instrument information, wire information, ATM activity, and NAICS codes. A particular concern is 314(a) list searches: data from closed accounts and non-customer transactions (such as monetary instrument purchases) is not included in the searches.
  • Inadequate model governance – This includes lack of model documentation, lack of proper oversight and controls, and lack of model testing.
  • Lack of documentation of filtering thresholds – This includes documentation as to why thresholds were selected, as well as why/how any subsequent changes were made.
  • Missing or incomplete mapping documentation – Mapping documentation demonstrates how inputs from various systems flow into the AML Model. This information is usually included in the implementation documentation, though issues often arise when new products and services are introduced.
  • No reconciliation procedure – Institutions should periodically reconcile the data between the system feeding the data into the model and the model. This ensures that transactions are appropriately monitored.

While this list is not exhaustive, it does shed some light as to what auditors and examiners are looking for when it comes to model performance. Addressing these issues prior to a model validation or examination can help the process go more smoothly.
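The “no reconciliation procedure” finding above is the one most directly addressable with a routine check. The following is an added example (not the authors’ or Young & Associates’ code) of what such a reconciliation looks like: it compares a constructed export from the core system against a constructed list of what the monitoring model actually loaded for the same day, and reports transactions the model never received, transactions that arrived with altered fields, and whole transaction types (here the monetary instrument purchase) that are absent from the model side, which usually points at a mapping gap. Record layouts and field names are assumptions for the example.

```python
"""Added example: reconciling the core-system feed against the AML model's load.

Both record sets below are constructed for illustration; in practice they
would be the day's core export and a query of the model's transaction table.
"""
from collections import defaultdict

# Constructed: what the core system exported for the day (feed side).
CORE_FEED = [
    {"txn_id": "T1001", "account": "A1", "amount": 9500.00, "type": "CASH_IN"},
    {"txn_id": "T1002", "account": "A2", "amount": 15000.00, "type": "WIRE_OUT"},
    # Non-customer monetary instrument purchase: the kind of record that is
    # often left out of the feed entirely.
    {"txn_id": "T1003", "account": "NONCUST", "amount": 3000.00, "type": "MI_PURCHASE"},
    {"txn_id": "T1004", "account": "A1", "amount": 1200.00, "type": "ATM"},
]

# Constructed: what the model actually ingested for the same day (model side).
MODEL_LOADED = [
    {"txn_id": "T1001", "account": "A1", "amount": 9500.00, "type": "CASH_IN"},
    {"txn_id": "T1002", "account": "A2", "amount": 1500.00, "type": "WIRE_OUT"},  # amount truncated in transit
    {"txn_id": "T1004", "account": "A1", "amount": 1200.00, "type": "ATM"},
]

COMPARED_FIELDS = ("account", "amount", "type")


def control_totals(records):
    """Count and sum per transaction type, the usual reconciliation control total."""
    totals = defaultdict(lambda: [0, 0.0])
    for r in records:
        totals[r["type"]][0] += 1
        totals[r["type"]][1] += r["amount"]
    return {t: (count, round(amount, 2)) for t, (count, amount) in totals.items()}


def reconcile(feed, loaded):
    """Compare feed vs model by transaction id and by per-type control totals."""
    feed_by_id = {r["txn_id"]: r for r in feed}
    loaded_by_id = {r["txn_id"]: r for r in loaded}

    missing = sorted(set(feed_by_id) - set(loaded_by_id))      # never reached the model
    unexpected = sorted(set(loaded_by_id) - set(feed_by_id))   # model has records the feed lacks

    mismatched = []
    for txn_id in sorted(set(feed_by_id) & set(loaded_by_id)):
        f, m = feed_by_id[txn_id], loaded_by_id[txn_id]
        diffs = {k: (f[k], m[k]) for k in COMPARED_FIELDS if f[k] != m[k]}
        if diffs:
            mismatched.append((txn_id, diffs))

    feed_totals, model_totals = control_totals(feed), control_totals(loaded)
    # Types present in the feed but with no records on the model side at all:
    # the strongest signal that a product or channel is not mapped.
    types_not_monitored = sorted(set(feed_totals) - set(model_totals))

    return {
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "types_not_monitored": types_not_monitored,
        "totals": {"feed": feed_totals, "model": model_totals},
        "in_balance": not (missing or unexpected or mismatched),
    }


if __name__ == "__main__":
    result = reconcile(CORE_FEED, MODEL_LOADED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run daily and retain the output: the report itself is the reconciliation record an examiner will ask for, and a non-empty `types_not_monitored` list is the cue to revisit the mapping documentation rather than just the day’s data.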

In conclusion

BSA/AML model validation is essential for both financial institutions and regulatory bodies to ensure that AML models are working as intended and regulatory requirements are being met. Young & Associates performs customized BSA/AML Validations and Reviews and collaborates with many of the AML software providers throughout the validation and review to provide a seamless process for our clients. If you would like more information on this article, or on how we can assist your organization, please contact me at epugh@younginc.com or 330.422.3475.

Penetration tests and vulnerability scans: What’s the difference?

By: Brian Kienzle, CISSP, OSCP and Mike Detrow, CISSP

As we discuss technical testing techniques with financial institutions, we still see a lot of confusion about the difference between a vulnerability scan and a penetration test (pen test). In the past, and even nowadays, these two terms are sometimes used interchangeably. However, a true pen test is quite different from a simple vulnerability scan.

A vulnerability scan is an assessment performed by running a scanning application like Nessus or Qualys. With these applications, the assessor inputs the target IP address ranges or DNS names, clicks scan, and then waits for the results. Scans are important tools for detecting and mitigating several types of vulnerabilities; however, they are limited, since they generally rely on fingerprints of known vulnerabilities.

A pen test, on the other hand, can be thought of as a highly technical audit. A pen tester will use a wide variety of techniques and tools, often including vulnerability scanners, to discover and exploit vulnerabilities. The tools that are used will be different depending on what network services and device types are encountered.

One of the biggest differences between a scan and a pen test is that a pen test will exploit vulnerabilities. This minimizes false positives and lets you know exactly what a vulnerability’s real impact is in your unique environment.

Are vulnerability scans worthless? No, but it is important to understand their strengths and weaknesses. Scanning software cannot think; it can only discover what it has been programmed to discover. It is valuable for finding low-hanging fruit, but its inherent design limitations prevent it from detecting certain vulnerabilities, such as vulnerabilities requiring custom exploitation, fuzzing, or guided brute-force attacks. Discovery and exploitation of these vulnerabilities requires investigation by an experienced security professional.
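The following added example (not from the authors or from any scanning product) illustrates why a fingerprint-based scan produces false positives that only verification can remove: a scanner matches a service banner against a signature of the form “product X before version Y is affected”, and cannot see a vendor backport that fixed the issue without changing the version string. The product names, the `EXAMPLE-…` finding identifiers and the backport list are all constructed placeholders, not real advisories.

```python
"""Added example: banner-fingerprint matching and the triage step that removes false positives."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    finding_id: str   # constructed identifier, not a real advisory number
    product: str
    fixed_in: tuple   # first version that carries the fix


# Constructed signature database, shaped like a scanner's: "product before version Y is affected".
SIGNATURES = [
    Signature("EXAMPLE-2023-0001", "ExampleSSH", (7, 5)),
    Signature("EXAMPLE-2023-0002", "ExampleHTTP", (2, 4, 50)),
]

# Banner forms such as "ExampleSSH_7.4" or "ExampleHTTP/2.4.6".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)[_/ ](?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version tuple) or None if the banner is not recognised."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("product"), version


def scan_banner(banner):
    """What a fingerprint scanner reports: every signature whose product matches
    and whose fixed-in version is higher than the advertised version."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [s.finding_id for s in SIGNATURES
            if s.product == product and version < s.fixed_in]


def triage(banner, backported_fixes):
    """The verification step a tester adds after the scan.

    backported_fixes is a constructed set of finding ids that the host's vendor
    patched without raising the version string. The banner alone cannot reveal
    this, so the scanner reports them; verification against the actual host
    behaviour (simulated here by the set) is what separates confirmed findings
    from false positives.
    """
    reported = scan_banner(banner)
    return {
        "reported": reported,
        "confirmed": [f for f in reported if f not in backported_fixes],
        "false_positives": [f for f in reported if f in backported_fixes],
    }


if __name__ == "__main__":
    print(triage("ExampleSSH_7.4", {"EXAMPLE-2023-0001"}))
    print(triage("ExampleHTTP/2.4.6", set()))
```

The point the code makes is the one in the paragraph above: the scan’s “reported” list is only as good as the version string, and a report that ends there leaves the reader to guess at real impact.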

How do you tell which one you’re getting?

It takes a hacker to know how a hacker will try to exploit the devices on your network. Unlike vulnerability scans, pen tests require a lot of time and expertise. The following are not perfect indicators, but they can help you determine what type of service is being performed:

  • The proposal should give some detail about the overall penetration testing. True penetration testing by its nature is somewhat open-ended but should always involve manual investigation and exploitation of any discovered vulnerabilities.
  • Engagement price can be an indicator. If the cost of your penetration test is very low, that could mean the pen test is simply a vulnerability scan. It would not make business sense to sell such a skill and time-intensive engagement so cheaply.
  • If the findings do not include step-by-step instructions to exploit the specific vulnerability, that could be an indicator that the findings are automatically generated.
  • Hackers and penetration testers are often self-taught, so certifications may not be strictly necessary. However, if this is an area of consideration, more weight should be given to certifications whose exam processes are practical exploitation tests, rather than multiple-choice exams. Certifications like this include Offensive Security Certified Professional (OSCP) and Licensed Penetration Tester (LPT).

When should you get penetration tests or vulnerability scans?

Vulnerability scans and pen tests are different types of tools and therefore should be applied in different situations. Because vulnerability scans cost less and take less time, they should be conducted more frequently. Regular vulnerability scans help identify vulnerabilities in a timely manner, which allows IT staff to limit the time that these vulnerabilities remain exploitable on the network by remediating them soon after they are discovered.

Vulnerability scans can even be performed by financial institution staff or by the financial institution’s Managed Service Provider (MSP). This is typically more cost-effective than hiring an independent party to perform frequent scans. However, it is still important to have an independent party perform an annual vulnerability scan to verify that the financial institution’s vulnerability management processes are effective.

Pen test frequency will typically vary based on a financial institution’s network infrastructure and vulnerability management practices. External pen tests may commonly be performed annually. However, a financial institution may choose to perform internal pen tests annually, biennially, or even less frequently. Management should use a risk-based approach to determine the frequency of pen tests by considering the following factors:

  • Significance of data stored on internal systems
  • Frequency of network infrastructure changes
  • Complexity of network infrastructure or network operating system
  • Any network services or applications developed in-house, such as intranet sites
  • Demand from examiners

If you have any questions about the differences between vulnerability scans and pen tests, or you would like to get more information about the testing services that Young & Associates has to offer, please contact Mike Detrow, Director of IT, at mdetrow@younginc.com or 330.422.3447. We look forward to helping you maximize the return on your technology investments.

HMDA alert – Smaller mortgage producers may have to comply in 2023

By Bill Elliott, CRCM; director of compliance education, Young & Associates

On September 23, 2022, the United States District Court for the District of Columbia issued an order vacating (canceling) the 2020 Home Mortgage Disclosure Act (HMDA) Final Rule. That final rule changed the limits for closed-end mortgage loans. At the time, that final rule raised the “minimum” for mandatory reporting from 25 to 100 closed-end mortgage loans in each of the two preceding years.

HMDA changes

The court vacated that change, and so the threshold for HMDA reporting in the regulation for 2023 and into the future has been reset back to 25 closed-end loans. Banks that have been able to avoid HMDA because they made fewer than 100 loans are required to comply in 2023. A blog entry issued by the Consumer Financial Protection Bureau (CFPB) on December 8, 2022 stated that the CFPB (and we presume the prudential regulators) will not require backfiling, nor would they cite banks for the absence of 2020, 2021, and 2022 filing data, but said nothing about 2023. Therefore, if your bank made more than 25 closed-end mortgage loans in 2021 and 2022, HMDA is now a requirement for closed-end mortgage loan reporting for your institution – starting January 1, 2023.

We are unsure why the CFPB waited about 10 weeks to inform us. But you will need to dust off those old policies, procedures, systems, and operations to come into compliance, or perhaps create new policies, procedures, and operations in a hurry. Additionally, there may be applications from 2022 that do not have the government monitoring information in file, because it would have been a violation for non-HMDA banks to collect that information. We believe that your institution needs to go back and collect that information for all loans that had an application in 2022, but that close in 2023.

The 25 vs. 100 threshold was a decision made by the CFPB, and that was reversed. The partial exemption changes – impacting a number of the data elements required to be collected – were the result of a change in law, so the partial exemption remains unaffected by this reversal.

HMDA review

Do you need a validation of your HMDA data prior to the 3/1/23 filing deadline? Young & Associates offers an off-site compliance review of your institution’s HMDA data. Using our secure file transfer system, we will validate your HMDA data to detect errors and issues before the filing deadline. For more information on our HMDA Review service, contact Karen Clower, Director of Compliance, at 330.422.3444 or kclower@younginc.com.

The importance of documentation to support your information security program

By: Mike Detrow, CISSP, and Brian Kienzle, CISSP, OSCP

Written records are generally more trustworthy than human memory. Examiners and auditors typically take the following stance: if it isn’t formally documented, it didn’t happen. It is usually not possible to accurately recall all the details of an activity we performed six months to a year ago. That is why it is important to formally document your monitoring activities, so that the specific details of any work performed are available for your own reference and for examiners and auditors to review.

Common documentation gaps

Proper documentation has generally improved in recent years; however, there are still some areas where we commonly see documentation gaps. Some of these areas where we continue to note weaknesses in documentation during our IT Audit engagements include:

User access reviews

We commonly see a checklist or spreadsheet that identifies various systems/applications and the date(s) that the user access was reviewed. While this format can help to provide a summary of the dates when system/application user access was reviewed, it does not allow an examiner/auditor to understand what was reviewed, any exceptions that were found, nor any changes that were made because of the review. A better approach is to document the review on the actual system reports or screenshots, or to document the review process in a write-up that identifies the review process and any noted exceptions or changes made as a result of the review.

Vendor monitoring

We still see some instances where ongoing vendor reviews are not formally documented using a checklist or a formal write-up of the details associated with the review and any exceptions that were noted. In these cases, the institution may only have a spreadsheet where they indicate that various vendor documents were reviewed on a specific date. However, this does not allow an examiner/auditor to understand the details about the review, nor does it identify any exceptions that were noted. This same issue occurs with the review of the complementary user entity controls that are identified in vendor SOC reports. Institutions should ensure that they formally document their implementation of each complementary user entity control.

Firewall audits

Often we see a simple statement in minutes or in an email chain indicating that a firewall audit was performed. However, this is not enough information to tell whether the firewall audit was comprehensive enough to establish that the firewall is properly configured. At a bare minimum, a firewall audit should include a review of all firewall access rules for appropriateness and a review of security services, such as intrusion prevention and web content filtering. Documentation of this review, showing all areas of the firewall configuration that were reviewed, is an essential piece of documentation.
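As an added example (not the authors’ or Young & Associates’ code) of what “review all access rules for appropriateness” can look like when it is done in a form that leaves a record, the script below walks a constructed, simplified rule base, flags the rule patterns a reviewer would normally question (an any/any/any allow, an allow with service “any”, a disabled rule left behind, a rule with no recorded business justification), and produces a dated review record listing every rule reviewed and each exception found. The rule fields and the ticket references are assumptions made for the example; a real review would also cover the security services the paragraph names.

```python
"""Added example: an access-rule review that produces an auditable record."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Rule:
    rule_id: int
    src: str
    dst: str
    service: str
    action: str          # "allow" or "deny"
    enabled: bool = True
    comment: str = ""    # business justification / change ticket


# Constructed sample rule base; ticket numbers are placeholders.
RULES = [
    Rule(1, "LAN", "Internet", "HTTPS", "allow", comment="Ticket EX-100: user web browsing"),
    Rule(2, "any", "any", "any", "allow"),
    Rule(3, "Internet", "DMZ-Web", "HTTPS", "allow", comment="Ticket EX-101: public website"),
    Rule(4, "Vendor-VPN", "Core-DB", "any", "allow", comment="Ticket EX-102: vendor support"),
    Rule(5, "LAN", "Internet", "SMTP", "allow", enabled=False, comment="Ticket EX-050: retired relay"),
    Rule(6, "any", "any", "any", "deny", comment="Default deny"),
]


def review_rule(rule):
    """Return the list of exceptions a reviewer would record for one rule."""
    findings = []
    if not rule.enabled:
        findings.append("disabled rule still present: remove if no longer needed")
    if not rule.comment.strip():
        findings.append("no business justification or change ticket recorded")
    if rule.action == "allow":
        if rule.src == "any" and rule.dst == "any" and rule.service == "any":
            findings.append("any/any/any allow: permits all traffic")
        elif rule.service == "any":
            findings.append("service 'any': restrict to the ports actually required")
    return findings


def audit(rules, reviewer, review_date):
    """Review every rule and return the record to be kept with the audit workpapers."""
    record = {
        "reviewer": reviewer,
        "date": review_date.isoformat(),
        "rules_reviewed": len(rules),
        "exceptions": {},
    }
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            record["exceptions"][rule.rule_id] = findings
    return record


def render(record):
    """Plain-text write-up of the record, suitable for attaching to minutes."""
    lines = [f"Firewall rule review by {record['reviewer']} on {record['date']}",
             f"Rules reviewed: {record['rules_reviewed']}",
             f"Rules with exceptions: {len(record['exceptions'])}"]
    for rule_id, findings in sorted(record["exceptions"].items()):
        for finding in findings:
            lines.append(f"  rule {rule_id}: {finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit(RULES, "reviewer name", date(2023, 1, 31))))
```

The value over a one-line “firewall audit completed” in the minutes is that the record states what was reviewed, which rules were questioned and why, which is exactly the detail the article says examiners look for.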

E911 testing

Voice over IP (VoIP) telephone systems communicate with emergency services differently than traditional phone lines. If an IP phone is moved to a different physical location, but the corresponding address information is not updated, then incorrect address information could be seen by emergency responders when that phone is used to dial 911. E911 testing ensures that proper address information is seen by emergency responders. We check that this testing is occurring during our IT audits, and documentation of this testing is the primary method we use to verify this.

While it can sometimes seem like the time spent to formally document your activities is unproductive, especially when some institutions are working with limited staffing, it is critical to maintain this documentation to allow examiners/auditors and the board to have confidence that the institution’s information systems are being managed and monitored appropriately.

Young & Associates offers a variety of IT consulting services to help your financial institution comply with regulations, protect against vulnerabilities, and provide seamless IT service to your customers. For more information on this article, or to learn more about how Young & Associates can assist you with your IT needs, visit our website at www.younginc.com or contact us at mgerbick@younginc.com.

Why banks should QC in-portfolio loans

By Donald Stimpert, manager of secondary market QC, Young & Associates

As a result of higher mortgage interest rates and inflation continuing to weigh on affordability, Fannie Mae revised downward their forecast for 2022 single-family mortgage market originations. Fannie Mae now expects 2022 single-family mortgage market originations of $2.3 trillion. This is a 49 percent decrease from 2021. Approximately 70 percent of activity for the full year of 2022 is expected to come from purchase originations.

Fannie Mae currently projects a further decline in single-family mortgage market originations in 2023, to $1.7 trillion, with 77 percent of that activity coming from purchase originations. The organization expects that multifamily mortgage market originations for 2022 will be between $400 billion and $430 billion. This is down from the $475 billion estimated at the start of this year, due primarily to rising interest rates and a slowing in multifamily property sales.

How Young & Associates can help

As a result of the higher mortgage interest rates, more lenders are holding on to their loans and keeping them as in-house portfolio loans. Y&A currently works with several clients to perform QC reviews not only of residential secondary market loans, but of in-house portfolio loans as well. By reviewing in-house portfolio loans, Young & Associates provides the same QC services as we do on residential secondary market loans, while giving financial institutions the peace of mind that underwriting standards are maintained in accordance with policy directives.

Organizations with a commitment to quality control recognize that loan quality begins before an application is taken. It then continues throughout the entire mortgage origination process. Young & Associates has provided education, outsourcing, and a wide variety of consulting services to community financial institutions for over 44 years. We are committed to your bank’s future success and look forward to assisting you to ensure or enhance that success. To learn more, contact me directly at 1.330.442.3459 or dstimpert@younginc.com.

Brushing up on disclosures for ARMs

By: William J. Showalter, CRCM, CRP, Senior Consultant

Now that interest rates are moving up, many bankers are blowing the dust off their adjustable-rate mortgages (ARMs) loan offerings. Interest rates for fixed-rate loans have been so low for quite some time, which made them much more appealing to mortgage loan customers. But now with rates increasing, the lower initial rates of ARM loans are beginning to look more appealing to at least some borrowers.

The problem is that many of us are so out of practice at making ARMs that we need a refresher to remind us of what we need to do. This article will serve as a primer to help us re-learn how to meet disclosure requirements for ARM loans.

Different types of ARMs

When we think of an adjustable-rate mortgage, the first thing that comes to mind is likely the classic loan with an interest rate that can change at some regular interval based on the movement of some external index. There is a wide variety of initial time periods for which the rate is fixed and later intervals for rate changes over the life of the loan. Common initial fixed periods are one, three, five, seven, or 10 years, while probably the most common interval for later rate changes is one year.

But that is not where the variety of ARMs ends. The Official Staff Commentary on Regulation Z discusses a number of other loan structures that are considered to be variable-rate transactions subject to the ARM disclosure requirements.

These additional loan structures are:

  • Renewable balloon-payment loans where the creditor is both unconditionally obligated to renew the balloon-payment loan at the consumer’s option (or is obligated to renew subject to conditions within the consumer’s control) and has the option of increasing the interest rate at the time of renewal
  • Preferred-rate loans where the terms of the legal obligation provide that the initial underlying rate is fixed but will increase upon the occurrence of some event (e.g., an employee leaving the employ of the creditor, or an automatic payment arrangement being ended) and the note reflects the preferred rate (though a number of the ARM disclosures are not required for preferred-rate loans)
  • “Price-level-adjusted mortgages” or other indexed mortgages that have a fixed rate of interest but provide for periodic adjustments to payments and the loan balance to reflect changes in an index measuring prices or inflation (again a number of the ARM disclosures are not required for price-level-adjusted loans)

It is important to note that graduated-payment mortgages and step-rate transactions without a variable-rate feature are not considered variable-rate transactions under Regulation Z. This is likely because changes over the term of the loan are known at the outset – specified payment and/or interest rate increases.

Application disclosures

Two ARM disclosures must be given to applicants for such loans at the time an application form is provided or before the consumer pays a non-refundable fee, whichever is earlier. There is an exception allowing the disclosures to be delivered or placed in the mail not later than three business days following receipt of a consumer’s application when the application reaches the creditor by telephone or through an intermediary agent or broker.

For an application that is accessed by the consumer in electronic form – including an online application portal – the required ARM disclosures may be provided to the consumer in electronic form on or with the application.

These two early ARM disclosures are:

  • The booklet titled Consumer Handbook on Adjustable-Rate Mortgages (CHARM booklet), or a suitable substitute, and
  • A loan program disclosure for each variable-rate program in which the consumer expresses an interest (each comprised of 12 specified pieces of information about the ARM program)

TRID disclosures

The Loan Estimate (LE) and Closing Disclosure (CD) both require some additional disclosures for ARMs. The LE must be provided to an applicant no later than the third business day after their application is received by the lender, while the CD must be provided no later than three business days before consummation. (There are also situations permitting or requiring these disclosures to be revised, but that’s a subject for another time.)

The particular TRID (TILA-RESPA Integrated Disclosures) items impacted by a loan being an ARM are:

  • “Interest Rate” in the “Loan Terms” section – If the interest rate at consummation is not known, the rate disclosed must be the fully-indexed rate, which means the interest rate calculated using the index value and margin at the time of consummation. The lender also should disclose “Yes” for the question “Can this amount increase after closing?” In addition, disclose the frequency of interest rate adjustments, the date when the interest rate may first adjust, the maximum interest rate, and the first date when the interest rate can reach the maximum interest rate, followed by a reference to the Adjustable Interest Rate (AIR) Table (discussed below).
  • “Monthly Principal & Interest Payment” in the “Loan Terms” section – If the initial periodic payment is not known because it will be based on an interest rate at consummation that is not known at the time the LE must be provided, for example, if it is based on an external index that may fluctuate before consummation, this disclosure must be based on the fully-indexed rate disclosed above. The lender also should disclose “Yes” for the question “Can this amount increase after closing?” In addition, disclose the scheduled frequency of adjustments to the periodic principal and interest payment, the due date of the first adjusted principal and interest payment, the maximum possible periodic principal and interest payment, and the date when the periodic principal and interest payment may first equal the maximum principal and interest payment.
  • “Principal & Interest” payment in the “Projected Payments” section – The table of payments (principal and interest, mortgage insurance, etc.) will include more than one column due to the possible (projected) changes in the interest rate, up to a maximum of four columns. The maximum principal and interest payment amounts (in each column) are determined by assuming that the interest rate in effect throughout the loan term is the maximum possible interest rate, and the minimum amounts are determined by assuming that the interest rate in effect throughout the loan term is the minimum possible interest rate. If the ARM has a negative amortization feature, the maximum payment amounts must reflect this feature, as spelled out in Regulation Z.
  • “Adjustable Interest Rate (AIR) Table” – An ARM must disclose a separate table in the “Closing Cost Details” section on the LE and the “Additional Information About This Loan” section on the CD, under the heading “Adjustable Interest Rate (AIR) Table,” that contains specified information about the index and margin, increases in the interest rate, initial interest rate, minimum and maximum interest rate, frequency of adjustments, and limits on interest rate changes.
  • “Annual Percentage Rate (APR)” and “Total Interest Percentage (TIP)” in the “Comparisons” section on the LE and the Loan Calculations section on the CD – Calculation of both these values must account for variations in the interest rate permitted for the ARM.

Interest rate/payment change notices

The creditor, assignee, or servicer of an ARM secured by a borrower’s principal dwelling must provide consumers with written notices in connection with any adjustment of the interest rate under the loan contract that results in a corresponding adjustment to the payment. These notices must be separate from any other disclosures or notices.

There are exemptions for the following:

  • ARMs with a term of one year or less
  • The first interest rate adjustment to an ARM, if the first payment at the adjusted level is due within 210 days after consummation and the new interest rate disclosed at consummation was not an estimate
  • Loans for which the lender/servicer is subject to the Fair Debt Collection Practices Act (FDCPA) and the customer has sent a notice to cease communications

The content for these change notices is spelled out in detail in Regulation Z and the timing depends on whether the rate/payment change is the first one to occur for the ARM loan or a subsequent change.

  • The initial adjustment notice must be provided to consumers at least 210 days (but no more than 240 days) before the first payment at the adjusted level is due. If the first payment at the adjusted level is due within the first 210 days after consummation, the disclosures must be provided at consummation.
  • All subsequent adjustment notices generally must be provided to consumers at least 60 days (but no more than 120 days) before the first payment at the adjusted level is due. The disclosures must be provided to consumers at least 25 days (but no more than 120 days) before the first payment at the adjusted level is due for ARMs with uniformly scheduled interest rate adjustments occurring every 60 days or more frequently, and for ARMs originated prior to January 10, 2015 in which the loan contract requires the adjusted interest rate and payment to be calculated based on the index figure available as of a date that is less than 45 days prior to the adjustment date.

Periodic statements

If your bank has taken advantage of the “coupon book” exception from periodic statements for mortgage loans with fixed rates, you will have to begin producing periodic statements when you begin originating ARMs. Or, you will need to expand your statement output as more of the bank’s loan production shifts to ARMs from fixed-rate loans (if you still want to use the coupon book exception for your fixed-rate lending).

Conclusion

If your institution is like many community banks and has not been making ARMs for some time, you likely have some work to do to ramp ARM lending back up. Systems and disclosures need to be updated and/or activated. Disclosures need to be procured or prepared. Staff needs to be trained, at least some refresher training. Good luck re-ARMing up.

2023 Rescission Reference Chart

View and download the Young & Associates 2023 Rescission Reference Chart to assist your lenders in preparing the Notice of Right to Cancel. Please forward this document to someone in your organization who will use this helpful tool.

For 44 years, Young & Associates has provided consulting, training, and practical tools for the banking industry. Thank you for the opportunity to serve your needs.

Ensure your advertising is complete, clear, and compliant

In today’s competitive environment, getting the word out about your products and services is crucial. Do your ads meet regulatory expectations, include all advertising terms, and clearly explain what your products and services are to your customers and potential customers?

Get peace of mind with Young & Associates’ Advertising Review Service.

It’s easy!

As part of the advertising review engagement, Young & Associates will:

  • Review all print and electronic advertising material provided by the bank. *
  • Respond to each submitted item in writing within 2 business days, presenting any compliance issues that may be present in the ad.
  • There is no minimum or maximum number of advertisements in a year. Submit advertisements that require that “second look.”
    * The review will not include verification of any APR or APY.

Trusted guidance

Young & Associates provides an unmatched depth of practical expertise. Our compliance consultants include former banking executives, compliance regulators, and tenured finance professionals. We’re uniquely qualified to understand and solve your challenges, because we have personally experienced those same issues. For more information on this service, contact Karen Clower at kclower@younginc.com or 330.422.3444.

To submit your ad for review click here.
