
OFAC Extends Record Retention Requirements

By Veronica Madsen; Consultant, Young & Associates

On March 21, 2025, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a final rule adopting, without change, its interim final rule that extended certain recordkeeping requirements from five to 10 years. The extension matches the 10-year statute of limitations for violations of the sanctions programs OFAC administers and took effect on the date of publication in the Federal Register.

The final rule also extended the period during which civil monetary penalties may accrue for late filing of reports required to be submitted to OFAC (e.g., blocked property and reject reports or reporting required under specific licenses), from five years to 10 years. The potential penalty amounts did not change.

The changes stemmed from the 21st Century Peace through Strength Act (Public Law 118-50), signed into law on April 24, 2024, which extended the statute of limitations for civil and criminal violations of the International Emergency Economic Powers Act (50 U.S.C. 1701), and the Trading with the Enemy Act (50 U.S.C. 4301), from five years to 10 years.

OFAC published the interim final rule on September 13, 2024, and requested public comment. Commenters argued that financial institutions needed more time to acquire additional storage capacity and to adjust their recordkeeping practices to the new requirement. OFAC nonetheless finalized the rule as written, citing the time that had already elapsed since the underlying law was enacted.

What Records Must Be Retained Longer?

The Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual describes the records covered. A full and accurate record of each rejected transaction, including all reports submitted to OFAC, must now be kept for 10 years. For blocked property (including blocked transactions), records must be maintained for as long as the property is blocked and for 10 years after the date the property is unblocked.

How Should Banks Prepare for this Change?

Because the rule took effect on publication, banks that have not already prepared for this change should:

  • update systems to retain the covered records for the longer period;
  • amend policies, procedures and the OFAC risk assessment to reflect the 10-year retention requirement and the extended window during which late-filing penalties can accrue;
  • prepare or amend training content; and
  • budget for potentially higher compliance costs.

Conclusion

Navigating this kind of regulatory shift can feel overwhelming, especially when it demands swift operational changes and long-term strategic planning. That’s where Young & Associates can help. Our compliance experts are ready to assist with updating your OFAC programs, reviewing risk assessments, and supporting your team in building a sustainable, compliant approach to record retention. Contact us today to ensure your institution is fully prepared for this new 10-year horizon.

Compliance – 2025 & Beyond

By Bill Elliott, CRCM; Director of Compliance Education, Young & Associates

Over the last few years we have dealt with changes to regulation, followed by lawsuits, followed by resolution (in some cases).

The original intent was for the CFPB to be independent of the rest of the federal government, with a director who could not be removed at will by the President. For good or ill, that changed with the Supreme Court’s decision in Seila Law LLC v. CFPB (2020). As a result, the agency has become part of each administration and changes direction based on the results of elections.

Some of the discussion below includes other agencies, as they are part of the same trend.

CRA

The new CRA rule was published and was due to be implemented in part last year. However, a lawsuit challenging the regulation is pending and has not been resolved, and the federal banking regulators have said publicly that they will follow the old CRA regulation until it is.

The intent of the new CRA regulation was to try to take as much examiner judgment out of the rating system as possible, with the result of fairer reviews for banks. While an excellent goal, I am not sure that the pending regulation accomplishes this. In any event, all banks and regulators will follow the existing regulation until the court battles have concluded. The CFPB is not part of the new CRA rule, just the primary regulators, but this is part of the same trend.

Beneficial Ownership

Congress passed the Corporate Transparency Act requiring that beneficial ownership information be collected by the federal government. That process began in 2024, and required your smaller commercial customers to share a lot of information with the federal government.

The federal government said that compliance was actually going well. But late in 2024, once again in response to a lawsuit, everything ground to a halt. Your customers who have not yet complied may have to comply at some point in the future, and are welcome to comply now, but currently do not have to comply.

The lawsuit generally concerns whether Congress had the authority to pass a law such as this in the first place. We do not know where it will go from here, and because of the nature of the issue we may have to wait for the Supreme Court to rule on it. This is another example of the current environment.

1071

1071 (Regulation B, Subpart B) is perhaps the regulation that will create the greatest problems for banks and their customers. Although implementation is a year or more away for many banks, your customers will consider the current regulation invasive. Among other things, it requires banks to ask small business applicants about the sexual orientation and gender identity of their principal owners. Many of your customers will consider this none of the government’s business, and this particular information is not required by the Dodd-Frank Act itself.

A small business owner could be discriminated against because of LGBTQ+ status, and we would hope that does not happen. This is a rule with good intentions, but the approach the regulation takes will create more difficulties for banks and their small commercial customers than we would like. We will see what happens with the change in administration and CFPB leadership.

Conclusion

There are other rules pending. Privacy, for instance, is becoming a bigger issue as banking becomes more electronic. These sorts of regulations will probably be useful, but we will have to wait to see how the final regulations read, and then perhaps wait through lawsuits once again.

A regulatory environment that was less chaotic would be better for all of us, but that does not appear to be something that we can count on. Enjoy the ride.

In this ever-changing environment, having a knowledgeable compliance partner is essential. At Young & Associates, we specialize in helping financial institutions interpret, implement, and manage compliance requirements with confidence. Whether you need regulatory guidance, risk assessments, or compliance program reviews, our team is here to support you.

Reach out to Young & Associates today to discuss your compliance needs and ensure your institution is prepared for the road ahead.

Checking Your BSA Program Is More Important Than Ever

By William J. Showalter, CRCM; Senior Consultant, Young & Associates

Over the past year, we have seen at least 27 Bank Secrecy Act (BSA) enforcement actions from an array of financial institution supervisory agencies.  Banks of all sizes, including community banks, continue to be hit with cease and desist (C&D) orders, formal agreements, consent orders, and even civil money penalties (CMP).  Five of these actions involved monetary penalties of some sort totaling nearly $4 billion – all but about $109 million coming from one case with four federal agency actions against one bank, and one $100,000 CMP imposed against an individual for BSA noncompliance.  These enforcement actions remind us that even community banks and thrifts must have thorough and well-managed BSA compliance programs.

The enforcement actions do not spell out specifics of what the agencies found at each institution, but they do give us important insights into what the regulators will expect during your next BSA compliance exam.

Community banks should evaluate their BSA compliance programs in light of the corrective actions that these institutions are required to take.

Another important issue that financial institution management should remember is that the USA PATRIOT Act made BSA compliance as important as Community Reinvestment Act (CRA) compliance in getting an application approved.  The act adds BSA as a factor for consideration in merger transactions. The agency must take into consideration “the effectiveness of any insured depository institution involved in the proposed merger transaction in combating money laundering activities.”  This means that banks and thrifts must have more than a written BSA program.  They must be able to demonstrate that the program works.

BSA Compliance Programs

All insured banks and thrifts are required to develop, administer, and maintain a program that assures and monitors compliance with the BSA and its implementing regulations, including recordkeeping and reporting requirements. Such a program can help protect a bank against possible criminal and civil penalties and asset forfeitures.

At a minimum, a bank’s internal compliance program must be written, approved by the board of directors, and noted as such in the board meeting minutes. The program must include at least the following elements:

  • A system of internal controls to assure ongoing compliance
  • Independent testing of compliance
  • Daily coordination and monitoring of compliance by a designated person
  • Training for appropriate personnel
  • Risk-based customer due diligence/beneficial ownership procedures

Internal Controls

Senior management is responsible for assuring an effective system of internal controls for the BSA, including suspicious activity reporting, and must demonstrate its commitment to compliance by:

  • Establishing a comprehensive program and set of controls, including account opening, monitoring, and currency reporting procedures
  • Requiring that senior management be kept informed of compliance efforts, audit reports, identified compliance deficiencies, and corrective action taken – to assure ongoing compliance
  • Making BSA compliance a condition of employment
  • Incorporating compliance with the BSA and its implementing regulations into job descriptions and performance evaluations of bank personnel

Independent Testing of Compliance

The bank’s internal or external auditors should be able to:

  • Attest to the overall integrity and effectiveness of management systems and controls, and BSA technical compliance
  • Test transactions in all areas of the bank with emphasis on high-risk areas, products, and services to assure the bank is following prescribed regulations
  • Assess employees’ knowledge of regulations and procedures
  • Assess adequacy, accuracy, and completeness of training programs
  • Assess adequacy of the bank’s process for identifying suspicious activity

Internal review or audit findings should be incorporated after each assessment into a board and senior management report and reviewed promptly.  Appropriate follow up should be assured.

Regulators increasingly expect the BSA audit or testing program to also include these elements:

  • Confirmation of the integrity and accuracy of management information reports used in the AML compliance program
  • Overall integrity and effectiveness of the program
  • Evaluation of management’s efforts to resolve violations and deficiencies
  • Evaluation of the effectiveness of the suspicious activity monitoring systems
  • Review of the BSA risk assessment for reasonableness given the bank’s risk profile

BSA Compliance Officer

A bank or thrift must designate a qualified bank employee as its BSA compliance officer, who has day-to-day responsibility for managing all aspects of the BSA compliance program and compliance with all BSA regulations.  The BSA compliance officer may delegate certain BSA compliance duties to other employees, but not compliance responsibility.

The bank’s board of directors and senior management must assure that the BSA compliance officer has sufficient authority and resources – time, funding, staffing – to administer effectively a comprehensive BSA compliance program.  And, the BSA officer must have a direct reporting channel to the board of directors.

Board of Directors

The board must ensure that it exercises supervision and direction of the BSA/AML program.  This involves making sure that the institution develops sound BSA/AML policies, procedures, and processes that are approved by the board and implemented by management.  The board also has to ensure that the bank maintains a designated BSA officer with qualifications commensurate with the bank’s situation.  As noted above, the BSA officer must report directly to the board and be vested with sufficient authority, time, and resources.  The board must provide for an adequate independent testing of BSA/AML compliance.  The board should bear in mind that it has the ultimate responsibility for the institution’s BSA compliance.

Training

Financial institutions must ensure that appropriate bank personnel are trained in all aspects of the regulatory requirements of the BSA and the bank’s internal BSA compliance and anti-money laundering (AML) policies and procedures.

An effective training program includes provisions to assure that all bank personnel, including senior management, who have contact with customers (whether in person or by phone), who see customer transaction activity, or who handle cash in any way, receive appropriate training.  Board members also need to receive regular BSA/AML training, though at a much higher level with less detail than institution line employees.

The training needs to be ongoing and incorporate current developments and changes to the BSA, AML laws, and agency regulations.  New and different money laundering schemes involving customers and financial institutions should be addressed.  It also should include examples of money laundering schemes and cases, tailored to the audience, and the ways in which such activities can be detected or resolved.

Another focus of the training should be on the consequences of an employee’s failure to comply with established policy and procedures (e.g., fines or termination).  These programs also should provide personnel with guidance and direction in terms of bank policies and available resources.

Beneficial Ownership Procedures

The beneficial ownership rule contains three core requirements:

  • Identifying and verifying the identity of the beneficial owners of companies opening accounts
  • Understanding the nature and purpose of customer relationships to develop customer risk profiles, and
  • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information

A beneficial owner is each individual who, directly or indirectly, owns 25 percent or more of the equity interests of a legal entity customer (the ownership prong).  Separately, the rule also covers one individual with significant responsibility to control, manage, or direct the legal entity customer, such as an executive officer or senior manager (the control prong), so every legal entity customer has at least one beneficial owner.

Beyond the Basics

BSA enforcement actions continue to raise the bar for all financial institutions.  BSA compliance programs must meet additional standards in order to be considered adequate to meet the ever-evolving challenges that arise over time.

  • Customer due diligence (CDD). Verifying a customer’s name, address, date of birth and identification number will satisfy the basic BSA customer identification requirements.  However, these four pieces of information will not be enough to help an institution determine a customer’s typical account activity.  The recent C&D orders make clear that regulators expect community bank managers to use information collected as part of the institution’s CDD process to predict the type, dollar amount, and volume of transactions that a customer is likely to conduct.  This expectation goes beyond the new beneficial ownership rule to extend CDD expectations to the broader customer base.  Several institutions subject to the recent round of enforcement actions were directed to develop specific procedures to describe how the institution will conduct customer due diligence.  As computer and software technology has improved, regulators have come to expect small and large banks to gather and review information about the normal range of a customer’s banking activities.  They view the CDD processes and analysis as providing the framework that enables institutions to comply with suspicious activity reporting requirements.
  • Account & transaction monitoring. A number of institutions that received the most recent orders did not have adequate, or any, procedures for detecting and reporting suspicious activities. The enforcement actions make clear that community banks must specify in writing how the institution will analyze and use customer information to detect suspicious activities.  As this area gets more complex, it becomes more difficult to maintain an adequate suspicious activity monitoring regimen without some form of automated monitoring.

Conclusion

The costs of being subject to an enforcement action go beyond extra regulatory scrutiny in subsequent examinations.  Institutions under the latest round of actions must report the enforcement action in communications with their shareholders and spend significant sums of money to hire outside consultants to train employees, audit the revised BSA programs and backfile required reports.  They also must submit planned actions to the regulators involved for prior approval, as well as report regularly (usually quarterly) on their progress in remediating the deficiencies that led to their particular enforcement action.

An interagency BSA enforcement policy statement clarifies that formal enforcement actions will not be issued for minor BSA infractions.  These enforcement actions are levied against financial institutions – including community banks – with significant breakdowns in their BSA compliance systems.  The consent and other orders illustrate that all banks are expected to have very specific procedures for how they will collect customer information, predict customer account activity, utilize transaction monitoring reports, and train and manage employees with BSA-related responsibilities.

Be sure that you are not an object lesson for your banking fellows.  If we can help, contact us today.

The Future of Mortgage Loan Buybacks

Mitigating Repurchase Risk Before It’s Too Late

By Donald Stimpert, Manager of Secondary Market QC, Young & Associates

Understanding the Rising Risk of Loan Buybacks

The secondary mortgage market is evolving rapidly, and with it, lenders face increasing pressure to maintain strict quality control (QC) standards. Loan buybacks—once considered an occasional risk—have become a growing concern as investors, government-sponsored enterprises (GSEs), and regulatory bodies scrutinize loan origination and underwriting processes more closely.

Recent economic uncertainty, fluctuating interest rates, and regulatory changes have only amplified repurchase risks, making it imperative for financial institutions to adopt proactive strategies to mitigate potential buybacks before they impact profitability.

Why Are Mortgage Buybacks Increasing?

Several factors contribute to the rise in loan repurchase demands, including:

1. Heightened Investor Scrutiny

With a more volatile lending environment, investors and GSEs such as Fannie Mae and Freddie Mac are intensifying post-closing reviews to identify underwriting errors, miscalculations, and misrepresentations.

2. Rising Interest Rates and Loan Performance Issues

As interest rates climb, borrowers with recent mortgages may be at a higher risk of delinquency. A worsening performance trend in loans increases investor caution, leading them to revisit underwriting quality and enforce buybacks when defects are found.

3. Evolving Regulatory Standards

The Consumer Financial Protection Bureau (CFPB) and other regulators continue to refine lending requirements, particularly around fair lending, borrower income verification, and compliance with TRID (TILA-RESPA Integrated Disclosure) rules. Lenders who fail to maintain strict adherence to these standards may see increased buyback requests.

4. Defect Trends in Loan Underwriting

Recent QC reports indicate a surge in defects related to:

  • Income calculation errors
  • Debt-to-income (DTI) miscalculations
  • Missing documentation
  • Undisclosed liabilities
  • Misrepresentation of borrower information

Even minor discrepancies can trigger a repurchase demand, highlighting the need for enhanced QC measures.

Strategies to Minimize Repurchase Risk

To reduce exposure to loan buybacks, lenders must strengthen their QC frameworks and proactively address risk areas before loans reach the secondary market.

1. Strengthen Pre-Funding and Post-Closing QC Reviews

Implementing a robust pre-funding QC process helps catch potential defects before loans are sold, significantly reducing repurchase risk. Post-closing audits should be conducted consistently, ensuring that any issues are corrected before investor scrutiny.

2. Enhance Data Validation and Borrower Verification

Investors are increasingly focused on data integrity. Lenders must adopt advanced verification tools to cross-check borrower information, income, employment history, and undisclosed debts, minimizing the risk of fraud and errors.

3. Implement Targeted Sampling for QC Reviews

Rather than relying solely on random sampling, lenders should integrate risk-based QC sampling that focuses on high-risk loan categories, such as self-employed borrowers, non-traditional income sources, or jumbo loans.

4. Maintain Open Communication with Investors and GSEs

Establishing proactive dialogue with investors, servicers, and GSEs can help lenders identify evolving QC expectations and regulatory shifts, allowing them to adjust policies before issues escalate into buyback requests.

5. Conduct Regular Staff Training and Compliance Refreshers

Underwriting and QC staff should receive continuous training on updated investor guidelines, industry best practices, and regulatory changes. Well-informed teams are less likely to overlook critical details that lead to defects.

A More Proactive Approach to Mortgage QC

The risk of loan buybacks is unlikely to disappear, but financial institutions that take a proactive approach to mortgage quality control will be better positioned to minimize losses, maintain strong investor relationships, and protect their bottom line.

By integrating technology-driven audits, enhanced borrower validation, and risk-based QC sampling, lenders can significantly reduce repurchase exposure and navigate the evolving secondary market with confidence.

Is your institution prepared to mitigate repurchase risk? Young & Associates offers customized Mortgage QC solutions designed to enhance your quality control processes and protect your loan portfolio. Contact us today to learn how we can help safeguard your secondary market loan sales.

Key Insights from CFPB Supervisory Highlights, Winter 2024

As the regulatory environment continues to evolve, the CFPB’s latest Supervisory Highlights offer crucial insights for financial institutions navigating an increasingly complex landscape. Issue 37 shines a spotlight on deposit operations, credit furnishing practices, and the burgeoning short-term lending market, while also addressing significant enforcement actions and new rules. Here’s what community banks need to learn—and act on.


Overdraft Fees: A Continuing Challenge

For years, overdraft and non-sufficient funds (NSF) fees have drawn regulatory scrutiny. This issue of Supervisory Highlights confirms that some practices—such as re-presentment NSF fees and Authorize-Positive Settle-Negative (APSN) overdraft fees—remain problematic. Despite progress, core processors often set fee structures to charge these fees by default unless institutions actively intervene.

Takeaway for Community Banks
It’s time to re-evaluate fee structures. Ensure that your core processor’s systems are configured to align with updated regulatory expectations. Educate staff and consumers about these changes to build trust and avoid regulatory pitfalls.


Furnishing Data: Accuracy Matters

Banks that furnish data to credit reporting agencies are under the microscope. The CFPB found widespread failures to maintain procedures for identity theft notifications, conduct thorough investigations of disputes, and ensure data accuracy. This isn’t just about compliance—it’s about your reputation.

Actionable Insight
Community banks should strengthen internal controls and train employees on handling credit disputes. Investing in accurate, consumer-friendly data practices not only mitigates risk but also reinforces your institution’s credibility.


Short-Term Lending: Transparency is Key

The Supervisory Highlights also scrutinize the exploding popularity of Buy Now, Pay Later (BNPL) programs and paycheck advance products. Findings revealed deceptive marketing practices, delayed dispute resolutions, and loan denials tied to trivial payment processing errors.

Why It Matters
Even if your bank doesn’t offer these products, they’re reshaping consumer expectations. Transparency in terms and processes isn’t optional—it’s a competitive necessity.


Technology Pitfalls: Lessons from Enforcement Actions

This issue features notable enforcement actions, including a $1.5 million penalty against VyStar Credit Union for botching the launch of an online banking platform. Consumers faced months of restricted access to their accounts, incurring fees and frustration.

A Word of Caution
Digital transformation is critical for community banks to stay relevant, but poorly executed rollouts can damage trust. Rigorous testing and a solid contingency plan can safeguard against consumer harm and regulatory penalties.


New Rules to Watch

The CFPB issued a final rule on overdraft lending at very large financial institutions (those with more than $10 billion in assets), limiting overdraft fees to a $5 benchmark or to the institution’s documented costs unless the overdraft is treated as an extension of credit subject to Regulation Z. Additionally, the CFPB’s supervisory authority now extends to digital consumer payment applications processing more than 50 million transactions annually.

What’s Next for Community Banks?
Stay proactive in monitoring new rules and adapting processes. Even if you’re not directly impacted by these changes, they signal the regulatory trends shaping the future.


Final Thoughts: Protecting Your Institution

The themes in this issue of Supervisory Highlights boil down to a central lesson: consumer protection is non-negotiable. Whether it’s ensuring accurate reporting, transparent lending, or seamless technology implementation, community banks must prioritize their customers’ experience.

By addressing these areas, you’re not just avoiding penalties—you’re fortifying your role as a trusted partner in your community. For tailored guidance, connect with Young & Associates, your partner in navigating the ever-changing regulatory landscape. Contact us for tailored solutions to support your institution’s goals.

U.S. Industrial Transition: Insights for Metro Areas and Community Banks

The FDIC’s analysis of U.S. industrial transitions between 1970 and 2019 reveals the profound effects of economic shifts on metro areas and the community banks serving them. These transitions, driven by the decline of manufacturing and the rise of service-based economies, created challenges and opportunities for local economies and financial institutions. Below, we explore the key findings from this study and their implications for community banks.


The Decline of Manufacturing and Economic Shifts

Over five decades, the national economy moved away from manufacturing, with industries like steel, textiles, and machinery experiencing steep employment declines. Metro areas heavily reliant on these sectors, particularly in the Northeast and Midwest, faced significant economic stagnation. For example, cities like Youngstown, OH, and Flint, MI, struggled to replace lost industries, leading to slower population growth, aging demographics, and economic contraction. Meanwhile, metro areas in the South and West benefited from population inflows and economic diversification, fostering stronger economic growth.


Challenges for Community Banks in High-Transition Metros

Community banks in metros with high levels of industrial transition faced significant challenges. These banks experienced weaker deposit and branch growth compared to their counterparts in other regions. Their loan portfolios were heavily concentrated in single-family residential loans, with less exposure to business-related lending, which limited their growth potential. Despite these challenges, community banks in high-transition metros showed resilience during periods of economic stress, such as the Savings and Loan Crisis and the Great Financial Crisis, with lower failure rates than banks in other regions.


Strategies for Success: High-Performing Banks

Amid these challenges, a subset of high-performing community banks in high-transition metros found success through strategic adaptability. These banks diversified their loan portfolios, expanded operations beyond their local metro areas, and emphasized commercial lending. By focusing on growth opportunities outside their immediate regions and strengthening their balance sheets, these banks outperformed both their local peers and many banks in more stable metros. Their success underscores the importance of innovation and diversification in navigating economic transitions.


The Role of Metro Diversification

Larger, more industrially diversified metros, such as San Jose, CA, demonstrated the benefits of economic adaptability. San Jose successfully transitioned from computer manufacturing to a broader technology-driven economy, supported by high-paying jobs in professional, scientific, and technical services. This highlights the critical role of industrial diversity in building resilience during times of economic change. Smaller, less diversified metros struggled to recover, illustrating the importance of proactive economic planning and investment in diverse industries.


Lessons for Future Transitions

The FDIC study offers valuable lessons for navigating future economic shifts, including those driven by climate change and clean energy transitions. Metro areas and community banks that prioritize diversification, invest in high-growth industries, and adapt to changing market demands will be better equipped to manage these transitions. By learning from past challenges, financial institutions can position themselves as resilient and innovative partners in their communities.


Supporting Community Banks Through Transition

As community banks navigate the challenges of economic shifts, Young & Associates is here to help. Our expert guidance can assist financial institutions in diversifying portfolios, expanding operations, and developing strategies for resilience. Contact us today to learn more about our tailored services, and subscribe to our newsletter for the latest insights and updates.

Understanding NCUA’s Guidance on Overdraft and NSF Fees: Key Takeaways for Credit Unions

The NCUA’s December 2024 Letter to Credit Unions (24-CU-03) sheds light on the risks and regulatory concerns surrounding overdraft and non-sufficient funds (NSF) fee practices. This guidance is crucial for federally insured credit unions aiming to mitigate compliance, reputation, and litigation risks while maintaining fair and transparent practices for their members. Below, we break down the essential points of the letter, tailored for credit union leaders.


The Problem with Unanticipated Fees

Credit unions may face significant risks if their overdraft or NSF fee policies result in fees that members cannot reasonably anticipate or avoid. These fees can lead to:

  • Substantial Member Harm: Unexpected fees strain members financially and undermine trust.
  • Regulatory Violations: Such practices may be deemed unfair or deceptive under Section 5 of the FTC Act and the Consumer Financial Protection Act (CFPA).
  • Heightened Risks: Credit unions expose themselves to reputational, consumer compliance, third-party, and litigation risks.

Key Risk Areas in Overdraft and NSF Fee Practices

The NCUA identified several problematic practices:

  1. Authorize Positive, Settle Negative (APSN) Fees:

    • Fees charged when a debit card transaction is authorized against a sufficient available balance but settles against an insufficient balance because other transactions posted in the interval between authorization and settlement.
    • Such practices are likely unfair under federal law, because the member saw a positive balance at the point of sale and had no way to anticipate the fee.
  2. Multiple NSF Representment Fees:

    • Charging additional fees when a returned check or ACH item is presented multiple times without sufficient funds.
    • Members generally cannot control or predict when a merchant will re-present an item, so the NCUA views these repeat fees as likely unfair and deceptive.
  3. Returned Deposited Item (RDI) Fees:

    • Assessing fees on members for depositing checks that are returned unpaid.
    • Members typically have no way to foresee these occurrences, increasing compliance and reputational risks.
  4. Other High-Risk Practices:

    • High or No Limits on Fees: Charging excessive fees in a single day creates undue financial burdens on members.
    • Inaccurate Disclosures: Failing to clearly disclose fee practices or transaction cutoff times can mislead members and violate regulations.
    • Reordering Transactions: Prioritizing larger transactions to maximize overdraft fees is likely to be considered unfair.
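As an added example, not from the NCUA letter or this article, the Python below replays a constructed debit-card and check ledger to show items 1 and 4 above in action: `assess_fees` tags every overdraft fee whose item was authorized against a positive available balance (the APSN pattern a lookback for self-identification and reimbursement would flag), and `count_fees` posts one day's debits chronologically and then high-to-low to show how reordering alone adds fees. The $30 fee, the sample events and the rule that a fee is triggered when the posted balance goes negative are assumptions for the illustration; a real core system's posting rules will differ.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

OD_FEE = 30.00  # assumed per-item overdraft fee for the sample


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str                  # "deposit", "auth", "settle" (card) or "post" (check/ACH)
    amount: float
    ref: Optional[str] = None  # item id; links a "settle" back to its "auth"


@dataclass(frozen=True)
class Fee:
    ts: datetime
    ref: Optional[str]
    amount: float
    apsn: bool                 # True = the item was authorized against a positive balance


def assess_fees(events, opening_balance, fee=OD_FEE):
    """Replay a ledger in timestamp order and return the overdraft fees it
    generates, tagging each fee whose item was 'authorized positive'."""
    ledger = opening_balance        # posted balance
    holds = {}                      # ref -> authorization hold still outstanding
    authorized_positive = {}        # ref -> available balance stayed >= 0 after the hold
    fees = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "deposit":
            ledger += ev.amount
        elif ev.kind == "auth":
            available = ledger - sum(holds.values())
            authorized_positive[ev.ref] = available - ev.amount >= 0
            holds[ev.ref] = ev.amount
        elif ev.kind in ("settle", "post"):
            if ev.kind == "settle":
                holds.pop(ev.ref, None)   # the hold is released when the item settles
            ledger -= ev.amount
            if ledger < 0:                # assumed fee trigger: posted balance negative
                fees.append(Fee(ev.ts, ev.ref, fee, authorized_positive.get(ev.ref, False)))
                ledger -= fee
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return fees


def apsn_reimbursement(fees):
    """Total of fees a lookback would refund because they fit the APSN pattern."""
    return round(sum(f.amount for f in fees if f.apsn), 2)


def count_fees(debits, opening_balance, high_to_low=False, fee=OD_FEE):
    """Post one day's debits either in the order received or largest-first and
    count how many overdraft fees each ordering produces."""
    order = sorted(debits, reverse=True) if high_to_low else list(debits)
    balance, n = opening_balance, 0
    for amt in order:
        balance -= amt
        if balance < 0:
            n += 1
            balance -= fee
    return n


# Constructed sample: opening balance $100, member opted in to debit-card overdraft.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 3, 10, 0), "auth",   60.00, "CARD-A"),    # available 100 -> 40
    Event(datetime(2025, 3, 4,  9, 0), "post",   80.00, "CHK-1001"),  # intervening check, ledger 20
    Event(datetime(2025, 3, 5,  8, 0), "settle", 60.00, "CARD-A"),    # settles negative: APSN fee
    Event(datetime(2025, 3, 5,  9, 0), "post",   10.00, "ACH-2002"),  # ordinary overdraft fee
    Event(datetime(2025, 3, 5, 10, 0), "auth",   15.00, "CARD-B"),    # authorized while negative
    Event(datetime(2025, 3, 6,  8, 0), "settle", 15.00, "CARD-B"),    # fee, but not APSN
]

if __name__ == "__main__":
    for f in assess_fees(SAMPLE_EVENTS, 100.00):
        print(f.ts.date(), f.ref, f.amount, "APSN" if f.apsn else "")
    print("APSN reimbursement:", apsn_reimbursement(assess_fees(SAMPLE_EVENTS, 100.00)))
    # Same three debits, same $50 balance: one fee chronologically, two fees high-to-low.
    print(count_fees([20, 25, 40], 50.00), count_fees([20, 25, 40], 50.00, high_to_low=True))
```

Only the CARD-A fee is flagged: the member saw $40 available at the register, and the check that posted the next day is what pushed the settlement negative. The high-to-low comparison uses the same three debits against the same balance and yields two fees instead of one, which is exactly the outcome the NCUA says is likely to be considered unfair.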

Risk Management Best Practices

To address these risks, the NCUA recommends that credit unions:

  • Conduct Comprehensive Reviews:

    • Analyze all aspects of overdraft and NSF fee programs, including disclosures, processing systems, and member communications.
    • Evaluate member complaints and fee structures for fairness and transparency.
  • Mitigate Risks:

    • Eliminate fee practices that members cannot reasonably anticipate or avoid.
    • Self-identify and reimburse members for fees assessed under unfair practices.
    • Consult legal counsel to ensure compliance with applicable laws.
  • Enhance Member Support:

    • Offer alternatives such as linked savings accounts, affordable lines of credit, or short-term loans.
    • Provide educational resources to help members manage their accounts effectively.

NCUA’s Supervisory Approach

The NCUA will continue reviewing overdraft and NSF programs during examinations to ensure compliance and risk mitigation. Credit unions are encouraged to take proactive measures, as the agency will consider self-corrected violations and member reimbursements favorably during examinations. Enforcement actions may include restitution for harmed members and other penalties for non-compliance.


This guidance emphasizes the importance of transparency, fairness, and compliance in managing overdraft and NSF fee practices. By implementing the NCUA’s recommended best practices, credit unions can reduce risk exposure, enhance member trust, and align with regulatory expectations.

How We Can Help

At Young & Associates, we specialize in helping credit unions navigate complex compliance requirements. Contact us for tailored solutions to evaluate and improve your overdraft and NSF fee programs. Sign up for our newsletter to stay informed about the latest regulatory updates and best practices in the credit union industry.

The OCC 2024 Annual Report: A Summary for Financial Institutions

The OCC 2024 Annual Report provides a comprehensive overview of the federal banking system, highlighting stability, strategic priorities, and regulatory advancements. This report underscores the importance of proactive risk management, fairness in banking practices, and adapting to evolving technology and environmental challenges.

The report reaffirms the strength of the federal banking system, noting that 99% of banks are well-capitalized and that 92% maintain strong capital adequacy, asset quality, and management. These metrics reflect the resilience of financial institutions in the face of economic uncertainties.


Strategic Priorities for the Federal Banking System

The OCC’s strategic priorities for 2024 focus on four critical areas:

  • Guarding Against Complacency: Banks are encouraged to remain vigilant and manage both traditional and emerging risks effectively.
  • Promoting Fairness: Efforts to reduce lending inequities and biases in financial practices continue to be a priority.
  • Adapting to Digitalization: The integration of financial technologies and artificial intelligence must be managed responsibly to ensure security and trust.
  • Addressing Climate Risks: Large banks are expected to develop frameworks to mitigate climate-related risks, both physical and transitional.

Key Focus Areas for Financial Institutions

  1. Fraud Prevention and Cybersecurity:
    • Rising threats, including AI-driven fraud, call for advanced detection systems and secure authentication processes.
    • The increasing reliance on fintech partnerships highlights the need for robust third-party risk management frameworks.
  2. Operational Resilience:
    • Operational resilience, including robust recovery planning, is critical to maintaining financial stability.
    • Recent regulatory updates require banks with over $100 billion in assets to expand recovery planning and testing.
  3. Regulatory Modernization:
    • Enhanced transparency in bank mergers aims to foster competition and benefit underserved communities.
    • Updates to the Community Reinvestment Act (CRA) strengthen fair lending practices and promote financial inclusion.
  4. Digital Innovation:
    • Artificial intelligence and automation are reshaping the banking landscape. The OCC emphasizes fairness, accountability, and transparency in AI applications.
    • Open banking and real-time payment systems present growth opportunities, but they must be implemented with customer trust and regulatory compliance in mind.

Financial System Resilience

The federal banking system demonstrated financial resilience in 2024, but challenges persist:

  • Agency Revenue: The OCC’s own operating revenue, funded mainly by bank assessments and interest earnings, increased by 2.8% in FY 2024 to $1.22 billion.
  • Profitability Pressures: Declines in net interest margins and rising credit costs affected profitability, particularly for community banks.

Operational resilience remains a cornerstone of financial stability. The OCC highlights the importance of maintaining adequate liquidity, robust capital levels, and strategic recovery planning to mitigate risks.


The OCC’s 2024 Annual Report emphasizes the importance of adaptability, fairness, and resilience in navigating an increasingly complex financial landscape. Financial institutions must align their strategies with these priorities to ensure compliance, enhance customer trust, and foster long-term stability.

Learn More:
Young & Associates offers expert guidance in compliance, risk management, and operational resilience. Contact us for tailored solutions to support your institution’s goals. Sign up for our newsletter to stay informed about the latest industry trends and insights.

Key Insights from the OCC Semiannual Risk Perspective (Fall 2024)

Top Trends in Banking Risks

The OCC’s report emphasizes maintaining sound risk management practices to address growing challenges:

  • Fraud Activity: External fraud schemes targeting consumers and banks are rising. Sophisticated tactics, including AI-driven fraud, demand enhanced detection and prevention measures.
  • Credit Risks: Commercial real estate (CRE) remains a focal point, with stress in office and luxury multifamily segments. Retail credit risks are stable but show signs of increased delinquencies in auto loans and credit cards.
  • Operational Risks: Cybersecurity and third-party risks are elevated, reflecting the increasing complexity of the banking environment.
  • Compliance Pressures: Adapting to dynamic regulatory changes and addressing data governance gaps are critical to ensuring compliance.

Fraud and Cybersecurity: A Call for Action

Fraudulent activities targeting the banking system have surged, driven by innovative schemes such as:

  • Wire Transfer Fraud: Fraudsters impersonate trusted entities to steal funds.
  • Check Fraud: Criminals manipulate stolen checks or sell them on dark web platforms.
  • AI-Driven Attacks: Deepfakes and AI-enhanced social engineering pose new threats.

What Banks Can Do:

  • Implement advanced fraud detection systems.
  • Educate customers about fraud prevention.
  • Strengthen authentication and transaction monitoring systems.

Credit Risk: Stabilizing but Uneven

The report identifies pockets of credit risk:

  • Commercial Real Estate (CRE): Stress is evident in the office sector, with rising costs and valuation declines. Multifamily CRE faces challenges from oversupply and increased regulatory expenses.
  • Retail Credit: Stable overall but experiencing increased delinquencies in credit cards and auto loans.

What Banks Can Do:

  • Conduct regular stress testing for CRE portfolios.
  • Enhance monitoring and adjust allowances for credit losses based on emerging risks.

Operational Resilience and Technology Adoption

The banking sector is rapidly digitizing, adopting new technologies to meet evolving customer needs. However, these advancements come with heightened risks:

  • Third-Party Risks: Increased reliance on fintech partnerships expands the cyberattack surface.
  • Legacy System Challenges: Aging infrastructure complicates modernization efforts.
  • AI Adoption: Compliance risks are significant as banks explore advanced AI applications.

What Banks Can Do:

  • Strengthen third-party risk management frameworks.
  • Plan for post-quantum cryptography and invest in legacy system upgrades.
  • Implement comprehensive governance for AI-based tools.

Market and Climate-Related Financial Risks

Banks face dual pressures from market dynamics and climate-related risks:

  • Net Interest Margins (NIM): Higher funding costs are compressing margins, requiring strategic adjustments.
  • Climate Impact: Increased natural disasters highlight the importance of climate risk management frameworks.

What Banks Can Do:

  • Focus on liquidity stress testing and modeling depositor behavior.
  • Engage with clients to manage climate-related transition risks effectively.

Economic Outlook: Challenges Ahead

The U.S. economy remains resilient but shows signs of slowing:

  • Housing Market: Affordability issues and “rate lock-in” effects are dampening demand.
  • Consumer Spending: Despite strong spending in 2024, rising costs and a cooling labor market could create headwinds.

Preparation Tips:

  • Monitor consumer credit health closely.
  • Adapt lending standards to evolving economic conditions.

Staying Ahead in a Dynamic Environment

The OCC’s Fall 2024 Semiannual Risk Perspective outlines a roadmap for navigating complex risks in the federal banking system. Financial institutions should prioritize robust fraud prevention, proactive credit risk management, and strategic technology adoption. By addressing these challenges, banks can safeguard their operations and thrive in an ever-changing economic landscape.

Explore More:
Discover how Young & Associates can help your institution mitigate risks, strengthen compliance, and enhance operational resilience. Contact us today for tailored solutions to navigate these challenges effectively. Sign up for our newsletter to stay informed about industry insights and updates.

2025 Rescission Calendar – Free Download Now Available

The right of rescission, governed by Regulation Z under the Truth in Lending Act (TILA), remains a cornerstone of consumer protection in the lending industry. For financial institutions, ensuring compliance with rescission rules is not only a regulatory requirement but also a reflection of their commitment to protecting borrowers’ rights. However, the intricacies of rescission—covering timing, disclosure requirements, and exceptions—can make this area of compliance challenging for many lenders.

To support your institution in navigating these complexities, Young & Associates is proud to offer a free downloadable Rescission Reference Chart, designed to simplify compliance with rescission rules.


What Is the 3 Day Right of Rescission?

The right of rescission gives consumers the ability to cancel certain consumer credit transactions in which a security interest is or will be retained in their principal dwelling, other than exempt transactions such as a purchase-money residential mortgage. This cooling-off period, typically three business days, is intended to allow borrowers time to evaluate the terms of their transaction without pressure. While the concept is straightforward, compliance involves navigating strict rules related to timing, notification, and disclosure.

Does Presidential Inauguration Day Affect Rescission Periods?

No. While federal employees in the Washington, DC area are granted a holiday on Presidential Inauguration Day (January 20th, every fourth year), that holiday is created by 5 U.S.C. 6103(c), applies only to those “employed in” the designated Inauguration Day Area, and does not affect rescission periods.

According to § 1026.2(a)(6) of Regulation Z, a “business day” for rescission purposes is defined as all calendar days except Sundays and the legal public holidays listed in 5 U.S.C. 6103(a), such as New Year’s Day, Martin Luther King Jr. Day, Washington’s Birthday, and others. Saturdays are business days under this definition. Inauguration Day is not among the holidays specified in 6103(a) and therefore does not impact rescission timelines. Note also that when a fixed-date holiday such as July 4 falls on a Saturday and federal offices observe it on the preceding Friday, that Friday remains a business day for rescission purposes; only the statutory date itself is excluded.

Common Challenges in Rescission Compliance

Despite its importance, rescission often presents challenges for financial institutions. Here are some common issues:

  1. Identifying Covered Transactions
    Not all transactions are subject to rescission. Determining whether a loan qualifies (refinances and home equity lines of credit secured by the principal dwelling do; purchase-money residential mortgages do not) requires careful evaluation of loan terms, lien positions, and the property securing the loan.
  2. Proper Timing of the Rescission Period
    The rescission period must be calculated accurately, counting Saturdays as business days and excluding Sundays and the legal public holidays. Miscalculations can result in compliance violations.
  3. Providing Accurate and Timely Disclosures
    Borrowers must receive clear and complete rescission notices and the required material disclosures at the time of closing. If the notice or material disclosures are not delivered or are inaccurate, the rescission period can extend to as long as three years after consummation, exposing the lender to liability.
  4. Handling Rescission Notices
    If a borrower exercises their right to rescind, lenders must act swiftly to return funds and terminate the lien within 20 calendar days. Delays or errors in this process can lead to penalties.

How Do You Calculate a 3 Day Rescission Period?

The rescission period runs until midnight of the third business day following the latest of three events: consummation (signing) of the loan, delivery of the notice of the right to rescind, and delivery of all material disclosures. Day one is the first business day after that latest event, and the creditor may not disburse loan funds until the period has expired.
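As an added example, not part of the Young & Associates article or its Rescission Reference Chart, the Python below encodes the counting rule above together with the Regulation Z “specific” business-day definition cited earlier: Saturdays count, Sundays and the 5 U.S.C. 6103(a) holidays do not, and a Friday or Monday on which federal offices observe a weekend holiday remains a business day. The holiday table is reproduced from the statute, the start-date rule follows § 1026.23(a)(3) (latest of consummation, notice delivery, and material-disclosure delivery), and the closing dates at the bottom are constructed for illustration.

```python
from datetime import date, timedelta

# Legal public holidays under 5 U.S.C. 6103(a). Fixed-date holidays are keyed by
# (month, day); the floating holidays are computed per year below.
FIXED_DATE_HOLIDAYS = {
    (1, 1),    # New Year's Day
    (6, 19),   # Juneteenth National Independence Day
    (7, 4),    # Independence Day
    (11, 11),  # Veterans Day
    (12, 25),  # Christmas Day
}


def _nth_weekday(year, month, weekday, n):
    """The n-th (1-based) occurrence of weekday (Mon=0 .. Sun=6) in a month."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def _last_weekday(year, month, weekday):
    """The last occurrence of weekday in a month."""
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def legal_public_holidays(year):
    """All 5 U.S.C. 6103(a) holidays for a year, on their statutory dates."""
    days = {date(year, m, d) for m, d in FIXED_DATE_HOLIDAYS}
    days.add(_nth_weekday(year, 1, 0, 3))    # Birthday of Martin Luther King, Jr.
    days.add(_nth_weekday(year, 2, 0, 3))    # Washington's Birthday
    days.add(_last_weekday(year, 5, 0))      # Memorial Day
    days.add(_nth_weekday(year, 9, 0, 1))    # Labor Day
    days.add(_nth_weekday(year, 10, 0, 2))   # Columbus Day
    days.add(_nth_weekday(year, 11, 3, 4))   # Thanksgiving Day
    return days


def is_rescission_business_day(d):
    """Reg Z 1026.2(a)(6) 'specific' definition: every calendar day except
    Sundays and 6103(a) holidays. Saturdays count. A Friday or Monday on which
    federal offices observe a weekend holiday is still a business day, because
    only the statutory date itself is excluded."""
    return d.weekday() != 6 and d not in legal_public_holidays(d.year)


def rescission_deadline(consummation, notice_delivered=None, disclosures_delivered=None):
    """Return the calendar date at whose midnight the right to rescind expires:
    the third business day following the latest of consummation, delivery of
    the rescission notice, and delivery of all material disclosures
    (1026.23(a)(3)). Day 1 is the first business day AFTER that event."""
    start = max(x for x in (consummation, notice_delivered, disclosures_delivered) if x)
    d, counted = start, 0
    while counted < 3:
        d += timedelta(days=1)
        if is_rescission_business_day(d):
            counted += 1
    return d


def earliest_disbursement(deadline):
    """Funds may not be disbursed until the period has expired (1026.23(c)),
    so the earliest funding date is the day after the deadline date."""
    return deadline + timedelta(days=1)


if __name__ == "__main__":
    # Constructed closing dates for illustration.
    # Friday 17 Jan 2025: Sat 18 = day 1, Sun 19 skipped, Mon 20 (MLK Day, which
    # is also Inauguration Day that year) skipped, Tue 21 = day 2, Wed 22 = day 3.
    print(rescission_deadline(date(2025, 1, 17)))    # 2025-01-22
    # Thursday 2 Jul 2026: Fri 3 Jul is the *observed* holiday but still day 1,
    # Sat 4 Jul (statutory date) skipped, Sun 5 skipped, Mon 6 = day 2, Tue 7 = day 3.
    print(rescission_deadline(date(2026, 7, 2)))     # 2026-07-07
    # Material disclosures delivered late move the start: the latest event governs.
    print(rescission_deadline(date(2025, 1, 17),
                              disclosures_delivered=date(2025, 1, 21)))  # 2025-01-24
```

The two Friday-before-a-weekend-holiday cases are the ones staff most often get wrong: the observed Friday is a business day under the rescission definition even though the lobby may be closed, while the Saturday itself is not.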

How the Rescission Calendar Can Help

Young & Associates’ Rescission Reference Chart is a comprehensive tool that simplifies the complexities of rescission compliance. This chart provides:

  • A clear breakdown of covered and exempt transactions.
  • Guidelines for accurately calculating the rescission period.
  • Tips for ensuring proper disclosure and handling rescission notices.

Whether you’re training new staff or refreshing your understanding of rescission rules, this chart offers a practical and easy-to-use resource to enhance your compliance program.

Why Rescission Matters

Non-compliance with rescission rules can result in extended rescission periods, regulatory scrutiny, or even legal action. By ensuring your institution has a solid grasp of rescission requirements, you not only avoid potential risks but also reinforce your reputation as a trusted and reliable lender.

Download Your Free Rescission Reference Chart Today

Young & Associates is dedicated to helping financial institutions like yours maintain compliance while streamlining operations. Our Rescission Reference Chart is just one of the many tools we offer to support your success. Equip your team with the knowledge and tools they need to navigate rescission with confidence. With Y&A by your side, you can focus on serving your customers while staying compliant with ease.

Managing Customer Complaints Is Important to an Effective CMS

By William J. Showalter, CRCM, Senior Consultant, Young & Associates

Financial institution supervisory agencies view a formal process for managing complaints from bank customers as an important element in an effective compliance management system (CMS). In fact, the second 2024 issue of the Consumer Compliance Outlook publication from the Federal Reserve Board (FRB) includes three articles on this subject.

The FRB is quoted in one of these articles in an unequivocal statement on this issue:

“Consumer complaints are a critical component of the risk-focused supervisory program. The Federal Reserve uses data on consumer complaint activity in its supervisory processes when monitoring financial institution, scoping and conducting examinations, and analyzing applications.”

The other federal agencies agree with this viewpoint. So, banks and thrifts have found that, if they do not handle customer complaints in a formal, consistent manner, their CMS will be viewed with a more critical eye.

Benefits of Managing Complaints

One positive aspect of proactively managing the customer complaint process is there is no real downside. The only “downside” is that such a process shines a light on the extent of complaints, and their underlying causes. But, this disadvantage is actually an advantage. What you don’t know really can hurt you.

The positive results from complaint management can include:

  • Uncovering and dealing with shortcomings in product features, bank processes, customer service, and other issues at an early stage, before they grow to a point that they present real threats to the institution
  • Improving customer satisfaction with the bank, and enhancing the bank’s efforts to serve the banking needs of its community
  • Resolving fair treatment issues at an early stage
  • Realigning bank products, processes, and services with regulatory requirements and expectations
  • Heading off potential UDAAP (unfair, deceptive, or abusive acts and practices) issues
  • Reducing the institution’s reputation risk.

Managing Customer Complaints

The bank already has formal processes, with assigned responsibilities, for handling errors and disputes asserted by customers related to electronic banking (Regulation E, EFTA), open-end credit (Regulation Z, TILA), and mortgage loan servicing (Regulation X, RESPA). Appropriate treatment of complaints in these areas is mandated by the respective regulations.

However, a formal process to address customer complaints in other areas – both those received directly from customers and those referred by the regulators – is considered an industry best practice, as well as a necessary component of an effective CMS by regulators. The structure of this program will vary depending on the culture of the bank and other internal factors. But, there are some common elements that form the basis of any sound customer complaint program, including:

  • Define what counts as a “complaint.” This definition is crucial to the program’s success, and defining “complaint” broadly is usually seen as a sound practice.
  • Make sure everyone knows how important it is to respond promptly and accurately to any customer complaints. This is a basis for giving good customer service.
  • Appoint a central point (an individual or an office) to be in charge of your complaint response program, including in particular any complaints referred by the regulators, and make sure that all bank staff are aware of how to handle complaints and where to refer them. Branch managers can be charged with handling customer service issues occurring at their branches that do not involve regulatory issues (fair lending, EFTA, etc.). However, they should report these complaints and their resolutions to the central complaint point so that any trends can be tracked.
  • Establish uniform standards and timeframes for investigating customer complaints. The time limits you set should be reasonable and probably not significantly longer than those set by regulations for some error resolutions (EFTA, TILA).
  • Ensure that the process includes determining the root cause of complaints being investigated.
  • Document your investigation (e.g., copies of relevant documents and reports) of each customer complaint and the bank response.
  • Ensure that regulators are informed promptly of the results of investigations of any complaints referred by regulatory agencies.
  • Maintain a database of your customer complaints, either manually or using some spreadsheet or database software. This step allows you to mine the data related to this process for information about problems with your products, customer service, potential fair treatment/lending issues, and so forth.

Results

The database discussed in the final bullet above can provide a wealth of information about how customers view your bank, your product mix, your service levels, and many other facets of your business. It also provides you with an opportunity to discern trends in their infancy, allowing you to deal with negative issues early or enhance the benefits from positive developments.

A proactive approach to customer complaint management yields many benefits for the bank, not least reducing conflicts with customers, enhancing the bank’s public image, improving bank relations with regulators, and creating a competitive advantage for the bank.

The Newest Supervisor

For more than a decade, there has been a more active and visible regulatory presence in this area: the Consumer Financial Protection Bureau (CFPB). The CFPB established a complaint database through which consumers can submit complaints about financial service providers, have their complaints forwarded to the providers for response, and give the public a window on this process and its outcomes.

The CFPB also periodically analyzes the results of this process, usually for one particular financial service area at a time (student loans in one report, mortgage servicing in another, and so on). The other agencies, as noted earlier, analyze data related to the consumer complaints handled through each of them.

The agencies often view data about consumer complaints to be an indicator of a need for future regulations. This view is reinforced by provisions in the Dodd-Frank Act of 2010.

The purpose of the CFPB database is to provide consumers with one central point through which they can submit complaints about financial service providers, without having to search through the maze of regulatory agencies first, and follow the results. Another purpose is to provide a gauge for how well financial service providers are serving their particular customer bases.

While the CFPB database can be a useful tool, financial institutions should have a goal of trying to deal with their own customers’ complaints and concerns themselves, before customers become so frustrated that they feel the need to turn to supervisory agencies.

At Young & Associates, we understand the critical role that managing customer complaints plays in building an effective compliance management system. Our full suite of regulatory compliance consulting and advisory services is tailored to the unique needs of community financial institutions, ensuring you can navigate complex regulatory requirements with confidence. Whether you need compliance outsourcing, assistance through our Virtual Compliance Consultant Program, compliance management reviews, or risk assessment facilitation, we’re here to help. Let us simplify your compliance processes so you can focus on achieving your strategic goals. For more information, please contact us today.

Internal Audit: Your Third Line of Defense in Third-Party Risk Management

By Jeanette McKeever, CCBIA, Director of Internal Audit, Young & Associates

In today’s financial landscape, banks and credit unions increasingly rely on third-party vendors to meet regulatory demands, leverage technological advancements, and maintain competitive edges. However, these relationships introduce a range of risks that internal audit must consider, from compliance and operational risk to reputational and strategic risk. Amid economic uncertainty, increased digitalization, and growing supervisory attention, many financial institutions are reviewing their third-party risk management (TPRM) frameworks to ensure they are robust and comprehensive.

Here, the role of internal audit becomes indispensable. Internal audit’s role in TPRM goes beyond mere compliance. By leveraging their unique skills and perspectives, internal auditors can help institutions identify, monitor, and control risks while achieving strategic goals.

Understanding Third-Party Risk in Banking

Third-party relationships and their associated risks require careful management. Ineffective oversight of the complex operational, financial, technological, and legal agreements governing these extended business relationships can lead to brand or reputation damage, data security breaches, and significant financial losses. Additionally, such oversight failures can result in errors in financial reporting, compounding the challenges and potential impacts on the institution.

Financial institutions are entrusting an increasing percentage of their operations to third parties, prompting regulators to scrutinize these relationships more closely. The updated interagency guidance on third-party relationships (June 2023) from the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC) outlines the regulatory expectations for managing third-party risks throughout the relationship lifecycle: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

Monitoring vendor performance is also a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) specifies the criteria for assessing vendor performance in their 2007 supervisory letter SL No. 07-01, “Evaluating Third-Party Relationships.” This guidance emphasizes key areas for third-party relationship management, including risk assessment and planning, due diligence, risk management, monitoring, and control.

The Role of Internal Audit in Third-Party Risk Management

Though Chief Risk Officers are typically responsible for managing third-party risks, internal audit plays a crucial role as the third line of defense. Internal auditors bring essential skills, capabilities, and perspectives to thoroughly examine TPRM programs, identifying gaps or areas for improvement that the second line of defense might have missed. The board relies on internal auditors as an independent layer of assurance that third-party risks are properly identified and assessed, that appropriate internal controls are in place, and that timely risk intelligence is generated to inform decision-making.

Leveraging Internal Audit to Improve Third-Party Risk Controls

Internal audit can contribute significantly to managing third-party risks through various areas:

  • Pinpointing Critical Contracts: Internal auditors can assist in identifying high-risk third parties and ensure they receive more frequent scrutiny. This can help with prioritizing risk management efforts.
  • Assessing Risk Management Programs: They can evaluate the effectiveness of third-party due diligence processes and controls, conducting research to gauge the risk level and reputation of third parties.
  • Reviewing Compliance with Governance Standards: Internal auditors can verify whether the financial institution’s processes for selecting and managing third parties adhere to governance requirements and whether contracts include the necessary risk and compliance clauses.
  • Evaluating and Improving Risk Controls: They can assess the effectiveness of risk management controls, ensure regulatory compliance, and check for “right to audit” clauses in third-party agreements.
  • Facilitating Informed Decision-Making: Auditors offer valuable insights into third-party risks. They also evaluate decision-making and contract management processes. This ensures that these processes align with the bank or credit union’s strategic objectives. Additionally, auditors verify that the processes provide sufficient risk protection.
  • Assessing Performance and Identifying Opportunities: They review third-party performance across the institution, detect inconsistencies, and recommend best practices for effective risk and performance management.

Integrating Internal Audit into Third-Party Risk Management Strategies

1. Independent Vendor Risk Assessment and Identification

Conducting a risk assessment is essential for the initial decision-making process regarding whether to establish a third-party relationship. Internal auditors bring an independent perspective to the assessment and identification of third-party risks. They can perform thorough risk assessments to identify all third-party relationships and associated risks. This independent evaluation helps ensure no significant risk is overlooked, and it provides a holistic view of the financial institution’s third-party risk landscape.

2. Vendor Due Diligence and Selection Oversight

The due diligence process equips management with the necessary information to evaluate both the qualitative and quantitative aspects of potential third parties, determining whether a relationship will support the financial institution’s strategic and financial goals while mitigating identified risks.

If your financial institution has its own internal audit team, involving them in the due diligence process for vetting potential third-party relationships can be highly beneficial. Though not yet a prevalent practice in community banks and credit unions, leveraging your institution’s third line of defense can enhance third-party risk management processes and provide an extra layer of protection.

Internal audit teams can provide oversight during the due diligence and selection phases of third-party relationships. They can assess the processes used for selecting third parties to confirm that the institution has effective policies and procedures in place. By ensuring thorough due diligence, internal auditors help identify potential risks early on. Their oversight includes evaluating the third party’s operational quality, compliance capabilities, risk profile, and long-term viability.

3. Contract Management and Compliance

Financial institution management should ensure that the specific expectations and obligations of both the financial institution and the third party are clearly defined in a written contract before finalizing the arrangement. Board or committee approval is required for many material third-party relationships, and significant contracts should be reviewed by appropriate legal counsel before finalization. The level of detail in contract provisions will depend on the scope and risks associated with the third-party relationship. Effective contract management is crucial for mitigating third-party risks. This involves not just due diligence but also thorough processes in agreement formation, publication, activation, compliance with service delivery, analysis, optimization, and offboarding.

The internal audit function can engage in contract management in two key areas:

  1. Auditing the overall contract management process.
  2. Reviewing active contracts with critical vendors.

Auditing the Contract Management Process

An effective contract management process is crucial for maintaining strong performance across your institution. Even minor inefficiencies can lead to significant issues, particularly when your financial institution aims to grow and scale. A robust contract management system contributes to a thriving institution.

Regular audits of your contract management lifecycle can reveal hidden costs and growth opportunities. These audits should assess process deficiencies, compliance issues, and historical management practices. Start by identifying key stages in your process and setting benchmarks for measurement. Key stages often include planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination, as outlined in regulatory guidance.

Evaluate your management practices within each stage. Is the contract management process clearly defined? Are roles and responsibilities assigned? Who ensures compliance with service-level agreements (SLAs)? Addressing these questions through a contract management audit can help identify risks and gaps, ensuring a more effective and efficient process.

Reviewing Active Contracts with Critical Vendors

Begin by inventorying and segmenting critical vendors based on risk levels to identify those most critical to audit. Incorporate audits of high-risk and important service provider contracts into your annual audit plan. Gain an understanding of the key risks associated with each service provider and thoroughly review their contracts.

Internal auditors can review critical third-party contracts to ensure they include comprehensive risk and compliance clauses. This includes verifying that contracts have “right to audit” provisions, which allow the institution to monitor third-party compliance on an ongoing basis. Once you’ve established your audit rights, you can start the contract audit by assessing key legal and business risks. Look for deficiencies and compliance issues in the contract, and consider conducting on-site reviews if your audit rights permit. An efficiency audit may also be warranted to ensure services are delivered as specified in the contract and its SLAs.

After completing the audit, validate the results, identify root causes, and propose solutions. Finally, communicate the results to the contract owner and key stakeholders, ensuring they are informed of the findings and recommended actions.

4. Ongoing Monitoring and Reporting

Once a third-party relationship is established, continuous monitoring is essential to manage evolving risks. Internal audit can play a vital role in developing and implementing monitoring frameworks that track third-party performance, compliance, and risk exposure. Regular audits and reviews can provide senior management with timely risk intelligence, enabling informed decision-making and ensuring that effective internal controls are in place.

5. Internal Audit Collaboration with Risk Management Functions

Internal audit of third-party risk management becomes more effective when auditors and risk managers collaborate and share information, leveraging each other’s abilities and tools. By working closely with risk, compliance, and other departments, internal auditors can ensure that third-party governance policies and procedures are consistently applied across the bank or credit union.

By integrating third-party risk assessments with audit plans, both auditors and risk management teams can eliminate redundancies in the risk evaluation processes. This approach also helps standardize the risk language used and offers management teams and boards a comprehensive view of the financial institution’s third-party risk profile. This collaboration integrates TPRM into the overall risk management strategy, enhancing the institution’s ability to manage third-party risks.

Building a Robust Third-Party Risk Management Framework

To effectively manage third-party risks, financial institutions should establish a comprehensive TPRM framework. TPRM necessitates a framework that holds the board of directors and senior management accountable, requiring them to tailor its principles to the size, scope, and criticality of the products or services provided by third parties. This framework should be consistently applied across the institution and integrated into its operational, risk, and compliance management activities. As discussed, key components of a robust TPRM framework include:

  • Defining and Inventorying Third-Party Vendors: Internal audit can assist in identifying and inventorying all third-party relationships, categorizing them by risk level and criticality.
  • Risk Appetite Assessment: Assessing the bank or credit union’s risk appetite concerning third-party relationships, particularly those in high-risk locations or industries.
  • Enhanced Vendor Due Diligence: Conducting enhanced due diligence for critical third-party relationships, ensuring alignment with the institution’s risk profile and regulatory requirements.
  • Ongoing Monitoring and Performance Standards: Establishing and maintaining rigorous monitoring and performance standards for third-party relationships, ensuring continuous compliance and risk management.
  • Training and Awareness: Providing training for stakeholders on TPRM processes and the importance of effective third-party risk management.

Risk-Based Internal Audit for Financial Institutions

With regulatory bodies calling for enhanced third-party oversight, the imperative for thorough risk and assurance functions has never been greater. These functions must delve deeply into the third-party network to ensure that critical risks and compliance requirements are diligently managed and monitored. Internal auditors are pivotal in this endeavor and should seek to broaden their role in fortifying third-party risk management.

At Young & Associates, we understand the critical importance of robust TPRM processes and offer expert consulting services to help banks and credit unions strengthen their internal audit functions, risk management, and more. By leveraging our expertise, financial institutions can enhance their third-party risk management frameworks, ensuring compliance, mitigating risks, and achieving strategic objectives. Ultimately, effective TPRM is not just about regulatory compliance; it’s about creating a resilient and thriving financial institution.
