Ensuring compliance in a BSA/AML compliance program: Independent testing

By: Edward Pugh, AAP, CAMS, CAMS-Audit, CFE

One of the key components of a financial institution’s compliance with BSA/AML regulatory requirements is independent testing of the BSA/AML Program. Independent testing may be performed by an institution’s internal audit department, outside auditors, consultants, or other qualified independent parties. There is no regulatory requirement establishing the frequency of BSA/AML independent testing; rather, the frequency should be commensurate with the money laundering/terrorism financing risk profile of the institution. Many institutions conduct independent testing every 12 to 18 months, increasing frequency if there are any significant changes in the risk profile, such as changes in systems, compliance staff, products, mergers/acquisitions, or an institution’s size. Significant errors or deficiencies may also warrant more frequent independent testing to validate mitigating or remedial measures.

Often, the need for a truly independent assessment, combined with limitations in staffing capacity, prompts institutions to engage an external entity to conduct a comprehensive evaluation of their BSA/AML program compliance. Thus, it is critical to ensure that the independent review provides an unbiased assessment of an institution’s BSA/AML compliance efforts, identifies potential risks or weaknesses, and offers recommendations for improvement. Some key components of a satisfactory BSA/AML independent program audit or testing include the following:

  • Scoping and planning: The scope of the review should be based on a risk assessment of the institution’s products, services, customers, and geographic locations. The scoping and planning phase often relies on the institution’s own BSA/AML risk assessment, but if it is inadequate, the external auditor may determine the scope. Additionally, any changes in the business or regulatory environment, as well as any issues identified in previous audits or examinations, should be taken into account.
  • Independence: The audit/testing should be conducted by individuals who are independent of the BSA/AML compliance program. While internal auditors may be acceptable, a BSA Officer or assistant would not be. This ensures that any findings are objective and unbiased.
  • Qualifications and training of auditors: Persons conducting the independent testing should have sufficient knowledge and understanding of the BSA, AML, and related regulations. They should be trained in auditing principles and procedures and understand the various risks financial institutions face.
  • Review of the BSA/AML compliance program: The audit should include a comprehensive review of the BSA/AML Compliance Program, including its policies and procedures, risk assessment, internal controls, training programs, and the role and performance of the BSA Officer.
  • Transaction testing: Thorough transaction testing should be conducted to verify compliance with BSA/AML requirements, such as customer identification, suspicious activity reporting, customer due diligence, currency transaction reporting, and record keeping requirements.
  • Assessment of training programs: The institution’s BSA/AML training programs should be reviewed to ensure they are adequate, up-to-date, and effective in educating employees about the BSA/AML responsibilities. The Board of Directors training should also be reviewed.
  • Reporting: An audit report should be produced that clearly communicates findings, including any weaknesses or deficiencies in the compliance program. Appropriate recommendations for improvement should also be provided where necessary.

A comprehensive and effective BSA/AML independent program audit is essential for financial institutions to ensure compliance with the various laws and regulations pertaining to BSA/AML. Some issues pertaining to independent testing that are frequently found in Reports of Examination include lack of independence on the part of the auditor (tester), insufficient scope, and insufficient transaction testing. A comprehensive and independent audit of an institution’s BSA/AML compliance program not only facilitates regulatory adherence, but also pinpoints and highlights any existing program deficiencies.

Additional Resources: FFIEC BSA/AML Assessing the BSA/AML Compliance Program – BSA/AML Independent Testing

Young & Associates works with financial institutions of all sizes to help them avoid regulatory pitfalls and develop strong BSA/AML compliance programs. For more information, contact me at epugh@younginc.com or 330.422.3475.

The purpose of BSA/AML model validation – Common findings

By: Edward Pugh, CAMS, CAMS-Audit, AAP, CFE, Consultant

For many financial institutions, the concept of a BSA/AML Model Validation is new. In the past, model validations were in the domain of larger financial institutions, typically with $1 billion or more in assets. In general, model validations are a component of model risk management (MRM), and the guidance for MRM doesn’t easily conform to AML models, particularly models purchased from vendors. To rectify this, the regulatory agencies released an Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance in April 2021. We have found that subsequent to the release of this guidance, examiners are frequently requesting that model validations be completed for financial institutions of all sizes.

The purpose of Anti-Money Laundering (AML) model validation is to evaluate the effectiveness and accuracy of an AML model in identifying potentially suspicious transactions and preventing money laundering and terrorist financing activities.

A BSA/AML model validation consists primarily of three components:

  • Conceptual soundness – This entails (among other considerations) the review of documentation and empirical evidence used and variables selected for the model. Much of this information is found in the implementation documentation.
  • Ongoing monitoring – This component confirms that the model is appropriately implemented and is performing as intended. Additionally, the processes and procedures for changes to the model are evaluated. For example, when an agent is added or thresholds are changed, what is the process leading up to the change?
  • System/outcome analysis – This verifies that the alerts generated are indeed valid. On the flip side, is the model missing transactions due to parameter settings or data issues?

Common findings

As more financial institutions are having model validations performed, we have found some common findings, both in validation reports and examination reports. Below are some of the most common findings. Reviewing these findings may help a financial institution prepare for its first validation. These include:

  • Data quality issues – Appropriate data is not flowing to the model. This often includes monetary instrument information, wire information, ATM activity, and NAICS codes. A particular concern is 314(a) lists – data from closed accounts and non-customer transactions (such as monetary instrument purchases) is not included in the searches.
  • Inadequate model governance – This includes lack of model documentation, lack of proper oversight and controls, and lack of model testing.
  • Lack of documentation of filtering thresholds – This includes documentation as to why thresholds were selected, as well as why/how any subsequent changes were made.
  • Missing or incomplete mapping documentation – Mapping documentation demonstrates how inputs from various systems flow into the AML Model. This information is usually included in the implementation documentation, though issues often arise when new products and services are introduced.
  • No reconciliation procedure – Institutions should periodically reconcile the data between the system feeding the data into the model and the model. This ensures that transactions are appropriately monitored.

While this list is not exhaustive, it does shed some light as to what auditors and examiners are looking for when it comes to model performance. Addressing these issues prior to a model validation or examination can help the process go more smoothly.

In conclusion

BSA/AML model validation is essential for both financial institutions and regulatory bodies to ensure that AML models are working as intended and regulatory requirements are being met. Young & Associates performs customized BSA/AML Validations and Reviews and collaborates with many of the AML software providers throughout the validation and review to provide a seamless process for our clients. If you would like more information on this article, or on how we can assist your organization, please contact me at epugh@younginc.com or 330.422.3475.

HMDA alert – Smaller mortgage producers may have to comply in 2023

By Bill Elliott, CRCM; director of compliance education, Young & Associates

On September 23, 2022, the United States District Court for the District of Columbia issued an order vacating (canceling) the 2020 Home Mortgage Disclosure Act (HMDA) Final Rule. That final rule changed the limits for closed-end mortgage loans. At the time, that final rule raised the “minimum” for mandatory reporting from 25 to 100 closed-end mortgage loans in each of the two preceding years.

HMDA changes

The court vacated that change, and so the threshold for HMDA reporting in the regulation for 2023 and into the future has been reset back to 25 closed-end loans. Banks that have been able to avoid HMDA because they made fewer than 100 loans are required to comply in 2023. A blog entry issued by the Consumer Financial Protection Bureau (CFPB) on December 8, 2022 stated that the CFPB (and we presume the prudential regulators) will not require backfiling, nor would they cite banks for the absence of 2020, 2021, and 2022 filing data, but said nothing about 2023. Therefore, if your bank made more than 25 closed-end mortgage loans in 2021 and 2022, HMDA is now a requirement for closed-end mortgage loan reporting for your institution – starting January 1, 2023.

We are unsure why the CFPB waited about 10 weeks to inform us. But you will need to dust off those old policies, procedures, systems, and operations to come into compliance, or perhaps create new policies, procedures, and operations in a hurry. Additionally, there may be applications from 2022 that do not have the government monitoring information in file, because it would have been a violation for non-HMDA banks to collect that information. We believe that your institution needs to go back and collect that information for all loans that had an application in 2022, but that close in 2023.

The 25 vs. 100 threshold was a decision made by the CFPB, and that was reversed. The partial exemption changes – impacting a number of the data elements required to be collected – were the result of a change in law, so the partial exemption remains unaffected by this reversal.

HMDA review

Do you need a validation of your HMDA data prior to the 3/1/23 filing deadline? Young & Associates offers an off-site compliance review of your institution’s HMDA data. Using our secure file transfer system, we will validate your HMDA data to detect errors and issues before the filing deadline. For more information on our HMDA Review service, contact Karen Clower, Director of Compliance, at 330.422.3444 or kclower@younginc.com.

2023 Rescission Reference Chart

View and download the Young & Associates 2023 Rescission Reference Chart to assist your lenders in preparing the Notice of Right to Cancel. Please forward this document to someone in your organization who will use this helpful tool.

For 44 years, Young & Associates has provided consulting, training, and practical tools for the banking industry. Thank you for the opportunity to serve your needs.

Ensure your advertising is complete, clear, and compliant

In today’s competitive environment, getting the word out about your products and services is crucial. Do your ads meet regulatory expectations, include all advertising terms, and clearly explain what your products and services are to your customers and potential customers?

Get peace of mind with Young & Associates’ Advertising Review Service.

It’s easy!

As part of the advertising review engagement, Young & Associates will:

  • Review all print and electronic advertising material provided by the bank.*
  • Respond to each submitted item in writing within 2 business days, presenting any compliance issues that may be present in the ad.
  • There is no minimum or maximum number of advertisements in a year. Submit advertisements that require that “second look.”

* The review will not include verification of any APR or APY.

Trusted guidance

Young & Associates provides an unmatched depth of practical expertise. Our compliance consultants are comprised of former banking executives, compliance regulators, and tenured finance professionals. We’re uniquely qualified to understand and solve your challenges, because we have personally experienced those same issues. For more information on this service, contact Karen Clower at kclower@younginc.com or 330.422.3444.

Considering anti-money laundering software for your institution

By: Edward Pugh, CAMS, consultant

For many financial institutions, one of the most impactful purposes of the Anti-Money Laundering Act of 2020 is the encouragement of technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism. While a requirement to adopt technology in the AML space is not spelled out, the encouragement is being meted out in regulatory exams. Industry professionals have noted that the asset-size thresholds for scrutiny of the adoption of technology (or lack thereof) are decreasing.

AML advantages

Aside from regulatory expectations, there are many advantages in adopting AML technology solutions, which include better detection capability, more efficient workflows, better information flow, and many others. There is a plethora of providers in the marketplace offering a wide range of products and capabilities. However, the aim of this article is to lay out some considerations once the decision to adopt new technologies has been made.

Here are some things to consider:

  • Risk Assessment. Your institution’s BSA/AML risk assessment should drive the technology selection process. It is important to be able to demonstrate that the technology does in fact mitigate the risks that were assessed. The risk assessment can also serve as a guide in determining the sophistication of the software needed; a lot of products in the market may offer many features and options that may not be necessary.
  • Data. Data quality is the most important aspect of implementing AML software technology. Any implementation will require time to be devoted to data cleansing and mapping. Most vendors offer varying levels of assistance depending on your needs. Whether this part of the process is handled in-house or through a vendor, there will be costs associated with data preparation.
  • Future-proof. While no technology can be “future-proof,” it is important to have a platform that is robust and can handle upgrades or changes in your institution’s core software and any ancillary systems that may be feeding data into the AML software. There should also be a clear process for updates as regulations, laws, and criminal typologies change or are discovered.
  • Maintenance. BSA/AML evolves constantly. Financial institutions and their customers continually change. Over time, fine-tuning scenarios and thresholds is an important periodic activity. Some software allows the institution to conduct changes to the model while others require more vendor involvement. It’s an important area to consider when choosing between the numerous options.
  • Efficiency. Properly implemented, quality AML platforms will reduce the compliance burden in your institution. However, it is important to note that there will be “growing pains” in the beginning. One of the most common surprises is the often-dramatic increase in alerts generated. This is usually due to new scenarios being monitored, and much more transaction data being monitored. It can also be due to data quality issues that can arise during implementation. This surge in alerts is temporary. The efficiency comes as the system is fine-tuned and staff becomes more acquainted with the platform and its capabilities.

More on AML

One final thought: Think big, start small. AML platforms can be customized and upgraded. For many institutions, the choices are overwhelming. Of course, there are many other factors that must be taken into account, especially cost. Having a clear understanding of the above-mentioned considerations will help weigh the cost considerations in choosing between the many options available in the marketplace.

For more information on the selection of AML software, contact us at mgerbick@younginc.com or 330.422.3482. And if your institution has AML software in place, please read the following article, AML Validation & Review, to learn more about how we can assist your financial institution in the validation and review of your existing AML software. Our BSA team is uniquely qualified to guide you through this often complicated and technical process, and we look forward to working with you to achieve your goals.

AML validation & review

The increasing sophistication of Anti-Money Laundering/Combating the Funding of Terrorism (AML/CFT) software and modeling techniques and the broader application of these models have played an undeniable role in the enhanced effectiveness of AML/CFT programs in financial institutions.

The regulatory agencies are utilizing more analytical and statistical specialists in BSA examinations. Additionally, recent BSA examinations demonstrate that the de facto threshold for regulatory scrutiny of AML models continues to decrease. All AML models must follow the guidance of OCC Bulletin 2011-12 and the subsequent Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (4/9/21), which outline the expectations for model risk management, especially the need for independent review and model validations.

Young & Associates can assist you with our AML validation and review

Customized for your institution and as required by the regulators, our AML validation and review addresses:

  • Conceptual Soundness. We focus on the design, methodology, and construction of the model. This includes analysis and review of the model documentation, assumptions and limitations, data quality and completeness, and implementation.
  • Ongoing Monitoring. We make sure that the model is working efficiently and as intended to meet your institution’s business objectives, and ensure that it is tailored to the institution’s Risk Assessment (AML Program Management). This includes model tuning and calibration, which is driven by several Key Performance Indicators (KPIs).
  • Outcomes Analysis. We examine the model’s output, including alerts generated from transaction monitoring, along with the supporting information used for investigation. Above-the-line and below-the-line testing ensures that alerts are accurate and complete. The team also assesses monitoring rules and parameters.

Young & Associates collaborates with many of the AML software providers throughout the validation and review to make the process as seamless to your institution as possible.

Trusted guidance in BSA/AML compliance

Young & Associates provides an unmatched depth of practical expertise. Our BSA compliance team includes former banking executives, compliance regulators, and tenured finance professionals who hold the CAMS (Certified Anti-Money Laundering Specialist) designation. We’re uniquely qualified to understand and solve your challenges, because we have personally experienced those same issues. We can assist you with your AML validation and review; contact us at mgerbick@younginc.com or 330.422.3482.

The UDAAP hammer drops

By: William J. Showalter, CRCM, CRP, Senior Consultant

In our last issue, we discussed what UDAAP is and how to set up a program in your bank to avoid trouble in this important area. Our title admonished you, “Don’t Let UDAAP Spook You, Take Control.” If you have not yet taken control of UDAAP compliance, you may have been spooked by developments over the past 12 months or so. There have been three big UDAAP enforcement actions involving three financial service providers of all sizes during that time.

Background

Section 5 of the Federal Trade Commission (FTC) Act has been around for over 70 years and prohibits “unfair or deceptive acts or practices” (UDAP), the predecessor to UDAAP. Banking regulators have had the responsibility to enforce bank and thrift compliance with UDAP rules, while the FTC had the authority to interpret the statute and write any rules. The Federal Reserve Board (FRB) was given interpretive and rule-writing authority when this part of the FTC Act was amended in 1975 but continued largely to defer to the FTC.

Title X of the Dodd-Frank Act (DFA) codified UDAP law specifically for financial institutions, eliminated the FRB’s rule-writing authority, added an “abusive” standard, and moved rule-writing authority to the CFPB. The acronym became UDAAP – unfair, deceptive, or abusive acts or practices.

What are we dealing with?

All these standards or characteristics are quite subjective. The elements of unfairness and deception have been established by statute, as well as interpretation over the years by the FTC in various enforcement actions and interpretive documents. The element of being abusive was established, in general terms, in statute by the DFA.

An act or practice is unfair if it causes or is likely to cause substantial injury to consumers that they cannot reasonably avoid or that countervailing benefits do not outweigh. Substantial harm usually involves monetary harm, including a small monetary harm to each of a large number of consumers. A three-part test determines whether a representation, omission, act, or practice is deceptive. First, the representation, omission, act, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the deception must be reasonable under the circumstances.

Lastly, the misleading representation, omission, act, or practice must be material. “Material” means that it is likely to affect a consumer’s decision regarding a product or service. An abusive act or practice materially interferes with the ability of the consumer to understand a term or condition of a consumer financial product or service. Such an act or practice also includes one that takes unreasonable advantage of: the consumer’s lack of understanding of material risks, costs, or conditions of a product or service; the consumer’s inability to protect his interests in selecting or using a financial product or service; or the consumer’s reasonable reliance on the “covered person” (including a banker) to act in the interests of the consumer.

Recent UDAAP enforcement actions

In about the year 2000, banks first saw significant enforcement of UDAP (now UDAAP) from the banking agencies when the Office of the Comptroller of the Currency (OCC) took the lead. The OCC concluded that it had authority to address a violation of the FTC Act even when a challenged practice was not specifically prohibited by regulation.

The three bank-related UDAAP enforcement actions to which we referred above are:

  • The Consumer Financial Protection Bureau (CFPB) issued a Consent Order to Discover Bank (Greenwood, DE) and two subsidiaries ordering Discover to pay at least $10 million in consumer redress and a civil money penalty (CMP) of $25 million for violating a 2015 CFPB Order, the Electronic Fund Transfer Act, and the Consumer Financial Protection Act of 2010. The 2015 Order was based on the CFPB’s finding that Discover misstated the minimum amounts due on billing statements as well as tax information consumers needed to get federal income tax benefits. The agency also found that Discover engaged in illegal debt collection practices. The 2015 Order required Discover to refund $16 million to consumers, pay a penalty, and fix its unlawful servicing and collection practices.
  • However, more recently the CFPB found that Discover violated the 2015 order’s requirements in several ways – misrepresenting minimum loan payments owed, amount of interest paid, and other material information. Discover also did not provide all the consumer redress the 2015 Order required.
  • In addition, the CFPB found that Discover engaged in unfair acts and practices by withdrawing payments from more than 17,000 consumers’ accounts without valid authorization and by cancelling or not withdrawing payments for more than 14,000 consumers without notifying them. The agency also found that Discover engaged in deceptive acts and practices in violation of the CFPA by misrepresenting to more than 100,000 consumers the minimum payment owed and to more than 8,000 consumers the amount of interest paid. Some consumers ended up paying more than they owed, others became late or delinquent because they could not pay the overstated amount, while others may have filed inaccurate tax returns.
  • The Federal Deposit Insurance Corporation (FDIC) issued an order to Umpqua Bank (Roseburg, OR) that the bank pay a CMP of $1,800,000 following the FDIC’s determination that the bank engaged in violations of Section 5 of the Federal Trade Commission Act in the commercial finance and leasing products issued by its wholly owned subsidiary, Financial Pacific Leasing, Inc. According to the FDIC, these violations included engaging in deceptive and/or unfair practices related to certain collection fees and collection practices involving excessive or sequential calling, disclosure of debt information to nonborrowers, and failure to abide by requests to cease and desist continued collection calls.
  • The FDIC also issued an order to pay a CMP of $129,800 to Bank of England (England, AR). The bank consented to the order without admitting or denying the violations of law or regulation.
    The FDIC determined that the bank violated Section 5 of the Federal Trade Commission Act because bank loan officers located in the Bloomfield, MI loan production office (LPO) misrepresented to consumers that certain Veterans Administration (VA) refinance loan terms were available when they were not, and that the bank’s misrepresentations at the Bloomfield LPO regarding terms for VA refinancing loans were deceptive, in violation of Section 5.

How to deal with these issues

As we advised in our previous article, banks and thrifts should be proactive in addressing areas prone to UDAAP issues. You can anticipate potential problems by, in part, tracking enforcement actions as indicators of where regulators are looking for issues (and finding them).

The steps we spelled out to help in this proactive approach are:

  • Establish a positive compliance culture by positive words, actions, and attitudes from the top down.
  • Enforce compliance performance which, coupled with the overt support from the top, makes it clear to all that this is a crucial element in the success of the organization and any related individual rewards (bonuses, raises, promotions, etc.).
  • Involve compliance early in product design, marketing planning, and so forth.
  • Focus on vulnerable customers in your community, including the young, less educated, immigrants, and elderly, and pay particular attention to how you direct your marketing, product recommendations, and disclosures to such populations.

It is much easier – and less expensive – to plan and lay appropriate groundwork to avoid problems than it is to repair damages after inappropriate and illegal actions blow up. The reactive approach can cause the bank immeasurable reputation harm, which is much more costly than any monetary penalties, and much more difficult to recover from.

For more information on how the Young & Associates compliance team can assist with your UDAAP compliance, contact us at mgerbick@younginc.com or 330-422-3482.

Don’t let UDAAP spook you, take control

The Consumer Financial Protection Bureau (CFPB) celebrated Halloween in 2012 by releasing its updated Supervision and Examination Manual (version 2.0). The manual includes updated examination procedures for assessing compliance with Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) rules. The updated examination procedures give bankers a guide for what their examiners will be looking for in terms of UDAAP compliance, including the then-new “abusive” standard.

Background

Section 5 of the Federal Trade Commission (FTC) Act has been around for over 70 years and prohibits “unfair or deceptive acts or practices” (UDAP), the predecessor to UDAAP. Banking regulators have had the responsibility to enforce bank and thrift compliance with UDAP rules, while the FTC had the authority to interpret the statute and write any rules. The Federal Reserve Board (FRB) was given interpretive and rule-writing authority when this part of the FTC Act was amended in 1975 but continued largely to defer to the FTC.

It was not until the year 2000 that banks saw significant enforcement of UDAP from the banking agencies when the Office of the Comptroller of the Currency (OCC) took the lead. The OCC concluded that it had authority to address a violation of the FTC Act even regarding a challenged practice that was not specifically prohibited by regulation.

Then, Title X of the Dodd-Frank Act (DFA) codified UDAP law specifically for financial institutions, eliminated the FRB’s rule-writing authority, added the “abusive” standard, and moved rule-writing authority to the CFPB.

What is UDAAP?

All of these standards or characteristics are quite subjective. The elements of unfairness and deception have been established by statute, as well as interpretation over the years by the FTC in various enforcement actions and interpretive documents. The element of being abusive was established, in general terms, in statute by the DFA.

In brief, these standards are:

  • Unfair. To be unfair, an act or practice must cause or be likely to cause substantial injury to consumers, harm that the consumers cannot reasonably avoid or that is not outweighed by countervailing benefits. Substantial harm usually involves monetary harm, including a small monetary harm to each of a large number of consumers.
  • Deceptive. A three-part test is used to determine whether a representation, omission, act, or practice is deceptive. First, the representation, omission, act, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the representation, omission, act, or practice must be reasonable under the circumstances. And lastly, the misleading representation, omission, act, or practice must be material. “Material” means that it is likely to affect a consumer’s decision regarding a product or service.
  • Abusive. An abusive act or practice materially interferes with the ability of the consumer to understand a term or condition of a consumer financial product or service. Such an act or practice also includes one that takes unreasonable advantage of: the consumer’s lack of understanding of material risks, costs, or conditions of a product or service; the consumer’s inability to protect his interests in selecting or using a financial product or service; or the consumer’s reasonable reliance on the banker (or other “covered person”) to act in the interests of the consumer.

How to handle UDAAP

Banks and thrifts need to make sure their consumer compliance programs are proactive in addressing areas prone to UDAAP issues. Anticipate potential problems; do not wait for problems to arise because by then it may be too late to prevent serious consequences.

A few steps that can help establish a proactive compliance regime are:

  • Establish a positive compliance culture. Senior management and the board need to make it clear that compliance is a fundamental element of the institution’s business – both compliance with the technical requirements (disclosures, computations, etc.) and, at least equally important, with the underlying spirit or fundamental principles of the consumer protection laws.
  • Enforce compliance performance. To succeed, the bank needs to make compliance important to its officers and staff – by not only ensuring overt support from the top, but also by making it an integral part of how employees’ performance is measured and rewarded (or not). For example, an officer with high loan production but also high compliance error rates or fairness issues should not be rewarded for one (production) without being penalized for the other (compliance failures).
  • Involve compliance early. Compliance cannot be an exercise in looking for violations and other problems after the fact. To be truly effective and efficient, compliance must be integrated into the business processes – involved in product design, marketing planning, etc., at the ground level.
  • Focus on vulnerable customers. An important way to avoid UDAAP problems is to pay particular attention to those customers, or potential customers, who might be more vulnerable to unfair, deceptive, or abusive acts or practices. Examples of such potentially vulnerable populations might include the young, less educated, immigrants, elderly, and so forth. The bank should be particularly sensitive to how it couches its marketing, product recommendations, disclosures, etc., to such populations.

Benefits of a regime

Such a positive, proactive compliance regime can help the bank prevent most UDAAP (and other compliance) problems before they even arise. This approach is much more cost-efficient than running what a compliance officer I knew years ago called a “fix-it shop,” having to try to fix compliance problems after they have occurred. Years ago, such an approach was not desirable, but might have been survivable. However, today, it could prove disastrous – especially with the rise of UDAAP.

Contact Y&A today

For more information on this article or how Young & Associates can assist your organization with UDAAP compliance, contact Dave Reno at 330.422.3455 or dreno@younginc.com.

The value of internal audit through a fresh set of eyes

There is risk in every aspect of the banking industry and the regulatory environment seems to continually change. As to the governance and control functions of the industry, it may be refreshing to the board of directors, audit committee, and executive management to have their internal audit function re-assessed and validated through a fresh set of eyes to assure that the controls in place are functioning as intended.

Why consider an internal audit?

A strong internal control system, including an independent and effective internal audit function, is part of sound corporate governance. The board of directors, audit committee, senior management, and supervisors must be satisfied with the effectiveness of the internal audit function, that policies and practices are followed, and that management takes appropriate and timely corrective action in response to internal control weaknesses identified by internal auditors. An internal audit function provides vital assurance to a board of directors (who ultimately remains responsible for the internal audit function, whether in-house or outsourced) as to the quality of the internal control system. In doing so, the function helps reduce the risk of loss, regulatory criticism, and reputational damage to the organization.

All internal auditors (whether in-house or outsourced) must have integrity and professional competence, including the knowledge and experience of each internal auditor and of team members collectively. This is essential to the effectiveness of the internal audit function. We encourage internal auditors to comply with and to contribute to the development of national professional standards, such as those issued by the Institute of Internal Auditors, and to promote due consideration of prudential issues in the development of internal audit standards and practices.

Every activity of the organization (including outsourced activities) should fall within the scope of the internal audit function. The scope of the internal audit function’s activities should ensure adequate coverage of matters of regulatory interest within the audit plan. Regular communication among the audit committee, management, and affected personnel is crucial to identify weaknesses and the associated risks, and to assure that timely remedial actions are taken.

How Young & Associates can help

Young & Associates can independently assess the effectiveness and efficiency of the organization’s internal control, risk management, and governance systems and processes to provide assurance that the internal control structure in place operates according to sound principles and standards. For more information on how we might provide internal audit services specific to your organization’s needs, whether it is outsourced or co-sourced, please contact Dave Reno at 330.422.3455 or email to dreno@younginc.com.

SAFE Act a decade on

By: William J. Showalter, CRCM, CRP, Senior Consultant

We have been dealing with the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act) since 2010, and yet questions surface or confusion still exists over SAFE Act requirements.

“A loan clerk quotes loan rates from a non-public rate schedule, along with payment amounts for inquiring consumers. Should she be registered?” (Maybe. She is performing a function of a mortgage loan originator, or MLO.)

“Our head of lending is our SAFE Act Officer. He also handles some mortgage loans, with his name on loan documents. However, his background is in commercial lending and he has never been registered with the NMLSR. Do we have a problem?” (Yes, if he is involved in more than five mortgage loans per year, he must be registered.)

“How often do we have to get criminal background checks for our MLOs? How about when their fingerprints expire?” (Criminal background checks are required only on initial registration. The fingerprint expiration date is only relevant for existing MLOs who are coming into the bank as new employees. No updating of fingerprints for ongoing MLOs is required.)

These queries reveal that confusion still exists over what the requirements are and how they impact banks and thrifts.

A little background

Congress enacted the SAFE Act in July 2008 to require states to establish minimum standards for the licensing and registration of state-licensed mortgage loan originators, and to provide for the establishment of a nationwide mortgage licensing system and registry for the residential mortgage industry.

The SAFE Act required all states to provide for a licensing and registration regime for mortgage loan originators who are not employed by federal agency-regulated institutions within one year of enactment (or two years for states whose legislatures meet biennially).

In addition, the SAFE Act required the federal banking agencies, through the Federal Financial Institutions Examination Council (FFIEC), and the Farm Credit Administration (FCA) to develop and maintain a system for registering mortgage loan originators employed by agency-regulated institutions.

The Dodd-Frank Act moved responsibility for the SAFE Act rules to the Consumer Financial Protection Bureau (CFPB), which rolled these rules into its Regulation G (12 CFR 1007).

Licensing vs. registration

Most of the confusion at the outset seemed to center on the issue of licensing versus registration of mortgage loan originators (MLOs). The issue is really deceptively simple.

  • MLOs that work for federally supervised banks, thrifts, and credit unions (as well as FCA lenders) must register with the national registry (NMLSR).
  • MLOs employed by other mortgage lenders (mortgage companies, etc.) must navigate the state licensing and registry system, a much more time-consuming, expensive, and burdensome process that also carries a continuing education requirement.

Coverage

A “mortgage loan originator” is an individual who both takes residential mortgage loan applications and offers or negotiates terms of a residential mortgage loan for compensation or gain.

The term “mortgage loan originator” does not include individuals that perform purely “administrative or clerical tasks” (the receipt, collection, and distribution of information common for the processing or underwriting of a loan in the mortgage industry) and communication with a consumer to obtain information necessary for the processing or underwriting of a residential mortgage loan. Also excluded are individuals that perform only real estate brokerage activities and are duly licensed, individuals or entities solely involved in extensions of credit related to timeshare plans, employees engaged in loan modifications or assumptions, and employees engaged in mortgage loan servicing.

“Compensation or gain” includes salaries, commissions, other incentives, or any combination of these types of payments.

MLO registration

An MLO must be federally registered if the individual is an employee of a depository institution, an employee of any subsidiary owned and controlled by a depository institution and regulated by a federal banking agency, or an employee of an institution regulated by the FCA.

The final rule, as required by the SAFE Act, prohibits an individual who is an employee of an agency-regulated institution from engaging in the business of a loan originator without registering as a loan originator with the national registry, maintaining that registration annually, and obtaining a unique identifier through the registry. Employer financial institutions must require adherence to this rule by their employee MLOs.

MLOs may submit their registration information individually or their employer institution may do it for them (by a non-MLO employee). The decision of which approach to take should be made by management to ensure consistency within the institution, especially since there is prescribed institution information that also must be submitted to the registry.

This MLO information must include financial services-related employment history for the 10 years before the date of registration or renewal, including the date the employee became an employee of the bank – not just the time they have worked for their current employer.

MLOs and their employers need to remember that registrations have to be renewed annually for as long as an individual operates as an MLO. The renewal period opens on November 1 and ends on December 31 each year. If an MLO or bank registration lapses, it may be reinstated during a reinstatement period that opens on January 2 and closes on February 28 each year.

Other requirements

Bank and thrift managers also should remember that there are specific requirements in this rule for the institution to have policies and procedures to implement SAFE Act requirements, as well as regarding the use of a unique identifier (NMLS number) by MLOs.

At a minimum, the bank’s SAFE Act policies and procedures must:

  • Establish a process for identifying which employees have to be registered MLOs
  • Require that all employees who are MLOs are informed of the SAFE Act registration requirements and be instructed on how to comply with those requirements and procedures
  • Establish procedures to comply with the unique identifier requirements
  • Establish reasonable procedures for confirming the adequacy and accuracy of employee registrations, including updates and renewals, by comparisons with its own records
  • Establish reasonable procedures and tracking systems for monitoring compliance with registration and renewal requirements and procedures
  • Provide for independent testing for compliance with this part to be conducted at least annually by covered financial institution personnel or by an outside party
  • Provide for appropriate action in the case of any employee who fails to comply with SAFE Act registration requirements or the bank’s related policies and procedures, including prohibiting such employees from acting as MLOs or other appropriate disciplinary action
  • Establish a process for reviewing SAFE Act employee criminal history background reports, taking appropriate action consistent with applicable federal law, and maintaining records of these reports and actions taken with respect to applicable employees, and
  • Establish procedures designed to ensure that any third party with which the bank has arrangements related to mortgage loan origination has policies and procedures to comply with the SAFE Act, including appropriate licensing and/or registration of individuals acting as MLOs

The bank or thrift also must make the unique identifiers (NMLS numbers) of its registered MLOs available to consumers “in a manner and method practicable to the institution.” The bank has latitude in implementing this requirement.

It may choose to make the identifiers available in one or more of the following ways:

  • Directing consumers to a listing of registered MLOs and their unique identifiers on its website
  • Posting this information prominently in a publicly accessible place, such as a branch office lobby or lending office reception area, and/or
  • Establishing a process to ensure that bank personnel provide the unique identifier of a registered MLO to consumers who request it from employees other than the MLO

In addition, a registered MLO must provide his or her unique identifier to a consumer:

  • Upon request
  • Before acting as a mortgage loan originator, and
  • Through the MLO’s initial written communication with a consumer, if any, whether on paper or electronically (often by incorporating it into the signature information for standard letter and e-mail formats)

Banks, thrifts, and their registered MLOs often also make their NMLS numbers available in other ways – such as including them in advertising or on business cards.

As with any compliance rule, banks and thrifts need to make sure that they have systems in place to ensure compliance with SAFE Act requirements, including appropriate training for employees involved in the mortgage origination process.

For information on how Young & Associates can assist your bank with the SAFE Act requirements, contact Dave Reno at 330.422.3455 or dreno@younginc.com.
