
AML validation & review

The increasing sophistication of Anti-Money Laundering/Combating the Funding of Terrorism (AML/CFT) software and modeling techniques and the broader application of these models have played an undeniable role in the enhanced effectiveness of AML/CFT programs in financial institutions.

The regulatory agencies are utilizing more analytical and statistical specialists in BSA examinations. Additionally, recent BSA examinations demonstrate that the de facto threshold for regulatory scrutiny of AML models continues to decrease. All AML models must follow the guidance of OCC Bulletin 2011-12 and the subsequent Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (4/9/21), which outline the expectations for model risk management, especially the need for independent review and model validations.

Young & Associates can assist you with our AML validation and review

Customized for your institution and as required by the regulators, our AML validation and review addresses:

  • Conceptual Soundness. We focus on the design, methodology, and construction of the model. This includes analysis and review of the model documentation, assumptions and limitations, data quality and completeness, and implementation.
  • Ongoing Monitoring. We make sure that the model is working efficiently and as intended to meet your institution’s business objectives, and ensure that it is tailored to the institution’s Risk Assessment (AML Program Management). This includes model tuning and calibration, which is driven by several Key Performance Indicators (KPIs).
  • Outcomes Analysis. We examine the model’s output, including alerts generated from transaction monitoring, along with the supporting information used for investigation. Above-the-line and below-the-line testing ensures that alerts are accurate and complete. The team also assesses monitoring rules and parameters.

Young & Associates collaborates with many of the AML software providers throughout the validation and review to make the process as seamless to your institution as possible.

Trusted guidance in BSA/AML compliance

Young & Associates provides an unmatched depth of practical expertise. Our BSA compliance team includes former banking executives, compliance regulators, and tenured finance professionals who hold the CAMS (Certified Anti-Money Laundering Specialist) designation. We’re uniquely qualified to understand and solve your challenges, because we have personally experienced those same issues. To learn how we can assist you with your AML validation and review, contact us at mgerbick@younginc.com or 330.422.3482.

The UDAAP hammer drops

By: William J. Showalter, CRCM, CRP, Senior Consultant

In our last issue, we discussed what UDAAP is and how to set up a program in your bank to avoid trouble in this important area. Our title admonished you, “Don’t Let UDAAP Spook You, Take Control.” If you have not yet taken control of UDAAP compliance, you may have been spooked by developments over the past 12 months or so. There have been three big UDAAP enforcement actions involving three financial service providers of all sizes during that time.

Background

Section 5 of the Federal Trade Commission (FTC) Act has been around for over 70 years and prohibits “unfair or deceptive acts or practices” (UDAP), the predecessor to UDAAP. Banking regulators have had the responsibility to enforce bank and thrift compliance with UDAP rules, while the FTC had the authority to interpret the statute and write any rules. The Federal Reserve Board (FRB) was given interpretive and rule-writing authority when this part of the FTC Act was amended in 1975 but continued largely to defer to the FTC.

Title X of the Dodd-Frank Act (DFA) codified UDAP law specifically for financial institutions, eliminated the FRB’s rule-writing authority, added an “abusive” standard, and moved rule-writing authority to the CFPB. The acronym became UDAAP – unfair, deceptive, or abusive acts or practices.

What are we dealing with?

All these standards or characteristics are quite subjective. The elements of unfairness and deception have been established by statute, as well as interpretation over the years by the FTC in various enforcement actions and interpretive documents. The element of being abusive was established, in general terms, in statute by the DFA.

An act or practice is unfair if it causes or is likely to cause substantial injury to consumers that they cannot reasonably avoid or that countervailing benefits do not outweigh. Substantial harm usually involves monetary harm, including a small monetary harm to each of a large number of consumers. A three-part test determines whether a representation, omission, act, or practice is deceptive. First, the representation, omission, act, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the deception must be reasonable under the circumstances.

Lastly, the misleading representation, omission, act, or practice must be material. “Material” means that it is likely to affect a consumer’s decision regarding a product or service. An abusive act or practice materially interferes with the ability of the consumer to understand a term or condition of a consumer financial product or service. Such an act or practice also includes one that takes unreasonable advantage of: the consumer’s lack of understanding of material risks, costs, or conditions of a product or service; the consumer’s inability to protect his interests in selecting or using a financial product or service; or the consumer’s reasonable reliance on the “covered person” (including a banker) to act in the interests of the consumer.

Recent UDAAP enforcement actions

In about the year 2000, banks first saw significant enforcement of UDAP (now UDAAP) from the banking agencies when the Office of the Comptroller of the Currency (OCC) took the lead. The OCC concluded that it had authority to address a violation of the FTC Act even when a challenged practice was not specifically prohibited by regulation.

The three bank-related UDAAP enforcement actions to which we referred above are:

  • The Consumer Financial Protection Bureau (CFPB) issued a Consent Order to Discover Bank (Greenwood, DE) and two subsidiaries ordering Discover to pay at least $10 million in consumer redress and a civil money penalty (CMP) of $25 million for violating a 2015 CFPB Order, the Electronic Fund Transfer Act, and the Consumer Financial Protection Act of 2010. The 2015 Order was based on the CFPB’s finding that Discover misstated the minimum amounts due on billing statements as well as tax information consumers needed to get federal income tax benefits. The agency also found that Discover engaged in illegal debt collection practices. The 2015 Order required Discover to refund $16 million to consumers, pay a penalty, and fix its unlawful servicing and collection practices.
    However, more recently the CFPB found that Discover violated the 2015 order’s requirements in several ways – misrepresenting minimum loan payments owed, amount of interest paid, and other material information. Discover also did not provide all the consumer redress the 2015 Order required.
    In addition, the CFPB found that Discover engaged in unfair acts and practices by withdrawing payments from more than 17,000 consumers’ accounts without valid authorization and by cancelling or not withdrawing payments for more than 14,000 consumers without notifying them. The agency also found that Discover engaged in deceptive acts and practices in violation of the CFPA by misrepresenting to more than 100,000 consumers the minimum payment owed and to more than 8,000 consumers the amount of interest paid. Some consumers ended up paying more than they owed, others became late or delinquent because they could not pay the overstated amount, while others may have filed inaccurate tax returns.
  • The Federal Deposit Insurance Corporation (FDIC) issued an order to Umpqua Bank (Roseburg, OR) that the bank pay a CMP of $1,800,000 following the FDIC’s determination that the bank engaged in violations of Section 5 of the Federal Trade Commission Act in the commercial finance and leasing products issued by its wholly owned subsidiary, Financial Pacific Leasing, Inc. According to the FDIC, these violations included engaging in deceptive and/or unfair practices related to certain collection fees and collection practices involving excessive or sequential calling, disclosure of debt information to nonborrowers, and failure to abide by requests to cease and desist continued collection calls.
  • The FDIC also issued an order to pay a CMP of $129,800 to Bank of England (England, AR). The bank consented to the order without admitting or denying the violations of law or regulation.
    The FDIC determined that the bank violated Section 5 of the Federal Trade Commission Act because bank loan officers located in the Bloomfield, MI loan production office (LPO) misrepresented to consumers that certain Veterans Administration (VA) refinance loan terms were available when they were not, and that the bank’s misrepresentations at the Bloomfield LPO regarding terms for VA refinancing loans were deceptive, in violation of Section 5.

How to deal with these issues

As we advised in our previous article, banks and thrifts should be proactive in addressing areas prone to UDAAP issues. You can anticipate potential problems by, in part, tracking enforcement actions as indicators of where regulators are looking for issues (and finding them).

The steps we spelled out to help in this proactive approach are:

  • Establish a positive compliance culture by positive words, actions, and attitudes from the top down.
  • Enforce compliance performance which, coupled with the overt support from the top, makes it clear to all that this is a crucial element in the success of the organization and any related individual rewards (bonuses, raises, promotions, etc.).
  • Involve compliance early in product design, marketing planning, and so forth.
  • Focus on vulnerable customers in your community, including the young, less educated, immigrants, and elderly, and pay particular attention to how you direct your marketing, product recommendations, and disclosures to such populations.

It is much easier – and less expensive – to plan and lay appropriate groundwork to avoid problems than it is to repair damages after inappropriate and illegal actions blow up. The reactive approach can cause the bank immeasurable reputation harm, which is much more costly than any monetary penalties, and much more difficult to recover from.

For more information on how the Young & Associates compliance team can assist with your UDAAP compliance, contact us at mgerbick@younginc.com or 330-422-3482.

Don’t let UDAAP spook you, take control

The Consumer Financial Protection Bureau (CFPB) celebrated Halloween in 2012 by releasing its updated Supervision and Examination Manual (version 2.0). The manual includes updated examination procedures for assessing compliance with Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) rules. The updated examination procedures give bankers a guide for what their examiners will be looking for in terms of UDAAP compliance, including the then-new “abusive” standard.

Background

Section 5 of the Federal Trade Commission (FTC) Act has been around for over 70 years and prohibits “unfair or deceptive acts or practices” (UDAP), the predecessor to UDAAP. Banking regulators have had the responsibility to enforce bank and thrift compliance with UDAP rules, while the FTC had the authority to interpret the statute and write any rules. The Federal Reserve Board (FRB) was given interpretive and rule-writing authority when this part of the FTC Act was amended in 1975 but continued largely to defer to the FTC.

It was not until the year 2000 that banks saw significant enforcement of UDAP from the banking agencies when the Office of the Comptroller of the Currency (OCC) took the lead. The OCC concluded that it had authority to address a violation of the FTC Act even regarding a challenged practice that was not specifically prohibited by regulation.

Then, Title X of the Dodd-Frank Act (DFA) codified UDAP law specifically for financial institutions, eliminated the FRB’s rule-writing authority, added the “abusive” standard, and moved rule-writing authority to the CFPB.

What is UDAAP?

All of these standards or characteristics are quite subjective. The elements of unfairness and deception have been established by statute, as well as interpretation over the years by the FTC in various enforcement actions and interpretive documents. The element of being abusive was established, in general terms, in statute by the DFA.

In brief, these standards are:

  • Unfair. To be unfair, an act or practice must cause or be likely to cause substantial injury to consumers, harm that the consumers cannot reasonably avoid or that is not outweighed by countervailing benefits. Substantial harm usually involves monetary harm, including a small monetary harm to each of a large number of consumers.
  • Deceptive. A three-part test is used to determine whether a representation, omission, act, or practice is deceptive. First, the representation, omission, act, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the representation, omission, act, or practice must be reasonable under the circumstances. And lastly, the misleading representation, omission, act, or practice must be material. “Material” means that it is likely to affect a consumer’s decision regarding a product or service.
  • Abusive. An abusive act or practice materially interferes with the ability of the consumer to understand a term or condition of a consumer financial product or service. Such an act or practice also includes one that takes unreasonable advantage of: the consumer’s lack of understanding of material risks, costs, or conditions of a product or service; the consumer’s inability to protect his interests in selecting or using a financial product or service; or the consumer’s reasonable reliance on the banker (or other “covered person”) to act in the interests of the consumer.

How to handle UDAAP

Banks and thrifts need to make sure their consumer compliance programs are proactive in addressing areas prone to UDAAP issues. Anticipate potential problems; do not wait for problems to arise because by then it may be too late to prevent serious consequences.

A few steps that can help establish a proactive compliance regime are:

  • Establish a positive compliance culture. Senior management and the board need to make it clear that compliance is a fundamental element of the institution’s business – both compliance with the technical requirements (disclosures, computations, etc.) and, at least equally important, with the underlying spirit or fundamental principles of the consumer protection laws.
  • Enforce compliance performance. To succeed, the bank needs to make compliance important to its officers and staff – not only by ensuring overt support from the top, but also by making it an integral part of how employees’ performance is measured and rewarded (or not). For example, an officer with high loan production but also high compliance error rates or fairness issues should not be rewarded for one (production) without being penalized for the other (compliance failures).
  • Involve compliance early. Compliance cannot be an exercise in looking for violations and other problems after the fact. To be truly effective and efficient, compliance must be integrated into the business processes – involved in product design, marketing planning, etc., at the ground level.
  • Focus on vulnerable customers. An important way to avoid UDAAP problems is to pay particular attention to those customers, or potential customers, who might be more vulnerable to unfair, deceptive, or abusive acts or practices. Examples of such potentially vulnerable populations might include the young, less educated, immigrants, elderly, and so forth. The bank should be particularly sensitive to how it couches its marketing, product recommendations, disclosures, etc., to such populations.

Benefits of a regime

Such a positive, proactive compliance regime can help the bank prevent most UDAAP (and other compliance) problems before they even arise. This approach is much more cost-efficient than running what a compliance officer I knew years ago called a “fix-it shop,” having to try to fix compliance problems after they have occurred. Years ago, such an approach was not desirable, but might have been survivable. However, today, it could prove disastrous – especially with the rise of UDAAP.

Contact Y&A today

For more information on this article or how Young & Associates can assist your organization with UDAAP compliance, contact Dave Reno at 330.422.3455 or dreno@younginc.com.

The value of internal audit through a fresh set of eyes

There is risk in every aspect of the banking industry and the regulatory environment seems to continually change. As to the governance and control functions of the industry, it may be refreshing to the board of directors, audit committee, and executive management to have their internal audit function re-assessed and validated through a fresh set of eyes to assure that the controls in place are functioning as intended.

Why consider an internal audit?

A strong internal control system, including an independent and effective internal audit function, is part of sound corporate governance. The board of directors, audit committee, senior management, and supervisors must be satisfied with the effectiveness of the internal audit function, that policies and practices are followed, and that management takes appropriate and timely corrective action in response to internal control weaknesses identified by internal auditors. An internal audit function provides vital assurance to a board of directors (who ultimately remains responsible for the internal audit function, whether in-house or outsourced) as to the quality of the internal control system. In doing so, the function helps reduce the risk of loss, regulatory criticism, and reputational damage to the organization.

All internal auditors (whether in-house or outsourced) must have integrity and professional competence, including the knowledge and experience of each internal auditor and of team members collectively. This is essential to the effectiveness of the internal audit function. We encourage internal auditors to comply with and to contribute to the development of national professional standards, such as those issued by the Institute of Internal Auditors, and to promote due consideration of prudent issues in the development of internal audit standards and practices.

Every activity of the organization (including outsourced activities) should fall within the scope of the internal audit function. The scope of the internal audit function’s activities should ensure adequate coverage of matters of regulatory interest within the audit plan. Regular communication among the audit committee, management, and affected personnel is crucial to identify weaknesses and their associated risks and to assure that timely remedial actions are taken.

How Young & Associates can help

Young & Associates can independently assess the effectiveness and efficiency of the organization’s internal control, risk management, and governance systems and processes to provide assurance that the internal control structure in place operates according to sound principles and standards. For more information on how we might provide internal audit services specific to your organization’s needs, whether it is outsourced or co-sourced, please contact Dave Reno at 330.422.3455 or email to dreno@younginc.com.

SAFE Act a decade on

By: William J. Showalter, CRCM, CRP, Senior Consultant

We have been dealing with the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act) since 2010, and yet questions surface or confusion still exists over SAFE Act requirements.

“A loan clerk quotes loan rates from a non-public rate schedule, along with payment amounts for inquiring consumers. Should she be registered?” (Maybe, she is performing a function of a mortgage loan originator, MLO.)

“Our head of lending is our SAFE Act Officer. He also handles some mortgage loans, with his name on loan documents. However, his background is in commercial lending and he has never been registered with the NMLSR. Do we have a problem?” (Yes, if he is involved in more than five mortgage loans per year, he must be registered.)

“How often do we have to get criminal background checks for our MLOs? How about when their fingerprints expire?” (Criminal background checks are required only on initial registration. The fingerprint expiration date is only relevant for existing MLOs who are coming into the bank as new employees. No updating of fingerprints for ongoing MLOs is required.)

These queries reveal that confusion still exists over what the requirements are and how they impact banks and thrifts.

A little background

Congress enacted the SAFE Act in July 2008 to require states to establish minimum standards for the licensing and registration of state-licensed mortgage loan originators, and to provide for the establishment of a nationwide mortgage licensing system and registry for the residential mortgage industry.

The SAFE Act required all states to provide for a licensing and registration regime for mortgage loan originators who are not employed by federal agency-regulated institutions within one year of enactment (or two years for states whose legislatures meet biennially).

In addition, the SAFE Act required the federal banking agencies, through the Federal Financial Institutions Examination Council (FFIEC), and the Farm Credit Administration (FCA) to develop and maintain a system for registering mortgage loan originators employed by agency-regulated institutions.

The Dodd-Frank Act moved responsibility for the SAFE Act rules to the Consumer Financial Protection Bureau (CFPB), which rolled these rules into its Regulation G (12 CFR 1007).

Licensing vs. registration

Most of the confusion at the outset seemed to center on the issue of licensing versus registration of mortgage loan originators (MLOs). The issue is really deceptively simple.

  • MLOs that work for federally supervised banks, thrifts, and credit unions (as well as FCA lenders) must register with the national registry (NMLSR).
  • MLOs employed by other mortgage lenders (mortgage companies, etc.) must navigate the state licensing and registry system, a much more time consuming, expensive, and burdensome process which also carries a continuing education requirement.

Coverage

A “mortgage loan originator” is an individual who both takes residential mortgage loan applications and offers or negotiates terms of a residential mortgage loan for compensation or gain.

The term “mortgage loan originator” does not include individuals that perform purely “administrative or clerical tasks” (the receipt, collection, and distribution of information common for the processing or underwriting of a loan in the mortgage industry) and communication with a consumer to obtain information necessary for the processing or underwriting of a residential mortgage loan. Also excluded are individuals that perform only real estate brokerage activities and are duly licensed, individuals or entities solely involved in extensions of credit related to timeshare plans, employees engaged in loan modifications or assumptions, and employees engaged in mortgage loan servicing.

“Compensation or gain” includes salaries, commissions, other incentives, or any combination of these types of payments.

MLO registration

An MLO must be federally registered if the individual is an employee of a depository institution, an employee of any subsidiary owned and controlled by a depository institution and regulated by a federal banking agency, or an employee of an institution regulated by the FCA.

The final rule, as required by the SAFE Act, prohibits an individual who is an employee of an agency-regulated institution from engaging in the business of a loan originator without registering as a loan originator with the national registry, maintaining that registration annually, and obtaining a unique identifier through the registry. Employer financial institutions must require adherence to this rule by their employee MLOs.

MLOs may submit their registration information individually or their employer institution may do it for them (by a non-MLO employee). The decision of which approach to take should be made by management to ensure consistency within the institution, especially since there is prescribed institution information that also must be submitted to the registry.

This MLO information must include financial services-related employment history for the 10 years before the date of registration or renewal, including the date the employee became an employee of the bank – not just the time they have worked for their current employer.

MLOs and their employers need to remember that registrations have to be renewed annually for as long as an individual operates as an MLO. The renewal period opens on November 1 and ends on December 31 each year. If an MLO or bank registration lapses, it may be reinstated during a reinstatement period that opens on January 2 and closes on February 28 each year.

Other requirements

Bank and thrift managers also should remember that there are specific requirements in this rule for the institution to have policies and procedures to implement SAFE Act requirements, as well as regarding the use of a unique identifier (NMLS number) by MLOs.

At a minimum, the bank’s SAFE Act policies and procedures must:

  • Establish a process for identifying which employees have to be registered MLOs
  • Require that all employees who are MLOs are informed of the SAFE Act registration requirements and be instructed on how to comply with those requirements and procedures
  • Establish procedures to comply with the unique identifier requirements
  • Establish reasonable procedures for confirming the adequacy and accuracy of employee registrations, including updates and renewals, by comparisons with its own records
  • Establish reasonable procedures and tracking systems for monitoring compliance with registration and renewal requirements and procedures
  • Provide for independent testing for compliance with this part to be conducted at least annually by covered financial institution personnel or by an outside party
  • Provide for appropriate action in the case of any employee who fails to comply with SAFE Act registration requirements or the bank’s related policies and procedures, including prohibiting such employees from acting as MLOs or other appropriate disciplinary action
  • Establish a process for reviewing SAFE Act employee criminal history background reports, taking appropriate action consistent with applicable federal law, and maintaining records of these reports and actions taken with respect to applicable employees, and
  • Establish procedures designed to ensure that any third party with which the bank has arrangements related to mortgage loan origination has policies and procedures to comply with the SAFE Act, including appropriate licensing and/or registration of individuals acting as MLOs

The bank or thrift also must make the unique identifiers (NMLS numbers) of its registered MLOs available to consumers “in a manner and method practicable to the institution.” The bank has latitude in implementing this requirement.

It may choose to make the identifiers available in one or more of the following ways:

  • Directing consumers to a listing of registered MLOs and their unique identifiers on its website
  • Posting this information prominently in a publicly accessible place, such as a branch office lobby or lending office reception area, and/or
  • Establishing a process to ensure that bank personnel provide the unique identifier of a registered MLO to consumers who request it from employees other than the MLO

In addition, a registered MLO must provide his or her unique identifier to a consumer:

  • Upon request
  • Before acting as a mortgage loan originator, and
  • Through the MLO’s initial written communication with a consumer, if any, whether on paper or electronically (often by incorporating it into the signature information for standard letter and e-mail formats)

Banks, thrifts, and their registered MLOs often also make their NMLS numbers available in other ways – such as including them in advertising or on business cards.

As with any compliance rule, banks and thrifts need to make sure that they have systems in place to ensure compliance with SAFE Act requirements, including appropriate training for employees involved in the mortgage origination process.

For information on how Young & Associates can assist your bank with the SAFE Act requirements, contact Dave Reno at 330.422.3455 or dreno@younginc.com.

Regulation B Interpretive Rule on Sexual Orientation and Gender Identity

The Bureau of Consumer Financial Protection (Bureau) issued an interpretive rule to clarify that, with respect to any aspect of a credit transaction, the prohibition against sex discrimination in the Equal Credit Opportunity Act (ECOA) and Regulation B, which implements ECOA, encompasses sexual orientation discrimination and gender identity discrimination, including discrimination based on actual or perceived nonconformity with sex-based or gender-based stereotypes and discrimination based on an applicant’s associations.

The interpretive rule became effective upon publication in the Federal Register.

Stay compliant

At Young & Associates, we have been teaching for years that this is the correct approach. The reality is that an applicant’s sexual orientation or gender identity has absolutely nothing to do with whether they will be able to repay the loan. The focus of all bankers should be on the same things that are important in all credit decisions – cash, collateral, and credit. Nothing else really matters.

The Equal Credit Opportunity Act (ECOA) makes it “unlawful for any creditor to discriminate against any applicant, with respect to any aspect of a credit transaction,” on several enumerated bases, including “on the basis of … sex …” Likewise, Regulation B prohibits a creditor from discriminating against an applicant on a prohibited basis (including “sex”) “regarding any aspect of a credit transaction,” and from making “any oral or written statement to applicants or prospective applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application.”

Changes your institution needs to know

Before this interpretive rule, twenty states and the District of Columbia prohibited discrimination on the bases of sexual orientation and/or gender identity either in all credit transactions or in certain (e.g., housing-related) credit transactions. This interpretive rule now makes this the new national standard. Financial institutions must recognize sexual orientation and/or gender identity as protected classes and incorporate practices that prohibit discrimination on these bases.

This interpretive rule removes any remaining regulatory uncertainty under ECOA and Regulation B regarding the term “sex” to ensure fair, equitable, and nondiscriminatory access to credit for both individuals and communities and to protect consumers from discrimination. It serves a stated purpose of Regulation B, which is to “promote the availability of credit to all creditworthy applicants without regard to … sex …”

As an interpretive rule, it is exempt from the notice-and-comment rulemaking requirements of the Administrative Procedure Act.

To learn more about how we can assist your organization with your compliance efforts, contact Dave Reno, Director – Lending and Business Development, at dreno@younginc.com or 330.422.3455.

Compliance management

By William J. Showalter, CRCM, CRP, Senior Consultant

We have repeatedly heard over the years that we must manage compliance just like all other aspects of our business. This maxim is particularly true in today’s escalating compliance environment. So many new and changed rules have entered the mix over the past decade that we could easily feel overwhelmed if we did not proactively manage the compliance process.

Over the years, supervisory agencies have shared general outlines of compliance management systems with the financial institutions they regulate. They have quickly pointed out that no single “right” way exists to manage compliance, but every program must meet certain basic needs.

Compliance Management Systems

The Consumer Financial Protection Bureau (CFPB) and other agencies view compliance management as vital to the prevention of violations of federal consumer financial laws and the resulting harm to consumers. In its Supervisory Highlights publication, the CFPB spelled out its expectations for an effective compliance management system (CMS) – which mirror those from other supervisory agencies.

The CFPB states that it expects every entity it supervises (large financial institutions and nonbank financial firms) to have an effective CMS adapted to its business strategy and operations.

According to the CFPB, a CMS is how a supervised entity:

  • Establishes its compliance responsibilities.
  • Communicates those responsibilities to employees.
  • Ensures that business processes incorporate responsibilities for meeting legal requirements and internal policies.
  • Reviews operations to ensure that legal requirements are met and assigned responsibilities are carried out.
  • Takes corrective action.
  • Updates tools, systems, and materials, as necessary.

No agency requires financial institutions to structure their CMS in any particular manner. They recognize the differences inherent in an industry comprised of banking organizations of different sizes, differing compliance profiles, and a wide range of consumer financial products and services. In addition, some financial firms outsource functions with consumer compliance-related responsibilities to service providers, requiring adaptations in their CMS structure.

However compliance is managed, financial entities are expected by all the federal supervisory agencies to structure their CMS in a manner sufficient to comply with federal consumer financial laws and appropriately address associated risks of harm to consumers.

CFPB Findings

The CFPB has found that the majority of banks it has examined have generally had adequate CMS structures. However, several institutions have lacked one or more of the components of an effective CMS, which creates an increased risk of noncompliance with federal consumer financial laws.

The most common weakness identified during CFPB reviews of banks’ CMS is a deficient system of periodic monitoring and independent compliance audits. The CFPB has noted that an effective CMS implements an effective internal compliance review program as an integral part of an overall risk management strategy. Such a program has two components – both periodic monitoring reviews and an independent compliance audit. These two types of controls are not interchangeable. They must be complementary.

The periodic monitoring reviews are more frequent and less intensive than the audits, focusing on areas that carry the most risk – where mistakes should not be allowed to go uncorrected too long. Monitoring is an ongoing process, conducted by either the individual business lines or the compliance officer/department on a relatively frequent basis, and allows the bank to self-check its processes and ensure day-to-day compliance with federal consumer financial laws.

An independent compliance audit reviews all operations impacted by consumer laws. Auditors perform audits less frequently—usually annually—to ensure ongoing compliance, proper operation of the CMS as a whole, and board awareness of consumer compliance issues identified in these independent reviews. An independent party—either an internal auditor or an outside consultant—should perform audits.

The CFPB notes that an entity lacking periodic monitoring increases its risk that violations and weaknesses will go undetected for long periods of time, potentially leading to multiple regulatory violations and increased consumer harm.

Additionally, these entities increase the risk that:

  • Insufficiencies in the periodic monitoring process may not be identified.
  • The board is not made aware of regulatory violations or program weaknesses.
  • Practices or conduct by employees within the business lines or compliance department that are unfair, deceptive, abusive, discriminatory, or otherwise unlawful could go undetected.

CMS Elements

Although the CFPB states that it does not require any specific CMS structure, it notes that supervisory experience has found that an effective CMS commonly has four interdependent control components, elements that have been advocated by all regulatory agencies over the years:

  • Board of directors and management oversight. An effective board of directors communicates clear expectations and adopts clear policy statements about consumer compliance for both the bank itself and its service providers. The board should establish a compliance function, allocating sufficient resources and qualified staffing to that function, commensurate with the entity’s size, organizational complexity, and risk profile. The board should ensure that the compliance function has the authority and accountability necessary to implement the compliance management program, with clear and visible support from senior management, as well. Management should ensure a strong compliance function and provide recurring reports of compliance risks, issues, and resolutions to the board or to a committee of the board.
  • Compliance program. The CFPB and other federal financial institutions supervisors expect supervised entities to establish a formal, written compliance program, generally administered by a chief compliance officer. A compliance program includes the following elements: policies and procedures, training, monitoring, and corrective action.

The agencies assert that a well-planned, implemented, and maintained compliance program will prevent or reduce regulatory violations, protect consumers from noncompliance and associated harms, decrease the costs and risks of litigation affecting revenues and operational focus, and help align business strategies with outcomes.

  • Consumer complaint management program. Federal supervisory agencies expect financial service providers to respond to complaints and inquiries received from consumers. In addition, financial institutions should monitor and analyze complaints to understand and correct weaknesses in their programs that could lead to consumer risks and violations of law.

Key elements of a consumer complaint management program include establishment of channels through which to receive consumer complaints and inquiries (e.g., telephone numbers or email addresses dedicated to receiving consumer complaints or inquiries); proper and timely resolution of all complaints; recordation, categorization, and analysis of complaints and inquiries; and reviews for possible violations of federal consumer financial laws.

The agencies expect financial firms to organize, retain, and analyze complaint data to identify trends, isolate areas of risk, and identify program weaknesses in their lines of business and overall CMS.

  • Independent compliance audit. A compliance audit program allows the board of directors or its designated committees to determine whether the institution is implementing policies and standards that achieve the level of compliance and consumer protection the board has established. As noted above, an independent party — separate from both the compliance program and business functions — should conduct these audits. The auditor should report the audit results directly to the board or a board committee.

The agencies expect that the audit schedule and scope will be appropriate for the entity’s size, its consumer financial product offerings, and structure for offering these products. The compliance audit program should address compliance with all applicable federal consumer financial laws. It should also identify any significant gaps in policies and standards.

When all of these four control components are strong and well-coordinated, the CFPB states that a supervised entity should be successful at managing its compliance responsibilities and risks.

Handle ARM Adjustments with Care

By William J. Showalter, CRCM, CRP, Senior Consultant

Adjustable-rate mortgages (ARM) have not been much of an issue for many banks and thrifts in recent years since fixed rates have been so low. But they are still an important tool for serving those customers who cannot meet the secondary market qualifications applied to most fixed-rate loans. And, many institutions have a portfolio of existing ARM loans that they service. One potential complication for some lenders is the impending discontinuance of the LIBOR index. This requires lenders to find another comparable index for their ARMs.

ARMs were in the spotlight over 10 years ago because of problems in the subprime market. Many subprime products have variable interest rates, which shift the interest rate risk from lender to borrower. Besides the issues raised then over putting borrowers into inappropriate products, there also are concerns over errors in ARM rate changes.

Do an internet search for “ARM errors” or similar terms and you will come up with numerous firms offering loan audit and information services to borrowers. These firms tell borrowers that their companies can correct ARM errors, bring loans into compliance, and get the borrower a mortgage refund.

Background on adjustable-rate mortgages

The initial furor over these mistakes arose over a report on adjustable-rate mortgage adjustment errors prepared by a former Federal Savings and Loan Insurance Corporation employee in 1989. His assertions sent a tremor through the mortgage industry. The report concluded that miscalculations in periodic adjustments to rates on ARM instruments resulted in significant overcharges. He found ARM adjustment errors in about 50 percent of the loans he sampled. From these results, he estimated the potential overcharges to be up to $15 billion for ARMs nationwide at the time. This figure has been estimated as high as $50-60 billion in recent years.

The controversy was further stoked by a study from the Government Accountability Office (GAO) released in September 1991 which found between 20 and 25 percent of the ARM loans at the time contained interest rate errors. Such errors occurred when the related mortgage servicer selected the incorrect index date, used an incorrect margin, or ignored interest rate change caps.

The damaging studies kept coming. In July 1994, Consumer Loan Advocates, a non-profit mortgage auditing firm, announced that as many as 18 percent of ARMs had errors costing the borrower more than $5,000 in interest overcharges. Another government study, in December 1995, concluded that 50 to 60 percent of all ARMs contained an error regarding the variable interest rate charged to the homeowner. The study estimated the total amount of interest overcharged to borrowers was in excess of $8 billion. Inadequate computer programs, incorrect completion of documents, and calculation errors were cited as the major causes of interest rate overcharges.

Even though no other government studies have been conducted into ARM interest overcharges to date, the potential issue continues to simmer below the surface and lenders need to be vigilant so that it does not erupt into a veritable super volcano of enforcement actions and lawsuits.

Types of errors

The kinds of errors lenders are said to make in implementing ARM rate and payment adjustments run the gamut from calculation mistakes to carelessness, including:

  • Mistakes in original loan set up/data input
  • Miscalculation of payment amount
  • Improper allocation of payments between interest and principal (amortization)
  • Use of the wrong index
  • Selection of incorrect index value
  • Application of incorrect interest rate caps
  • Failure to adjust in some years
  • Use of incorrect margins
  • Improper rounding methods (e.g., rounding up instead of rounding to the nearest 1/8th of 1 percent)
  • Math mistakes causing an incorrect rate
  • Use of incorrect loan balance

Banking regulators point out that these errors may be considered breaches of contract. These errors could then expose the financial institution to legal action.

Extent of errors

Since ARMs involve changing index values periodically and oftentimes complex computer calculations, they seem to attract human and software errors. Mortgage audit firms point out that leading publications such as The Wall Street Journal, MONEY, Forbes, and Newsweek have warned borrowers about miscalculations occurring in up to 50 percent of ARMs.

The firms get borrowers’ attention by pointing to figures of lender overcharges and borrower refunds like these:

  • Average borrower refund of over $1,500
  • 21 percent of refunds ranging from $3,500 to $10,000
  • 13 percent of errors exceeding $10,000

Reasons for errors

The calculation of ARM rate changes is a complex process and errors can occur in a variety of ways. Add to this the fact that many lenders offer, and servicers support, a variety of ARM products with different rate adjustment intervals, indices, margins, and other terms. Another potential complicating factor is the widespread practice of transferring loan servicing. This presents another opportunity for human mistakes and software mismatches to cause errors.

Some of the mortgage audit firms assert that adjustable-rate mortgage rate and payment adjustment errors have been linked to:

  • Lack of training, supervision, and experience of loan servicing personnel
  • Simple human error
  • Computer data entry or software errors
  • Clerical or calculation errors
  • Fraud
  • Sale or transfer of the loan to a different company
  • Rider, handwritten changes, or other irregularities in the note
  • Very complex calculations, use of an unusual index, or interest rate
  • Dissolution or merger of the original loan institution

How to avoid these problems

The federal banking supervisors began encouraging financial institutions back in 1991 to perform reviews of their adjustable-rate loan systems. This was to ensure that interest rate information is correctly ascertained and administered, and that rates are adjusted properly.

Banks and thrifts should have effective internal controls and procedures in place to ensure that all adjustments are made according to the terms of the underlying contracts and that complete, timely, and accurate adjustment notices are provided to borrowers. Also, a system for the ongoing testing of adjustments should be in place to ensure that adjustments continue to be made correctly.

A critical component of any successful loan servicing program, including correctly implementing rate and payment adjustments, is a thorough training regime for lending personnel involved in the process. Those involved must be given the appropriate tools – including knowledge – to succeed in their jobs.

Any review of adjustable-rate mortgage adjustments should include documentation indicating the basis for interest rate adjustments made to a lender’s adjustable-rate mortgage loans, showing whether changes have been made consistent with the underlying contracts.

If a lender finds that it has made errors in interest rate adjustments that have resulted in interest overcharges on ARMs, the supervisory agencies expect the lender to have in place a system to correct the overcharges and properly credit the borrower’s account. In general, undercharges cannot be collected from borrowers.

Learn more about this topic and how Young & Associates, Inc. can assist your institution. Contact Bill Showalter at wshowalter@younginc.com or 330.422.3473 today.

Off-Site Reviews, Virtual/Teleconference Training, and Management Consulting Support

Young & Associates, Inc. remains committed to keeping our employees, clients, and partners safe and healthy during the COVID-19 pandemic. During this difficult and unprecedented time, we have continued to successfully leverage technology to fulfill our commitments to our clients and partners through secure remote access for reviews, virtual/teleconference training, and other management consulting support.

Young & Associates’ commitment to virtual/teleconference training and remote access reviews dates back well over five years. We see this ability as a win-win for everyone – the review and training get completed in a timely manner and the bank avoids paying any travel expenses. If you are concerned about security, please be assured that we use the latest secure technology.

We remain committed to helping our clients with all areas of their operations through off-site reviews and providing the most current regulatory updates through our virtual/teleconferencing training.

Contact one of our consultants today for more information about our off-site reviews or virtual/teleconferencing training:

Bill Elliott, Director of Compliance Education:
bille@younginc.com or 330.422.3450

Karen Clower, Director of Compliance:
kclower@younginc.com or 330.422.3444

Martina Dowidchuk, Director of Management Services:
mdowidchuk@younginc.com or 330.422.3449

Bob Viering, Director of Lending:
bviering@younginc.com or 330.422.3476

Kyle Curtis, Director of Lending Services:
kcurtis@younginc.com or 330.422.3445

Aaron Lewis, Director of Lending Education:
alewis@younginc.com or 330.422.3466

Dave Reno, Director – Lending and Business Development:
dreno@younginc.com or 330.422.3455

Ollie Sutherin, Manager of Secondary Market QC Services:
osutherin@younginc.com or 330.422.3453

Jeanette McKeever, Director of Internal Audit:
jmckeever@younginc.com or 330.422.3468

Mike Detrow, Director of Information Technology Audit/Information Technology:
mdetrow@younginc.com or 330.422.3447

Young & Associates, Inc.’s consultants provide a level of expertise gathered over 42 years. In our consulting engagements, we closely monitor the regulatory environment and best practices in the industry, develop customized solutions for our clients’ needs, and prepare detailed and timely audit reports to ease implementation moving forward. Our consultants have backgrounds and experience in virtually all areas of the financial services industry. Many of our consultants and trainers have come to the company directly from positions in financial institutions or regulatory agencies where they worked to resolve many of the issues that our clients face daily.

We look forward to working with you as you work to obtain your goals in 2021 and beyond.

Assessing your Compliance Training

By Bill Elliott, CRCM, Director of Compliance Education

Last fall, the Consumer Financial Protection Bureau (CFPB) updated their Regulatory Agenda for the next few months. As has been the reality for a while, there does not seem to be any particular rush to accomplish many final rules. The Economic Growth, Regulatory Relief and Consumer Protection Act (EGRRCP Act) was signed into law in May 2018. In that law, there are a number of required changes that should be fairly easy to implement – if the CFPB would just do so. But in the short term, there appears little likelihood that the changes dictated by the law (or many other changes) will be placed into regulation. But change is still in our future – it is just a question of the timing.

Part of the problem is the regulatory process. Although not all banks are subject to the Home Mortgage Disclosure Act, it is an excellent example. The “new version” of Regulation C was published as a final rule, effective January 2018. Before the 2018 date, the CFPB changed the regulation. With the passage of the EGRRCP Act, many of the new required fields were eliminated for smaller reporters. Although a fairly simple series of changes was necessary, many months passed before the regulation was updated (October 2019). And when those changes were made final, there were still some outstanding issues in HMDA that needed to be addressed, and they remain open at this writing. So even with all the changes, it is not “final” yet. The latest Small Entity Guide for HMDA (which will have to be modified again) is Version 4.

Importance of compliance training

This complicates the life of any bank, regardless of size. When the regulatory process is poor and disjointed, it makes training and implementation more difficult. But the reality is that regardless of how confusing the regulatory process is, banks still have to comply.

Training is a necessary expense, as a failure to train, especially when things are in flux, opens the bank to regulatory scrutiny and/or fines for non-compliance. And keeping your policies and procedures current with the latest changes is always a challenge.

Banks should assess how information is disseminated throughout the bank as these changes occur to assure that training dollars are spent effectively. And the time to assess is now, while things are relatively “calm.” Many banks have delegated training to electronic or web-based systems, and there are many good choices available. But, because of the nature of this type of training, they focus on the facts and requirements, but usually do not include information on what to expect of your employees, or the implementation strategies of your bank. Be wary of buying a training system and then assuming all your training needs are met.

How we can help with your compliance training program

We do not market electronic or web-based systems. But Young & Associates, Inc. offers a wide variety of personalized training opportunities, including:

  • Live seminars with some of our state association partners
  • Live in-bank training
  • Conference calls
  • Private webinars
  • Virtual Compliance Consultant program, which includes a monthly telephone call that can be used for compliance support and/or training sessions as well as policy support, and any other personalized training that you may need

In this period of relative quiet, take this time to assess your training methods and your training needs for the future. Eventually the regulators will begin to issue more regulation, and Young & Associates, Inc. stands ready to assist. To discuss how we can help, please contact Karen Clower at 330.422.3444 or kclower@younginc.com.

Liquidity Risk Management

By Martina Dowidchuk, Director of Management Services and Senior Consultant

Does your liquidity management meet the standards of increased regulatory scrutiny? Regulators are gradually applying a more rigid review to what they once deemed acceptable, and financial institutions need to be prepared to show that their liquidity risk oversight complies with both supervisory guidance and sound industry practices.

Community banks may not view liquidity risk as an immediate concern given the abundance of liquidity in the banking industry today. However, history shows that liquidity reserves can change quickly and the changes may occur outside of management’s control. A bank’s liquidity position may be adequate under certain operating environments, yet be insufficient under adverse environments. Adequate liquidity governance is considered as important as the bank’s liquidity position. While the sophistication of the liquidity measurement tools varies with the bank’s complexity and risk profile, all institutions are expected to have a formal liquidity policy and contingency funding plan that are supported by a liquidity cash flow forecast, projected liquidity position analysis, stress testing, and dynamic liquidity metrics customized to match the bank’s balance sheet.

Some of the common liquidity risk management pitfalls found during annual independent reviews include:

Cash Flow Plan:

  • Lack of projected cash flow analysis
  • Inconsistencies between liquidity cash flow assumptions and the strategic plan/budget
  • Lack of documentation supporting liquidity plan assumptions
  • Overdependence on outdated, static liquidity ratios and lack of forward-looking metrics
  • Lack of back-testing of the model

Stress Scenarios:

  • Stress-testing of projected cash flows not performed
  • Stress tests focusing on a single stress event rather than a combination of stress factors
  • Stress tests lacking the assessment of a liquidity crisis impact on contingent funding sources
  • Insufficient severity of stress tests

Contingency Funding Plan Document:

  • Contingency funding plan failing to address certain key components, such as the identification of early warning indicators, alternative funding sources, crisis management team, and action plan details
  • Lack of metrics defined to assess the adequacy of primary and contingent funding sources in the baseline and stressed scenarios

Liquidity Policy:

  • Inadequate risk limits or lack of acceptable levels of funding concentrations defined in the liquidity policy
  • Liquidity policy failing to address responsibilities for maintenance of the cash flow model, model documentation, periodic assumption review, and model validation

Management Oversight:

  • ALCO discussions related to liquidity management not containing sufficient detail and not reflected appropriately in the ALCO meeting minutes
  • Lack of periodic testing of the stand-by funding lines
  • Lack of liquidity model assumption review or documentation of such review
  • Lack of periodic independent reviews of the liquidity risk management process

If you want an independent review of your existing liquidity program and a model validation, or need assistance developing a contingency funding plan, liquidity cash flow plan, and liquidity stress testing, please contact me at 330.422.3449 or mdowidchuk@younginc.com. Young & Associates, Inc. offers an array of liquidity products and services that can help you to ensure compliance with the latest regulatory expectations.

Banks as Federal Contractors, A Brief History

By: Mike Lehr, HR Consultant

Unless legal counsel says otherwise, if FDIC covers a bank’s deposits, it’s best to assume it’s a federal contractor. That not only means the bank likely needs an affirmative action plan if it issues fifty or more different W2s in a year, but the federal government holds the bank to higher employment standards.

Still, as human resources professionals know, bank CEOs, presidents, and other senior executives often want to know, “What law says so?” After all, when we think of a “federal contractor,” we often think huge employers with thousands of employees.

For banks with only a few hundred (if that) employees, this all seems very unnecessary. Yet, the short answer is that a reinterpretation of existing law after the 2008 financial crisis made most banks federal contractors if they obtained federal deposit insurance.

Reviewing the way our government works and the history of banks as federal contractors can clarify this answer. After all, the law is not clear. It hasn’t changed much in over twenty years.

This review begins by reminding others that federal laws change in three main ways:

    1. Congress passes or revises laws.
    2. Executive branch reinterprets existing laws.
    3. Courts rule on and clarify regulations causing disagreements among parties.

While Congress neither passed nor revised any law specifically stating banks are federal contractors, the Department of Labor (DOL) reinterpreted the law. Until the 2008 financial crisis, the Office of Federal Contract Compliance Programs (OFCCP), an agency of the DOL, mainly interpreted the law to say FDIC made banks contractors. The DOL, its boss so to speak, never accepted this, however.

So, until 2008, unless a bank clearly acted as “an issuing and paying agent for U.S. savings bonds and notes” or “a federal fund depository,” in a substantial manner, the DOL likely didn’t consider it a federal contractor.

Until 2008, FDIC payouts to banks were rare, almost non-existent. This crisis though saw many sizeable payouts. As a result, the DOL accepted OFCCP’s interpretation of the law. The crisis forced the DOL to see FDIC coverage as doing business with the federal government. So now, by its “boss” agreeing, the OFCCP has more authority to enforce its regulations such as affirmative action plans on banks.

Again, a reinterpretation of existing law after the 2008 financial crisis increased dramatically the likelihood that a bank is a federal contractor. This brief history has helped human resources professionals answer questions related to “what law says so?”

For more guidance and support on complying as a federal contractor, you can reach Mike Lehr at mlehr@younginc.com. Mike Lehr is not an attorney. As such, the content in this article should not be construed as providing legal advice. For specific decisions on compliance with OFCCP regulations, readers should consult with their legal counsel.
