
The Importance of Documentation to Support Your Information Security Program

By: Mike Detrow, CISSP, and Brian Kienzle, CISSP, OSCP

Written records are generally more trustworthy than human memory. Examiners and auditors typically take the following stance: if it isn’t formally documented, it didn’t happen. It is usually not possible to accurately recall all the details of an activity that we performed six months to a year ago. That is why it is important to formally document your monitoring activities, so that the specific details about any work performed are available for your reference and for examiners and auditors to review.

Common Documentation Gaps

Proper documentation has generally improved in recent years; however, there are still some areas where we commonly see documentation gaps. Areas where we continue to note documentation weaknesses during our IT Audit engagements include:

User Access Reviews

We commonly see a checklist or spreadsheet that identifies various systems/applications and the date(s) that the user access was reviewed. While this format can help to provide a summary of the dates when system/application user access was reviewed, it does not allow an examiner/auditor to understand what was reviewed, any exceptions that were found, nor any changes that were made because of the review. A better approach is to document the review on the actual system reports or screenshots, or to document the review process in a write-up that identifies the review process and any noted exceptions or changes made as a result of the review.

Vendor Monitoring

We still see some instances where ongoing vendor reviews are not formally documented using a checklist or a formal write-up of the details associated with the review and any exceptions that were noted. In these cases, the institution may only have a spreadsheet where they indicate that various vendor documents were reviewed on a specific date. However, this does not allow an examiner/auditor to understand the details about the review, nor does it identify any exceptions that were noted. This same issue occurs with the review of the complementary user entity controls that are identified in vendor SOC reports. Institutions should ensure that they formally document their implementation of each complementary user entity control.

Firewall Audits

Often we see a simple statement in minutes or in an email chain that indicates that a firewall audit was performed. However, this isn’t enough information to determine whether the audit was comprehensive enough to establish that the firewall is properly configured. At a bare minimum, a firewall audit should include a review of all firewall access rules for appropriateness and a review of security services, such as intrusion prevention and web content filtering. Documentation of this review, showing all areas of the firewall configuration that were reviewed, is essential.

E911 Testing

Voice over IP (VoIP) telephone systems communicate with emergency services differently than traditional phone lines. If an IP phone is moved to a different physical location, but the corresponding address information is not updated, then incorrect address information could be seen by emergency responders when that phone is used to dial 911. E911 testing ensures that proper address information is seen by emergency responders. We check that this testing is occurring during our IT audits, and documentation of this testing is the primary method we use to verify this.

While it can sometimes seem like the time spent to formally document your activities is unproductive, especially when some institutions are working with limited staffing, it is critical to maintain this documentation to allow examiners/auditors and the board to have confidence that the institution’s information systems are being managed and monitored appropriately.

Young & Associates offers a variety of IT consulting services to help your financial institution comply with regulations, protect against vulnerabilities, and provide seamless IT service to your customers. For more information on this article, or to learn more about how Young & Associates can assist you with your IT needs, visit our website at www.younginc.com or contact us at mgerbick@younginc.com.

Why Banks Should QC In-Portfolio Loans

By: Donald Stimpert, Consultant and Manager of Secondary Market QC Services

As a result of higher mortgage interest rates and inflation continuing to weigh on affordability, Fannie Mae revised downward their forecast for 2022 single-family mortgage market originations. Fannie Mae now expects 2022 single-family mortgage market originations of $2.3 trillion, a 49% decrease from 2021, with approximately 70% of activity for the full year of 2022 expected to come from purchase originations.

Fannie Mae currently projects a further decline in single-family mortgage market originations in 2023, to $1.7 trillion, with 77% of that activity coming from purchase originations. Fannie Mae expects that multifamily mortgage market originations for 2022 will be between $400 billion and $430 billion, down from the $475 billion estimated at the start of this year, due primarily to rising interest rates and a slowing in multifamily property sales.

As a result of the higher mortgage interest rates, more lenders are holding on to their loans and keeping them as in-house portfolio loans. Young & Associates is currently working with several clients to review not only residential secondary market loans, but in-house portfolio loans as well. By reviewing in-house portfolio loans, Young & Associates will provide the same QC services as we do on the residential secondary market loans while providing financial institutions with the peace of mind that underwriting standards are maintained in accordance with policy directives.

Organizations with a commitment to quality control recognize that loan quality begins before an application is taken and continues throughout the entire mortgage origination process. Young & Associates has provided education, outsourcing, and a wide variety of consulting services to community financial institutions for over 44 years. We are committed to your bank’s future success and look forward to assisting you to ensure or enhance that success. Please click here to learn more, or contact me directly at 1.330.442.3459 or dstimpert@younginc.com.

Brushing Up on Disclosures for ARMs

By: William J. Showalter, CRCM, CRP, Senior Consultant

Now that interest rates are moving up, many bankers are blowing the dust off their adjustable-rate mortgage (ARM) loan offerings. Interest rates for fixed-rate loans were very low for quite some time, which made them much more appealing to mortgage loan customers. But now with rates increasing, the lower initial rates of ARM loans are beginning to look more appealing to at least some borrowers.

The problem is that many of us are so out of practice at making ARMs that we need a refresher to remind us of what we need to do. This article will serve as a primer to help us re-learn how to meet disclosure requirements for ARM loans.

Different Types of ARMs

When we think of an adjustable-rate mortgage, the first thing that comes to mind is likely the classic loan with an interest rate that can change at some regular interval based on the movement of some external index. There is a wide variety of initial time periods for which the rate is fixed and later intervals for rate changes over the life of the loan. Common initial fixed periods are one, three, five, seven, or 10 years, while probably the most common interval for later rate changes is one year.

But that is not where the variety of ARMs ends. The Official Staff Commentary on Regulation Z discusses a number of other loan structures that are considered to be variable-rate transactions subject to the ARM disclosure requirements. These additional loan structures are:

  • Renewable balloon-payment loans where the creditor is both unconditionally obligated to renew the balloon-payment loan at the consumer’s option (or is obligated to renew subject to conditions within the consumer’s control) and has the option of increasing the interest rate at the time of renewal
  • Preferred-rate loans where the terms of the legal obligation provide that the initial underlying rate is fixed but will increase upon the occurrence of some event (e.g., an employee leaving the employ of the creditor, or an automatic payment arrangement being ended) and the note reflects the preferred rate (though a number of the ARM disclosures are not required for preferred-rate loans)
  • “Price-level-adjusted mortgages” or other indexed mortgages that have a fixed rate of interest but provide for periodic adjustments to payments and the loan balance to reflect changes in an index measuring prices or inflation (again a number of the ARM disclosures are not required for price-level-adjusted loans)

It is important to note that graduated-payment mortgages and step-rate transactions without a variable-rate feature are not considered variable-rate transactions under Regulation Z. This is likely because changes over the term of the loan are known at the outset – specified payment and/or interest rate increases.

Application Disclosures

Two ARM disclosures must be given to applicants for such loans at the time an application form is provided or before the consumer pays a non-refundable fee, whichever is earlier. There is an exception allowing the disclosures to be delivered or placed in the mail not later than three business days following receipt of a consumer’s application when the application reaches the creditor by telephone or through an intermediary agent or broker.

For an application that is accessed by the consumer in electronic form – including an online application portal – the required ARM disclosures may be provided to the consumer in electronic form on or with the application.

These two early ARM disclosures are:

  • The booklet titled Consumer Handbook on Adjustable-Rate Mortgages (CHARM booklet), or a suitable substitute, and
  • A loan program disclosure for each variable-rate program in which the consumer expresses an interest (each comprised of 12 specified pieces of information about the ARM program)

TRID Disclosures

The Loan Estimate (LE) and Closing Disclosure (CD) both require some additional disclosures for ARMs. The LE must be provided to an applicant no later than the third business day after their application is received by the lender, while the CD must be provided no later than three business days before consummation. (There are also situations permitting or requiring these disclosures to be revised, but that’s a subject for another time.)

The particular TRID (TILA-RESPA Integrated Disclosures) items impacted by a loan being an ARM are:

  • “Interest Rate” in the “Loan Terms” section – If the interest rate at consummation is not known, the rate disclosed must be the fully-indexed rate, which means the interest rate calculated using the index value and margin at the time of consummation. The lender also should disclose “Yes” for the question “Can this amount increase after closing?” In addition, disclose the frequency of interest rate adjustments, the date when the interest rate may first adjust, the maximum interest rate, and the first date when the interest rate can reach the maximum interest rate, followed by a reference to the Adjustable Interest Rate (AIR) Table (discussed below).
  • “Monthly Principal & Interest Payment” in the “Loan Terms” section – If the initial periodic payment is not known because it will be based on an interest rate at consummation that is not known at the time the LE must be provided, for example, if it is based on an external index that may fluctuate before consummation, this disclosure must be based on the fully-indexed rate disclosed above. The lender also should disclose “Yes” for the question “Can this amount increase after closing?” In addition, disclose the scheduled frequency of adjustments to the periodic principal and interest payment, the due date of the first adjusted principal and interest payment, the maximum possible periodic principal and interest payment, and the date when the periodic principal and interest payment may first equal the maximum principal and interest payment.
  • “Principal & Interest” payment in the “Projected Payments” section – The table of payments (principal and interest, mortgage insurance, etc.) will include more than one column due to the possible (projected) changes in the interest rate, up to a maximum of four columns. The maximum principal and interest payment amounts (in each column) are determined by assuming that the interest rate in effect throughout the loan term is the maximum possible interest rate, and the minimum amounts are determined by assuming that the interest rate in effect throughout the loan term is the minimum possible interest rate. If the ARM has a negative amortization feature, the maximum payment amounts must reflect this feature, as spelled out in Regulation Z.
  • “Adjustable Interest Rate (AIR) Table” – An ARM must disclose a separate table in the “Closing Cost Details” section on the LE and the “Additional Information About This Loan” section on the CD, under the heading “Adjustable Interest Rate (AIR) Table,” that contains specified information about the index and margin, increases in the interest rate, initial interest rate, minimum and maximum interest rate, frequency of adjustments, and limits on interest rate changes.
  • “Annual Percentage Rate (APR)” and “Total Interest Percentage (TIP)” in the “Comparisons” section on the LE and the Loan Calculations section on the CD – Calculation of both these values must account for variations in the interest rate permitted for the ARM.

Interest Rate/Payment Change Notices

The creditor, assignee, or servicer of an ARM secured by a borrower’s principal dwelling must provide consumers with written notices in connection with the adjustment of interest rates in accordance with the loan contract that results in a corresponding adjustment to the payment. These notices must be separate from any other disclosures or notices.

There are exemptions for the following: ARMs with a term of one year or less; first interest rate adjustment to an ARM if the first payment at the adjusted level is due within 210 days after consummation and the new interest rate disclosed at consummation was not an estimate; or when the lender/servicer is subject to the Fair Debt Collection Practices Act (FDCPA) for the loan and the customer has sent a notice to cease communications.

The content for these change notices is spelled out in detail in Regulation Z and the timing depends on whether the rate/payment change is the first one to occur for the ARM loan or a subsequent change.

  • The initial adjustment notice must be provided to consumers at least 210 days (but no more than 240 days) before the first payment at the adjusted level is due. If the first payment at the adjusted level is due within the first 210 days after consummation, the disclosures must be provided at consummation.
  • All subsequent adjustment notices generally must be provided to consumers at least 60 days (but no more than 120 days) before the first payment at the adjusted level is due. The disclosures must be provided to consumers at least 25 days (but no more than 120 days) before the first payment at the adjusted level is due for ARMs with uniformly scheduled interest rate adjustments occurring every 60 days or more frequently and for ARMs originated prior to January 10, 2015 in which the loan contract requires the adjusted interest rate and payment to be calculated based on the index figure available as of a date that is less than 45 days prior to the adjustment date.

Periodic Statements

If your bank has taken advantage of the “coupon book” exception from periodic statements for mortgage loans with fixed rates, you will have to begin producing periodic statements when you begin originating ARMs. Or, you will need to expand your statement output as more of the bank’s loan production shifts to ARMs from fixed-rate loans (if you still want to use the coupon books exception for your fixed-rate lending).

Conclusion

If your institution is like many community banks and has not been making ARMs for some time, you likely have some work to do to ramp ARM lending back up. Systems and disclosures need to be updated and/or activated. Disclosures need to be procured or prepared. Staff need to be trained, or at least given some refresher training. Good luck re-ARMing up.

Key Elements of Effective Credit Underwriting

By: Ollie Sutherin, Principal, Y&A Credit Services

The focus of this article is to provide an overview of what Y&A Credit Services, LLC views as key elements during the underwriting process. While there are many variables needed to effectively underwrite credits, below are the primary focal points of any quality credit presentation that we underwrite or review.

Cash is King
“Cash is king” is a saying that we use often as it translates to, “if you don’t have the cash to repay, you shouldn’t have the loan.” So often we are presented with transactions that aren’t the strongest, don’t show cash flow, and the underlying organization has no business being lent money. Lenders often try to form complex explanations regarding the guarantor’s wherewithal, global cash flow, etc., and they lose sight of the actual company, its financial condition, and its ability to service the debt on a stand-alone basis. Every analysis should begin with the subject company and its ability to service debt. If it is a real estate holding company and the note is secured by a specific property, what is the cash flow of that property? If the most recent tax return statement, compiled, audited, etc., does not evidence the ability to service debt, what is the trend of the company? What are they doing to improve from the previous year and what is the YTD revenue/expenses compared to the prior year?

Eventually, we take into consideration the guarantor’s wherewithal and how it impacts the cash flow; however, the primary focus should always be on the company itself (the primary repayment source). If a transaction is being presented where repayment is heavily reliant on the guarantor, then the following questions must be asked: What is their character like? Have all of the assets and liabilities been verified on their personal financial statement(s)? Are other contingent liabilities factored in as well? So often, mistakes are caught when analysts simply say, “John Doe has $1,000,000 in cash and is clearly able to service the subject note should it be needed” without doing the proper due diligence verifying the source of the cash.

Quality of Information
If the cash flow of the company is the backbone of the transaction, then the quality of information is the legs, providing the necessary base for everything. We are always looking at the reliability of this information as it minimizes the risks of inaccuracy and subsequently the risk of default. For example, if borrowers only give internal statements that are hastily prepared and communicate lease details in one or two sentences in an email, this poses a much greater risk than detailed property information in the actual tax return and actual signed lease agreements provided for review. Furthermore, as it pertains to C&I transactions, internally prepared statements rarely reconcile, which makes performing a UCA Cash Flow analysis much more difficult. Tax returns and audited or compiled statements always reconcile, providing an accurate analysis.

Collateral Values
As it relates to the property or equipment securing an obligation, an appraisal is always going to be the safest way to measure the value. Too often, internal evaluations or estimates are utilized to justify a request during underwriting. To meet regulatory standards, the collateral securing an obligation must support the amount being considered and obtaining the appraisal during the underwriting phase can potentially save a significant amount of work if the value is insufficient to support the debt. For existing credits that are being refinanced, another important aspect of collateral valuations includes site visits by the account officers. Having photos and notes from the site visit will provide added support to the collateral pledged for the transactions.

Stress Testing
Stress testing individual loans during underwriting is becoming increasingly necessary, especially in today’s rising rate environment. This was a regulatory focus back in the late 2010s as there was a rising interest rate environment. Variable rate notes, property values, vacancy rates and ultimately cash flow for debt service were adversely impacted. At the beginning of the pandemic in March 2020, rates dropped markedly and remained flat until just recently. To curb inflation, the Federal Reserve began increasing rates and the extent of the impact on variable rate loans has yet to be determined.

Stressing individual loans at origination provides the institution with a tool to better understand the impact of rate increases on cash flow, property values, and vacancy rates in different scenarios. The result is a more informed credit decision during the underwriting phase. Ultimately, these variables help determine the breakeven point of a business’s cash flow and provide great insight to the actual strength of the primary borrower.

Projections / Proformas
These are something that all lenders should request from a borrower/potential borrower to justify the strength of a transaction. However, often these projections will paint an excellent picture of the company and a stellar cash flow that is more than adequate to service the underlying transaction. The intent of requesting and analyzing projections is to compare them to historical results; in many instances, the projected cash flow is higher than historical results. This is typically due to the borrower understating expenses, which leads to overstated cash flow and debt service coverage. Given all of this, it is still important to obtain projections and to compare them to actual statements when available. Should they vary significantly, it will open the door to questions and force a deeper look into smaller details such as management of the company.

Y&A Credit Services, LLC
Over the past few years, a defined need has developed in the community financial institution industry. Specifically, it has been difficult for financial institutions to hire and retain quality credit professionals, especially in rural areas, to underwrite loans and perform other tasks necessary for adequate credit administration. This need has led Young & Associates, Inc. to create a wholly-owned subsidiary (Y&A Credit Services, LLC) to meet the needs of these organizations. Y&A Credit Services, LLC has the mission of filling the voids of clients who have limited or even no credit staff to perform these necessary tasks. If your organization has a need for credit services, please feel free to contact us at 330.422.3482. Our services include spreadsheet analyses, annual reviews, full credit underwriting and review of prepared presentations along with a full complement of other credit-related services through Young & Associates, Inc.

AML Validation & Review

The increasing sophistication of Anti-Money Laundering/Combating the Funding of Terrorism (AML/CFT) software and modeling techniques and the broader application of these models have played an undeniable role in the enhanced effectiveness of AML/CFT programs in financial institutions.

The regulatory agencies are utilizing more analytical and statistical specialists in BSA examinations. Additionally, recent BSA examinations demonstrate that the de facto threshold for regulatory scrutiny of AML models continues to decrease. All AML models must follow the guidance of OCC Bulletin 2011-12 and the subsequent Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (4/9/21), which outline the expectations for model risk management, especially the need for independent review and model validations.

Young & Associates can assist you with our AML Validation and Review.
Customized for your institution and as required by the regulators, our AML validation and review addresses:

  • Conceptual Soundness. We focus on the design, methodology, and construction of the model. This includes analysis and review of the model documentation, assumptions and limitations, data quality and completeness, and implementation.
  • Ongoing Monitoring. We make sure that the model is working efficiently and as intended to meet your institution’s business objectives, and ensure that it is tailored to the institution’s Risk Assessment (AML Program Management). This includes model tuning and calibration, which is driven by several Key Performance Indicators (KPIs).
  • Outcomes Analysis. We examine the model’s output, including alerts generated from transaction monitoring, along with the supporting information used for investigation. Above-the-line and below-the-line testing is conducted to ensure that alerts are accurate and complete. Monitoring rules and parameters are also assessed.

Young & Associates collaborates with many of the AML software providers throughout the validation and review to make the process as seamless to your institution as possible.

Trusted Guidance in BSA/AML Compliance
Young & Associates provides an unmatched depth of practical expertise. Our BSA compliance team includes former banking executives, compliance regulators, and tenured finance professionals who hold the CAMS (Certified Anti-Money Laundering Specialist) designation. We’re uniquely qualified to understand and solve your challenges, because we have personally experienced those same issues. For more information on how we can assist you with your AML validation and review, contact us at mgerbick@younginc.com or 330.422.3482.

The UDAAP Hammer Drops

By: William J. Showalter, CRCM, CRP, Senior Consultant

In our last issue, we discussed what UDAAP is and how to set up a program in your bank to avoid trouble in this important area. Our title admonished you, “Don’t Let UDAAP Spook You, Take Control.” If you have not yet taken control of UDAAP compliance, you may have been spooked by developments over the past 12 months or so. There have been three big UDAAP enforcement actions involving three financial service providers of all sizes during that time.

Background
Section 5 of the Federal Trade Commission (FTC) Act has been around for over 70 years and prohibits “unfair or deceptive acts or practices” (UDAP), the predecessor to UDAAP. Banking regulators have had the responsibility to enforce bank and thrift compliance with UDAP rules, while the FTC had the authority to interpret the statute and write any rules. The Federal Reserve Board (FRB) was given interpretive and rule-writing authority when this part of the FTC Act was amended in 1975 but continued largely to defer to the FTC.

Title X of the Dodd-Frank Act (DFA) codified UDAP law specifically for financial institutions, eliminated the FRB’s rule-writing authority, added an “abusive” standard, and moved rule-writing authority to the CFPB. The acronym became UDAAP – unfair, deceptive, or abusive acts or practices.

What are We Dealing With?
All these standards or characteristics are quite subjective. The elements of unfairness and deception have been established by statute, as well as interpretation over the years by the FTC in various enforcement actions and interpretive documents. The element of being abusive was established, in general terms, in statute by the DFA.

To be unfair, an act or practice must cause or be likely to cause substantial injury to consumers that the consumers cannot reasonably avoid or that is not outweighed by countervailing benefits. Substantial harm usually involves monetary harm, including a small monetary harm to each of a large number of consumers.

A three-part test is used to determine whether a representation, omission, act, or practice is deceptive. First, the representation, omission, act, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the deception must be reasonable under the circumstances. And, lastly, the misleading representation, omission, act, or practice must be material. “Material” means that it is likely to affect a consumer’s decision regarding a product or service.

An abusive act or practice materially interferes with the ability of the consumer to understand a term or condition of a consumer financial product or service. Such an act or practice also includes one that takes unreasonable advantage of: the consumer’s lack of understanding of material risks, costs, or conditions of a product or service; the consumer’s inability to protect his interests in selecting or using a financial product or service; or the consumer’s reasonable reliance on the “covered person” (including a banker) to act in the interests of the consumer.

Recent UDAAP Enforcement Actions
In about the year 2000, banks first saw significant enforcement of UDAP (now UDAAP) from the banking agencies when the Office of the Comptroller of the Currency (OCC) took the lead. The OCC concluded that it had authority to address a violation of the FTC Act even regarding a challenged practice that was not specifically prohibited by regulation.

The three bank-related UDAAP enforcement actions to which we referred above are:

  • The Consumer Financial Protection Bureau (CFPB) issued a Consent Order to Discover Bank (Greenwood, DE) and two subsidiaries ordering Discover to pay at least $10 million in consumer redress and a civil money penalty (CMP) of $25 million for violating a 2015 CFPB Order, the Electronic Fund Transfer Act, and the Consumer Financial Protection Act of 2010. The 2015 Order was based on the CFPB’s finding that Discover misstated the minimum amounts due on billing statements as well as tax information consumers needed to get federal income tax benefits. The agency also found that Discover engaged in illegal debt collection practices. The 2015 Order required Discover to refund $16 million to consumers, pay a penalty, and fix its unlawful servicing and collection practices.
    However, more recently the CFPB found that Discover violated the 2015 order’s requirements in several ways – misrepresenting minimum loan payments owed, amount of interest paid, and other material information. Discover also did not provide all the consumer redress the 2015 Order required. In addition, the CFPB found that Discover engaged in unfair acts and practices by withdrawing payments from more than 17,000 consumers’ accounts without valid authorization and by cancelling or not withdrawing payments for more than 14,000 consumers without notifying them. The agency also found that Discover engaged in deceptive acts and practices in violation of the CFPA by misrepresenting to more than 100,000 consumers the minimum payment owed and to more than 8,000 consumers the amount of interest paid. Some consumers ended up paying more than they owed, others became late or delinquent because they could not pay the overstated amount, while others may have filed inaccurate tax returns.
  • The Federal Deposit Insurance Corporation (FDIC) issued an order to Umpqua Bank (Roseburg, OR) that the bank pay a CMP of $1,800,000 following the FDIC’s determination that the bank engaged in violations of Section 5 of the Federal Trade Commission Act in the commercial finance and leasing products issued by its wholly owned subsidiary, Financial Pacific Leasing, Inc. According to the FDIC, these violations included engaging in deceptive and/or unfair practices related to certain collection fees and collection practices involving excessive or sequential calling, disclosure of debt information to nonborrowers, and failure to abide by requests to cease and desist continued collection calls.
  • The FDIC also issued an order to pay a CMP of $129,800 to Bank of England (England, AR). The bank consented to the order without admitting or denying the violations of law or regulation.
    The FDIC determined that the bank violated Section 5 of the Federal Trade Commission Act because bank loan officers located in the Bloomfield, MI loan production office (LPO) misrepresented to consumers that certain Veterans Administration (VA) refinance loan terms were available when they were not, and that the bank’s misrepresentations at the Bloomfield LPO regarding terms for VA refinancing loans were deceptive, in violation of Section 5.

How to Deal with These Issues
As we advised in our previous article, banks and thrifts should be proactive in addressing areas prone to UDAAP issues. You can anticipate potential problems by, in part, tracking enforcement actions as indicators of where regulators are looking for issues (and finding them).

The steps we spelled out to help in this proactive approach are:

  • Establish a positive compliance culture by positive words, actions, and attitudes from the top down.
  • Enforce compliance performance, which, coupled with overt support from the top, makes it clear to all that this is a crucial element in the success of the organization and any related individual rewards (bonuses, raises, promotions, etc.).
  • Involve compliance early in product design, marketing planning, and so forth.
  • Focus on vulnerable customers, including the young, less educated, immigrants, elderly, etc., within your community, paying particular attention to how your marketing, product recommendations, and disclosures are directed to such populations.

It is much easier – and less expensive – to plan and lay appropriate groundwork to avoid problems than it is to repair damages after inappropriate and illegal actions blow up. The reactive approach can cause the bank immeasurable reputation harm, which is much more costly than any monetary penalties, and much more difficult to recover from.
For more information on how the Young & Associates compliance team can assist with your UDAAP compliance, contact us at mgerbick@younginc.com or 330-422-3482.

Young & Associates Introduces Y&A Credit Services, LLC

We are proud to introduce a new line of business through an affiliated organization of Young & Associates, Inc.: Y&A Credit Services, LLC.

Y&A Credit Services is a full-service provider of outsourced underwriting and credit services and offers various commercial underwriting and credit services such as:

  • Commercial Credit Underwriting and Credit Approval Presentations
  • Annual Underwriting Reviews
  • Financial Statement Spreading and Analysis
  • Approval and Underwriting package reviews

“Y&A Credit Services understands the challenges that financial institutions nationwide face with locating and retaining skilled credit department staff who can efficiently produce trustworthy credit risk management results while supporting an increasing volume of workflow,” said Jerry Sutherin, President & CEO of Young & Associates. “We offer an effective solution to this dilemma by employing our experienced staff, technology, and proven processes to enhance your credit administration process, mitigate credit risk, and ensure continued profitable loan portfolio growth and performance.”

Completely independent from Young & Associates, Inc. and with a name you trust, Y&A Credit Services can help large and small financial institutions increase the quality, accuracy and speed of their lending while mitigating risks in a highly regulated industry. “We are an independent entity, but we offer the same exceptional service, expertise, and integrity you’ve learned to expect from Young & Associates,” says Ollie Sutherin, Principal of Y&A Credit Services.

Visit yacreditservices.com to learn more about the new company and explore the website. And if our services sound like a viable solution to your current challenges, contact Ollie Sutherin by email at osutherin@younginc.com or phone at (330) 422-3453. We would be happy to discuss how we can help your credit department and institution achieve its objectives.

The Purpose of Quality Control − Loan Origination Volume

Fannie Mae predicts $2.72 trillion in mortgage originations in 2021 and $2.47 trillion in 2022. They anticipate purchase volume to go from $1.53 trillion in 2020 to $1.6 trillion in 2021 and $1.64 trillion in 2022.

The U.S. mortgage industry earned an average profit of $4,202 per loan on its way to record volume and a record $4.4 trillion in new loans originated in 2020, according to the Mortgage Bankers Association — and the perfect storm of low interest rates and high home values has kept the gold rush going in 2021. In other words, high volumes of mortgage loans are a big profit for banks, credit unions, etc.

Contrary to popular thought, most of the time when a bank originates a mortgage loan, it is sold on what is called the “secondary market” to provide the banks with instant profits/liquidity (cash). This is done simply because smaller banks/credit unions, which are the main players in the secondary market, incur costs associated with servicing or managing the loans on their books. This is where Fannie Mae, Freddie Mac, Mortgage Partnership Finance, and many other companies come into play.

Fannie and Freddie purchase home loans made by private firms, banks, and credit unions (provided the loans meet strict size, credit, and underwriting standards), package those loans into mortgage-backed securities, and guarantee the timely payment of principal and interest on those securities to outside investors. Fannie and Freddie also hold some home loans and mortgage securities in their own investment portfolios.

How Can Young & Associates Assist?
Loans eligible for purchase by Fannie Mae and Freddie Mac must adhere to strict size, credit, and underwriting standards. Fannie Mae and Freddie Mac require that all loans meet these standards and then require a certain randomized sample to undergo a “Quality Control” review – which is what Young & Associates does.

We have been an industry leader and provider of QC services for over 44 years and provide mortgage quality control services to meet government-sponsored enterprise and agency requirements. As a high-level definition, our QC consultants review a 10% sample of all loans originated in a period for a client (month/quarter) and confirm that it adheres to Fannie Mae and Freddie Mac guidelines.

There are also other investors and Guarantors (two different terms), such as the Federal Department of Housing and Urban Development (HUD). HUD consists of FHA and VA loans. While Fannie Mae and Freddie Mac require the reviews to be done within 90 days of the prior period-end, HUD requires the reviews to be done in 60 days.

Superior Results at a Lower Cost
Maintaining the mortgage QC function in-house can be difficult given the time, staffing, and expertise required. Control the risks of noncompliance and reduce your costs by outsourcing your quality control to Young & Associates.

Our mortgage QC services include:

  • Quality Control Plan Development
  • Quality Control Reviews − approved, denied, and defaulted file reviews
  • FHA Branch Audits
  • Early Payment Default Review
  • FHA/VA Denied Loan Review
  • Pre-closing QC Reviews
  • Reverse Audits

Organizations with a commitment to quality control recognize that quality begins before an application is taken and continues throughout the entire mortgage origination process.

Young & Associates is committed to your organization’s future success and we look forward to assisting you to ensure or enhance that success. Please visit our website, www.younginc.com, to learn more about us or contact Dave Reno at 330.442.3455 or dreno@younginc.com.

Don’t Let UDAAP Spook You, Take Control

The Consumer Financial Protection Bureau (CFPB) celebrated Halloween in 2012 by releasing its updated Supervision and Examination Manual (version 2.0). The manual includes updated examination procedures for assessing compliance with Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) rules. The updated examination procedures give bankers a guide for what their examiners will be looking for in terms of UDAAP compliance, including the then-new “abusive” standard.

Background
Section 5 of the Federal Trade Commission (FTC) Act has been around for over 70 years and prohibits “unfair or deceptive acts or practices” (UDAP), the predecessor to UDAAP. Banking regulators have had the responsibility to enforce bank and thrift compliance with UDAP rules, while the FTC had the authority to interpret the statute and write any rules. The Federal Reserve Board (FRB) was given interpretive and rule-writing authority when this part of the FTC Act was amended in 1975 but continued largely to defer to the FTC.

It was not until the year 2000 that banks saw significant enforcement of UDAP from the banking agencies when the Office of the Comptroller of the Currency (OCC) took the lead. The OCC concluded that it had authority to address a violation of the FTC Act even regarding a challenged practice that was not specifically prohibited by regulation.

Then, Title X of the Dodd-Frank Act (DFA) codified UDAP law specifically for financial institutions, eliminated the FRB’s rule-writing authority, added the “abusive” standard, and moved rule-writing authority to the CFPB.

What is UDAAP?
All of these standards or characteristics are quite subjective. The elements of unfairness and deception have been established by statute, as well as interpretation over the years by the FTC in various enforcement actions and interpretive documents. The element of being abusive was established, in general terms, in statute by the DFA.

In brief, these standards are:

  • Unfair. To be unfair, an act or practice must cause or be likely to cause substantial injury to consumers, harm that the consumers cannot reasonably avoid or that is not outweighed by countervailing benefits. Substantial harm usually involves monetary harm, including a small monetary harm to each of a large number of consumers.
  • Deceptive. A three-part test is used to determine whether a representation, omission, act, or practice is deceptive. First, the representation, omission, act, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the representation, omission, act, or practice must be reasonable under the circumstances. And lastly, the misleading representation, omission, act, or practice must be material. “Material” means that it is likely to affect a consumer’s decision regarding a product or service.
  • Abusive. An abusive act or practice materially interferes with the ability of the consumer to understand a term or condition of a consumer financial product or service. Such an act or practice also includes one that takes unreasonable advantage of: the consumer’s lack of understanding of material risks, costs, or conditions of a product or service; the consumer’s inability to protect his interests in selecting or using a financial product or service; or the consumer’s reasonable reliance on the banker (or other “covered person”) to act in the interests of the consumer.

How to Handle UDAAP
Banks and thrifts need to make sure their consumer compliance programs are proactive in addressing areas prone to UDAAP issues. Anticipate potential problems; do not wait for problems to arise because by then it may be too late to prevent serious consequences.

A few steps that can help establish a proactive compliance regime are:

  • Establish a positive compliance culture. Senior management and the board need to make it clear that compliance is a fundamental element of the institution’s business – both compliance with the technical requirements (disclosures, computations, etc.) and, at least equally important, with the underlying spirit or fundamental principles of the consumer protection laws.
  • Enforce compliance performance. To succeed, the bank needs to make compliance important to its officers and staff – by not only ensuring overt support from the top, but also by making it an integral part of how employees’ performance is measured and rewarded (or not). For example, an officer with high loan production with high compliance error rates or fairness issues, should not be rewarded for one (production) without being penalized for the other (compliance failures).
  • Involve compliance early. Compliance cannot be an exercise in looking for violations and other problems after the fact. To be truly effective and efficient, compliance must be integrated into the business processes – involved in product design, marketing planning, etc., at the ground level.
  • Focus on vulnerable customers. An important way to avoid UDAAP problems is to pay particular attention to those customers, or potential customers, who might be more vulnerable to unfair, deceptive, or abusive acts or practices. Examples of such potentially vulnerable populations might include the young, less educated, immigrants, elderly, and so forth. The bank should be particularly sensitive to how it couches its marketing, product recommendations, disclosures, etc., to such populations.

Such a positive, proactive compliance regime can help the bank prevent most UDAAP (and other compliance) problems before they even arise. This approach is much more cost-efficient than running what a compliance officer I knew years ago called a “fix-it shop,” having to try to fix compliance problems after they have occurred. Years ago, such an approach was not desirable, but might have been survivable. However, today, it could prove disastrous – especially with the rise of UDAAP.

For more information on this article or how Young & Associates can assist your organization with UDAAP compliance, contact Dave Reno at 330.422.3455 or dreno@younginc.com.

The Value of Internal Audit Through a Fresh Set of Eyes

There is risk in every aspect of the banking industry, and the regulatory environment seems to continually change. As to the governance and control functions of the industry, it may be refreshing to the board of directors, audit committee, and executive management to have their internal audit function re-assessed and validated through a fresh set of eyes to assure that the controls in place are functioning as intended.

A strong internal control system, including an independent and effective internal audit function, is part of sound corporate governance. The board of directors, audit committee, senior management, and supervisors must be satisfied with the effectiveness of the internal audit function, that policies and practices are followed, and that management takes appropriate and timely corrective action in response to internal control weaknesses identified by internal auditors. An internal audit function provides vital assurance to a board of directors (who ultimately remains responsible for the internal audit function, whether in-house or outsourced) as to the quality of the internal control system. In doing so, the function helps reduce the risk of loss, regulatory criticism, and reputational damage to the organization.

All internal auditors (whether in-house or outsourced) must have integrity and professional competence, including the knowledge and experience of each internal auditor and of team members collectively. This is essential to the effectiveness of the internal audit function. We encourage internal auditors to comply with and to contribute to the development of national professional standards, such as those issued by the Institute of Internal Auditors, and to promote due consideration of prudent issues in the development of internal audit standards and practices.

Every activity of the organization (including outsourced activities) should fall within the scope of the internal audit function. The scope of the internal audit function’s activities should ensure adequate coverage of matters of regulatory interest within the audit plan. Regular communication by the audit committee, management, and affected personnel is crucial to identify weaknesses and the associated risks and to assure that timely remedial actions are taken.

Young & Associates can independently assess the effectiveness and efficiency of the organization’s internal control, risk management, and governance systems and processes to provide assurance that the internal control structure in place operates according to sound principles and standards. For more information on how we might provide internal audit services specific to your organization’s needs, whether it is outsourced or co-sourced, please contact Dave Reno at 330.422.3455 or email to dreno@younginc.com.

Focus on Affirmative Action, Equity, Diversity, and Inclusion (ED&I)

By: Gina Sherock, Senior Consultant, and Rachel Disko, SHRM-CP, Senior HR Business Partner

Over the past several years, there has been an increased and sustained focus on workplace diversity. If this has not been something focal to business strategy in the past, leaders are wondering where they should start and why. The answer to this depends on several factors, but the evidence is becoming impossible to ignore − an intentional workplace diversity effort is critical.

Banks and financial institutions covered by FDIC insurance are considered government contractors and therefore must develop a formal Affirmative Action Plan (AAP) to ensure equal employment opportunity for race, gender, disability, and protected veteran status if they have at least 50 employees. These requirements are enforced by the Office of Federal Contract Compliance Programs (OFCCP) to comply with Executive Order 11246 (covers race and gender); Section 503 of the Rehabilitation Act of 1973 (covers individuals with disabilities); and the Vietnam Era Veterans’ Readjustment Assistance Act of 1974, aka VEVRAA (covers protected veterans).

For those organizations that must do so to remain in compliance, the case for developing a formal AAP is clear. However, even for organizations not required to do so, there is a strong business case for ensuring equal opportunity and embracing diversity and inclusion.

Relevant Laws and Risk Management
Having a workforce that lacks diversity could increase risk from a legal standpoint. Discriminating against a job applicant or an employee because of the person’s race, color, religion, sex (including pregnancy, transgender status, and sexual orientation), national origin, age (40 or older), disability, or genetic information is illegal. Even if discrimination was not intended toward an applicant or employee, poor optics can lead to a complaint being filed with the Equal Employment Opportunity Commission (EEOC) and a potential lawsuit. If that happens, an organization risks a loss of productivity, incurring legal fees (including compensatory damages), and its reputation as an employer. Without strong documentation as evidence that discrimination did not actually occur, intentions are left open to interpretation and the organization could be at a disadvantage.

Lack of workforce exposure to a diverse population can also inadvertently lead to implicit bias among employees, leaders, and other decision makers. Implicit bias occurs when a person holds an unconscious prejudice, attitude, or opinion about others. This type of thinking increases the risk of a discrimination lawsuit, even if harm was not intended.

Benefits of ED&I
Many of us know there should be diversity and inclusion in the workplace, but not necessarily the benefits associated with a focus on diversity. Here are some reasons why equity, diversity, and inclusion are beneficial to not only businesses but also their employees.

Businesses with more diversity generally thrive when compared to companies that are less diverse. Employees from different demographic groups have different talents, experiences, and skill sets, and can therefore help companies increase creativity and innovation. Increasing the diversity of leadership teams can help improve financial performance. According to a Boston Consulting Group study, “companies with above-average diversity on their leadership teams receive a greater payoff from innovation and higher EBIT (Earnings Before Interest and Taxes) margins.” Additionally, diversity helps to attract and retain talent for the organization by promoting that you are an organization that prioritizes ED&I in the workplace. A study from Washington State University states, “by 2025, 75% of the workforce will be millennials, 32% of millennials and Gen Z believe businesses should try to improve their diversity.” Finally, workplace diversity boosts a company’s reputation, brand, and overall morale. This helps the organization to increase employee engagement and ensures a well-rounded culture.

The benefits of diversity do not stop at the employer level. Employees are proven to benefit from a diverse workforce as well. Workplace diversity can lead to better decision-making. According to Washington State University, “a study that analyzed 600 business decisions made by 200 teams found that the decision making of diverse teams outperforms individual decision-making up to 87% of the time.” Along with better decision making, diversity is proven to lead to faster problem-solving. A study published by the Harvard Business Review found that higher comprehensible diversity correlates with better performance. Additionally, diversity in the workplace may increase employee engagement and help employees to feel more included.

Whether through a formal Affirmative Action Plan or other ED&I initiatives, employers are seeing the benefits both in meeting compliance obligations and increasing the overall bottom line with a more diverse workforce. We are seeing more businesses become aware of ED&I in the workplace because candidates wonder how they will fit into an organization, if they will be given equal opportunity, and if they will feel included and welcomed.

While developing an Affirmative Action Plan or ED&I initiative may be difficult to navigate, Young & Associates is here to help. We offer a wide range of HR services for banks and financial institutions to take the guesswork away. For more information on this article or how Young & Associates can assist with your HR efforts, contact Dave Reno at 330.422.3455 or dreno@younginc.com.
