Tag: lending regulations

Dealing with Pandemic Disruption

By: Bill Elliot, CRCM, Director of Compliance Education, and William J. Showalter, CRCM, CRP, Senior Consultant, Young & Associates, Inc., Kent, Ohio

For years banks have had pandemic policies, and have done some level of testing, but never really thought the day would come when it would represent more than another examiner-required policy. Then came COVID-19, and in a matter of days, our world changed.

Managing Bank Policies and Procedures
When we teach in live seminars, we always ask, “How many of you believe that your policies are up to date?” That always gets some hands, but not 100 percent of attendees. Then we ask, “How many of you believe that your procedures are up to date?” Seldom does anyone raise their hand. These two situations are revealing.

Keeping policies current is the easier of the two. But many banks rubber stamp policies that could be much more effective. If it is a Regulation B policy, it usually follows the regulation and indicates that the bank intends to comply. But other policies, notably operations and loan policies, need to do more than restate a regulation – they need to be a document that can be read and used. And, a pandemic policy needs to cover a wide range of subjects and issues.

Given the current situation, it might be time to review these types of policies and add significant language as to how you will address situations such as we have now – lobbies closed or restricted, limited staff, staff working from home, and the same job to be completed. At a minimum, these policies should address:

  • How jobs are done in an off-site world
  • How electronic solutions are to be used
  • Safeguards that must be used to protect customer data
  • What types of paper documents can be used “at home” by staff working off site
  • Proper disposal and the safekeeping of any documents that are off site, and
  • Other protections, such as how the computers being used at home are protected from intrusion

With a little brainstorming, we are sure that you can add to this list.

Procedures are more difficult to maintain. A consultant from our company was recently in a bank and was examining procedures. Most of the procedures could be summed up as “Bill takes care of that.” As long as Bill is there, things probably work well. But if Bill is out sick, on vacation, or no longer there, how does someone accomplish the task?

Procedures are always changing. It is far too easy to tell the three people that need to know about the change and then make a mental note to “update the procedures someday.” That elusive “someday” often never materializes. We believe that each bank should have a formal procedures review at least annually, and for some areas, maybe more often. For many banks, the inadequate procedure manuals that they have will not offer sufficient information for anyone to complete a task correctly.

Many banks have switched to imaging all files. The banks that have made that decision generally are in a little better shape for off-site work, as it is easier to send employees home and still get the work done in a timely manner. If your bank has not made the transition to electronic files, this may be your cue to consider the advantages of this technology.

As the world becomes more electronic, and the cost of maintaining offices and buildings continues to increase, this may also be a time to reconsider the locations from which employees work. This may be especially critical if your brick and mortar buildings are getting close to capacity. Many tasks, with the right equipment and software, can easily be done from home, saving wear and tear on your building, perhaps reducing occupancy costs, and maybe, as a side benefit, resulting in happier and more productive employees.

Regulators and COVID-19 Loan Modifications
On March 22, 2020, all of the prudential banking regulators, along with other agencies, released the Interagency Statement on Loan Modifications and Reporting for Financial Institutions Working with Customers Affected by the Coronavirus. The full text can be found on many websites; the Federal Deposit Insurance Corporation (FDIC) has it at:

https://www.fdic.gov/news/news/press/2020/pr20038a.pdf

The document states, “The agencies understand that this unique and evolving situation could pose temporary business disruptions and challenges that affect banks…businesses, borrowers, and the economy. The agencies encourage financial institutions to work prudently with borrowers who are or may be unable to meet their contractual payment obligations because of the effects of COVID-19. The agencies view loan modification programs as positive actions that can mitigate adverse effects on borrowers due to COVID-19. The agencies will not criticize institutions for working with borrowers and will not direct supervised institutions to automatically categorize all COVID-19 related loan modifications as troubled debt restructurings (TDRs).”

The agencies also offered comments on the issue of TDRs. They state that, “Modifications of loan terms do not automatically result in TDRs…The agencies have confirmed with staff of the Financial Accounting Standards Board (FASB) that short-term modifications made on a good faith basis in response to COVID-19 to borrowers who were current prior to any relief, are not TDRs. This includes short-term (e.g., six months) modifications such as payment deferrals, fee waivers, extensions of repayment terms, or other delays in payment that are insignificant. Borrowers considered current are those that are less than 30 days past due on their contractual payments at the time a modification program is implemented.”

Many banks have in place or are considering modifications to meet the needs of their customer base. It would appear that the regulators are going to react positively, provided the actions of the bank are reasonable and logical. The pronouncement states, “The agencies’ examiners will exercise judgment in reviewing loan modifications, including TDRs, and will not automatically adversely risk rate credits that are affected by COVID-19, including those considered TDRs. Regardless of whether modifications result in loans that are considered TDRs or are adversely classified, agency examiners will not criticize prudent efforts to modify the terms on existing loans to affected customers.”

The pronouncement also discusses Past Due Reporting, Nonaccrual Status and Charge-offs, and Discount Window Eligibility. You should consult the Interagency Statement for details.

When implementing your program to deal with this crisis, compliance cannot be ignored. Regulations that need to be considered include:

  • Regulation B (Equal Credit Opportunity Act) – This applies to both consumer and commercial loans.
  • Flood insurance regulations – If you extend maturity dates, a new determination may be required. This also applies to both consumer and commercial loans.
  • Regulation O (Loans to Insiders) – If anyone who is an “insider” is requesting payment or other forms of relief.
  • Regulation X (Real Estate Settlement Procedures Act) – You need to consider the impact of non-payment into required escrow accounts.

CRA Credit Possible
The Community Reinvestment Act (CRA), in part, requires banks to help meet the credit needs of their communities. Keeping good records of exactly what you did during this crisis gives you something concrete to share with your CRA examiners at your next CRA examination. While it may not directly affect the examination, remember that your CRA rating is at least partly based on the examiners’ opinion of your bank.

The FDIC, Federal Reserve Board (FRB), and Office of the Comptroller of the Currency (OCC) issued a Joint Statement on March 19 stating that the agencies will favorably consider retail banking services and retail lending activities in a financial institution’s assessment area(s) that are responsive to the needs of low- and moderate-income (LMI) individuals, small businesses, and small farms affected by COVID-19 and that are consistent with safe and sound banking practices. The agencies emphasize that prudent efforts to modify the terms on new or existing loans for affected LMI customers, small businesses, and small farms will receive CRA consideration and not be subject to examiner criticism.

Impact of Accommodating Distressed Customers
There will be long-term consequences for any decision you make to alter a contract. For instance, if you allow a customer to skip a payment completely and do not change the maturity date, you will have a balloon at maturity. And since interest continues to accrue for that extra month(s), the principal/interest calculation will likely not be quite correct. So even if you do extend a maturity date, you may have a balloon simply because of the principal and interest calculation.

Having that discussion with your customer now seems preferable to fighting about it in a few years. The only real solution to assure that the loan amortizes correctly is to do the analysis to determine what payment amount will be required to avoid a balloon. And even then, things may still go awry at maturity.
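The balloon problem described above, worked through as an added example (this is illustration code, not the authors’ own analysis). It assumes a simple level-payment loan with monthly compounding, and the loan terms ($10,000 at 6% APR for 36 months, payment 13 skipped) are constructed for illustration:

```python
"""Added example: show the balloon left by a skipped payment, and the
re-amortized payment that avoids it. Loan terms are constructed; a plain
level-payment loan with monthly compounding is assumed."""


def level_payment(principal: float, annual_rate: float, n_payments: int) -> float:
    """Standard amortizing payment: P*r / (1 - (1+r)^-n), r = monthly rate."""
    r = annual_rate / 12
    return principal * r / (1 - (1 + r) ** -n_payments)


def run_schedule(principal: float, annual_rate: float, payments: list) -> float:
    """Accrue one month of interest, then apply that month's payment, for each
    entry in `payments`. Returns the balance left after the last payment:
    ~0 for a loan that amortizes fully, positive = balloon still owed."""
    r = annual_rate / 12
    balance = principal
    for p in payments:
        balance = balance * (1 + r) - p
    return balance


def balloon_after_skip(principal: float, annual_rate: float, n_payments: int,
                       skip_month: int, extend_months: int = 0) -> float:
    """Borrower skips `skip_month` entirely (interest still accrues), then
    resumes the ORIGINAL payment. With extend_months > 0 the maturity is pushed
    out that many months, still at the original payment. Returns the balloon
    remaining at the (possibly extended) maturity."""
    pmt = level_payment(principal, annual_rate, n_payments)
    payments = [pmt] * (n_payments + extend_months)
    payments[skip_month - 1] = 0.0  # the skipped month: no payment at all
    return run_schedule(principal, annual_rate, payments)


def reamortized_payment(principal: float, annual_rate: float, n_payments: int,
                        skip_month: int, extend_months: int = 0) -> float:
    """The analysis the article calls for: the payment needed after the
    skipped month so the loan amortizes to zero by maturity (original or
    extended), with no balloon."""
    pmt = level_payment(principal, annual_rate, n_payments)
    # Balance right after the skipped month (interest accrued, nothing paid).
    balance = run_schedule(principal, annual_rate, [pmt] * (skip_month - 1) + [0.0])
    remaining = n_payments - skip_month + extend_months
    return level_payment(balance, annual_rate, remaining)


def schedule_with_reamortization(principal: float, annual_rate: float, n_payments: int,
                                 skip_month: int, extend_months: int = 0) -> list:
    """Full payment list: original payments, the skipped month, then the
    re-amortized payment for every remaining month."""
    pmt = level_payment(principal, annual_rate, n_payments)
    new_pmt = reamortized_payment(principal, annual_rate, n_payments, skip_month, extend_months)
    remaining = n_payments - skip_month + extend_months
    return [pmt] * (skip_month - 1) + [0.0] + [new_pmt] * remaining


if __name__ == "__main__":
    P, APR, N, SKIP = 10_000.0, 0.06, 36, 13  # constructed loan terms
    pmt = level_payment(P, APR, N)
    print(f"original payment:            {pmt:10.2f}")
    print(f"balloon, maturity unchanged: {balloon_after_skip(P, APR, N, SKIP):10.2f}")
    print(f"balloon, maturity +1 month:  {balloon_after_skip(P, APR, N, SKIP, 1):10.2f}")
    print(f"re-amortized payment (same maturity): "
          f"{reamortized_payment(P, APR, N, SKIP):10.2f}")
    print(f"re-amortized payment (+1 month):      "
          f"{reamortized_payment(P, APR, N, SKIP, 1):10.2f}")
    print(f"balance after re-amortized schedule:  "
          f"{run_schedule(P, APR, schedule_with_reamortization(P, APR, N, SKIP)):10.6f}")
```

Extending maturity by one month at the original payment still leaves a small balloon, because the skipped month’s interest compounded for the rest of the term; only the recomputed payment brings the balance to zero.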

Future Developments
As with many things today, this whole issue continues to evolve. The agencies had planned to present a webinar on this interagency statement on March 27, but have postponed it as of this writing. Keep on the lookout for further word from the agencies on when this will be available.

There is also a Frequently Asked Questions (FAQ) document available at https://www.fdic.gov/coronavirus/faq-fi.pdf, to provide some clarification regarding the interagency statement.

Conclusion
We hope that this article helps you to address these issues. We encourage you to consider what your situation will be post-crisis, as it will likely have lasting impacts on your bank. Try to assure that the lasting impacts are positive, as we all learn from the experience how to handle future disruptions (should they occur) with even more professionalism.

Agencies Amend Real Estate Appraisal Regulations (September 27, 2019)

By: Kyle Curtis, Director of Lending Services

The OCC, Board, and FDIC adopted a final rule to amend the regulations requiring appraisals of real estate for residential real estate transactions. The rule increases the threshold level at or below which appraisals are not required for residential real estate transactions from $250,000 to $400,000.

The rule defines a residential real estate transaction as a real estate-related financial transaction that is secured by a single 1-to-4 family residential property. For residential real estate transactions exempted from the appraisal requirement as a result of the revised threshold, regulated institutions must obtain an evaluation of the real property collateral that is consistent with safe and sound banking practices.

The requirements for an evaluation are set forth in the 2010 Appraisal Guidelines, and are more extensive than what many smaller institutions do for evaluations. Readers may wish to review the requirements in that document and determine whether changes need to be made regarding your evaluation practices.

The rule also amends the agencies’ appraisal regulations to require regulated institutions to subject appraisals for federally related transactions to appropriate review for compliance with the Uniform Standards of Professional Appraisal Practice.

Effective Dates
The provisions of much of this final rule will be effective by the time you read this; however, the evaluation requirement for transactions exempted by the rural residential appraisal exemption and the requirement to review appraisals for compliance with the Uniform Standards of Professional Appraisal Practice are effective on January 1, 2020.

Incorporation of the Rural Residential Appraisal Exemption
Congress amended Title XI to add a rural residential appraisal exemption. Under this exemption, a financial institution need not obtain a Title XI appraisal if the property is located in a rural area; the transaction value is less than $400,000; the financial institution retains the loan in portfolio, subject to exceptions; and not later than three days after the Closing Disclosure Form is given to the consumer, the financial institution or its agent has contacted not fewer than three state-certified or state-licensed appraisers, as applicable, and has documented that no such appraiser was available within five business days beyond customary and reasonable fee and timeliness standards for comparable appraisal assignments.

Given that the general threshold has been raised to $400,000, these requirements are essentially moot.

Addition of the Appraisal Review Requirement
The Dodd-Frank Act amended Title XI to require that the agencies’ appraisal regulations include a requirement that Title XI appraisals be subject to appropriate review for compliance with USPAP.

Appraisal review is consistent with safe and sound banking practices, and should be employed as part of the credit approval process to ensure that appraisals comply with USPAP, the appraisal regulations, and a financial institution’s internal policies. Appraisal reviews help ensure that an appraisal contains sufficient information and analysis to support the decision to engage in the transaction. We recently had a discussion with a banker who did not review an appraisal. When they “got around to it” they discovered that the appraisal was “not even close,” and ordered a new appraisal. Based on the new appraisal, their LTV was over 130%.

Many financial institutions may already have review processes in place for these purposes. Evaluations need not comply with USPAP. While financial institutions should continue to conduct safety and soundness reviews of evaluations to ensure that an evaluation contains sufficient information and analysis to support the decision to engage in the transaction, the USPAP review requirement in Title XI does not apply to such a review.

The agencies decided to implement the requirement that financial institutions review appraisals for federally related transactions for compliance with USPAP. The agencies encourage regulated institutions to review their existing appraisal review policies and incorporate additional procedures for subjecting appraisals for federally related transactions to appropriate review for compliance with USPAP, as needed.

Conclusion
Readers who wish to read the entire 80-page document as prepared by the regulators can find it at:
https://www.fdic.gov/news/board/2019/2019-08-20-notice-sum-b-fr.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery

Young & Associates, Inc. can offer assistance with appraisal review, and any other compliance topics. Please feel free to contact me for information regarding these services at kcurtis@younginc.com or (330) 422.3445.

Avoid Getting Swept Away in the Flood of Enforcement Actions

By: William J. Showalter, CRCM, CRP, Senior Consultant

We seem to be in a bit of a lull in flood insurance rule enforcement by the financial institution regulators. There were only 15 enforcement actions with civil money penalties (CMP) totaling $523,961 in 2018. So far this year, we have had only two such enforcement actions, with total CMPs of $10,550. But, we probably should not expect this trend to continue, especially with all the flooding events we have seen recently, including our unfortunate neighbors along the Missouri River. These events tend to get the attention of Congress and the supervisory agencies.

Keep in mind that enforcement of many rules, including those involving flood insurance, seems to run in cycles. After another apparent lull in flood insurance enforcement actions a couple of years ago, the Federal Reserve Board (FRB) issued an Order for a Civil Money Penalty in late May 2017 against SunTrust Bank for $1,501,000 to enforce requirements of the regulations implementing the National Flood Insurance Act. This is thought to be the largest CMP for flood insurance shortcomings. Coupled with 11 other much smaller enforcement actions by the FRB, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), the total civil money penalties assessed for flood insurance rule violations by mid-year 2017 totaled nearly $1.8 million – and by the end of that year, we had seen 29 enforcement actions with a total of nearly $2.8 million in CMPs.

Background
The original National Flood Insurance Act was passed in 1968, and established the National Flood Insurance Program (NFIP). The Flood Disaster Protection Act of 1974 (FDPA) was enacted to strengthen the NFIP by involving lending institutions in the insurance process.

The NFIP was developed as a way to reduce federal expenditures related to disasters caused by flooding. The program consists of floodplain management plans that affected communities must implement and a flood insurance program to protect properties in flood hazard areas. The intent of the NFIP is to reduce federal outlays for disaster assistance by making those who choose to develop properties in flood-prone areas bear some cost to protect against the flood risks involved, rather than allowing them to rely solely on federal aid.

Part of the NFIP is a system of requirements and restrictions on federal assistance of all kinds to flood-prone areas. This assistance ranges from direct federal lending to loan guarantees, to insurance for deposit accounts. The latter is the connection for many mortgage lenders with the NFIP.

The National Flood Insurance Reform Act of 1994 (NFIRA) comprehensively revised the two federal flood statutes – the NFIA and FDPA – and required federal supervisory agencies to revise their flood insurance regulations. The objective of the changes was to increase compliance with flood insurance requirements and participation in the NFIP, and to decrease the financial burden on the federal government, taxpayers, and flood victims.

The NFIRA authorizes the regulators to impose civil money penalties when a pattern or practice of violations under the NFIA is found. The act requires that civil money penalties of up to $350 per violation be imposed in such cases. The civil money penalty cap was increased significantly by the Biggert-Waters Flood Insurance Reform Act of 2012, enacted July 6, 2012. The former $350 per violation maximum was raised to $2,000 per violation. Lenders should remember that there can be multiple violations for each covered loan.

Consent Orders
The regulators charged that the financial institutions targeted by the 15 enforcement actions last year were engaged in patterns or practices of violations of various provisions of the flood insurance regulations. Most of the orders give us at least some picture of the violations found by regulatory personnel. These violations of flood insurance rules include failures to:

  • Provide notice about availability of and requirement for flood insurance
  • Provide timely notice about availability of and requirement for flood insurance
  • Require flood insurance coverage
  • Require adequate flood insurance coverage
  • Maintain flood insurance (allowing it to lapse)
  • Escrow premiums (when other property costs are escrowed)
  • Comply with force placement requirements
  • Provide notice regarding lapse and force-placed coverage
  • Provide timely notice regarding lapse and force-placed coverage
  • Obtain force-placed coverage

Avoiding Problems
What can you do to keep your bank or thrift off the ever-growing list of financial institutions being hit with flood insurance enforcement actions? One important way is to establish an effective flood insurance compliance program and make sure that lending staff follows it. Hold them accountable for failures.

At a minimum, your flood insurance compliance program should:

  • Ensure that there is an effective process in place for determining the flood hazard status for improved real property or mobile homes securing any loans, both consumer and commercial, whether the process be one of in-house readings of up-to-date flood maps or outsourced determinations by a professional firm that guarantees its results.
  • Ensure that your institution has performed appropriate due diligence in selecting its flood hazard determination vendor and monitors its performance, and that the vendor guarantees its results and uses the current Special Flood Hazard Determination Forms (SFHDF) to document its determinations.
  • Order or perform flood determinations early in the loan process. This can be done soon after the lender decides to approve the loan.
  • Ensure that loan files contain complete and current SFHDF and acknowledged customer flood notices, where applicable.
  • Ensure that collateral properties are insured in the proper amount before loan closing, including appropriate coverage for any senior mortgagees.
  • Remain current on flood map and hazard determination changes, and stay insured throughout the life of the loan.
  • Ensure that coverage is maintained for subsequent financings (increase, extension, renewal, refinancing) of the subject properties.
  • Train all affected staff in their responsibilities under the bank’s flood insurance compliance program, assign appropriate accountability, and enforce staff responsibilities.

This last point is especially important. Training is the foundation for implementing and maintaining a strong flood program. Ensure that all appropriate staff is trained in the requirements of the flood insurance laws and rules that impact their jobs and provide them with refreshers periodically.

Establishing and maintaining a strong flood insurance compliance program can help your bank or thrift stay afloat during any flood of enforcement actions. For more information on this article and/or how Young & Associates, Inc. can assist you in this area, contact Bill Showalter at 330.678.0524 or wshowalter@younginc.com.

New Prepaid Rule

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance

On October 5, 2016, the CFPB issued a final rule amending Regulations E and Z to create comprehensive consumer protections for prepaid financial products. The result of this rule is that many of you may not continue to offer these accounts, and those of you who do not currently offer the accounts may not want to start. The purpose of this article is not to talk you into or out of these products, but to give you the basic facts so that you can make the best decision for your institution.

The Prepaid Rule runs 1,501 pages, so we can only do an overview in this article. You may also want to look at the following: http://www.consumerfinance.gov/policy-compliance/guidance/implementation-guidance/prepaid

Another site worth your time might be: http://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/prepaid-accounts-under-electronic-fund-transfer-act-regulation-e-and-truth-lending-act-regulation-z/

Prepaid Accounts
The Prepaid Rule adds the term “prepaid account” to the definition of “account” in Regulation E. Payroll card accounts and government benefit accounts are prepaid accounts under the Prepaid Rule’s definition. Additionally, a prepaid account includes a product that is either of the following, unless a specific exclusion in the Prepaid Rule applies:

  1. An account that is marketed or labeled as “prepaid” and is redeemable upon presentation at multiple, unaffiliated merchants for goods and services or usable at automated teller machines (ATMs); or
  2. An account that meets all of the following:
    1. Is issued on a prepaid basis in a specified amount or is capable of being loaded with funds after issuance
    2. Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, to conduct transactions at ATMs, or to conduct person-to-person (P2P) transfers
    3. Is not a checking account, a share draft account, or a negotiable order of withdrawal (NOW) account

There are exceptions to the rule. Under the existing definition of account in Regulation E, an account is subject to Regulation E if it is established primarily for a personal, household, or family purpose. Therefore, an account established for a commercial purpose is not a prepaid account.

Pre-Acquisition Disclosures
The Prepaid Rule contains pre-acquisition disclosure requirements for prepaid accounts. The requirements are detailed. However, there often will be a reseller of these products, meaning that the seller must prepare this disclosure for you. This “short form” disclosure includes general information about the account.

Outside but in close proximity to the short form disclosure, a financial institution must disclose its name, the name of the prepaid account program, any purchase price for the prepaid account, and any fee for activating the prepaid account.

There is also a long form disclosure which sets forth comprehensive fee information as well as certain other key information about the prepaid account.

The Prepaid Rule includes a sample form for the long form disclosure. The long form disclosure must include a long laundry list of items that details every nook and cranny of the account’s use. The Prepaid Rule also requires financial institutions to make disclosures on the access device for the prepaid account, such as a card. If the financial institution does not provide a physical access device for the prepaid account, it must include these disclosures on the website, mobile application, or other entry point the consumer uses to electronically access the prepaid account.

All these disclosures are in addition to your standard Regulation E initial disclosure. The initial disclosures must include all of the information required to be disclosed in the pre-acquisition long form disclosure.

Error Resolution and Limitations on Liability
Prepaid accounts must comply with Regulation E’s limited liability and error resolution requirements, with some modifications. This may or may not be your problem, depending on who owns the account. But if your third-party vendor must give the customer these rights, the cost will likely go up, possibly making selling these cards a problem.

Periodic Statements and the Periodic Statement Alternative
The Prepaid Rule requires financial institutions to provide periodic statements for prepaid accounts, such as payroll accounts. However, a financial institution is not required to provide periodic statements for a prepaid account if it makes certain information available to a consumer, such as:

  • Account balance information by telephone
  • Electronic account transaction histories for the last 12 months
  • Written account transaction histories for the last 24 months

Overdraft Credit Features
The Prepaid Rule amends Regulations E and Z to regulate overdraft credit features that are offered in connection with prepaid accounts. It adds the term “hybrid prepaid-credit card” to Regulation Z and sets forth specific requirements that apply to hybrid prepaid-credit cards. Doing something like this will materially increase your costs. Of course, there are many more rules on the subject that we cannot include in this article.

Effective Dates
The Prepaid Rule is generally effective on October 1, 2017.

What Should You Do?
Over the next few months, you need to talk with any existing companies that you do business with for this kind of product. They may still be struggling with how they are going to approach this, so you may not get all your answers immediately. But you need to know what your role is going to be after October 1, 2017 so that you can make the best decision for your institution. And all new product offerings, whether internal or external, need to be examined carefully to make sure that you can comply with the rules.

For more information about this article, contact Bill Elliott at 1.800.525.9775 or compliance@younginc.com.

Dealing with Adverse Impact and Compensation Disparities in Affirmative Action Plans

By: Mike Lehr, Human Resources Consultant

When clients see adverse impacts in their Affirmative Action Plans (AAP), it is not unusual for them to say, “So Mike, does this mean I have to hire more females and minorities?” This is the wrong question. It should be, “How do we look into this more?”

AAPs are similar to insurance policies. They help us identify risk in our recruiting, hiring, compensation, promotion, and termination policies and practices. If the Equal Employment Opportunity Commission or the Civil Rights Commission investigate a complaint, they will very likely want to see our AAPs. As with insurance, good plans afford us more protection than bad ones do.

When adverse impacts arise with clients, I automatically look at two areas first:

1. Employment practices and activities
2. The plan’s statistics

Employment Practices and Activities
I review employment practices and activities in affected areas first for two reasons. First, too often what should happen differs from what actually happens. There might not be anything wrong with the policy or practice. It just isn’t being followed well. Why change it? This often happens with policies regarding the acceptance of applications and completion of self-identification disclosures.

The second reason why I look at employment practices and activities first is that they give me ideas on where better recordkeeping might help produce better statistics. This makes revisiting the statistics easier and more directed.

This happens often when we dive into the specifics of a job. Since community bankers often wear many hats, weighting the job against several census codes rather than just one is better. Also, since many community banks serve rural communities, the census sample for a job might be too small to be representative. A next best code can come into play then.

Plan Statistics
When it comes to the plan’s statistics, too often they are based on what is easy to track and figure. This shows up most in the job groups used to categorize jobs, the availability of candidates for openings (promoting from within versus hiring from outside), and the census codes used to compare banks’ jobs with the outside world.

I’m not a fan of redoing calculations after the results. I am a fan of saying, “In order to understand this and our options better, how can we improve our data collection for next year?” It’s similar to analyzing a credit. If there are questionable items, we ask for more information.

As an example, I often recommend dividing up the Professional job group (2) into Lending Professionals (2.1) and Administrative Professionals (2.2). Lending and credit jobs can be in the first group, and accounting, finance, marketing, trust, and other non-lending related jobs can be in the second.

Since lending is a specialized skill to banking and is often sales-related, it frequently creates adverse impacts and compensation disparities for the Professional job group. This can happen if census data is small but not enough so to justify alternative census codes.

Granted, the adverse impact might not disappear. Knowing it’s focused on lending or administrative professionals does help though. Rather than carefully monitoring practices in the entire Professional Job Group, we might only need to focus on a sub-set of it.

Additionally, for the same reasons, I often recommend splitting up the Administrative Support Group (5.0) into three groups such as Ancillary (or Executive) Administrative Support (5.1), Operational Support (5.2), and Retail Administrative Support (5.3).

Often, 75 percent of the jobs in Retail Administrative Support are tellers. They are introductory jobs often filled from outside. More promotions-from-within occur with the other administrative support groups. This pattern affects availability and compensation calculations.

Compensation
From a statistical perspective, I also focus on compensation because it’s grayer than clients often think it is. Even the Code of Federal Regulations (see § 1620.13 through § 1620.19) admits that what is equal pay for equal work “cannot be precisely defined.”

Furthermore, “‘equal’ does not mean ‘identical.’” It is defined by the job’s requirements in terms of skill, effort, and responsibility, not the qualifications of the person unless they specifically impact those requirements. That means two jobs with different titles could be “equal.” That means having better qualifications does not matter unless those qualifications are important to the job.

That is why it helps to begin compensation analyses with job groups, not jobs with the same title. The latter could easily give a false sense of security. Starting at the global level and working down forces us to really look at what makes jobs unequal. AAPs with workable job groups and census codes can help prioritize the jobs and the job descriptions we need to rework or revisit with legal counsel.

Conclusion
Returning to the original question, AAPs give us many ways to look more closely into adverse impacts and compensation disparities. A good plan not only provides good insurance against adverse actions, it also guides and prioritizes our work. This saves time and money.

For more information on Affirmative Action Plans, contact Mike Lehr at 1.800.525.9775.

Do You Know Where Your Data Went Last Night?

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Maybe your data went to a football game on an employee’s smart phone. Or, perhaps your data met some international friends at an offsite backup location used by one of your service providers. In either case, if you do not know how your data moves and where your data is stored, you cannot protect it.

During our IT Audit engagements, it is not uncommon to see bank employees storing or transferring non-public information (NPI) using services such as Google Drive or Dropbox. This creates a very dangerous situation if one of these services suffers a data breach or the data is synchronized to personal devices infected with malware. In most of these cases, senior management does not understand how employees are handling NPI.

The importance of understanding and controlling NPI data flow and data storage is emphasized in the newly released version of the FFIEC’s Information Technology Management Handbook, as well as in the declarative statements to meet the Baseline maturity level within the Cybersecurity Assessment Tool. This article will discuss a process that can be used to document the data flow and data storage locations used within your institution and those used by your third-party service providers.

The following column-by-column structure illustrates one way an institution can document data flow and data storage. First identify each Service or Application that uses NPI; examples include core processing, lending platform, internet banking, and online loan applications. Next, identify the Vendor(s) associated with each service or application. The remaining columns describe how the data moves, where it rests, and who can reach it:

  • Process Type identifies the various processes performed using the service or application. Different processes may use different methods for accessing the data, or result in data being transmitted over different connectivity types. Internet banking illustrates this: data may flow between the core processing system and the internet banking system through a dedicated circuit, while customers access the internet banking system through a home internet connection.
  • Type of Data will most often be customer NPI, but may also include proprietary institution data.
  • The ways the data can be accessed, including institution workstations, institution servers, employee mobile devices, customer PCs, and customer mobile devices.
  • Connectivity Type may include dedicated circuits, virtual private networks (VPN), local area networks (LAN), wide area networks (WAN), wireless networks, or the internet.
  • Controls in Transit may include encryption, firewall rules, patch management, and intrusion prevention systems (IPS).
  • Primary Storage Location(s) should include the known locations where the data is stored, such as application or database servers, data backup devices, service provider datacenters, and service provider backup locations.
  • Optional Storage Location(s) should consider other places where data can end up, such as removable media, an employee’s workstation, mobile devices, Dropbox, and Google Drive. Identifying these locations may take a significant amount of time, as this step involves discussions with application administrators to understand the options for exporting data and discussions with employees to understand their processes for transferring and storing data. A review of this information may lead to the implementation of additional controls to block the use of unapproved sharing and storage services.
  • Controls at Rest may include encryption, physical security, and environmental controls.
  • Access Rights should identify who can access the data at any point in time, which may include institution employees, service provider employees, and subcontractors used by a service provider.

This may seem like a daunting task to complete, and it may take a significant amount of time depending on the size and complexity of your institution. One option for implementing this process is to start with your annual vendor review process rather than trying to complete the process for all of your services and applications at one time. When you are gathering and reviewing documentation from each service provider, complete the table described above for the service or application provided by that service provider. Documentation for internally managed systems and applications can also be completed over a period of time.

Upon completion of this process, you should have a full understanding of how your data moves between devices and where the data is stored. This information will allow you to justify the risk ratings within your information security risk assessment and identify additional controls that need to be implemented to properly protect your data.
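The following is an added example, not code from the original article or from Young & Associates. It models the data-flow table described above as Python records and runs a few review checks that flag the situations the article warns about: NPI crossing the internet or a wireless network without encryption in transit, NPI ending up in a storage location the institution has not approved (such as Dropbox or Google Drive), NPI at rest with no documented control, and access by a service provider's subcontractor. The inventory rows, the vendor names and the approved-storage list are constructed sample data, not real systems.

```python
"""Data-flow inventory for non-public information (NPI).

Added example, not from the original article. Every entry below is
constructed sample data; the approved-storage list is a hypothetical
institution's policy, not a standard.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Storage locations the (hypothetical) institution has approved for NPI.
APPROVED_STORAGE = {
    "application server", "database server", "backup appliance",
    "vendor datacenter", "vendor backup site",
}

# Connectivity types that traverse networks the institution does not control.
UNTRUSTED_CONNECTIVITY = {"internet", "wireless"}


@dataclass
class DataFlow:
    """One row of the data-flow table, one column per field."""
    service: str
    vendor: str
    process_type: str
    data_type: str                      # "NPI" or "proprietary"
    access_from: list[str]
    connectivity: str
    controls_in_transit: list[str]
    primary_storage: list[str]
    optional_storage: list[str] = field(default_factory=list)
    controls_at_rest: list[str] = field(default_factory=list)
    access_rights: list[str] = field(default_factory=list)


def review_flow(flow: DataFlow) -> list[str]:
    """Return the findings for one row of the inventory (empty list if clean)."""
    findings = []
    npi = flow.data_type.upper() == "NPI"
    tag = f"{flow.service}/{flow.process_type}"

    # NPI over a network the institution does not control must be encrypted.
    if (npi and flow.connectivity in UNTRUSTED_CONNECTIVITY
            and "encryption" not in flow.controls_in_transit):
        findings.append(f"{tag}: NPI over {flow.connectivity} without encryption in transit")

    # Any storage location outside the approved list is a gap to close or to approve.
    for loc in flow.primary_storage + flow.optional_storage:
        if loc not in APPROVED_STORAGE:
            findings.append(f"{tag}: data may reside in unapproved location '{loc}'")

    # NPI at rest with no documented control (encryption, physical, environmental).
    if npi and not flow.controls_at_rest:
        findings.append(f"{tag}: no controls at rest documented")

    # Subcontractor access must be known and covered by the vendor agreement.
    if any("subcontractor" in who.lower() for who in flow.access_rights):
        findings.append(f"{tag}: subcontractor access, confirm contractual coverage")
    return findings


def review_inventory(flows: list[DataFlow]) -> list[str]:
    """Run review_flow over every row and collect all findings."""
    findings = []
    for flow in flows:
        findings.extend(review_flow(flow))
    return findings


# Constructed sample inventory: two internet-banking process types plus an
# in-house lending export whose data leaks into optional storage locations.
SAMPLE_INVENTORY = [
    DataFlow(service="internet banking", vendor="Example IB Vendor",
             process_type="core to IB sync", data_type="NPI",
             access_from=["institution servers"], connectivity="dedicated circuit",
             controls_in_transit=["encryption", "firewall rules"],
             primary_storage=["vendor datacenter", "vendor backup site"],
             controls_at_rest=["encryption", "physical security"],
             access_rights=["institution employees", "vendor employees"]),
    DataFlow(service="internet banking", vendor="Example IB Vendor",
             process_type="customer login", data_type="NPI",
             access_from=["customer PCs", "customer mobile devices"],
             connectivity="internet", controls_in_transit=["encryption", "IPS"],
             primary_storage=["vendor datacenter"], controls_at_rest=["encryption"],
             access_rights=["institution employees", "vendor employees",
                            "vendor subcontractor"]),
    DataFlow(service="lending platform", vendor="in-house",
             process_type="report export", data_type="NPI",
             access_from=["institution workstations"], connectivity="LAN",
             controls_in_transit=["firewall rules"],
             primary_storage=["database server"],
             optional_storage=["employee workstation", "Dropbox"],
             access_rights=["institution employees"]),
]

if __name__ == "__main__":
    for line in review_inventory(SAMPLE_INVENTORY):
        print(line)
```

The checks are deliberately simple; their value is that each finding points at one cell of the table, which is exactly the information needed to justify a risk rating or to decide which control to add. Run against the sample inventory, the first row is clean, the customer-login row raises only the subcontractor question, and the report-export row produces three findings: two unapproved storage locations and no controls at rest.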

For more information on this article, contact Mike Detrow at 1.800.525.9775.

5 Ways to Create Compliance Depth

By: Adam Witmer, CRCM, Compliance Consultant

As football season is now in full swing, many die-hard fans find themselves viewing the player roster of their favorite teams. They do this because they are curious, not about the obvious starters, but about those who are there to back up the starters. Football fans are often interested in the depth of skill their team has retained.

Just like an NFL team has a depth chart of skilled back-up players, it is important to have compliance “depth” within our financial institutions. This is especially true today as examiners have been shifting their expectations of compliance from a one-person dictatorship approach to a fully functioning “compliance management system” (CMS).

With so many new rule changes coming out of the Consumer Financial Protection Bureau, financial institutions can no longer depend on a single individual to be the sole person knowledgeable of compliance regulations. Having a depth of compliance knowledge – both in quantity (number of employees) and quality (individual knowledge) – is more important today than ever before. Therefore, financial institution leaders should consider building greater depth of compliance within their teams.

The following are five ways that every financial institution can build depth into the compliance function of their organizations.

A Formal Compliance Management System (CMS) Model
One of the best ways to infuse compliance depth into a financial institution is to develop a formal compliance management system (CMS) model which ultimately steers the institution’s compliance activities. While most financial institutions have some sort of compliance management system in place – a risk assessment, training, audit and/or monitoring, designating a compliance officer, and managing complaints – we have found that many of these programs are often informal in nature and don’t always establish depth in the overall program.

A formal CMS model is an intentionally designed program that goes above and beyond the core elements of a compliance management system – the model acts as the infrastructure for a compliance program. Generally, a CMS model will produce certain results:

  • Continuity of compliance, regardless of change
  • Pro-active compliance management
  • Clear communication of the CMS to examiners, directors, and additional parties
  • Integration of compliance into applicable job functions of the organization
  • Early detection of compliance issues
  • Strong regulatory change management

The idea is that a formal CMS model helps to ensure that systems, controls, and procedures are effectively implemented and maintained, which helps to naturally build depth into the compliance structure of an organization.

Integration
Another way any financial institution can create compliance depth is to proactively integrate compliance into applicable job functions of the organization. Years ago, compliance could often be approached as an add-on or afterthought to the main task at hand. For example, prior to the late 1960s and 1970s, creditors did not really have to worry about lending fairly among minorities, protected classes, or even different income levels. Over the years, however, fair lending has evolved so much that organizations that do not have effective systems, procedures, and controls to ensure fair lending compliance can easily place themselves in a high-risk position for fair lending violations.

Integration can occur in a number of ways. First, policies and procedures can be enhanced to include compliance components. Secondly, controls and testing can include applicable compliance elements. Finally, compliance can become an essential part of employee expectations, such as the requirement of training and even consideration in performance evaluations.

When a financial institution integrates compliance into each applicable job function, a depth of compliance is naturally infused into the organization. This is exactly why many financial institutions are adopting a formal CMS model under which they operate.

Compliance Council
For well over a decade now, we at Young and Associates, Inc. have been advocating for the creation of a Compliance Council in many of our client financial institutions. A compliance council is a group of employees, often middle to senior management, who come together on a regular basis to provide oversight of the compliance function of the organization. While only a few financial institutions operate with just a compliance council (rather than having a designated compliance officer), many of those that do have a designated compliance officer also operate with a compliance council.

There are several reasons why a financial institution will operate with a compliance council in addition to having a designated compliance officer. First, the compliance council helps to provide support for the compliance officer. In today’s regulatory environment, it is often unreasonable for any financial institution to place all responsibility of regulatory compliance on the shoulders of one compliance officer. Therefore, a compliance council can help to distribute the compliance burden and help support the compliance officer.

In addition to providing support, a compliance council also helps to enhance communication in relation to compliance activities. While different departments within a financial institution often operate somewhat independently, a compliance council can help to bring various department managers together while focusing on a uniform goal of compliance.

A compliance council can be an integral component for building compliance depth and this is why many CMS models have a compliance council at the center of their model.

Succession Planning
Just as every NFL team has a depth chart that outlines who is ready to play a certain position, financial institutions can create compliance depth by establishing and maintaining a formal succession plan for each applicable compliance function. While a compliance succession plan doesn’t need to be complex or even robust, having a clearly designated back-up person for each major compliance function helps to establish greater depth.

To establish depth, a succession plan should designate a back-up person for each significant area of compliance and outline who would assume responsibility in the event that the primary employee responsible for that area is unable to perform their duties. When a back-up person is formally designated and appropriately cross-trained, a CMS model will effectively continue without any major breaches in continuity, meaning that a greater depth of compliance is established.

Training
The final and probably most obvious way to create compliance depth is to conduct enhanced compliance training. Compliance depth can be added through training in two main ways: organizational training and individual training.

First, organizational training can be expanded to integrate compliance into the training rather than treating compliance as an afterthought. Therefore, compliance components should be included in new employee orientations, annual training initiatives, and even sales and other employee specific training sessions.

Secondly, training can increase compliance depth when employees, other than just the compliance team, receive in-depth training on compliance regulations that affect their job functions. For example, a loan processor manager may be able to greatly benefit from in-depth training on Regulation Z, while a lender may benefit on training specific to Regulation O.

Regardless of the type, training is a tool that helps to build compliance depth within an organization.

Summary
Creating compliance depth is going to become an even more important strategy for financial institutions as regulatory expectations continue to expand and evolve. In creating compliance depth, organizations will enhance their overall compliance posture by ensuring compliance continuity when employee positions change, infusing necessary components of compliance into each job function, and providing better communication to affected parties regarding the organization’s compliance program.

Just as every sports team works to ensure that it has a depth of skilled players, financial institutions that establish compliance depth – through steps like establishing a formal CMS model – are going to fare much better in the long run than those that do not.

Compliance Reviews in These Uncertain Times

By: Bill Elliott, CRCM, Director of Compliance Education

The world of regulatory compliance is in turmoil. Rules are announced, approved, “kind of” enforced, and then the regulators back away and say, “just kidding.” Perhaps the most recent example of this is the OCC’s decision to back away from their interpretation of the Community Reinvestment Act. They have suspended their version of CRA (issued in mid-2020) and decided to join with the Federal Reserve and the FDIC in a rulemaking to update the regulation. Clearly, this is what should have happened initially, but it did not. While this situation only impacted national banks, federal savings associations, and federal branches of foreign banks, it is an example of the ongoing turmoil that takes place in Washington D.C.

This makes the process of compliance much more difficult, as financial institutions do not necessarily know which set of rules will apply and for how long. The result is great difficulty in navigating the world of compliance and deciding which areas should be addressed in any compliance audit/review. When the regulations are in flux as they are now, uncertainty increases the risk of noncompliance.

Focus on Risk

When deciding on compliance audit/review topics, whether they are accomplished internally or externally, financial institutions must assure they focus on their largest risk items. Back in the early 2000s, the Federal Reserve posted a list of regulations by the most important to the least important. If you look at that list today, it would be clear that the world of compliance has changed dramatically, and financial institutions need to prepare and adjust. It sometimes seems as if this happens continuously.

For loans, Regulation Z and flood insurance are probably at the top of the review list. On the deposit side, Regulation E seems to be the most important regulation, due to the tremendous volume of electronic transactions in financial institutions. We should note that Regulation E is far removed from our current electronic reality, making the process even more difficult.

Whether management is working with an internal auditor, external auditors or consultants, it is important to assure that attention is focused on those areas that are most critical and determine what resources should be expended on other compliance subjects.

The regulator that walks in your door to do an exam is in the same turmoil you are, and it is not their fault. Nonetheless, they must do the best they can to examine your institution based on the current regulatory environment. The more complete your internal or external compliance reviews/audits are, the easier their job will be. And regulators always appreciate an assist, as they are experiencing limited resource issues as well.

So, when preparing for reviews in 2022 and beyond, you need to assure that any compliance reviews that are completed focus on the subjects discussed earlier, as well as the following:

  1. New products
  2. New services
  3. Regulatory issues that you have had in the past, to assure that they are properly addressed prior to the exam

Only after these items are addressed should financial institutions include other regulations. That does not mean that financial institutions should ignore any regulation. For instance, Regulation DD (Truth in Savings) has not materially changed in over 20 years. However, it has been number two based on number of violations (behind Regulation Z) on the FDIC violation list for the past two years. So, management should never equate “no change” with “no risk.”

Not focusing appropriately results in potential difficulties. First, financial institutions can experience a colossal waste of time and money by continually reviewing insignificant items that are low risk. Secondly, the decision to cover a wide variety of compliance topics may mean less time and effort on those areas that need the most attention – and of course these are the most critical for your institution.

Our Approach

At Young & Associates, we always try to work with financial institutions to assure coverage that gives the institution the maximum protection for the dollar amount spent. This approach should be used whether you are using an external firm or internal auditors. Doing something merely because “we have always done it” is often not the best approach.

If we can be of any assistance in planning and executing your compliance reviews, please contact Dave Reno, Director – Lending and Business Development. He can be reached at 330.422.3455 and dreno@younginc.com.
