
Tag: lending regulations

New Prepaid Rule

By: Bill Elliott, CRCM, Senior Consultant and Manager of Compliance

On October 5, 2016, the CFPB issued a final rule amending Regulations E and Z to create comprehensive consumer protections for prepaid financial products. The result of this rule is that many of you may not continue to offer these accounts, and those of you who do not currently offer the accounts may not want to start. The purpose of this article is not to talk you into or out of these products, but to give you the basic facts so that you can make the best decision for your institution.

The Prepaid Rule runs 1,501 pages, so we can only do an overview in this article. You may also want to look at the following: http://www.consumerfinance.gov/policy-compliance/guidance/implementation-guidance/prepaid

Another site worth your time might be: http://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/prepaid-accounts-under-electronic-fund-transfer-act-regulation-e-and-truth-lending-act-regulation-z/

Prepaid Accounts
The Prepaid Rule adds the term “prepaid account” to the definition of “account” in Regulation E. Payroll card accounts and government benefit accounts are prepaid accounts under the Prepaid Rule’s definition. Additionally, a prepaid account includes a product that is either of the following, unless a specific exclusion in the Prepaid Rule applies:

  1. An account that is marketed or labeled as “prepaid” and is redeemable upon presentation at multiple, unaffiliated merchants for goods and services or usable at automated teller machines (ATMs); or
  2. An account that meets all of the following:
    1. Is issued on a prepaid basis in a specified amount or is capable of being loaded with funds after issuance
    2. Whose primary function is to conduct transactions with multiple, unaffiliated merchants for goods or services, to conduct transactions at ATMs, or to conduct person-to-person (P2P) transfers
    3. Is not a checking account, a share draft account, or a negotiable order of withdrawal (NOW) account

There are exceptions to the rule. Under the existing definition of account in Regulation E, an account is subject to Regulation E if it is established primarily for a personal, household, or family purpose. Therefore, an account established for a commercial purpose is not a prepaid account.

Pre-Acquisition Disclosures
The Prepaid Rule contains detailed pre-acquisition disclosure requirements for prepaid accounts. However, these products are often sold through a reseller arrangement, in which case the seller must prepare this disclosure for you. This “short form” disclosure includes general information about the account.

Outside but in close proximity to the short form disclosure, a financial institution must disclose its name, the name of the prepaid account program, any purchase price for the prepaid account, and any fee for activating the prepaid account.

There is also a long form disclosure which sets forth comprehensive fee information as well as certain other key information about the prepaid account.

The Prepaid Rule includes a sample form for the long form disclosure. The long form disclosure must include a long laundry list of items that details every nook and cranny of the account’s use. The Prepaid Rule also requires financial institutions to make disclosures on the access device for the prepaid account, such as a card. If the financial institution does not provide a physical access device for the prepaid account, it must include these disclosures on the website, mobile application, or other entry point the consumer uses to electronically access the prepaid account.

All these disclosures are in addition to your standard Regulation E initial disclosure. The initial disclosures must include all of the information required to be disclosed in the pre-acquisition long form disclosure.

Error Resolution and Limitations on Liability
Prepaid accounts must comply with Regulation E’s limited liability and error resolution requirements, with some modifications. This may or may not be your problem, depending on who owns the account. But if your third-party vendor must give the customer these rights, the cost will likely go up, possibly making selling these cards a problem.

Periodic Statements and the Periodic Statement Alternative
The Prepaid Rule requires financial institutions to provide periodic statements for prepaid accounts, such as payroll accounts. However, a financial institution is not required to provide periodic statements for a prepaid account if it makes certain information available to a consumer, such as:

  • Account balance information by telephone
  • Electronic account transaction histories for the last 12 months
  • Written account transaction histories for the last 24 months

Overdraft Credit Features
The Prepaid Rule amends Regulations E and Z to regulate overdraft credit features that are offered in connection with prepaid accounts. It adds the term “hybrid prepaid-credit card” to Regulation Z and sets forth specific requirements that apply to hybrid prepaid-credit cards. Doing something like this will materially increase your costs. Of course, there are many more rules on the subject that we cannot include in this article.

Effective Dates
The Prepaid Rule is generally effective on October 1, 2017.

What Should You Do?
Over the next few months, you need to talk with any existing companies that you do business with for this kind of product. They may still be struggling with how they are going to approach this, so you may not get all your answers immediately. But you need to know what your role is going to be after October 1, 2017 so that you can make the best decision for your institution. And all new product offerings, whether internal or external, need to be examined carefully to make sure that you can comply with the rules.

For more information about this article, contact Bill Elliott at 1.800.525.9775 or compliance@younginc.com.


Dealing with Adverse Impact and Compensation Disparities in Affirmative Action Plans

By: Mike Lehr, Human Resources Consultant

When clients see adverse impacts in their Affirmative Action Plans (AAP), it is not unusual for them to say, “So Mike, does this mean I have to hire more females and minorities?” This is the wrong question. It should be, “How do we look into this more?”

AAPs are similar to insurance policies. They help us identify risk in our recruiting, hiring, compensation, promotion, and termination policies and practices. If the Equal Employment Opportunity Commission or the Civil Rights Commission investigate a complaint, they will very likely want to see our AAPs. As with insurance, good plans afford us more protection than bad ones do.

When adverse impacts arise with clients, I automatically look at two areas first:

1. Employment practices and activities
2. The plan’s statistics

Employment Practices and Activities
I review employment practices and activities in affected areas first for two reasons. First, too often what should happen differs from what actually happens. There might not be anything wrong with the policy or practice. It just isn’t being followed well. Why change it? This often happens with policies regarding the acceptance of applications and completion of self-identification disclosures.

The second reason why I look at employment practices and activities first is that they give me ideas on where better recordkeeping might help produce better statistics. This makes revisiting the statistics easier and more directed.

This happens often when we dive into the specifics of a job. Since community bankers often wear many hats, weighting the job against several census codes rather than just one is better. Also, since many community banks serve rural communities, the census sample for a job might be too small to be representative. A next best code can come into play then.

Plan Statistics
When it comes to the plan’s statistics, too often they are based on what is easy to track and figure. This shows up most in the job groups used to categorize jobs, the availability of candidates for openings (promoting from within versus hiring from outside), and the census codes used to compare banks’ jobs with the outside world.

I’m not a fan of redoing calculations after the results. I am a fan of saying, “In order to understand this and our options better, how can we improve our data collection for next year?” It’s similar to analyzing a credit. If there are questionable items, we ask for more information.

As an example, I often recommend dividing up the Professional job group (2) into Lending Professionals (2.1) and Administrative Professionals (2.2). Lending and credit jobs can be in the first group, and accounting, finance, marketing, trust, and other non-lending related jobs can be in the second.

Since lending is a specialized skill to banking and is often sales-related, it frequently creates adverse impacts and compensation disparities for the Professional job group. This can happen if census data is small but not enough so to justify alternative census codes.

Granted, the adverse impact might not disappear. Knowing it’s focused on lending or administrative professionals does help though. Rather than carefully monitoring practices in the entire Professional Job Group, we might only need to focus on a sub-set of it.

Additionally, for the same reasons, I often recommend splitting up the Administrative Support Group (5.0) into three groups such as Ancillary (or Executive) Administrative Support (5.1), Operational Support (5.2), and Retail Administrative Support (5.3).

Often, 75 percent of the jobs in Retail Administrative Support are tellers. They are introductory jobs often filled from outside. More promotions-from-within occur with the other administrative support groups. This pattern affects availability and compensation calculations.

Compensation
From a statistical perspective, I also focus on compensation because it’s grayer than clients often think it is. Even the Code of Federal Regulations (see § 1620.13 through § 1620.19) admits that what is equal pay for equal work “cannot be precisely defined.”

Furthermore, “‘equal’ does not mean ‘identical.’” It is defined by the job’s requirements in terms of skill, effort, and responsibility, not the qualifications of the person unless they specifically impact those requirements. That means two jobs with different titles could be “equal.” That means having better qualifications does not matter unless those qualifications are important to the job.

That is why it helps to begin compensation analyses with job groups, not jobs with the same title. The latter could easily give a false sense of security. Starting at the global level and working down forces us to really look at what makes jobs unequal. AAPs with workable job groups and census codes can help prioritize the jobs and the job descriptions we need to rework or revisit with legal counsel.

Conclusion
Returning to the original question, AAPs have many ways for us to look into adverse impacts and compensation disparities more. A good plan not only provides us good insurance against adverse actions, it guides and prioritizes us. This saves our time and money.

For more information on Affirmative Action Plans, contact Mike Lehr at 1.800.525.9775.

Do You Know Where Your Data Went Last Night?

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Maybe your data went to a football game on an employee’s smart phone. Or, perhaps your data met some international friends at an offsite backup location used by one of your service providers. In either case, if you do not know how your data moves and where your data is stored, you cannot protect it.

During our IT Audit engagements, it is not uncommon to see bank employees storing or transferring non-public information (NPI) using services such as Google Drive or Dropbox. This creates a very dangerous situation if one of these services suffers a data breach or the data is synchronized to personal devices infected with malware. In most of these cases, senior management does not understand how employees are handling NPI.

The importance of understanding and controlling NPI data flow and data storage is emphasized in the newly released version of the FFIEC’s Information Technology Management Handbook, as well as in the declarative statements to meet the Baseline maturity level within the Cybersecurity Assessment Tool. This article will discuss a process that can be used to document the data flow and data storage locations used within your institution and those used by your third-party service providers.

The following columns illustrate how an institution can document data flow and data storage in a single table.

  • Service or Application: each service or application that uses NPI, for example core processing, the lending platform, internet banking, and online loan applications.
  • Vendor(s): the vendor(s) associated with each service or application.
  • Process Type: the individual processes performed using the service or application, since each may access the data differently or transmit it over a different connectivity type. Internet banking is a good illustration: data may flow between the core processing system and the internet banking system through a dedicated circuit, while customers access the internet banking system through a home internet connection.
  • Type of Data: most often customer NPI, but this may also include proprietary institution data.
  • Access Method: institution workstations, institution servers, employee mobile devices, customer PCs, and customer mobile devices, among others.
  • Connectivity Type: dedicated circuits, virtual private networks (VPN), local area networks (LAN), wide area networks (WAN), wireless networks, or the internet.
  • Controls in Transit: encryption, firewall rules, patch management, and intrusion prevention systems (IPS), for example.
  • Primary Storage Location(s): the known locations where the data is stored, such as application or database servers, data backup devices, service provider datacenters, and service provider backup locations.
  • Optional Storage Location(s): other places where the data can end up, such as removable media, an employee’s workstation, mobile devices, Dropbox, and Google Drive.

Identifying the Optional Storage Location(s) may take a significant amount of time, as this step involves discussions with application administrators to understand the options for exporting data and discussions with employees to understand their processes for transferring and storing data. A review of this information may lead to the implementation of additional controls to block the use of unapproved sharing and storage services.

Controls at Rest may include: encryption, physical security, and environmental controls. The Access Rights column should identify who can access the data at any point in time, which may include institution employees, service provider employees, and subcontractors used by a service provider.
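One way to make the completed inventory actionable is to load the rows into a small script and let it flag the entries that need follow-up (NPI crossing the internet or a wireless network without encryption, NPI at rest without encryption, NPI reachable from an unapproved optional storage location such as Dropbox or Google Drive, and subcontractor access). This is an added example, not part of the original article or any Young & Associates tool; the review rules, the approved-storage list, the vendor names and the sample rows are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class DataFlow:
    """One row of the data-flow inventory; fields follow the article's columns."""
    service: str
    vendor: str
    process_type: str
    data_type: str               # "customer NPI" or "proprietary"
    access_methods: list
    connectivity: list           # dedicated circuit, VPN, LAN, WAN, wireless, internet
    controls_in_transit: list
    primary_storage: list
    optional_storage: list
    controls_at_rest: list
    access_rights: list


# Constructed review rules (assumptions for this example, not regulatory text).
NPI = "customer NPI"
UNTRUSTED_PATHS = {"internet", "wireless"}
UNAPPROVED_STORAGE = {"dropbox", "google drive", "removable media"}


def review(flow):
    """Return follow-up items for one inventory row; an empty list means no finding."""
    items = []
    if flow.data_type != NPI:
        return items
    paths = {p.lower() for p in flow.connectivity}
    transit = {c.lower() for c in flow.controls_in_transit}
    for path in sorted(paths & UNTRUSTED_PATHS):
        if "encryption" not in transit:
            items.append(f"NPI crosses {path} without encryption in transit")
    if "encryption" not in {c.lower() for c in flow.controls_at_rest}:
        items.append("NPI stored without encryption at rest")
    for loc in flow.optional_storage:
        if loc.lower() in UNAPPROVED_STORAGE:
            items.append(f"NPI may be exported to unapproved location: {loc}")
    if any("subcontractor" in who.lower() for who in flow.access_rights):
        items.append("subcontractor access: confirm vendor oversight in annual review")
    return items


def inventory_report(flows):
    """Map 'service / process type' to its findings, rows with most findings first."""
    report = {f"{f.service} / {f.process_type}": review(f) for f in flows}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


# Constructed sample inventory (three applications, four process types).
SAMPLE_INVENTORY = [
    DataFlow("core processing", "Core Vendor (constructed)", "nightly batch", NPI,
             ["institution servers"], ["dedicated circuit"], ["encryption", "firewall rules"],
             ["service provider datacenter", "service provider backup location"], [],
             ["encryption", "physical security"],
             ["institution employees", "service provider employees"]),
    DataFlow("internet banking", "IB Vendor (constructed)", "core-to-IB sync", NPI,
             ["institution servers"], ["dedicated circuit"], ["encryption"],
             ["application server"], [], ["encryption"], ["service provider employees"]),
    DataFlow("internet banking", "IB Vendor (constructed)", "customer login", NPI,
             ["customer PCs", "customer mobile devices"], ["internet"],
             ["encryption", "firewall rules", "IPS"], ["application server"], [],
             ["encryption"], ["service provider employees", "service provider subcontractors"]),
    DataFlow("lending platform", "LOS Vendor (constructed)", "loan file export", NPI,
             ["institution workstations"], ["LAN"], ["firewall rules"],
             ["database server"], ["Employee workstation", "Dropbox"],
             ["physical security"], ["institution employees"]),
]

if __name__ == "__main__":
    for row, findings in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{row}: {findings or 'no findings'}")
```

Rows with the most findings sort to the top, which gives a starting order for the discussions with application administrators and employees that the article describes.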

This may seem like a daunting task to complete, and it may take a significant amount of time depending on the size and complexity of your institution. One option for implementing this process is to start with your annual vendor review process rather than trying to complete the process for all of your services and applications at one time. When you are gathering and reviewing documentation from each service provider, complete the table shown above for the service or application provided by that service provider. Documentation for internally managed systems and applications can also be completed over a period of time.

Upon completion of this process, you should have a full understanding of how your data moves between devices and where the data is stored. This information will allow you to justify the risk ratings within your information security risk assessment and identify additional controls that need to be implemented to properly protect your data.

For more information on this article, contact Mike Detrow at 1.800.525.9775.

5 Ways to Create Compliance Depth

By: Adam Witmer, CRCM, Compliance Consultant

As football season is now in full swing, many die-hard fans find themselves viewing the player roster of their favorite teams. They do this because they are curious, not about the obvious starters, but about those who are there to back up the starters. Football fans are often interested in the depth of skill their team has retained.

Just like an NFL team has a depth chart of skilled back-up players, it is important to have compliance “depth” within our financial institutions. This is especially true today as examiners have been shifting their expectations of compliance from a one-person dictatorship approach to a fully functioning “compliance management system” (CMS).

With so many new rule changes coming out by the Consumer Financial Protection Bureau, financial institutions can no longer depend on a single individual to be the sole person knowledgeable of compliance regulations. Having a depth of compliance knowledge – both in quantity (number of employees) and quality (individual knowledge) – is more important today than ever before. Therefore, financial institution leaders should consider building greater depth of compliance within their teams.

The following are five ways that every financial institution can build depth into the compliance function of their organizations.

A Formal Compliance Management System (CMS) Model
One of the best ways to infuse compliance depth into a financial institution is to develop a formal compliance management system (CMS) model which ultimately steers the institution’s compliance activities. While most financial institutions have some sort of compliance management system in place – a risk assessment, training, audit and/or monitoring, designating a compliance officer, and managing complaints – we have found that many of these programs are often informal in nature and don’t always establish depth in the overall program.

A formal CMS model is an intentionally designed program that goes above and beyond the core elements of a compliance management system – the model acts as the infrastructure for a compliance program. Generally, a CMS model will produce certain results:

  • Continuity of compliance, regardless of change
  • Pro-active compliance management
  • Clear communication of the CMS to examiners, directors, and additional parties
  • Integration of compliance into applicable job functions of the organization
  • Early detection of compliance issues
  • Strong regulatory change management

The idea is that a formal CMS model helps to ensure that systems, controls, and procedures are effectively implemented and maintained, which helps to naturally build depth into the compliance structure of an organization.

Integration
Another way any financial institution can create compliance depth is to proactively integrate compliance into applicable job functions of the organization. Years ago, compliance could often be approached as an add-on or afterthought to the main task at hand. For example, prior to the late 1960s and 1970s, creditors didn’t really have to worry about lending fairly among minorities, protected classes, or even different income levels. Over the years, however, fair lending has evolved so much that organizations that don’t have effective systems, procedures, and controls to ensure fair lending compliance can easily place themselves in a high-risk position for fair lending violations.

Integration can occur in a number of ways. First, policies and procedures can be enhanced to include compliance components. Secondly, controls and testing can include applicable compliance elements. Finally, compliance can become an essential part of employee expectations, such as the requirement of training and even consideration in performance evaluations.

When a financial institution integrates compliance into each applicable job function, a depth of compliance is naturally infused into the organization. This is exactly why many financial institutions are adopting a formal CMS model under which they operate.

Compliance Council
For well over a decade now, we at Young and Associates, Inc. have been advocating for the creation of a Compliance Council in many of our client financial institutions. A compliance council is a group of employees, often middle to senior management, who come together on a regular basis to provide oversight of the compliance function of the organization. While only a few financial institutions operate with just a compliance council (rather than having a designated compliance officer), many of those that do have a designated compliance officer also operate with a compliance council.

There are several reasons why a financial institution will operate with a compliance council in addition to having a designated compliance officer. First, the compliance council helps to provide support for the compliance officer. In today’s regulatory environment, it is often unreasonable for any financial institution to place all responsibility of regulatory compliance on the shoulders of one compliance officer. Therefore, a compliance council can help to distribute the compliance burden and help support the compliance officer.

In addition to providing support, a compliance council also helps to enhance communication in relation to compliance activities. While different departments within a financial institution often operate somewhat independently, a compliance council can help to bring various department managers together while focusing on a uniform goal of compliance.

A compliance council can be an integral component for building compliance depth and this is why many CMS models have a compliance council at the center of their model.

Succession Planning
Just as every NFL team has a depth chart that outlines who is ready to play a certain position, financial institutions can create compliance depth by establishing and maintaining a formal succession plan for each applicable compliance function. While a compliance succession plan doesn’t need to be complex or even robust, having a clearly designated back-up person for each major compliance function helps to establish greater depth.

To establish depth, a succession plan should designate a back-up person for each significant area of compliance and outline who would assume responsibility in the event that the primary employee responsible for that area is unable to perform their duties. When a back-up person is formally designated and appropriately cross-trained, a CMS model will effectively continue without any major breaches in continuity, meaning that a greater depth of compliance is established.

Training
The final and probably most obvious way to create compliance depth is to conduct enhanced compliance training. Compliance depth can be added through training in two main ways: organizational training and individual training.

First, organizational training can be expanded to integrate compliance into the training rather than treating compliance as an afterthought. Therefore, compliance components should be included in new employee orientations, annual training initiatives, and even sales and other employee-specific training sessions.

Secondly, training can increase compliance depth when employees other than just the compliance team receive in-depth training on the compliance regulations that affect their job functions. For example, a loan processing manager may greatly benefit from in-depth training on Regulation Z, while a lender may benefit from training specific to Regulation O.

Regardless of the type, training is a tool that helps to build compliance depth within an organization.

Summary
Creating compliance depth is going to become an even more important strategy for financial institutions as regulatory expectations continue to expand and evolve. In creating compliance depth, organizations will enhance their overall compliance posture by ensuring compliance continuity when employee positions change, infusing necessary components of compliance into each job function, and providing better communication to affected parties regarding the organization’s compliance program.

Just as every sports team works to ensure that it has a depth of skilled players, financial institutions that establish compliance depth – through steps like establishing a formal CMS model – are going to fare much better in the long run than those that do not.

Compliance Reviews in These Uncertain Times

By: Bill Elliott, CRCM, Director of Compliance Education

The world of regulatory compliance is in turmoil. Rules are announced, approved, “kind of” enforced, and then the regulators back away and say, “just kidding.” Perhaps the most recent example of this is the OCC’s decision to back away from their interpretation of the Community Reinvestment Act. They have suspended their version of CRA (issued in mid-2020) and decided to join with the Federal Reserve and the FDIC in a rulemaking to update the regulation. Clearly, this is what should have happened initially, but it did not. While this situation only impacted national banks, federal savings associations, and federal branches of foreign banks, it is an example of the ongoing turmoil that takes place in Washington D.C.

This makes the process of compliance much more difficult, as financial institutions do not know necessarily which set of rules will apply and for how long. The result is great difficulty in navigating the world of compliance and deciding what areas should be addressed in any compliance audit/review. When the regulations are in flux as they are now, uncertainty increases the risks of noncompliance.

Focus on Risk

When deciding on compliance audit/review topics, whether they are accomplished internally or externally, financial institutions must assure they focus on their largest risk items. Back in the early 2000s, the Federal Reserve posted a list of regulations by the most important to the least important. If you look at that list today, it would be clear that the world of compliance has changed dramatically, and financial institutions need to prepare and adjust. It sometimes seems as if this happens continuously.

For loans, Regulation Z and flood insurance are probably at the top of the review list. On the deposit side, Regulation E seems to be the most important regulation, due to the tremendous volume of electronic transactions in financial institutions. We should note that Regulation E is far removed from our current electronic reality, making the process even more difficult.

Whether management is working with an internal auditor, external auditors or consultants, it is important to assure that attention is focused on those areas that are most critical and determine what resources should be expended on other compliance subjects.

The regulator that walks in your door to do an exam is in the same turmoil you are, and it is not their fault. Nonetheless, they must do the best they can to examine your institution based on the current regulatory environment. The more complete your internal or external compliance reviews/audits are, the easier their job will be. And regulators always appreciate an assist, as they are experiencing limited resource issues as well.

So, when preparing for reviews in 2022 and beyond, you need to assure that any compliance reviews that are completed focus on the subjects discussed earlier, as well as the following:

  1. New products
  2. New services
  3. Regulatory issues that you have had in the past, to assure that they are properly addressed prior to the exam

Only after these items are addressed should financial institutions include other regulations. That does not mean that financial institutions should ignore any regulation. For instance, Regulation DD (Truth in Savings) has not materially changed in over 20 years. However, it has been number two based on number of violations (behind Regulation Z) on the FDIC violation list for the past two years. So, management should never equate “no change” with “no risk.”

Not focusing appropriately results in potential difficulties. First, financial institutions can experience a colossal waste of time and money by continually reviewing insignificant items that are low risk. Secondly, the decision to cover a wide variety of compliance topics may mean less time and effort on those areas that need the most attention – and of course these are the most critical for your institution.

Our Approach

At Young & Associates, we always try to work with financial institutions to assure coverage that gives the institution the maximum protection for the dollar amount spent. This approach should be used whether you are using an external firm or internal auditors. Doing something merely because “we have always done it” is often not the best approach.

If we can be of any assistance in planning and executing your compliance reviews, please contact Dave Reno, Director – Lending and Business Development. He can be reached at 330.422.3455 and dreno@younginc.com.
