Regulators Weigh In: Highlights From Our Regulatory Panel
by Angela Lucas, Sterling Compliance
How do you keep your fingers on the pulse of the compliance world? How do you learn from others and get a sense for the priorities of the coming year? We’ve got a regulatory panel for that! Hands down, the most anticipated events of the year are the regulatory panels in which we gather examiners from the OCC, FDIC and Federal Reserve to discuss common issues they have been seeing in their examinations, supervisory priorities for the coming year and to answer your most burning questions. To memorialize the discussion, we’ve provided the following highlights. First, however, we would like to again thank each examiner who took part in the panels in Pittsburgh and Columbus. Your participation and candid discussion were the apex of each meeting, and we much appreciate your insight.
Common Examination Findings & Supervisory Priorities
Each regulator specifically spoke to their common examination findings and supervisory priorities, which differed slightly among the group. As such, we have broken down the discussion by regulator.
As indicated by the OCC’s semi-annual risk perspective published earlier this year, bank risk management of cybersecurity threats currently ranks as #1 on the agency’s priority list. However, the agency has several other priorities specifically related to compliance and BSA. Complex money laundering and terrorist financing threats continually challenge bank BSA programs and resources. Specifically, you should be paying attention to how customers are moving money and how they are opening accounts. Cryptocurrency has been one such method observed.
Compliance risk remains elevated. As noted above, it is difficult for community banks to manage money laundering risk in our environment. Amendments to regulations over the last few examination cycles have challenged bank compliance management systems. Implementing policies and procedures is key and you must ensure that changes – when made – are included in policies and procedures. Additionally, new delivery channels present elevated risks and resource needs. Mobile banking and mobile deposit make your services more accessible to your customers. However, fraud risk has increased with these services and the regulators have seen evolving criminal methodologies utilizing these technologies. If there is a vulnerability in your technology, it can create an inroad for criminals.
The examiner from the FDIC indicated that FDIC-supervised banks are doing well overall from a compliance perspective; most have a good infrastructure in place. Risk assessments are performed by the examiners offsite to scope each examination. One interesting thing that they are finding is that attention to critical areas can wane over time. For example, when TRID was first implemented, the regulators saw significant attention and resources paid to this area. However, as time went on, audits have been delayed, are falling behind, or there is no ongoing audit process in place. The breakdown in this control has resulted in deficiencies and violations being cited.
In both regulatory panels, the FDIC specifically addressed the criticality of Fair Lending. This is one area that will never be scoped out of a compliance examination. You must ensure that you are paying attention to how you grow and the controls you have implemented to address that growth. For example, if you acquire or develop a loan production office (LPO), you must be mindful of the distribution of loans originated and not originated (i.e. withdrawn, denied, etc.) out of that LPO. Are there gaps in lending activity within your reasonably expected market area (REMA)? Are you showing a sufficient distribution of lending within majority-minority and integrated-minority census tracts? You will want to address, account for and assess changes in your market, staffing, underwriting standards, pricing, compensation, products and services, and control structure within your Fair Lending Risk Assessment.
UDAAP has been an area in which common findings have been cited and continues to be a priority risk area. Violations can either impact a large number of customers affected by small dollars or a small number of customers affected by large dollars. Add-on products have been a primary contributing factor to UDAAP violations. Benefits that have been disclosed but not received are one of the key issues that have arisen. You will want to make sure that your disclosures match your practices and rigorous testing is conducted, particularly when a change has occurred. You will also want to make sure that all marketing materials are reviewed comprehensively prior to publication or posting. As a reminder, UDAAP violations can and will impact your CRA rating.
Effective third-party vendor management remains critical. Be proactive and effectively manage and monitor your vendor relationships. Make sure contracts with vendors include service level agreements and that you have access to complaint information that the vendor receives and/or addresses on your behalf.
There has been focus on third-party lending. The FRB indicated that you should exercise caution in this area. Vendor relationships may vary by institution (i.e. the same vendor may have different contracts or services tailored to each institution), so you cannot assume that because one institution uses a vendor, that vendor would pass muster for your own. You need to risk-assess what you are getting into.
Sales incentives – how you incent your lenders and CSRs – are a looked at closely. After the Wells Fargo debacle a few years ago, there’s no wonder why. The Loan Originator Compensation Rule guides compensation for your mortgage loan originators, but what about the others? You’ll want to monitor compensation and incentive programs for any suspicious behaviors.
Crossing over into the BSA/AML realm, the FRB specifically mentioned human trafficking. The emphasis of this discussion was that it is not a big city issue; it can – and does – happen in small towns. In many cases, people are being brought across the border with the promise of jobs, only to be taken to remote areas where they are put to work essentially as indentured servants. But, how can you spot this? In the regulatory panel in Ohio, the examiner from the OCC provided a scenario: The bank had, as its customer, a man who was employed as a pizza delivery man. He consistently transacted in cash, but they noticed that he didn’t have any direct deposits coming in, such as paychecks from the pizza shop. The bank also noticed that he purchased tickets to Las Vegas frequently – and in many cases, purchased more than one ticket but only one was round-trip. When it came down to it, he was trafficking people between his small town and Las Vegas, all the while posing as a pizza delivery man. This is a perfect example of how effective monitoring processes can identify transactions or activity that does not add up given the customer’s occupation or nature of business.
Q. Do you have any insight on whether the NFIP will actually expire on November 30, 2018?
A. There is no current indication of whether the NFIP will be allowed to expire or whether it will be again reauthorized.
Q. Are we required to have compliance reviews for military protections (i.e. Servicemembers Civil Relief Act and Military Lending Act)?
A. It depends. The frequency within which this topic is reviewed or audited is risk-based. If you are not changing markets or geographies and your risk has not changed, it may be appropriate for compliance with military protections assessed on an 18-month cycle. One caution: You should have sufficient testing in place to ensure you are complying with SCRA and MLA requirements. These are two areas where many community banks do not have a lot of activity and the less you do something in the normal course of business, the more likely processes are not followed when a covered circumstance presents itself. Remember, complacency is not your friend.
Q. If we qualify as a small creditor, and are therefore exempt from HPML requirements, do we still need to determine HPML status during underwriting?
A. If you are a HMDA reporter, you will still need to determine a rate spread if you are not eligible for the partial exemption. Similarly, if you are selling your loans on the secondary market, you will also need to determine HPML status. However, if neither report HMDA nor sell your loans on the secondary market, you would not be required to determine HPML status as a small creditor.
Q. How often should an automated AML model be validated, and are there specific factors on which you base the frequency? Would the guidance recently published about collaboration of BSA resources extend to model validation?
A. Once you have enough data and run the model for 12-18 months to get information to compare the automated model to the old system (which should run on a parallel track for the initial period), the automated model should be validated. You want to make sure that you are not missing anything by fully integrating the automated model.
The OCC published Bulletin 2011-12
that addresses sound model risk management practices. Specifically, we refer you to Section V that outlines significant changes to a model. When there are significant changes to a model, changes to scenarios or changes to the input, the model should be validated. If there are no changes to the model, scenarios, input or your risk profile, it may be appropriate to validate the model every 18-24 months. To date, there has not been a known case of collaboration on validation. However, this may be something we will see going forward.
Q. If we have a BSA monitoring system n place, how should be monitoring higher risk customers? Should we still be conducting quarterly targeted reviews, or could we set up specific alerts to monitor them on an ongoing basis?
A. It depends on how the alert system is written. The OCC specifically mentioned that the agency is more of a proponent of looking at the customers on a targeted basis rather than relying upon artificial intelligence.
Q. What is expected in terms of addressing HIDTAs and HIFCAs within our market?
A. An analysis of your exposure to HIDTAs and HIFCAs should be incorporated within the following components of your risk assessment: products, services, geographies and customers.
Q. Are we required to provide full SAR information to the Board?
A. No. You are not required to provide copies of the SAR or SAR details to the Board. Most commonly, the BSA Officer will only provide summary information to the Board to maintain confidentiality of SAR contents.
Q. Do you have any thoughts on whether new or revised overdraft guidance will be issued?
A. Examiners from the FDIC indicated that this topic has been discussed at length internally; however, none of the three agencies anticipate guidance to be issued in the next 12 months.
Q. Can we require a police report, written affidavit, or written complaint in response to a customer’s report of unauthorized transactions under Regulation E?
A. You cannot require a police report; however, you may request a police report. You must get enough information from the customer to identify the transaction, the customer, the account and a description of the unauthorized activity, which can be obtained verbally or in writing.
Q. Do you anticipate changes funds availability provisions of Regulation CC in the next 12 months?
A. There are no plans for changes to Regulation CC currently underway.
Q. Do you draw a line of distinction between banking customers who are involved in CBD oils, hemp and other marijuana-related businesses?
A. It depends on State law. In some states, CBD, hemp and marijuana (medical and/or recreational) are treated in the same way as they are derived from the same plant. However, other states make a distinction between the products and the businesses. You should consult your state’s laws to make the determination of the businesses that should be defined as marijuana-related businesses (MRBs) and identified, monitored, managed and reported as such.
Q. If we put controls in place to ensure compliance with FinCEN guidance and the Cole Memo, can we bank MRBs? Would banking MRBs automatically trigger enforcement action or would you take into consideration the adequacy of our controls and monitoring?
A. We would look at the infrastructure and controls you have established to determine whether you have processes in place to address and monitor the risks outlined in the FinCEN guidance and Cole Memo. The approach would be risk-focused; simply banking MRBs would not trigger an automatic enforcement action.
Q. Do you have any plans to release guidance on developing a compliance risk assessment that goes beyond operational risk?
A. The FRB has developed risk-based guidance. The largest issue the examiners are seeing is a lack of understanding between inherent risk and controls (e.g. rating inherent risk lower because of controls).
Q. What is expected in terms of identifying and documenting private banking customers?
A. Typically, private banking or trust customers are kept separate from banking partners. If you are doing true private banking, rather than simply managing higher net worth customers, there are specific rules you must follow and manage those private banking customers appropriately. If you have such customers, you may consider contacting your regulator’s trust examiners for specific guidance.
CDs and FinCEN’s exceptive relief…AGAIN
Another little nuance of Exceptive Relief has revealed itself. Last month we discussed how the narrow definition of certificates of deposits within the guidance excludes no-penalty CDs or those in which deposits may be made during the term of the CD. To reiterate: If you offer a no-penalty CD or allow deposits during the term of the CD, your product would not qualify for the exceptive relief and you would have to address beneficial ownership requirements for those established prior to May 11, 2018 and those originated thereafter. Discussion of this exclusion led us to another question: What if you have a CD that has an early withdrawal penalty and the customer cannot make deposits during its term, BUT the customer can make a deposit during the grace period between maturity and renewal? Would that product qualify for exceptive relief? No. Even if the customer does not make a deposit during that grace period, the simple fact that your product allows for it excludes it from exceptive relief.