Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 9, the Federal Reserve Board announced that it entered into a cease and desist order on December 30 with a Texas state-chartered bank due to “significant deficiencies” in the bank’s Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance program that were discovered in its latest examination of the bank. The requirements set out for the bank in the order include:
- Board oversight. The bank must submit a board-approved, written plan to improve oversight of BSA/AML requirements.
- BSA/AML compliance program. The bank must submit a written BSA/AML compliance program that includes BSA/AML training; independent testing of the compliance program; management of the program by a qualified compliance officer with adequate staffing support; BSA/AML compliance internal controls; and a BSA/AML risk assessment of the bank, its products and services, and its customers.
- Customer due diligence. The bank must submit a revised customer due diligence program that includes policies and procedures to ensure accurate client account information; a plan to bring existing accounts into compliance with due diligence requirements; a method to assign risk ratings to account holders; policies and procedures to ensure proper customer information is obtained according to the risk of the account holder; and risk-based monitoring procedures and updates to accounts.
- Suspicious activity monitoring and reporting. The bank must submit a written suspicious activity monitoring and reporting program that includes a documented process for establishing monitoring rules; policies and procedures for review of monitoring rules; customer and transaction monitoring; and policies and procedures for the review of suspicious activity.
In January, the NCUA issued a letter to board of directors and chief executive officers at federally insured credit unions outlining the agency’s 2020 supervisory priorities. Top supervisory priorities include:
- Bank Secrecy Act/Anti-Money Laundering (BSA/AML). Examinations will continue to focus on customer due diligence and beneficial ownership requirements. The NCUA will also collaborate with law enforcement and banking regulators on initiatives such as updates to the FFIEC’s BSA/AML examination manual and enforcement guidelines, guidance concerning politically exposed persons, and measures for improving suspicious activity and currency transaction report filing procedures.
- Consumer Financial Protection. Based on a rotating regulation review cycle, NCUA examiners will review compliance (at a minimum) with the following regulations: the Electronic Fund Transfer Act, Fair Credit Reporting Act, Gramm-Leach-Bailey (Privacy Act), Payday Alternative Lending and other small dollar lending, Truth in Lending Act, Military Lending Act, and the Servicemembers Civil Relief Act.
- Cybersecurity. In 2020 the NCUA will continue conducting cybersecurity maturity assessments for credit unions with assets over $250 million and will begin to assess those with assets over $100 million. In addition, the NCUA intends to pilot new procedures—scaled to an institution’s size and risk profile—to evaluate critical security controls during examinations between maturity assessments.
- LIBOR Cessation Planning. Examiners will assess credit unions’ planning related to the discontinuation of LIBOR. According to the NCUA, credit unions should “proactively transition away from instruments using LIBOR as a reference rate.”
Other areas of focus include credit risk, current expected credit losses, liquidity risk, and modernization updates. The extended examination cycle will continue to apply to qualifying credit unions.
On December 9, the CFPB released a special edition of its fall 2019 Supervisory Highlights, focusing on recent supervisory findings in the areas of consumer reporting and information furnishing to consumer reporting companies (CRCs). This is the second special edition to focus on consumer reporting issues, and follows a report that the Bureau released in March 2017 covered by InfoBytes here. According to the Bureau, recent supervisory reviews of FCRA and Regulation V compliance have identified new violations as well as compliance management system (CMS) weaknesses at CFPB-supervised institutions. However, the Bureau noted that examiners have also observed significant improvements, such as continued investment in FCRA-related CMS.
Highlights of the supervisory findings include:
- Recent examples of CMS weaknesses and FCRA/Regulation V violations (where corrective action has either been taken or is currently being taken) in which one or more (i) mortgage loan furnishers did not maintain policies and procedures “appropriate to the nature, size, complexity, and scope of the furnisher’s activities”; (ii) auto loan furnishers’ policies and procedures failed to provide sufficient guidance for investigating indirect disputes containing allegations of identity theft; (iii) debt collection furnishers’ policies and procedures failed to differentiate between FCRA disputes, FDCPA disputes, or validation requests, leading to a lack of consideration for applicable regulatory requirements when handling these matters; and (iv) deposit account furnishers lacked written policies and procedures for furnishing or validating the information provided to specialty CRCs.
- Examiners found that one or more furnishers provided information they knew, or had reasonable cause to believe, was inaccurate. Examples include inaccurate derogatory status codes due to coding errors and unclear addresses for consumers to submit disputes.
- Examiners discovered several instances where furnishers failed to send prompt notifications to CRCs after determining that information previously furnished was inaccurate, including situations where furnishers failed to promptly update or correct information after consumers paid charged-off balances in full or discharged them in bankruptcy.
- Examiners found that some furnishers reported the incorrect date of the first delinquency in connection with their responsibility to provide notice of delinquent accounts to CRCs.
- Examiners found several instances where furnishers failed to investigate disputes, complete investigations in a timely manner, or notify consumers of certain determinations related to “frivolous or irrelevant” disputes.
The Bureau also discussed supervisory observations concerning CRC compliance with FCRA provisions, and commented that CRCs continue to (i) improve procedures concerning the accuracy of information contained in consumer reports; (ii) implement improvements to prevent consumer reports from being furnished to users who lack a permissible purpose; (iii) strengthen procedures to “block information that a consumer has identified as resulting from an alleged identity theft”; and (iv) investigate and respond to consumer disputes.
On August 14, HUD published revisions in the Federal Register to the Federal Housing Administration’s (FHA) lender certification requirements originally issued in May. (Previously covered by InfoBytes here.) In response to comments received on its initial proposal, HUD released a proposed streamlined FHA Annual Lender Certification, which removes a broad statement regarding lenders certifying compliance with all HUD requirements in order to maintain FHA approval. Commenters generally recommended HUD: “(1) Rescind the annual certification statements since the National Housing Act does not require certification of compliance with FHA eligibility requirements or completion of an annual certification; or (2) revise the annual certification statements to a general acknowledgement of the existence of policies and procedures that are reasonably designed to ensure material compliance.” Comments are due September 13.
On July 17, the CFPB issued an updated advisory to financial institutions with information on the financial exploitation of older Americans and recommendations on how to prevent and respond to such exploitation. The update urges financial institutions to report to the appropriate authorities whenever they suspect that an older adult is the target or victim of financial exploitation, and recommends that they also file Suspicious Activity Reports (SARs) with the Financial Crimes Enforcement Network (FinCEN). The update builds on an advisory that was previously released by the Bureau in March 2016 (covered by InfoBytes here), which included recommended best practices to help prevent and respond to elder financial exploitation, such as (i) establish protocols for ensuring staff compliance with the Electronic Fund Transfer Act; (ii) train staff to detect the warning signs of financial exploitation and respond appropriately to suspicious events; and (iii) maintain fraud detection systems that provide analyses of the types of products and account activity associated with elder financial exploitation. With the release of the update, Director Kraninger noted that, “[t]he Bureau stands ready to work with federal, state and local authorities and financial institutions to protect older adults from abusive financial practices that rob them of their financial security.”
As previously covered by InfoBytes, in February, the CFPB’s Office of Financial Protection for Older Americans, released a report studying the financial abuse reported in SARs, discussing key facts and trends revealed after the Bureau analyzed 180,000 elder exploitation SARs filed with the FinCEN from 2013 to 2017. Key findings of the report included, (i) SARs filings on elder financial abuse quadrupled from 2013 to 2017, with 63,500 SARs reporting the abuse in 2017; (ii) the average amount of loss to an elder was $34,200, while the average amount of loss to a filer was $16,700; and (iii) more than half of the SARs involved a money transfer.
On July 8, the SEC and the Financial Industry Regulatory Authority (FINRA) issued a joint statement in response to compliance questions received from broker-dealer participants who handle digital asset securities. While recognizing that the application of federal securities law and FINRA rules to digital asset securities, as well as related innovative technologies, “raise novel and complex regulatory and compliance questions and challenges,” the joint statement encourages “reasonably practicable” efforts to address these issues. Among other things, the guidance emphasizes that broker-dealer participants who try to maintain custody of clients’ digital asset securities must comply with the SEC’s Customer Protection Rule to safeguard customers’ assets and prevent investor loss or harm. In situations involving noncustodial digital asset securities activities, relevant laws, rules, and requirements must also be followed, even if these activities generally do not raise the same level of concern. The SEC and FINRA also acknowledge that compliance with these rules may be challenging as technological enhancements and situations unique to digital asset securities continue to develop, and emphasize that they will continue to engage with broker-dealer participants as the marketplace evolves.
Agencies adopt final rules excluding community banks from the Volcker Rule; simplify regulatory capital rules
On July 9, the Federal Reserve Board (Fed), CFTC, FDIC, OCC, and SEC adopted a final rule implementing sections of the Economic Growth, Regulatory Relief, and Consumer Protection Act to grant an exclusion for community banks from the Volcker Rule, which generally restricts banking entities from engaging in proprietary trading and from owning, sponsoring, or having certain relationships with hedge funds or private equity funds. Qualifying financial institutions must have fewer than $10 billion in total consolidated assets and total trading assets, as well as liabilities that are equal to or less than five percent of their total consolidated assets. The rule also permits, under certain circumstances, a hedge fund or private equity fund organized and offered by a banking entity to share a name with a banking entity that is its investment advisor that is not an insured bank or bank holding company. The rule will take effect upon publication in the Federal Register.
The same day, the Fed, FDIC, and OCC also finalized a rule “intended to simplify and clarify a number of the more complex aspects of the agencies’ existing regulatory capital rules” for banks with less than $250 billion in total consolidated assets and less than $10 billion in total foreign exposure. Among other changes, the rule alters the capital treatment for mortgage servicing assets, certain deferred tax assets, as well as investments in the capital instruments of unconsolidated financial institutions. The final rule will be effective as of April 1, 2020, for the amendments to simplify capital rules, and as of October 1, 2019 for revisions to the pre-approval requirements for the redemption of common stock and other technical amendments.
On June 28, the CFPB updated its Small Entity Compliance Guide for the Payday Lending Rule, which covers the payment-related requirements of the Rule. In addition to technical corrections, the update reflects the delayed compliance date for the mandatory underwriting provisions of the Rule. As previously covered by InfoBytes, on June 6, the Bureau released a final rule to delay the August 19, 2019 compliance date for the mandatory underwriting provisions of the Rule. Compliance with these provisions is now required by November 19, 2020.
On June 24, the Conference of State Bank Supervisors (CSBS) announced that financial regulators from 23 states have now agreed to a multi-state compact that will offer a streamlined licensing process for money services businesses (MSB), including fintech firms. As previously covered by InfoBytes, in February 2018, the original agreement included seven states. According to the announcement, 15 companies are currently involved in the initiative, and as of June 20, they have received 72 licenses. The 23 states participating in the MSB licensing agreement are: California, Connecticut, Georgia, Iowa, Idaho, Illinois, Kansas, Kentucky, Louisiana, Massachusetts, Mississippi. North Carolina, North Dakota, Nebraska, Ohio, Rhode Island, South Dakota, Texas, Tennessee, Utah, Vermont, Washington, and Wyoming.
On June 4, the OCC extended the deadline for national banks and federal savings associations (FSAs) with consolidated assets between $100 billion and $250 billion to comply with the Dodd-Frank stress test (DFAST) requirements to November 25. In December 2018, the OCC issued a letter noting that prior DFAST exams and OCC supervision have indicated that qualifying banks with consolidated assets within these thresholds have adopted effective stress testing programs and integrated them into their general risk management tools, and as such, “requiring DFAST submissions for these banks in 2019 would provide limited supervisory value.” According to the OCC, the extension is consistent with the Economic Growth, Regulatory Relief, and Consumer Protection Act’s goal of reducing regulatory burden for applicable national banks and FSAs.
- Andrew W. Schilling to moderate "Expectations of in-house counsel from their law firm partners" at the ACI's 7th Annual Advanced Forum on False Claims and Qui Tam
- Sasha Leonhardt to discuss "Cybersecurity basics for compliance staff" at a NAFCU webinar
- Buckley Webcast: Tips for navigating changes to the FHA recertification process
- Daniel P. Stipano to discuss "A 20/20 view on 2020’s legislative and regulatory outlook" at the ACAMS Anti-Financial Crime and Public Policy Conference
- Kari K. Hall and Michelle L. Rogers to discuss "Overdrafts and regulatory trends" at the CLE Alabama Banking Law Update
- Kathryn L. Ryan to discuss "Industry open forum session on NMLS usage" at the NMLS Annual Conference & Training
- Kathryn L. Ryan to discuss "Regulating innovative consumer lending products" at the NMLS Annual Conference & Training
- Daniel P. Stipano to moderate "Washington update" at the 17th Puerto Rican Symposium of Anti Money Laundering 2020 conference
- Melissa Klimkiewicz to discuss "Private flood insurance updates" at the MBA's Servicing Solutions Conference & Expo 2020
- APPROVED Checkpoint Webcast: CFL overview
- Sasha Leonhardt to discuss "MLA & SCRA" on a NAFCU webinar
- Daniel P. Stipano to discuss "Pathway of the SARs: Tracking trajectories of suspicious activity reports from alerts to prosecution" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Which bud’s for you? A deep-dive into evolving marijuana laws" at the ACAMS moneylaundering.com 25th Annual International AML & Financial Crime Conference