Wednesday, July 24, 2024

January 2014 Legal Briefs

  • Resolutions for your bank to consider

By the OBA Compliance Team

It’s January, the time of year when many of us resolve to make positive changes in areas both personal and professional. For this edition of Legal Briefs, we offer up our own suggestions for “resolutions” for your bank to consider. Do you need to lose some compliance weight and discard old files and forms? Do you need to be more observant and listen to what employees are saying to customers (or what your ads and disclosures are telling customers)? Do you need to be more vocal and point out potential issues in a quality control check before they become UDAAP issues in a marketing campaign or loan program? It’s time to get it all covered.

Here, in no particular order, are our thoughts to spur your compliance New Year’s resolutions to kickstart your 2014.

Examine all appraisals as soon as they come in, paying particular attention to whether the appraisal indicates there is a potentially flood-insurable structure you didn’t know about on the property.

Listen to your frontline employees as they chat with customers, being attuned to any misstatements that could create problems and misunderstandings, such as a teller responding to a customer’s question “When will I know if this cashier’s check is good?” by saying “The funds will be in your account tomorrow.” Reg CC mandates availability, but it doesn’t mean that the underlying item whose funds you have made available is legitimate, unaltered, and backed by good funds. Correct and retrain, where necessary.

Make sure someone in your institution reads about the multi-billion-dollar Ocwen Financial Corporation enforcement action that involves allegations of years of systemic misconduct, including unfair shortcuts, unauthorized fees, deception, illegal foreclosures, and other illegal practices. Hope that nothing sounds remotely familiar to anything your institution is doing.

Do a systematic review of all of your institution’s marketing and other customer communications to make sure your services and products deliver what you say they do. Watch out for any hidden pricing questions or incomplete information about signing up for a product or service that might mislead someone. If there are hoops the customer must jump through to obtain benefits, make sure they are clearly explained.

Ensure that your bank has a centralized control over customer complaint handling, with clear assignments of responsibility and monitoring of turnaround metrics. Be certain that all staff members can recognize a customer complaint and know how to route it properly through the organization.

Undertake a periodic review of complaint logs looking for any patterns that hint at systemic problems, potentially misleading customer-directed information, or any hint of deceptive language. Ensure transparency in all such information.

Observe and review how EFT error claims are handled by your bank’s staff. Ensure that consumers are not denied their rights under Regulation E by imposing more onerous claim requirements than required by the regulation.

Listen to customer contact employees as they explain bank policies to customers or other members of the public. Ensure they aren’t using “the PATRIOT Act” or other easy escapes to explain away policies and procedures that the bank has established for its own reasons.

Review exception holds placed on deposited checks to ensure that “reasonable doubt” holds are not being placed solely because the paying bank can’t be reached or won’t verify the check.

Examine what you’re doing on the new appraisal notice requirements that take effect January 18, 2014. If you don’t make HPMLs at all, you only have to concern yourself with the Reg B appraisal provisions. Keep in mind that the Reg B requirements come into play regardless of the type of applicant or purpose of loan, so long as it would involve a first lien on a dwelling. Both open end credit and closed end are covered.

Get up to speed on the new virtual currency. Bitcoin is the biggest and most heavily publicized, but there are others and you will want to understand how they work and how they could impact you.

Update your Red Flags Identity Theft Prevention Program. Begin by updating your risk assessment. There have been many new developments in this area. Identify the new threats. Examine your counter-measures. Tweak your procedures and program.

In view of the fact that the number of bank robberies in Oklahoma nearly tripled in 2013 over the previous year, review and refresh your robbery training and procedures. Elaine Dodd, who heads up the OBA fraud department, has ideas.

Review written policies and procedures for references to old regulations that have been replaced by the CFPB rules (old references to the FRB version of Regulation Z will often cite “section 226.xx,” for example). Where possible, eliminate those citations altogether, because regulations change. If you must include citations, update them to the new CFPB regulations. In most instances, you’ll simply swap the old first digit of “2” in former FRB regulations for “10” (e.g., 202.13 becomes 1002.13), but there are a few other differences. For example, don’t forget that old section 226.5a became section 1026.60 under the Bureau, and section 226.5b became section 1026.40. The Bureau also rewrote all those old Federal Reserve Regulation Z footnotes into the text of the regulation.

Another set of policies or procedures that might include outdated citations are BSA/AML documents. If you still cite Treasury’s old Part 103, it’s time to use FinCEN’s Chapter X citation translator tool or cross-reference index (both can be found at to bring those citations current. Here again, it’s better, if you can, to eliminate the citations, but update the ones you have to keep.

Make sure the actual practices in your organization truly match the policies & procedures in all areas, especially lending. Good policies and procedures that aren’t followed won’t pass a review, audit or exam.

Be responsive to customer requests to cancel or change products such as an identity theft protection plan or credit insurance. Failure to make customer-requested changes and continuing to charge for products the customers wished to cancel generated negative press for the offending institutions in 2013.

Document, document, document. Especially in the lending area. Remind all loan officers and underwriters that the reason for any exception from policy, loan pricing, etc. must be clearly and completely documented. Then go verify that it is being done. Trust, but verify.

Be certain that all customer contact staff members understand what may and may not be required when responding to customer claims of unauthorized transactions covered by Reg E. No, the regulation is not fair (to banks) …it’s a consumer protection reg.

Make sure your vendor management process is up to speed. Have all vendors been identified? Are all documents in order? Are your vendor risk assessments up to date? Ensure that your process to verify vendors are complying with all regulatory requirements is robust enough. If the vendor interacts directly with your customers, do you know what they are saying? If not, find out. You are responsible for what your vendors do, whether it is right or wrong.

Look at the types of loans being made secured by a dwelling. If the loan you are making is not going to be a “general” QM under .43(e)(2), don’t restrict yourself to a 43% debt-to-income limit or require the use of Appendix Q. You still have to comply with the ability-to-repay rules in Reg Z, but your bank sets the specifics of how you comply.

Do you offer “deposit advance products”? (If you aren’t familiar with the term, read the guidance.) Make sure your deposit advance products meet safety and soundness expectations of regulators (OCC and FDIC — state-chartered Federal Reserve member banks aren’t technically covered by this Guidance, but it’s still good advice).

Make sure the deposit advance product portfolio is handled appropriately, including meeting established credit risk standards relating to capital adequacy, reliance on fee income, and adequacy of the allowance for loan and lease losses. Be sure underwriting policies and procedures are complete and include customer eligibility and ability to repay components. Do you allow a “cooling off” period of at least a 1 month statement cycle after repayment?

Have someone in your institution read the fair lending settlement between the Bureau, DOJ and Ally Bank, especially if your shop does any type of indirect lending. Allowing dealers to use discretion in pricing that impacted dealer compensation was the big issue here. Check your dealer compensation methods.

Review your business continuity plan and make sure it is in good shape. While you are at it, check the business continuity plans of your key vendors.

If you lend in states other than Oklahoma, make sure you understand each state’s laws and are properly complying with all applicable laws. You may also want to review the CFPB complaint against CashCall Inc., an online loan servicer, that found out the hard way that loans made in violation of state consumer protection laws that set limits on interest rates and fees are not valid, and to attempt to collect them is considered a UDAAP violation by the Bureau.

Investigate marketing and other areas of the bank’s ideas regarding the use of social media. Then keep the recent FFIEC guidance close to be sure you’re catching all the existing rules and regs that may apply to the use of social media in various circumstances.

Be sure you know who is an “insider” in your bank for Reg. O purposes. You should have an ongoing list, but the new year is a great opportunity to verify the correctness of the list. Were there officers who left or were promoted this last year? Do these new “insiders” know about their new responsibilities, borrowing limitations and reporting requirements? They need to be trained, perhaps with a one or two page document that they can acknowledge and return for your compliance training records, yet retain a copy of for reference. You will find reference information in §§ 215.4, 215.5.

Ensure your mortgage lenders are up to speed on NMLS registration. Did anyone miss the renewal period because of vacations, the holidays or working on new regulatory requirements and allow their registration to lapse? Regardless of the reason, if there is a lapse it now has to be fixed. From the Federal Registry Resources website, “If the renewal process was not completed prior to December 31st, the MLO will have an ‘Inactive’ registration status both in NMLS and on NMLS Consumer Access. Inactive registrations must be reactivated in order to have an “Active” registration status.”

Make sure your Security Officer got the Annual Security Report done. This is still required under § 208.61(d) and can slip through the cracks, especially if you have a new Security Officer. There is a free template for this report courtesy of Dana Turner and the BankersOnline Banker Tools.

On a similar note, verify the Information Security Report under GLBA – Appendix B to 12 CFR part 30 was filed. (This cite is for national banks, if your regulator is other than the OCC you’ll have the requirement but under a different citation.) This report will describe the overall status of your information security program and compliance with the Interagency Guidelines for safeguarding customer information. After the December Target breach and renewed attention to information security, this should have moved up a notch on someone’s To Do list. Each bank has to report certain information to its board or an appropriate committee of the board annually. The report should include pertinent issues related to your program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

Verify the annual notices were completed as necessary, or are about to be, for the Reg E annual error resolution notice (if you use the annual notice, Reg E Appendix A, A-3), Privacy (§ 1016.5) and Reg Z Billing Rights (§ 1026.9(a)).

The Community Reinvestment Act Public File is to be updated by April 1, but this is one of those that is best updated as you go. Customers are not looking at this often so ensure there is no dust collecting on yours and have it updated, or at least reviewed, to know it is current.

Six areas of training are required to be done on an annual basis. Ensure your staff has been trained on:

  1. BSA (12 CFR §21.21(c)(4) and §208.63(c)(4) Requires training for appropriate personnel.)
  2. Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii) Requires initial & periodic training)
  3. Reg CC (12 CFR §229.19(f) requires providing each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee)
  4. Customer Information Security found at III(C)(2) (Pursuant to the Interagency Guidelines for Safeguarding Customer Information, training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
  5. FCRA Red Flag Identity Theft program (12 CFR 222.90(e)(3) Train staff, as necessary, to effectively implement the Program and yes, this is still an FRB requirement in the citation.)
  6. Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November, 2010.

As it relates to training, resolve that your compliance program be proactive instead of reactive in 2014. Look at your audit calendar three months in advance and train on that. As an example, if in May you plan on doing a Reg CC audit, train for that in February. When you complete your audit you’ll not only be able to say training was conducted, but you can look for any pattern of violations or discrepancies and determine if they were more or less frequent before and after the training. This can validate the training that was done, or indicate what needs refinement.

Test the new disclosures and notices your vendors are providing. We are hearing of some banks that are getting disclosures very near the deadline for implementation. In a perfect world this may work but employees need training on how to fill in the blanks and the bank has to know that systemically the disclosures are correct and that the process from data collection, to disclosure, to closing, to programming, has all been addressed and everyone understands where data goes and where it comes from and that the calculations are correct. Have each of these been tested?

Rid your archives of dead weight. The New Year is when we often go through retention and destroy old documents. With all the new forms coming to the loan side of the bank, which forms can you get rid of, and which do you have to keep? Ensure you have a good inventory system so you know what stays and what goes.

Have you created a “forms book”? If not, we’d recommend it. Take each form used in your bank that is compliance-related and put all of them in a binder (or electronic record book if you’re able). Highlight and indicate on each form where regulatory requirements are being met. This way you know the form makes the required disclosures, and if that form or the regulation changes, you will know how you must react. If this is a project you’ll start, start with the new forms your vendors are making available to you on the new loan requirements. These are the most vulnerable areas you have right now and it will help bring you up to speed on the finer points of the new requirements.

Think Fed Wall. You probably have one wall where there are a lot of federally required signs posted. This deserves an annual review to ensure things are up to date, haven’t been moved, and are visible as they should be. Were plastic trees placed in front of these or furniture that makes them hard to see? Little things matter. The BOL Bankers Tools page has several signage checklists to help on inventory control on this topic.

Review how fees are charged for overdrafts. Make sure they are all fully and completely disclosed so customers have a complete understanding and the ability to reduce or avoid fees. Be sure that daily fees are not being charged for days the bank is not open, such as Sundays or legal public holidays.

Review the customer due diligence and enhanced due diligence program to confirm that parameters do not need to be modified to identify the type of customers, type of product or service, geographic location or anticipated account activity that would trigger enhanced due diligence. Confirm all the appropriate information is collected, analyzed and retained.

Have someone review the private student loan portfolio to determine if the workout program is working effectively. Review information provided to borrowers to confirm the information explaining the options available for workouts, eligibility criteria, the process to request a modification, and contact information are clear and provided to potentially at risk (or all) student loan borrowers.

Gather and process all property that has been determined to be abandoned.

These last few resolutions are a little longer and need just a bit more explanation.

Examine where you are in terms of threshold numbers.

Has someone in your organization been keeping track of threshold numbers for you? Start with the number of consumer foreign remittance transfers your bank made during all of 2013. If you have any hope of qualifying your bank for the de minimis “safe harbor” from compliance, you need that number, and it needs to be 100 or less.

How about your bank’s asset size at the close of business on December 31, 2013? It’s important! For example, if your total assets at the end of either of 2012 or 2013 were less than $1.202 billion, you’re considered a small bank under CRA regulations. And if your assets were at least $300 million at the end of BOTH of those years (and less than $1.202 billion at the end of either year), you’re an intermediate small bank.

That asset size also can affect whether a small bank needs to collect HMDA data. If your bank had assets of $43 million or less at year-end 2013, you may not need to collect HMDA data.

Check that year-end asset total to see if you may be eligible under the asset test for an exemption from the escrow requirements for Higher-Priced Mortgage Loans (HPMLs). You’ll have to meet four tests in all for this exemption, but the asset size cap just got moved up to $2.028 billion (as of year-end 2013) for the 2014 exemption. If your total assets were above this figure, and you make HPMLs, you will have to escrow.

Another “bean-counter” reminder: If you snuck in under that $2.028 billion asset cap for the HPML escrow exemption, you also need to know how many first-lien closed-end consumer credit transactions secured by a dwelling your bank made in 2013. Don’t include in your count any loans secured by a consumer’s interest in a timeshare plan. Do include any loans made by any of your affiliates. If the number is 500 or fewer, you’ve met the second test for an exemption in 2014 from the HPML escrow requirements.

Understand the new account before you open it

Ask questions and get information and ALL documentation BEFORE you open that new account.

Does the Memorandum of Trust the customer’s lawyer provided give the bank all the information needed? Who are the successor trustees and when do they have authority? If there are multiple trustees, can they act independently? What constitutes “incapacity” of a trustee? Who are the beneficiaries? (Yes, the bank needs this information for FDIC deposit insurance purposes!)

Did the custodian on the UTMA name a successor together with contact information? Does the custodian understand the funds are now to be used solely for the benefit of the minor and must be disbursed to the minor at age 18 but no later than 21 no matter how the custodian feels about the minor’s ability to manage the money? Is a court order the basis for the UTMA? Get a certified copy of the order and prevent all withdrawals without court order until the minor reaches age 18!

Does the name of the partnership contain the last names of ALL the partners? If not, has the partnership filed a Certificate of Fictitious Partnership Name?

Has the corporation provided a copy of its by-laws? Is it operating under other than its legal name (the name it registered under with the Secretary of State)? If so, has it filed a Trade Name Report with the Secretary of State?

Do you have contact information for pay on death beneficiaries? You will save yourself time and aggravation if you will obtain it when the POD beneficiaries are named.

If the deposits held in sole ownership exceed $20,000 and have no POD named, perhaps the bank may wish to contact the customer regarding adding one or more PODs. Likewise, if there is a sole lessee on a safe deposit box and your bank offers the option of naming an access on death deputy, perhaps the bank may wish to contact the lessee regarding this option.

Handle tax refunds properly

There is a three-year statute of limitations on Treasury checks, so make sure these are indorsed by all payees. Unfortunately, it is not uncommon for John Doe to want to cash the check at the drive-through with his girlfriend sitting next to him in his pick-up, and she indorses the check as Jane Doe. Unless you want to be liable to Jane for her share of the refund, get positive ID from the passenger! If John has a sole ownership account, don’t deposit it into his account unless Jane indorses it in your presence, even if Jane has an account with your bank: it is still a third-party indorsement as to John’s sole ownership account.

Another situation which unfortunately cannot be prevented before it happens, is when someone who is a non-owner on the account, e.g., a child, spouse or boy/girlfriend has a refund directly deposited into the customer’s account. This is a “no-no” even if the customer is aware of it and/or the non-owner is an authorized signer on the account. The instructions for the 1040 state: “Do not request a deposit of any part of your refund to an account that is not in your name, such as your tax preparer’s account.” Further, the instructions warn the taxpayer that a direct deposit request may be rejected when the financial institution “will not allow a joint refund to be deposited into an individual account. The IRS is not responsible if a financial institution rejects a direct deposit.”

Not infrequently, the account owner is a judgment debtor or owes child support. The garnishment or child support levy hits, and the non-owner’s refund goes to the judgment creditor or DHS. While NACHA doesn’t care whose name is on the account, unfortunately, the U.S. Treasury does, whether it is a social security, veteran’s benefit or a tax refund.

Bone up on campaign accounts

On my list of FAQs is: What do we need to open a campaign account? The account will need an EIN. It is an unincorporated organization as far as classification, but non-profit association is a better choice (the IRS will provide a letter, but this may take several weeks). These accounts are eligible to be NOW accounts under Reg D.

You will need the Ethics Filing Form SO-1 ( if the candidate is running for state office or Form R-1 ( if the candidate is running for county, municipal or school board office. The form will indicate who is on the campaign committee for purposes of signatory authority. For all expenditures over $50, these must be done by check signed by one of the following: the candidate, the treasurer, the deputy treasurer or the chair of the committee. Other forms with regard to campaigns, here is a link to the ethics forms page:

Watch out how you handle payment of funeral expenses

Another FAQ involves payment of funeral expenses and/or expenses of the last illness. If there is one or more pay on death beneficiaries, each is free to provide the bank with written instructions with regard to the payee of his portion. If there is no POD, then the bank may pay the funeral home if the funeral home bills the bank directly, there is no prepaid funeral insurance and the funeral is commensurate with the deceased’s station in life. If the funeral has already been paid for by a family member or friend, then the funeral home can make a refund to that person, and the bank will be protected. Why? No other creditors nor heirs can claim priority of payment under either Title 58 or Title 84.

Title 58 O.S. Sec. 591:

The debts of the estate must be paid in the following order:

  1. Funeral expenses.
  2. The expenses of the last sickness.
  3. Funds necessary for the support of the family and allowed by the court pursuant to the provisions of this chapter.
  4. Taxes to the United States or the state, county, or city.
  5. Debts having preference under the laws of the United States and of this state.
  6. Judgments rendered against the decedent in his lifetime, which are liens upon his property and mortgages in the order of their date.
  7. Demands or claims which are presented to the executor or administrator for an allowance or proved within two (2) months after the first publication of notice to creditors.
  8. All other demands against the estate except those set forth in paragraph 9 of this section.
  9. Interest resulting from the extension of time for payment of federal estate or transfer taxes. Such interest shall be a cost of administration but shall not be deductible in arriving at the Oklahoma net taxable estate under Section 808 (g) of Title 68 [68-808].

Title 84 O.S. Sec. 17

No person has any power, as an executor, until he qualifies, except that, before letters have been issued, he may pay funeral charges and take necessary measures for the preservation of the estate.

On the other hand, paying expenses of the last illness should be left to the heirs or to the personal representative in a probate since the bank would need to give notice to all claimants in this category, verify and approve the claims, and make a pro rata distribution if sufficient funds were not available to pay the claims in full in order to avoid liability.

Got it all covered? Then it should be a happy new year indeed!