Monday, October 7, 2024

February 2015 Legal Briefs

  • Being a smart bank
  • Groundhog day
  • Tweak, tweak
  • For a good read

Being a smart bank

Perhaps, like me, you are a person who likes to make decisions and plans based upon a proper understanding of all the relevant facts and circumstances. You aren’t one to SWAG it and you don’t like surprises. Hello, kindred spirit. Very little that I do is random. I choose the first stall in a public restroom because studies have shown it’s the least used and the cleanest. I obsessively check weather forecasts for destinations before I pack so I will be appropriately attired. I peruse a hotel’s website to determine whether I need to pack a robe.

How does that translate to the business of banking? It means being informed, double checking the facts and the regs, understanding not just what’s required, but why, watching out for trends, changes, warning signs. And it means learning from mistakes (our own and those made by others) and making adjustments accordingly. It means being methodical, strategic, smart.

As we enter the second month of 2015, we have taken a look back and identified some noteworthy trends that should influence your decision-making. In the interests of “eyes wide open,” in this edition, we’ll spotlight some of the trends that warrant your attention, because the only things in banking (particularly compliance) that should involve a swag are your drapes.

Bank Secrecy Act. It should be the subject of top level discussion within your institution. If you don’t have the right resources (whether human or technology), watch out. If there was ever a statement that should send chills down the spine of those in charge of the bank, it’s the one made by Comptroller of the Currency Curry in a speech in March. It echoes the whole “culture of compliance” concept for BSA that we first heard from the FinCEN director, then later from the other regulators. Curry stated, “The fact is, when we look at the issues underlying BSA infractions, they can almost always be traced back to decisions and actions of the institution’s Board and senior management.” Now that you understand where the buck stops, act accordingly. Recent BSA enforcement actions and consent orders are reflective of the trend towards hitting folks at the top of the bank’s food chain in the pocketbook. Money talks . . . as it is flying out of your pocket to pay a penalty. One more thing: Don’t just throw money at the problem. You can purchase the best software imaginable, but if it isn’t properly implemented and monitored, it won’t save you. I have had cringe-worthy conversations with bankers who have told me that their software generates all kinds of reports with all kinds of helpful information, but no one in the institution looks at them.

Insider lending. Just from anecdotal evidence, it appears that ever since credit standards tightened in the wake of the mortgage market meltdown, insiders have been more inclined to seek extensions of credit from their own institutions, rather than venturing out to an unfriendly external credit marketplace. As a result, we’re seeing enforcement actions arising from Regulation O violations. Every institution that engages in insider lending should ensure it has:

  • Properly identified its insiders and their related interests;
  • Paid special attention to who would be classified as an Executive Officer, since extensions of credit to EOs are subject to the most restrictive requirements;
  • Put in place procedures for ensuring that prior approval is obtained in circumstances where required;
  • Remembered to factor in the tangible economic benefit rule;
  • Observed the terms and creditworthiness requirements;
  • Developed a firm understanding of exactly what does – and does not – fall within the two categories that allow a bank to extend credit in “any amount” to any executive officer of the bank. You need to parse every word. For example, one of the “any amount” categories is for credit to finance the education of the executive officer’s children. If the EO’s spouse is back in school, credit to finance the spouse’s education falls outside this category and would instead be considered “other purpose” credit and would be subject to the $100,000 cap. The same would be true if the EO is working on a masters or law degree, or enrolled in the local votech. Children, people. Children. They are the only ones whose educational expenses qualify for the “any credit” financing for EOs. You also can’t skip any of the words used in the residence-related “any amount” credit category. The funds have to be used for the purchase or construction, or maintenance, or improvement of a residence of the executive officer. On top of that, the bank has to obtain a first lien on the residence. And the EO must own it. Seems obvious, but you could have a situation where the EO’s residence is a dwelling owned by the EO’s parents, for example. The EO wants the loan, the residence is unencumbered, and the parents are willing to give a mortgage on it. That’s just fine – but it isn’t eligible for the “any amount” category. It is subject to the “other purpose” credit category and the low cap. If it’s a refinancing, you have to look at what it is refinancing. If the proceeds from the refinance are being used to repay an extension of credit that was made for the purchase, construction, maintenance, or improvement of a residence of the EO, follow the proceeds. Proceeds used for that purpose, plus the closing costs of the refinancing – and any other proceeds that are going to be used for purchase, construction, maintenance or improvement of a residence of the EO will be eligible for the “any amount” category, but if some of the proceeds are used for something else (other than to finance the education of the EO’s children), you’re back under the “other purpose” cap. The bottom line is that the residence-based “any amount” category depends upon purpose for which the proceeds are being used (purchase, construction, maintenance, improvement), type of collateral (must be a residence of the EO), lien status (bank must get a first lien on the residence. Don’t fall into the trap of thinking that you can make home equity loans to EOs in any amount. If it’s not a first lien and if it’s not for one of the four purposes, it is an “other purpose” loan.

Credit cards for business use. If your bank issues credit cards to employees to use for bank-related expenses, you need to ensure you have appropriate internal controls in place. Regulators are looking at problems and issues that can arise in this context and we have seen enforcement actions for failing to implement and enforce adequate internal controls over the use of the Bank’s credit cards. Remember the old days when an employee would incur expenses on their own dime, then turn in expense reports for approval and reimbursement? I hated those days and those procedures, but I also found that it tended to keep employees on the straight and narrow. If the expense was in a gray area (or worse), reimbursement might be denied, leaving the employee holding the bag. With company credit cards, on the other hand, the saying “It’s better to seek forgiveness than permission” comes to mind. [For the record, I never did like that way of thinking, and still don’t.] The employee charges an expense that isn’t legit. If it is not discovered to have been impermissible, the employee gets away with it. The bank needs to have a well-drafted policy that has been clearly communicated to employees. Anyone who has ever “grabbed the wrong card” and inadvertently charged a personal expense on their business plastic, you know how easy can be. I’ve done it myself on more than one occasion. Sometimes I have realized it almost immediately. Other times, I have had no clue until the CFO calls and says “How is this charge at the hair salon for business purpose?” How mortifying. When you issue a credit card to an employee, it’s bank money they are spending and you have an obligation to police what the expenditures are for and whether they are appropriate and consistent with your policies and procedures. There should be no less documentation for charges made with the bank’s card than you would have expected for reimbursement requests for business expenses charged on the consumer’s personal card. These business cards should not be used to augment the employee’s personal funds.

Lending discrimination. It only takes one inadequately trained loan officer to screw up your bank’s reputation by doing something that makes a regulator’s jaw drop. Please tell me that no one in your bank would ever reverse a loan approval 24 hours before closing because they had learned one of the joint applicants was on maternity leave. Surely no one in your shop would tell a new mother to cut short her maternity leave and get back to work if she wanted to get her loan. You wouldn’t refuse to extend credit because the collateral would be located on an Indian reservation, would you? If an applicant is relying in whole or in part on disability income, your folks won’t be trying to have a conversation with his doctor, right? No napping allowed during fair lending training. Enforcement orders, consent decrees, settlements about all these forms of lending discrimination – and others – have been numerous in the last two years. By the way, when it comes to disability income, the CFPB put out guidance for lenders back in November, setting forth standards and guidelines to help ensure lenders comply with the law and provide fair and equal access to credit to recipients of Social Security disability income. It should be considered required reading.

Debt collection practices. When a borrower becomes delinquent, who pursues your collection options? Someone in-house? A collection agency? A law firm? This is a subject that the CFPB now has regulatory authority over and they will be issuing rules on the topic. In the meantime, the Fair Debt Collection Practices Act sets the standards here. Even when it is not directly applicable at this time (such as when an employee of your bank is attempting to collect on debts owed to it in its own name), deviation from its requirements and prohibitions will send you swimming into the murky waters of UDAP/UDAAP. That’s one swimming hole you can drown in, so corral your collectors, whether internal or external.

Servicemember lending issues. Speaking of debt collection practices, any time you have a delinquent borrower you need to be trying to determine if any of the obligors on the debt is protected under the Servicemembers Civil Relief Act. Keep in mind that the Act places limits on everything from foreclosures to self-help repossession. And it’s not just during the period of military service that an individual is protected. Under current law, it’s during military service and for a year thereafter. It used to not be uncommon, when a servicemember was late in making payments, for a lender to threaten to go to the servicemember’s commanding officer to report the delinquency, or imply that the lender could get the servicemember’s rank reduced or security clearance revoked. Those practices were always slimy. Now they are the subject of enforcement actions. Steer clear of such objectionable conduct.

Bad guys in the bank. How good are your frontline defenses? Do you feel confident that your procedures can detect identity thieves (whether posing as individuals or purporting to act on behalf of some sort of shell business) and keep them out of the bank? Could a scammer be using an account at your institution to suck up direct deposits stemming from tax refund fraud from multiple stolen identities? Do you have “shadow customers” piggybacking on someone else’s account in order to avoid detection when a garnishment or levy is received, concealing their deposits by never appearing as an owner, but merely an authorized signer? Are you banking scum – customers on whom you have repeatedly received complaints from other banks or others, indicating that funds your customer received were ill-gotten gains? Read the enforcement orders that talk about the fact that if your screening processes are inadequate, your Customer Identification Program procedures are not properly executed, you may be found to have opened the gate to the financial system for individuals and entities who will use that access to prey on others. If you place profits over protection, beware. The regulators may make you a poster child. In one recent enforcement action, FinCEN imposed a civil money penalty that equated to more than 3.7% of an institution’s total assets because it didn’t assess and manage the risks posed by certain high-risk customers engaged in high-risk activities. In connection with the imposition of the penalty, FinCEN’s director said, [The institution’s] “anti-money laundering failures exposed the United States financial system to significant opportunities for money laundering and terrorist financing from known high-risk jurisdictions. When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage.” [If it makes you feel any better, it was a credit union. But don’t believe for a minute the result would be any different with a bank.] Sometimes, what you may regard as a “good customer” (Wow! We’re getting lots of fee income from this entity…) is a customer that will get your bank’s name in the headlines – and not in a good way.

Add-on products. I’m a sucker for them on Amazon. When I put something into my online cart, Amazon’s crafty back-end software then plops up something on the screen to tell me something to the effect “Customers who bought this silly thing also bought these other silly things.” Smart merchandising. If I’m buying an Amazon Fire TV, I appreciate it when the screen tells me I’m going to need an HDMI cable. If I am purchasing a gadget, it doesn’t hurt to remind me that I will need batteries and ask me if I want to click to stick those in my cart, too. In the banking world, add-on products often arise in the credit card context. Common examples are identity theft monitoring services and products that will make payments if a job is lost. Those products are not inherently bad. I have used identity theft monitoring services since 2003 when my identity was stolen and for me, it’s paying a small price for piece of mind. The problem comes in when the marketing is misleading or deceptive or where the person paying for the service is not getting the benefit of the service. For example, with some of the ID theft monitoring services, a bank would have the consumer sign up and would start charging a monthly fee, but the monitoring wouldn’t actually begin until the consumer had jumped through some hoops to authorize access to his/her credit report or other steps. No one is watching to make sure the consumer understands the process and goes through it, but the charges keep coming every month. On the lost income protection product enforcement actions, discernment was not used in determining eligibility. If someone already had a condition or circumstance that would prevent them from receiving the benefit of the protection, they were paying for something that would yield them nothing. When a customer pays a fee without receiving a corresponding benefit, you’ve got trouble. The Bureau’s Director, Richard Cordray, put it this way: “Consumers deserve to be treated fairly and should not pay for services they do not receive.” What add-on products does your institution market? Go through the marketing materials with a fine tooth comb. Understand the eligibility requirements, triggers for obtaining benefits. If the initials UDAP or UDAAP start to form in your mind as you make your review, you need to buy some new vowels.

Falling through the compliance cracks. My team at BankersOnline serves as the compliance arm for the OBA. Every month we handle a large number of emails and phone calls from Oklahoma bankers. Many of those we hear from are smart as whips, well-trained, well-informed. There are others, however, that deserve their own charity, “Training for the Untrained.” They are well-intentioned, hard-working individuals trying their best to do their jobs without receiving the proper foundation or the appropriate updates. What a miserable job that would be. But “Yoohoo, senior management – screw-ups and liability are the natural consequence of inadequately trained bank employees.” They say and do the wrong things without even realizing it. That’s how you get an employee who says “We aren’t going to take your loan application or approve you for a loan because we suffered a loss when you claimed unauthorized transactions were made with your debit card.” “Hello, bank. Meet my friend, Reg B Violation.” Or they tell their commercial borrower “You’d better get that collateral back that you sold out of trust or we’re going to file a Suspicious Activity Report on you with the federal government.” “Hi, folks. Let me introduce you to a BSA CMP, and possibly jail time. Hope you like orange.” Or maybe it’s an uninformed employee who decides that the servicemember’s pre-service obligation isn’t eligible for the 6% cap because it was a business purpose. “Oh, I see. You want to experience the courtroom atmosphere.” In enforcement order after enforcement order we see results of situations where the bank employees didn’t know what they didn’t know. Consider training to be more in the nature of an investment, rather than merely an expense. It’s protection against smart people doing stupid things.

Groundhog Day

This week marks the weirdest holiday of the year, the one where a furry creature is persuaded to emerge from his hole to predict the weather by way of shadow/no shadow. The movie of the same name, starring Bill Murray, has come to be used to describe a situation (as in the movie) where the same events transpire over and over and over again. In honor of that meaning of Groundhog Day, we’re offering up more than two dozen of the shadowy compliance mistakes and operational bad practices that we find cycling through the industry repeatedly. If you make these mistakes, you will be facing a harsh regulatory “winter.” Thanks to Andy and John for their contributions to this list, too.

  1. Telling the customer he must file a police report before you can process his claim regarding an unauthorized electronic fund transfer.
  2. Using a signature card resolution for an entity – without inquiring about and confirming that the entity’s board (or partners or members, depending upon the type of entity) actually did vote to adopt such a resolution.
  3. Allowing an individual who is associated with multiple separate businesses and entities to access them all with a single set of online banking credentials and transfer funds between them without appropriate foundational authorizations from all the entities involved.
  4. Allowing a custodian on a Uniform Transfers to Minors Act account to use a UTMA CD as collateral for a personal loan to the custodian.
  5. Allowing owners of small business entities (corporations, LLCs, partnerships, etc.) to use online banking to transfer funds between personal and business accounts.
  6. Failing to adequately train tellers to finish gathering all the information they are going to need for completion of a Currency Transaction Report before they complete the underlying transaction for the customer.
  7. Issuing debit cards that only access savings accounts or MMDAs.
  8. Equating “investment” with “business” when deciding whether a loan has a consumer or business purpose. There are personal investments and business investments.
  9. Taking the “easy” way out and treating transactions as covered by Reg Z when a more thorough analysis would have ended with a determination that the application would properly be classified as business purpose or agricultural purpose.
  10. Allowing a consumer to sign on the wrong line at closing on a right of rescission notice. (Keep in mind that the regulation doesn’t even require a signature evidencing receipt of the notice of right of rescission. If you didn’t have one, these things wouldn’t happen.)
  11. Backdating notes and other legal documents. You damage the bank’s credibility. It is permissible for parties to agree to make a contract effective as of a particular date, but you cannot unilaterally alter something.
  12. Waiting until loan closing to check the identity of the borrowers. If it’s not really Johnny and Peggy Sue, then you’ve pulled their credit reports without a permissible purpose – and you have allowed the identity thieves to get farther into the process than you ever should.
  13. Accepting stop payments on cashier’s or teller’s checks. When you “help” a customer out by taking this action, you are walking on thin ice. Refusal to honor these instruments can make you liable not just for the face amount of the item, but also potentially for consequential damages. Let the remitter and payee slug it out. Don’t get put in the middle.
  14. Continuing to deal with someone who was attorney-in-fact for a now-deceased principal. The power of an attorney-in-fact under a power of attorney “dies” when the principal dies.
  15. Accepting a trustee’s personal power of attorney to allow the attorney-in-fact to sign on a trust’s accounts. Luke is trustee of Darth’s trust. Luke gives Leia a power of attorney to allow her to act on his behalf. Leia can’t legally use that POA to do anything on Darth’s trust, so don’t let her.
  16. Setting off personal debts to the bank against deposit accounts owned by an entity owned by the individual(s) and vice versa. If the business is merely a sole proprietorship, go for it. That means there is no separate legal entity and therefore no separation between the individual’s individual accounts and their sole proprietorship accounts. But if it is an entity – even a sole member LLC, hands off. The LLC is only on the hook for what the LLC owes and not what the individual owes, and vice versa.
  17. Knowingly permitting direct deposits (particularly tax refund payments) of one individual to be credited to someone else’s account. I call them “shadow customers.” Not a good thing.
  18. Not looking at the regulation and commentary for instructions on completing documents like the HUD-1. This leads to violations in exams and inconsistent use of the form. Line items entries put in the wrong place is one common issue. When the TRID rules (TILA/RESPA Integrated Disclosures) take effect in August, the level of detail and complexity for the Loan Estimate and Closing Disclosure will make a thorough understanding of the regulation AND the commentary critically important.
  19. Not applying the scope of coverage/exemptions funnel. If you have a business purpose loan, it won’t invoke the Reg Z ATR rule. If you have an unsecured loan, flood insurance won’t come into play, even if the proceeds are used to buy improved real estate.
  20. Using the wrong applications or poor procedures and collecting or not collecting GMI as needed. If the loan is not a HMDA loan (or if you aren’t a HMDA bank, if the loan isn’t one covered under Reg B 1002.13) you cannot request monitoring information. If the loan (and your bank) is one subject to HMDA or Reg B’s Section 1002.13, you MUST request GMI.
  21. Math errors and putting numbers in the wrong boxes. The TILA and RESPA the rules have existed for many years, but this is a continuing problem.
  22. “Waiving” flood insurance. Seriously?!? Simply not an option.
  23. Failure to get flood policies renewed.
  24. Securing documentation of intent to apply jointly at the time of application. Also, problems in handling joint applications – married or unmarried but living together, pulling joint or individual credit reports, all of which may become more complicated with same sex marriage recognition.
  25. Not involving management and the board in compliance actions – communicate.

Here is a newbie we will add as a predicted violation: Not paying strict attention to the limited transaction restrictions on savings accounts or ownership restrictions on NOWs because of confusion stemming from the fact that, yes, interest bearing checking accounts are real now and your bank may offer them, but they aren’t NOWs (which have eligibility and contractual requirements) or MMDAs (which have transfer and withdrawal limitations). The “old requirements that apply to NOW accounts and MMDAs still exist — just ask the person doing your Call Report.

Tweak, Tweak

When the big load of mortgage rules came out, we though the CFPB would never leave it alone. It was like a teenager with a newly pierced tongue. This time, when they issued the Integrated Disclosures rules, they learned from their past experience and the howls from bankers who kept trying to hit what was turning into a moving target back in 2013. They held back, gathered input, then proposed a big slug of changes all at once, rather than the piecemeal approach that led us all to want to take meds. Back in late October, 2014, the CFPB published a proposal to amend some of the mortgage servicing rules under Regulation X and Regulation Z. On January 20, 2015 the Bureau finalized those changes.

The recently finalized rules delay the deadline for providing a revised Loan Estimate resulting from rate locks to the third business day. That’s good news. Without the amendment, it would have had to be provided the same business day! It adds a disclosure to the Loan Estimate dealing with revised estimates for some correction loans, and it makes some small corrections to the final TRID rule. Plus, it provides that the name of the Loan Originator and the NMSLR ID#, if any, will need to be on the Loan Estimate and Closing Disclosure. The effective date of the changes coincides with the effective date of the TRID rules.

For a good read

No, I am not talking about some juicy regulatory issuance! I’m talking about excellent, eye-opening, banking-related pleasure reading.

When the Unlawful Internet Gambling Enforcement Act (UIGEA) was passed into law, many of us scratched our heads and wondered where it came from and why. A nonfiction book, “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet” by Joseph Menn lays out the whole sordid story. Unlawful Internet gambling is not the sole focus of the book, but it’s a fascinating part of it. The book follows greedy thieves as they move from extortion-related DDos attacks on off-shore online gaming enterprises to account takeovers, with a cast of real-life characters that ranges from porn moguls to techno-prodigy school boys. For those who have to contend with Reg GG compliance, the book brings meaning to the task, providing the “Why” behind what you are being asked to do.

Often, examples from these true crime books can be incredibly useful for your training purposes, helping you provide context and meaning. Other suggestions: “The Pretender: How Martin Frankel Fooled the Financial World and Led the Feds on One of the Most Publicized Manhunts” by Ellen Pollock. “Finders Keepers: The Story of a Man Who Found $1 Million” by Mark Bowden. “No One Would Listen: A True Financial Thriller,” by Harry Markopolos. Happy reading!