By Andy Zavoina
As we put 2016 and all its compliance work behind us, it’s nice to know we are fully prepared for 2017. Uh, we are, right?
There were many changes in 2016, some very big and some maintenance items, and it becomes easy to lose sight of the little things. This is a great time to ensure all the small, back-burner items have been taken care of. If you haven’t checked this list twice, you should give it a review.
Reg P § 1016.5 – Note, the old requirement for the annual privacy notice has been modified. As a result, your bank’s procedure may have changed. The Fixing America’s Surface Transportation (FAST) Act, which was enacted on December 4, 2015, amended Title V of the Gramm-Leach-Bliley Act (GLBA). The law now provides an exception so that banks meeting certain conditions are not required to send annual privacy notices to customers. On July 11, 2016, the CFPB published a proposal that would amend Regulation P to reflect this change. While the proposal is not yet final, the law behind the regulation has changed and banks should be able to follow the law at this time. The criteria for the exception are near the end of this part of the article. Not every institution will satisfy the criteria to take advantage of the exception, however.
When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. You must do this annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.
For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.
How do you plan to deliver your Privacy Notice? There are four acceptable means: hand delivery, mailing a printed copy, posting it on your web site and requiring the consumer to acknowledge receipt of the notice as a necessary step to obtain a particular financial product or service, or posting it as an ATM screen (again, requiring an acknowledgement before a transaction may advance).
It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank web site when the customer uses the web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. So, the demonstrable consent requirements and others in E-SIGN’s 101(c) section do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request, this method is acceptable.
Now, the exception criteria for not having to send annual notices under the GLBA. (Remember, Reg P will catch up but we believe you are compliant if you follow the law.)
Do you provide non-public personal information on customers to nonaffiliated third parties only as permitted by sections 1016.13, 1016.14 or 1016.15 of Regulation P?
Is it true that your institution has not changed its policies and practices on disclosing non-public personal information from the policies and practices disclosed to customers in the most recent privacy notice provided to customers?
If you answer “Yes” to BOTH of these questions your bank qualifies for the new exception.
Reg E § 1005.8 – If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement, or the longer version that is sent annually. Electronic disclosures under E-SIGN are allowed here. This may also be a good time to review § 1005.7(c) and determine if any electronic fund transfer services were added, and if they were disclosed as required. (If you have an open-end credit product, be sure to review Reg Z’s annual billing rights statement under § 1026.9.)
BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all of the elements of your CIP under certain conditions. The other financial institution must enter into a contract requiring it to certify annually to your bank that it has implemented its AML program.
OFAC – Did you block any assets of any individual, entity, or organization under OFAC? Banks must report all blockings to OFAC within ten business days of the event and annually by September 30, concerning those assets blocked (see form TD F 90-22.50).
IRAs, IRS Notice 2002-27 – If a minimum distribution is required from an IRA for a calendar year and the IRA owner is alive at the beginning of the year, the trustee that held the IRA on the prior year-end must provide a statement to the IRA owner by January 31 of the calendar year regarding the required minimum distribution.
Reg Z and C Thresholds and Updates – Some of the amounts that trigger coverage or provide exemptions, limits on fees, limits on QM points and fees, and other requirements and prohibitions under Regulation Z and Regulation C change annually. Here is a quick rundown on the changes in amounts. These changes are effective January 1, 2017 except as noted:
– The CARD Act penalty fees safe harbor amount in section 1026.52(b)(1)(ii)(A) will remain at $27;
– The CARD Act penalty fees safe harbor amount in section 1026.52(b)(1)(ii)(B) will be $38 and this is effective June 27, 2016;
– The HOEPA total loan amount threshold that determines whether a transaction is a high cost mortgage is changed to $20,579;
– The HOEPA total points and fees dollar trigger amount is changed to $1,029;
– As of the effective date, a covered transaction is not a qualified mortgage unless the transaction’s total points and fees do not exceed 3 percent of the total loan amount for a loan amount greater than or equal to $102,894; $3,087 for a loan amount greater than or equal to $61,737 but less than $102,894; 5 percent of the total loan amount for loans greater than or equal to $20,579 but less than $61,737; $1,029 for a loan amount greater than or equal to $12,862 but less than $20,579, and 8 percent of the total loan amount for loans less than $12,862.
– The threshold used to determine small creditor status under Reg Z will be $2.069 billion in 2017. This is up from $2.052 billion in 2016. This threshold comes into play for the Ability to Repay/Qualified Mortgage rules under §1026.43 and HPML escrow accounts under §1026.35(b)(2)(iii)(C).
– The asset-size threshold used to determine HMDA (12 CFR 1003) applicability will remain unchanged from the 2016 amount. The threshold will be $44 million for 2017.
(Note, the threshold is unchanged but the test to determine if your bank will be subject to HMDA in 2017 has changed. Consult one of our past editions of Legal Briefs for details about the unique coverage rules that apply in 2017.)
– The loan amount threshold used to determine whether a loan is exempt from the special appraisal requirements for Higher Priced Mortgage Loans (HPMLs) will be $25,500 for 2017. An HPML for an amount below that threshold will not trigger the special appraisal requirements in Section 1026.35 of Regulation Z. This threshold remains unchanged from 2016.
– The threshold to exempt consumer credit from Regulation Z will be $54,600 for 2017. This remains unchanged from 2016.
Annual Escrow Statements § 1024.17 – For each consumer mortgage escrow account you have, you must disclose to the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year, whatever you have designated that to be. This need not be based on a calendar year. You must also provide the borrower with the previous year’s projection or the initial escrow account statement so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against the next year’s escrow payments.
Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions on you and, depending upon how and what you share with affiliates, can also entail opt out requirements. A consumer’s opt-out from affiliate information sharing is effective for five years and may be renewed. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, are there any expiration dates for the opt-outs and have these consumers been given an opportunity to renew their opt-out?
Fair Credit Reporting Act – FACTA Red Flags Report – Section VI (b) (§ 334.90) of the Guidelines (contained in Appendix J) requires a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level. Keep in mind that you may need to also update your Red Flags Program, depending upon what transpired during the past year in terms of new threats, countermeasures, or incidents of identity theft.
Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. An affiliate is any company of which a member bank is a subsidiary or any other subsidiary of that company. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider and verify that it continues to be accurate. Then, identify existing loans to insiders, and ensure there is a notification method to keep this list updated throughout the year.
Reg BB (CRA), Content and availability of Public File § 228.43 – Your CRA Public File is required to be updated and current as of April 1 of each year.
HMDA and CRA Notices and Recordkeeping – (This year’s HMDA reporting has not changed but you should be preparing for upcoming HMDA changes.)
HMDA and CRA data are gathered separately by covered banks, but Regs C and BB, respectively, have reporting requirements for the Loan Application Registers (LAR). Each must be submitted by March 1 for the prior calendar year. If you are a reporter of either LAR, you should start verifying the data integrity now to avoid stressing the process at the end of February.
NACHA ACH Audit – Not directly a compliance requirement, but often associated with the compliance officer’s or auditor’s function, is the Appendix 8 requirement under the NACHA Operating Rules and Guidelines that an annual audit be completed by December 1 of each year.
Vendor Due Diligence – Like risk management, this is more an ongoing requirement, but an annual review to ensure it is current is always good. Are your vendor files updated with financials (as required by your agreement), audits, SSAE-16, and business resumption requirements? If the vendor markets or cross-sells, have you reviewed its training, scripts, complaints, and resolution of complaints?
Holidays – National and State banks can follow state holidays or ignore them. The Federal Reserve publishes its list of holidays and remember that four of these are static. January 1, July 4, November 11 and December 25 are set to those specific dates. If they fall on a Sunday, the holiday may be observed on the following Monday but they are not backed up to the preceding Friday. This year (2017) January 1 is a Sunday so it is observed on Monday the 2nd, but November 11 is a Saturday and it will be observed on that Saturday. The bank’s board should determine what holidays it will observe and the dates so that plans may be made accordingly. Regardless of what your board decides about which federal holidays to be closed on, keep in mind that you still have to factor in the effect of federal holidays for regulatory compliance (Reg Z, rescission, etc.).
Training – An actual regulatory requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training.
1. BSA (12 CFR §21.21(c)(4) and §208.63(c)(4) Provide training for appropriate personnel. Include CIP.)
2. Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii) Provide initial and periodic training)
3. Reg CC (12 CFR §229.19(f) Provide each employee who performs duties subject to the requirements of Subpart B of Reg CC (the subpart that deals with funds availability) with a statement of the procedures applicable to that employee)
4. Customer Information Security – Pursuant to the Interagency Guidelines for Safeguarding Customer Information, training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.
5. FCRA Red Flags (12 CFR §1022.90(e)(3) Train staff, as necessary, to effectively implement the Program)
6. You should add to your list training of appropriate staff on any overdraft protection programs your bank offers, so that they are able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. That’s one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the Agencies in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November, 2010.
7. MLO training – Under Regulation Z, those who fall within the definition of “loan originator” must obtain periodic training covering Federal and State law requirements that apply to the individual loan originator’s loan origination activities (§ 1026.36(f)(3)(iii)). Reg Z says this periodic training must:
– Be sufficient in frequency, timing, duration, and content to ensure that the individual loan originator has the knowledge of State and Federal legal requirements that apply to the individual loan originator’s loan origination activities.
– Take into consideration the particular responsibilities of the individual loan originator and the nature and complexity of the mortgage loans with which the individual loan originator works.
While Section 1026.36(f) does not prescribe rules for the frequency of training, it is possible to look at what the SAFE Act requirements are for state licensed MLOs for ideas on topics to be covered and frequency. The SAFE Act training requirements for the state licensed MLOs have an annual frequency.
Reg P – although there is not a specific requirement for training in the Reg, the FRB Exam Manual specifically lists "Adequacy and regularity of the institution’s training program" as one of the factors for examiners to consider in determining the adequacy of the financial institution’s internal controls and procedures to ensure compliance with the privacy regulation.
Except where noted above, these do not state “annual” as a frequency requirement, but that has been accepted as a best practice. While the regulations above may have stated training requirements, many other regulations need special training in order to ensure compliance, whether or not this is stated in the regulation. At the top of your list, include:
· USA PATRIOT Act
· Reg D
· Reg E
· Reg Z
· Fair Credit Reporting Act
· Bank Bribery
· For insiders, Reg O
Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your bank’s Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.
Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee of the board at least annually. The report should describe the overall status of the information security program and the bank’s compliance with these Guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.
Annual MLO Registration § 1007.102 – Mortgage Loan Originators must renew their registration on the Registry during the period November 1 through December 31. This is also a good time to plan MLO bonus plans with management and Human Resources. Section 1026.36(d)(1)(iv)(B)(1) imposes a 10 percent aggregate limitation on total compensation, which includes year-end bonuses.
And some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, records retention requirements and destruction of expired records, and a designation by the Board of the next year’s holidays.
By Andy Zavoina
2017 – a new year and a fresh start, right? It never seemed fair to me that the new year is always hyped as though you get to start over. While it is a new year, you still carry with you compliance baggage from 2016. We do not have a crystal ball and cannot tell you what the CFPB will do or when. Nor can we tell you what changes the new administration will enact. Here are a few of our predictions:
1. Do not expect all of the Dodd-Frank Act to go away. There are many pieces that affect the securities industry and those not yet effective which may be easily delayed, changed or trashed altogether. But DFA changes like TRID would be very difficult to reverse. From your policies and procedures to loan systems, ask yourself whether you would really like to go back to 2014. The work would be as great as what the TRID conversion took to get here. While we may see tweaks, major changes to established rules would be slow in coming.
2. Speaking of TRID, 2017 will likely be the year we see enforcement actions from examiners on transactions. Testing of individual loans will begin as the focus broadens from the systems and procedures your bank has used to now include transactional testing and individual citations for noncompliance.
3. UDAP/UDAAP is still a hot issue, in part because it can be used as a catchall. (While UDAP and UDAAP are two different items, because of the similarities I refer to UDAAP.) The Fair Debt Collection Practices Act (FDCPA) does not apply to a bank collecting its own debts, but violating the FDCPA requirements is considered a UDAAP event. Providing model disclosures such as under Reg E provides a safe harbor, unless those disclosures are not followed to the letter. Banks that required police reports were not adhering to the model disclosures and were cited under UDAAP for the violations. But a hot issue in UDAAP now involves vendor-created products, particularly add-on products, and especially when the vendor is selling these for the bank. This is one reason your vendor agreements need to be reviewed and audited, and complaints must be checked as well.
4. The Military Lending Act underwent a major revision. Have you reviewed your examiners’ workpapers yet? While a policy is not required, you could spend more time defending why your bank does not need one than you would spend writing one. Simply put, your bank is expected to have one. And your procedures should be updated to the new MLA and tested. Any time there is a major change, you should be reviewing the implementation results before your examiners do.