January 2019 OBA Legal Briefs

  • New year, new SAR
  • Required year-end housekeeping
  • FEMA NFIP snafu
  • Residential appraisal threshold unchanged (yet)

New year, new SAR

By Andy Zavoina

This time of the year many bankers are providing staff, management and their boards some annual updates and training. This may include security, Bank Secrecy Act and compliance topics. With recent events, one possible addition to what you might usually be discussing comes to mind. The Suspicious Activity Report (SAR) has been updated. SAR version 1.1 is being replaced with version 1.2. The effective date for this change was January 1, 2019. FinCEN will no longer accept older versions of the SAR form, so you cannot avoid this new requirement.

There have been numerous changes to the SAR form. Internally some banks prefer to use worksheets for employees who want to call attention to an activity which may lead to the submission of a SAR. If your bank does this, have you updated your internal worksheets and explained the changes to staff?

Perhaps the biggest change is the addition to the SAR of the new “cyber event” question. This is applicable to events happening to either the bank or a bank customer. It is the new field 42 and it may be used when there is an attempted digital denial of service (DDoS), attempt to hack the bank’s wire system or website, and for customers it may include account takeovers or fraudulent transfer instructions.

With these new requirements come new opportunities, to excel or to err. Training in advance and using controls to verify everyone understands the new form helps ensure you won’t be SAR-ry later.

Overview: Here is an overview of the form changes from version 1.1, to 1.2:

• Part I of the SAR 1.1 to 1.2 is changed in that the fields are renumbered but the content has stayed the same.

• Part II of the SAR form is the section that provides information on the suspected suspicious activity included in the report. This part includes several changes, as follows:

o Question 32 (formerly 29) is specific to structuring and has a few changes. Specifically, the phrase “or cancels” has been added to options “a” and “b.” For example, item “a” currently states that the subject “alters transaction to avoid BSA recordkeeping requirement.” The option now states “alters or cancels transaction to avoid BSA recordkeeping requirement.” The second change is that option “c,” which was about cancelled transactions, has been removed. The available options went from seven to six.

o The fraud question (was #31, now #34) has a few changes. A new option “b,” “Advanced Fee,” was added as were new options “j” and “l” which now include “Ponzi scheme” and “Securities fraud” respectively. Option “g,” “Healthcare” is now expanded to read “Healthcare/Public or private health insurance.”

o The question for casinos (was #32, now #35) also has a few changes but is of little interest to banks and we will ignore it here.

o The options on Other Suspicious Activity (was question #35, now #38) has three additions and two deletions. “Human Smuggling,” option “g” is added as is “Human Trafficking,” option “h.” The third addition was option “q,” “Transaction(s) involving foreign high-risk jurisdiction.” Deleted from SAR 1.1 were options “i,” “Misuse of ‘free look’/cooling off/right of rescission” and “q,” “Unauthorized electronic intrusion.”

o The question (was #37, now #40) on “Securities/Futures/Options” expanded from five options to six. Former option “b” on “Market manipulation/wash trading” was split adding a separate entry, option “e” for “Wash trading.”

o The “Mortgage Fraud” question (was #38, now #41) adds two new options and amends one other Added were option “a,” “Application Fraud,” and option “e,” “origination fraud.” Option “c” will add “short sale” to foreclosure fraud for a new entry, “Foreclosure/Short sale fraud.” Removed from SAR.1 was option ”d,” “Reverse mortgage fraud” and options were renumbered.

o A new category, “Cyber-event” becomes question #42. Option “a” is “Against the Financial Institution(s)” while item “b” is “Against the Financial Institutions customer(s).” Item “z” will be added to include an entry for “Other.”

o Option “n,” “Penny stocks/Microcap securities” under the question “Were any of the following product type(s) involved in the suspicious activity?” (was #39, now #45) removed the term “Penny Stocks” and “Microcap securities” is now option “m.” Also added was option “f,” “Deposit account.”

o Question #44 “IP Address” was removed.

o The question on “Types of securities and futures” (was #50, now #54) was expanded from 10 to 12 options. Added were “Execution-only broker securities” and “Self-dealing broker securities.”

• Under Part IV, question #83 is now #80, “Types of securities and futures” and it has similar additions as above in Part III. Added were “Execution-only broker securities” and “Self-dealing broker securities” as the options available went from 13 to 15.

• There were no changes to Part V.

Safe Harbor: The Safe harbor rules for SARs have not changed. Federal law (31 U.S.C. 5318(g)(3)) provides financial institutions complete protection from civil liability for all reports of suspicious transactions made to appropriate authorities, including supporting documentation, regardless of whether such reports are filed pursuant to a regulatory requirement or on a voluntary basis. Specifically, the law provides that a financial institution, and its directors, officers, employees, and agents, that make a disclosure of any possible violation of law or regulation, including in connection with the preparation of suspicious activity reports, “shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision of any State, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure.”

Confidentiality: SARs are also confidential. The SAR and any information that would reveal the existence of the SAR are confidential and may not be disclosed except as specified in 31 U.S.C. 5318(g)(2) and in FinCEN’s regulations (31 CFR Chapter X).

Prohibition on Disclosures by Financial Institutions: Federal law (31 U.S.C. 5318(g)(2)) provides that a financial institution, and its directors, officers, employees, and agents who, pursuant to any statutory or regulatory authority or on a voluntary basis, report suspicious transactions to the government, may not notify any person involved in the transaction that the transaction has been reported.

• Provided that no person involved in the suspicious activity is notified, 31 CFR Chapter X clarifies that the following activity does not constitute a prohibited disclosure:

• Disclosure of SAR information to certain governmental authorities or other examining authorities that are otherwise entitled by law to receive SAR information or to examine for or investigate suspicious activity, including:

o FinCEN;

o Any Federal, state, or local law enforcement agency;

o Any Federal regulatory agency that examines the depository institution for compliance with the BSA;

o Any state regulatory authority that examines the depository institution for compliance with state laws requiring compliance with the BSA.

o A U.S. bank or savings association may share a SAR with its controlling company (whether domestic or foreign). The sharing of a SAR or, more broadly, any information that would reveal the existence of a SAR, with a head office or controlling company (including overseas) promotes compliance with the applicable requirements of the BSA by enabling the head office or controlling company to discharge its oversight responsibilities with respect to enterprise-wide risk management, including oversight of a depository institution’s compliance with applicable laws and regulation.;

• Disclosure of the underlying facts, transactions, and documents upon which a FinCEN SAR is based; and

• For those institutions regulated by a Federal functional regulator (Federal bank regulatory agencies, the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC)), the sharing of SAR information within an institution’s corporate organizational structure, for purposes that are consistent with the Bank Secrecy Act, as determined by regulation or guidance.

What may be shared:

• the disclosure of the underlying facts, transactions, and documents upon which a SAR is based, including, but not limited to, disclosures related to filing a joint SAR and in connection with certain employment references or termination notices; and

• the sharing of a SAR, or any information that would reveal the existence of a SAR, within a depository institution’s corporate organizational structure for purposes consistent with Title II of the BSA, as determined by regulation or in guidance.

Prohibition on Disclosures by Government Authorities: Federal law (31 U.S.C. 5318(g)(2)) also provides that an officer or employee of any Federal, state, local, tribal, or territorial government within the United States who has knowledge that such report was made, may not disclose to any person involved in the transaction that the transaction has been reported, other than as necessary to fulfill the official duties of such officer of employee. FinCEN’s regulations clarify that “official duties” must be consistent with Title II of the Bank Secrecy Act and shall not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding, including a request pursuant to 31 CFR § 1.11.

The confidentiality of SARs needs some additional explanation. At the end of the day, the bank’s staff must remain in a UFO frame of mind in that “we can neither confirm nor deny anything on this matter.” This fact remains regardless of recent events. Last October the U.S. Attorney for the Southern District of New York had a FinCEN employee, Natalie Mayflower Sours Edwards, arrested. She was charged with unlawfully disclosing Suspicious Activity Reports to a member of the media, in violation of 31 U.S.C. § 5322 and 18 U.S.C. § 371. Each carries a maximum sentence of five years in prison. This appears to be the first criminal case based solely on the release of the confidential SAR information.

There have been two other prosecutions related to SAR information being released, but there were additional charges in those. In 2011, Frank Mendoza, who was a former bank employee. was convicted of an illegal SAR disclosure. Mendoza was charged with approaching the subject of a SAR filed by Mendoza’s bank from whom he solicited a bribe and to whom he offered assistance at the bank. Mendoza disclosed that a SAR was filed by the bank and he advised the subject of the SAR that a federal criminal investigation was imminent. The subject of the SAR reported the bribery solicitation to the FBI and Mendoza was arrested. Mendoza was found guilty of disclosing the existence of a SAR and accepting a bribe. He was sentenced to six months’ incarceration and assessed a civil money penalty of $25,000 by FinCEN.

In another case from the U.S. Attorney for the Southern District of New York, Robert Lustyik, a former Special Agent with the FBI, was charged in 2013 with disclosing confidential SAR information. In his case there was also an element of bribery. Lustyik allegedly sold SARs and other confidential law enforcement information in exchange for personal payments.

In this most recent case, Edwards, who is also claiming whistleblower status, disclosed SARs in encrypted email to a reporter. The SARs related to the U.S. Office of Special Counsel’s investigation of Paul Manafort, President Trump’s former campaign manager. The reporter wrote stories based in part on the SAR information.
Addressing the confidentiality requirements of a SAR is potentially an add-on to any training done on the new SAR requirements and the new form itself. Both promise to be issues which will be reviewed.

Required year-end housekeeping

By Andy Zavoina

As we enter the new year. you would think it is time to relax, say goodbye to 2018, and start off 2019 with a clean slate. But it does not quite work that way. It is time to ask yourself if all the little things are done, all the housekeeping items that could impact your 2019.

Reg E § 1005.8 – If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement, or the longer version that is sent annually. Electronic disclosures under E-SIGN are allowed here. This may also be a good time to review §1005.7(c) and determine if any electronic fund transfer services were added, and if they were disclosed as required.

The same review advice applies if you are using E-SIGN, because some E-SIGN agreements that specify what will be disclosed electronically are very narrowly drawn. Is your agreement narrow or broad, and are you disclosing things electronically that the agreement may not allow for?

Reg P § 1016.5 – Remember the requirements for the annual privacy notice were modified in late 2015 and finalized this year. As a result, your bank’s procedure may have changed. The Fixing America’s Surface Transportation (FAST) Act, enacted on December 4, 2015, amended Title V of the Gramm-Leach-Bliley Act (GLBA). While it took two years, the Reg now provides an exception so that banks meeting certain conditions are not required to send annual privacy notices to customers. We wrote about this in the December 2018 Legal Briefs if you want more information.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. Ensure that your practices have not changed and that the notice you are providing accurately describes your practices.

If you still need to provide annual notices, for Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for web-based disclosures. You can use e-disclosures on your bank web site when the customer uses the web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. So, the demonstrable consent requirements and others in E-SIGN’s 101(c) section do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Although Reg P is not specific as to a requirement for training in the Reg, the FRB Exam Manual specifically lists “Adequacy and regularity of the institution’s training program” as one of the factors to consider in determining the adequacy of the financial institution’s internal controls and procedures to ensure compliance with the privacy regulation.

BSA annual certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions. The other financial institution must enter into a contract requiring it to certify annually to your bank that it has implemented its AML program.

OFAC reporting. Banks must report all blocked accounts to OFAC within ten days of the event and annually by September 30, concerning those assets blocked (see form TD F 90-22.50). Make sure that report is on your calendar.

IRAs, IRS Notice 2002-27 – If a minimum distribution is required from an IRA for a calendar year and the IRA owner is alive at the beginning of the year, the trustee that held the IRA on the prior year-end must provide a statement to the IRA owner by January 31 of the calendar year regarding the required minimum distribution.

Reg Z thresholds and updates – These changes are effective January 1, 2019. You should ensure they are available to staff or correctly hard coded in your systems:

• the exemption threshold increased from $55,800 to $57,200

• The CARD Act penalty fees safe harbor amount in section 1026.52(b)(1)(ii)(A) remains at $28;

• The CARD Act penalty fees safe harbor amount in section 1026.52(b)(1)(ii)(B) remains at $39;

• The HOEPA total loan amount threshold that determines whether a transaction is a high cost mortgage is changed to $21,549;

• The HOEPA total points and fees dollar trigger amount is changed to $1,077;

• As of the effective date, a covered transaction is not a qualified mortgage unless the transaction’s total points and fees do not exceed 3 percent of the total loan amount for a loan amount greater than or equal to $107,747; $3,232 for a loan amount greater than or equal to $64,648 but less than $107,747; 5 percent of the total loan amount for loans greater than or equal to $21,549 but less than $64,647; $1,077 for a loan amount greater than or equal to $13,468 but less than $21,549; and 8 percent of the total loan amount for a loan amount less than $13,468.

Annual escrow statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against the next year’s escrow payments.

Fair Credit Reporting Act – Affiliate marketing opt-out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions on you and opt out requirements. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, are there any expiration dates for the opt-outs and have these consumers been given an opportunity to renew their opt-out?

Fair Credit Reporting Act – FACTA red flags report – Section VI (b) (§ 334.90) of the Guidelines (contained in Appendix J) require a report at least annually on your Red Flags Program. This can be reported to either the board of directors, an appropriate committee of the board, or a designated employee at the senior management level.

Regulation O, Annual Resolution §§ 215.4, 215.8 – To comply with the lending restrictions and requirements of Reg O § 215.4, you must be able to identify the “insiders.” “Insider” means an executive officer, director, or principal shareholder, and includes any related interest of such a person. An “affiliate” is any company of which a member bank is a subsidiary or any other subsidiary of that company. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg BB (CRA), content and availability of public file § 228.43 – Your Public File is required to be updated and current as of April 1 of each year. Many banks update it continuously, but it’s good to check. [Note: Citation is to Federal Reserve Reg BB. The OCC and FDIC have their own, identical requirements/]

HMDA and CRA notices and recordkeeping – HMDA and CRA data are gathered separately by banks subject to the requirements, and both Reg C and Reg BB have reporting requirements for the Loan Application Registers (LAR). Each must be submitted by March 1 for the prior calendar year. If you are a reporter of either LAR ,you should start verifying the data integrity now to avoid stressing over the process at the end of February.

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

• BSA (12 CFR §§ 21.21(c)(4), 208.63(c)(4), and 326.8(c)(4) Provide training for appropriate personnel.

• Bank Protection Act (12 CFR §§21.3(a)(3), 208.61(c)(1)(iii), and 326.3(a)(3) Provide initial and periodic training

• Reg CC (12 CFR §229.19(f)) Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee

• Customer Information Security found at III(C)(2) (Pursuant to the Interagency Guidelines for Safeguarding Customer Information, training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)

• FCRA Red Flag (12 CFR 222.90(e)(3) Train staff, as necessary, to effectively implement the Program

• Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

• Sect 303 of EGRRCPA requires training for the bank and staff to have immunity from liability for qualified individuals at banks who, in good faith and with reasonable care, disclose the suspected exploitation of a senior citizen to a regulatory or law-enforcement agency. The content is specified in the Act and must be provided “as soon as practicable” and “not later than 1 year after the date on which the individual becomes employed” by the bank. There is no reference to refresher training.

Security, Annual Report to the Board of Directors – (12 CFR §§ 21.4, 208.61(d) and 326.4) The Bank Protection Act requires your bank’s Security Officer to report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee of the board at least annually. The report should describe the overall status of the information security program and the bank’s compliance with these Guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. Check, in particular, any MLO who took vacation during that 60-day period, and may have neglected to renew. There is a re-registration window (for an extra fee) each year. This is also a good time to plan with management and Human Resources those MLO bonus plans. Section 1026.36(d)(1)(iv)(B)(1) of Reg Z allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.

Miscellaneous – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, records retention requirements and destruction of expired records, and a designation by the Board of the next year’s holidays. And don’t forget to determine whether there has been a review of those not yet extending vacation or “away time” to the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 Minimum control elements for bank internal control program.


by John S. Burnett

On Thursday, December 27, the Federal Emergency Management Agency announced that the National Flood Insurance Program (NFIP) was suspended, and no new flood insurance policies could be issued during the partial government shutdown that began at midnight on December 21. The agency and the Department of Homeland Security were immediately hit with a flood (pun intended) of calls and emails reminding FEMA leaders that Congress had passed, and the president had signed – on December 21 – a bill extending authority for the NFIP through May 31, 2019. Evidently, the message about the program extension hadn’t reach FEMA management, which had to “walk back” its announcement on Friday evening, December 28.

Earlier on the 28th, the Fed, OCC and FDIC issued a statement reminding banks that they can continue making loans on properties in flood zones in periods when flood coverage isn’t available, referencing guidance issued in 2010. Since lapses in the NFIP authorization have become commonplace, we recommend keeping a copy of that guidance when the next NFIP hiatus hits. In the meantime, just chalk up the FEMA announcements of last week to a case of “READY, FIRE, AIM.”

Residential appraisal threshold unchanged (yet)

by John S. Burnett

A phone call we fielded on New Year’s Eve prompted this status reminder on the federal appraisal requirements. Of course, there was the April 9, 2018, doubling the $250,000 threshold for commercial real estate transactions to $500,000. The lower figure had been in place since 1994, and the agencies had proposed to increase it to $400,000, but later determined that doubling the threshold to $500,000 made sense given inflation and the minimal effect the increase would have on safety and soundness of financial institutions.

At the time, the agencies left the $250,000 threshold for residential appraisals in place, except for residential construction loans secured by multiple one-to-four family residential properties (which would be considered commercial transactions).

On December 7, the agencies proposed to increase the residential real estate transaction threshold from $250,000 to $400,000, and to include the hardship exemption for residential property in certain rural areas under EGRRCPA (to require evaluations for those exempt transactions). In addition, the proposal would implement the Dodd-Frank Act amendment to Title XI requiring appropriate review of appraisals for federally related transactions for USPAP compliance.

Comments on the December 7 proposal are due by February 5, 2019. Watch for a final rule no sooner than mid- to late-February.