Wednesday, August 10, 2022

December 2021 OBA Legal Briefs

  • 2022 to-dos today
  • New year, new rule—Computer-security incident notification
  • Foreclosure forbearance reminder
[Editor’s note: Due to the timeliness of this months articles, Part 2 of last month’s article on the new Fair Debt Collection Practice Act regulation will appear in our January 2022 Legal Briefs.]

_________________________________

2022 to-dos today

By Andy Zavoina

It is hard to believe that we are at the end of the year so soon. On the other hand, it seems like 2021 has lasted two years already. Still, we have worked through most of a pandemic but started bringing many if not all workers back into the branches, as well as our customers and soon we may expect examiners. It is time to get ready for 2022 and that means some of the light housekeeping may be in order. Let’s review some of your annual compliance chores to ensure they are tidy and cared for.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to compliance reporting to the board, this may include a personal presentation, or it may not. I recommend that it is, as it is an opportunity to express what is being done to control what has happened as well as foreseeable events and why, as that can assist you in getting the budget and assets necessary in the coming year. While the year end is not necessarily the most desirable time to make such a presentation, take whatever time you do get and use it wisely. Annual presentations such as this are better done when the directors can focus more on the message so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg BB (CRA), Content and availability of Public File § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That must be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs, as those may change. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping  § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation readies is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Fair Credit Reporting Act – FACTA Red Flags ReportSection VI (b) (§ 334.90) of the Guidelines (contained in Appendix J) require a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.

This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding and significant incidents involving identity theft plus management’s response to these and any recommendations for material changes to the bank’s program. Times change, customers habits change, and importantly criminals change and each may require tweaks to the bank’s program.

Reg E § 1005.8– If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square. These require disclosure and inaccurate disclosures may affect your claims processing.

HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1 for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report. When a systemic error is found it can be very time consuming to scrub all files for errors and correct them.

Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.

Reg P § 1016.5 –There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions, does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every institution will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank website when the customer uses the website to access financial products and services electronically and agrees to receive notices at the website, and you post your current privacy notice continuously in a clear and conspicuous manner on the website. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know if there are there any expiration dates for the opt-outs and have these consumers been given an opportunity to renew their opt-out?

Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against the next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.00– These changes are effective January 1, 2022. You should ensure they are available to staff or correctly hard coded in your systems:

  • For open-end consumer credit plans under TILA, the threshold that triggers requirements to disclose minimum interest charges will remain unchanged at $1.00
  • For open-end consumer credit plans under the CARD Act amendments to TILA, the adjusted dollar amount in 2022 for the safe harbor for a first violation penalty fee will increase to $30 and the adjusted dollar amount for the safe harbor for a subsequent violation penalty fee will increase to $41
  • For HOEPA loans, the adjusted total loan amount threshold for high-cost mortgages in 2022 will be $22,969.
  • The adjusted points-and-fees dollar trigger for high-cost mortgages in 2022 will be $1,148.
  • For qualified mortgages (QMs) under the General QM loan definition in § 1026.43(e)(2), the thresholds for the spread between the annual percentage rate (APR) and the average prime offer rate (APOR) in 2022 will be:
    • 2.25 or more percentage points for a first lien covered transaction with a loan amount greater than or equal to $114,847
    • 3.5 or more percentage points for a first lien covered transaction with a loan amount greater than or equal to $68,908 but less than $114,847
    •  6.5 or more percentage points for a first lien covered transaction with loan amount less than $68,908
    • 6.5 or more percentage points for a first lien covered transaction secured by a manufactured home with a loan amount less than $114,847
    • 3.5 or more percentage points for a subordinate-lien covered transaction with a loan amount greater than or equal to $68,908
    • 6.5 or more percentage points for a subordinate-lien covered transaction with a loan amount less than $68,908
  • For all categories of QMs, the thresholds for total points and fees in 2022 will be:
    • 3 percent of the total loan amount for a loan greater than or equal to $114,847
    • $3,445 for a loan amount greater than or equal to $68,908 but less than $114,847
    • 5 percent of the total loan amount for a loan greater than or equal to $22,969 but less than $68,908
    • $1,148 for a loan amount greater than or equal to $14,356 but less than $22,969
    • 8 percent of the total loan amount for a loan amount less than $14,356
  • For Higher Priced Mortgage Loans (HPMLs), the special appraisal requirement exemption amount will be $28,500
  • The consumer lease (Reg M) and consumer credit transaction (Reg Z) exemption thresholds will be $61,000.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions.  The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked as of June 30.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

IRAs, IRS Notice 2002-27  If a minimum distribution is required from an IRA for a calendar year and the IRA owner is alive at the beginning of the year, the trustee that held the IRA on the prior year-end must provide a statement to the IRA owner by January 31 of the calendar year regarding the required minimum distribution.

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

  • BSA (12 CFR §21.21(c)(4) and §208.63(c)(4) Provide training for appropriate personnel.
  • Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)) Provide initial & periodic training
  • Reg CC (12 CFR §229.19(f) Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee)
  • Customer Information Security found at III(C)(2) (Pursuant to the Interagency Guidelines for Safeguarding Customer Information), training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
  • FCRA Red Flag (12 CFR 222.90(e)(3)) Train staff, as necessary, to effectively implement the Program;)
  • Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

Miscellany – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays. And last but not least, has there been a review of those staffers who have not yet taken vacation or “away time” to the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?

New year, new rule – Computer-security incident notification

By Andy Zavoina

On November 18, 2021, there was a joint release by the OCC, FDIC and the Federal Reserve concerning a new rule intended to close a gap on computer-security incident reporting requirements. The new final rule does several things. Succinctly, a bank will have 36 hours to report certain computer related security incidents to its prudential regulator. That sounds like a tight time frame, and it is, but the 79-page final rule provides a lot more details. We will leave it to the group within your bank to slice and dice the details, but we wanted to give you a detailed overview of these new requirements so that it can be discussed intelligently and planned for accordingly.

As FDIC Chairman Jelena McWilliams put it, the rule “addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations.” For many years banks have been tasked with reporting computer related security incidents to its regulator whether that be a formal requirement or in informal one. This final rule has a mandatory compliance date of May 1, 2022. Preparations for compliance will therefore be mixed with still working through the pandemic, the holiday season, CRA and HMDA scrubs and all things IRA and IRS. There is a lot to do in the next five months.

The new requirements are imposed not just on your bank to report to its federal regulator, but on certain of the bank’s service providers to report incidents to you. This allows the bank to then make a determination as to whether or not it must then in turn report up the food chain to its regulator, the OCC, FDIC or Fed.

So, let’s get to the nitty gritty.

When: The bank must notify its federal regulator as soon as possible and not later than 36 hours after determining a “notification incident” has occurred.

The rule separately requires your service providers to notify your bank as soon as possible when the service provider determines it has experienced “a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

You may be questioning the service provider’s timing requirement of “as soon as possible.” Read that to include a sense of urgency. The proposal wanted immediate notification but that is a very high benchmark and virtually impossible to follow. Timing is something the bank should discuss with its providers in advance, as well as whether there will be a designated point of contact with a back-up named, or if by default the contact is the chief executive or chief information officer or a comparable position.

What: The focus here is broadly described as “computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider.”

The final rule attempts to partially synchronize the definition of a computer-security incident with an existing definition from the National Institute of Standards and Technology (NIST). The final rule defines “computer-security incident” as an occurrence that results in actual harm to an information system or the information contained within it.  Computer related incidents “may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions.”

As defined in the final rule, a notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

There is obviously a lot in the final rule, and it may depend on your actual involvement in the IT area as to how deep your role will go. There will obviously be several subject matter experts involved in the task of compiling a risk strategy prior to completing any policy and procedures for compliance with the rule.

Why: The bank is required to notify its regulator within such a short period because the intent is to promote early awareness of the threat and the fact that others in the industry may be subject to similar threats. If there is a broader risk, it must be immediately addressed. This is the same reason a service provider is required to notify its bank customer – so that the bank can determine the risk to itself and the banking customers. A notification from a service provider may trigger a bank’s notification to its regulator.

This is separate from the requirements on the bank to address potential exposure or the actual loss of customer information and the reporting requirements that are triggered from that.

Practical Application: The bank needs to define some critical examples of the incidents it could foresee and ensure that there is room for interpretation as technology and attacks on it vary and change with time. The service providers fitting into these critical roles are those subject to the Bank Service Company Act. You may refer to 12 USC 18 Bank Service Companies as well as FIL-49-99 Required Notification for Compliance with the Bank Service Company Ac and FIL-19-2019 Technology Service Provider Contracts for more on who is subject to the rule and the responsibilities of the parties involved. If not referenced in contracts with these service providers already, amended and future contracts may mandate notifications requirements for qualified incidents.

Of importance is defining the moment that the 36-hour window opens is when the bank determines that a notification incident has occurred. The proposal started this clock when there was a “good faith belief” so the bank will want to best define these terms based on the descriptions and examples in the final rule. It is recommended the bank use clear procedures to evaluate the risk of any system compromise or failure that qualifies.

Because the final rule is targeted toward an occurrence that results in actual harm to an information system or the information contained within it, material incidents such as systems failures and the ever-increasing threat of ransomware attacks are an instigator for these rules. If your bank has insurance against ransomware attacks you may incorporate procedures associated  with that with procedures for the new rules. Pay attention to the term “actual harm” as that was a key variation from the proposal. The NIST definition was broader and the regulators wanted to narrow the reportable incidents to those that actually occurred. The regulators expressed that the changes were made to “narrow the focus of the final rule to those incidents most likely to materially and adversely affect banking organizations.” One example was a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time, meaning longer than four hours.

Foreclosure forbearance reminder

By Andy Zavoina

The CFPB is all about protecting consumers and that point was reiterated in a November 10, 2021, release, “CFPB Takes Action to Prevent Avoidable Foreclosures.”

The Bureau announced that working in concert with other agencies (the FDIC, NCUA, OCC and others) they were prepared to enforce the protections in place for families and homeowners who are at risk of losing their homes. Protections were put in place to provide alternatives to foreclosure, and there are an estimated one million home loans with forbearance programs put in place due to COVID-19 which are due to expire at the end of 2021.

CFPB Director Rohit Chopra  said, “Failures by mortgage servicers and regulators worsened the impact of the economic crisis a decade ago…. Regulators have learned their lesson, and we will be scrutinizing servicers to ensure they are doing all they can to help homeowners and follow the law.” The agencies mentioned above issued a joint statement in April 2020 advising they would relax enforcement of Reg. X because of the pandemic. The recent statement is clear that lenders and servicers have had ample opportunity to adapt and the requirements of Reg. X all apply at this time.

It reminds servicers there needs to be attention to the borrower’s needs. Borrowers need a meaningful chance at loss mitigation programs, not lip service. This means the servicer must have adequate staff to handle the accounts and to communicate to borrowers what may be available to them. There are many options available for streamlined loss mitigation programs and servicers should be familiar with what is available to qualified applicants. There should be consistency in who is communicating with a borrower and efforts to avoid unnecessary handoffs and disqualification from a program followed by option to start a new process for some alternative program with someone else.

Those borrowers ending a forbearance program should also be allowed to resume scheduled payments. Determine if most or all of any missed payments can be deferred to the end of the current Note obligation under a deferral agreement. If needed, explore options to modify an existing loan and lower their payments if necessary and if feasible. Lastly, in many areas it is a sellers’ market and it may be an option that allows them to lessen any loss of equity in their home.  Your efforts at avoiding foreclosure should be well documented.

It is recommended that a pre-foreclosure checklist be used to ensure all the banks records are in order before a home is put into a foreclosure process. Document efforts to avoid foreclosure, to find loss mitigation programs, modifications available, deferral amounts and the borrower’s ability to maintain any restructuring that could be done. Then verify that all the bank’s disclosures required for the loan (think TRID and Reg B) were complete and accurate. If there are any deficiencies, consider how material they may be and if a plaintiff’s attorney could take advantage of them. Then, and only then, act accordingly.