January 2023 OBA Legal Briefs

  • Has your bank suddenly become a HMDA reporter?
  • Minutiae matter
  • Joint owners’ signatures on new joint accounts

Has your bank suddenly become a HMDA reporter?

By John S. Burnett

A recent federal court decision has lowered the loan reporting threshold for closed-end mortgage loans under the Home Mortgage Disclosure Act-implementing Regulation C from 100 to 25 closed-end mortgage loans in each of the two preceding calendar years. If your bank has been routinely making 50 or 60 closed-end mortgage loans and very few open-end mortgage loans each year for the last several years, you might have been planning to enjoy another year in 2023 of not being a HMDA reporter.

All that has changed. And if you haven’t realized that yet, you’ve got some scrambling to do.


In a final rule that became effective in 2015 (the “2015 final rule”), the CFPB set the HMDA reporting threshold for closed-end mortgage loans at 25 in either of the two preceding calendar years.

On May 2, 2019, the Bureau issued a proposal to, among other things, increase the 25 closed-end mortgage loan reporting threshold to either 50 or 100 such loans in either of the two preceding calendar years.

On May 12, 2020, the CFPB issued a final rule (the “2020 final rule”) that, among other things, increased the closed-end mortgage loan reporting threshold to 100 such loans in either of the two preceding calendar years. The change was effective July 1, 2020.

After the adoption of the 2020 rule, the National Community Reinvestment Coalition, Montana Fair Housing, Texas Low Income Housing Information Service, Empire Justice Center, the Association for Neighborhood & Housing Development, and the City of Toledo, Ohio, filed a lawsuit challenging the changes to the closed-end reporting thresholds (and other provisions) in the 2020 final rule, asserting that the 2020 final rule was arbitrary and capricious, contrary to law, and in excess of the Bureau’s statutory authority under the Administrative Procedure Act.

On September 23, 2022, the U.S. District Court for the District of Columbia issued an order vacating (nullifying) only the portions of the 2020 final rule that increased the closed-end mortgage loan reporting threshold. The court found that the “CFPB failed adequately to explain or support its rationales for adoption of the closed-end reporting thresholds under the 2020 Rule, rendering this aspect of the rule arbitrary and capricious.”

The court cited the preamble to the 2015 final rule in noting that the CFPB explained that “the loss of data in communities at closed-end mortgage loan-volume thresholds higher than 25 would substantially impede the ability of the public and public officials in these locales and others to understand access to credit in their communities.”

The CFPB offered no comment on the court’s ruling until December 6, 2022, when an article, “Changes to HMDA’s closed-end loan reporting threshold,”[https://www.consumerfinance.gov/about-us/blog/changes-to-hmda-closed-end-loan-reporting-threshold/] was posted to the Bureau’s blog. The article simply said, “The [court’s] decision means that the threshold for reporting data on closed-end mortgage loans is now 25 loans in each of the two preceding calendar years, which is the threshold established by the 2015 HMDA Final Rule, rather than the 100-loan threshold set by the 2020 HMDA Final Rule.”

The Blog article went on to say that the “CFPB recognizes that financial institutions affected by this change may need time to implement or adjust policies, procedures, systems, and operations to come into compliance with their reporting obligations. In these limited circumstances, in allocating the CFPB’s enforcement and supervisory resources, the CFPB does not view action regarding these institutions’ HMDA data as a priority. Thus, the CFPB does not intend to initiate enforcement actions or cite HMDA violations for failures to report closed-end mortgage loan data collected in 2022, 2021, or 2020 for institutions subject to the CFPB’s enforcement or supervisory jurisdiction that meet Regulation C’s other coverage requirements and originated at least 25 closed-end mortgage loans in each of the two preceding calendar years but fewer than 100 closed-end mortgage loans in either or both of the two preceding calendar years.”

On December 21, 2022, the CFPB published a final rule at 87 FR 77980 [https://www.federalregister.gov/d/2022-27204] with technical amendments to Regulation C that changed each mention of the 100 closed-end mortgage loans reporting threshold in subsections 1003.2(g) [definition of financial institution] and 1003.3(c) [excluded transactions] and the Official Interpretations of those subsections to 25 closed-end mortgage loans. The amendments became effective on publication.

What this all means

When the District Court vacated the portion of the 2020 final rule that increased the reporting threshold for closed-end mortgage loans from 25 to 100 such loans in either of the preceding two calendar years, it put those portions of the regulation and official interpretations back to their 2015 final rule wording, as if they were not changed by the 2020 final rule.

In the Bureau’s Blog article described just above, the Bureau acknowledged that the court’s ruling could affect HMDA filing requirements for applications and loans dated in 2020 (from July 1), 2021, and 2022, for financial institutions that made at least 25 but fewer than 100 closed-end mortgage loans in the two previous calendar years. It went on to say that it doesn’t intend to initiate enforcement actions or cite HMDA violations for failures to report closed-end mortgage loan data collected in 2020 through 2022 for institutions subject to Bureau enforcement or supervisory jurisdiction.

There have been no similar statements of intent not to initiate enforcement actions or cite HMDA violations from the Federal Reserve Board, FDIC, OCC, or NCUA. It would seem that those regulators will have to issue a similar statement because it is next to impossible for many bankers to go back over their applications and loans to find the data to back-file because they weren’t collecting HMDA data during that period.

Let’s assume that the other regulators issue such a statement. What does your bank need to do if it originated 25 or more closed-end mortgage loans in both 2021 and 2022 but hasn’t had to file since 2015?

1. If your bank never obtained a Legal Entity Identifier (LEI) or let its LEI lapse, jump on the task of getting one (or renewing or replacing the old one). You need it to create the unique loan numbers that have to be assigned to each entry on the HMDA LAR.

2. Make sure the bank has the right application forms to collect HMDA data.

3. Quickly get lenders and loan assistants spun up on any changes in loan interview scripts and the necessity for checking that HMDA data are being collected with applications.

4. Remember that each HMDA-related loan application received after December 31, 2022, will need to include HMDA data added as it gets processed and originated, denied, or withdrawn.

5. For loans already in the pipeline on January 1, 2023, check to see what HMDA data are missing, and take steps to obtain them.

Some industry trade groups have asked the CFPB and prudential regulators to formally declare a one-year amnesty on enforcement for small-volume lenders impacted by the court’s ruling. As of this writing, many such lenders are uncertain they can adapt their procedures by January 1, 2023, and we haven’t heard more from the Bureau or the prudential regulators.

Minutiae matter

By Andy Zavoina

Welcome to 2023. As I pen this month’s article, one of my inbox emails is from Apple News and it is about 2023 horoscopes and what is in the stars for me. It is time to look forward, which may require looking back. I remember sitting at my compliance desk at 6:30 p.m., after having been there since 6:30 a.m., thinking that a new year should come with a fresh start, a clean slate, a new beginning. All those audits I had not gotten to should be erased and I should be able to start with a fresh calendar. After all, I made it another year. But that is not how life works. It is not like a sporting event and the last game is over, start your game plan for the next one. Well – you do have to prepare for the future and that is what this article is about. But there was no “last game” and what was not finished still needs to get done. As the saying goes, this is not a sprint, it is a marathon. That is when I consider coming in at 6 a.m. tomorrow to get an earlier start.

One thing to always consider as you begin planning your year is what are the major events you are aware of?

• Are we a HMDA reporter or now will be and what ramifications does that bring? If applicable, are we ready for the March 1 filing deadline this year? Do we have only the final quarter’s LAR entries to scrub or more, and how long will that take?

• The Regulation B small business data gathering rule will be coming out this first quarter. The CFPB has said it will, and in fact has promised both Congress and a court that it will be. But the final rule is not here yet and I will worry directly about that when we have the new rule. It will be a lot of preparation work. I am aware of that, and it is in the back of my mind as I start planning major events for 2023. But my focus now is what do I need to get done and on my “completed list” before that new requirement begins taking my time and attention.

• When is my next compliance exam? That is a compliance officer’s direct responsibility. What has been done to prepare for it and depending on when that is expected, more importantly, what has not been done? Start making that list if your exam is imminent. What other exams do you contribute to – Bank Secrecy, Safety and Soundness which may include Reg O, any fair lending or mortgage origination and servicing requirements? When we had a separate mortgage loan origination department, HUD and the VA separately examined it. You may have similar issues. And while we follow regulatory requirements typically to ensure consumer protections are in place, the fact is that exams are where our success or failure is often judged and scored. In preparation for those, we may have internally and externally completed audits done. When are these on the calendar and what preparation is needed for them?

Let’s look at the future, and to do that we have to reflect on the past. Let’s eliminate some of the small things, the minutiae. These are minimal tasks that need to be sorted and ensure there are no issues with compliance. It’s the little things sometimes that surprise you and bite you on the backside. So, let’s strive to eliminate as many of those as we can.

Now that signage requirements are addressed, let’s ensure “annual” tasks have been completed.

Reg BB (CRA), Content and availability of Public File Reg H § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update this continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That actually is to be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs as those may fluctuate. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages, are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR, you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation readies is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Reg C – HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1, for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report.

Reg E § 1005.8 – If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square.

Reg G – Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg P § 1016.5 – There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions: does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every bank will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank web site when the customer uses the web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request, this method is acceptable.

Fair Credit Reporting Act – FACTA Red Flags Report – Section VI (b) (12 CFR 334.90) of the Guidelines (contained in Appendix J) requires a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.
This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding and significant incidents involving identity theft plus management’s response to these and any recommendations for material changes to the bank’s program. Times change, customers’ habits change, and importantly criminals change, and each may require tweaks to the bank’s program.

Reg V, Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know whether there are any expiration dates for the opt-outs and whether these consumers have been given an opportunity to renew their opt-out.

RESPA Reg X, Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.3(b) – These changes are effective January 1, 2023. You should ensure they are available to staff or correctly hard coded in your systems. The exemption for Reg Z disclosures will increase from $61,000 to $66,400, meaning consumer loans over that amount (less real or personal property expected to be used as the consumer’s principal dwelling or a private education loan) will be exempt.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions. The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your bank’s Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to the Compliance Officer reporting to the board, this may include a personal presentation, or it may not. I recommend that it is, because this is an opportunity to express what is being done to control security events from the recent past as well as foreseeable events and why these are important issues. These facts can assist Security in getting the budget and assets necessary for the coming year. There is no prescribed period during which the report must be made other than “annually,” and this may be based off the timing of the prior report, give or take a month. Annual presentations such as this are better done when the directors can focus more on the message so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

• BSA (31 CFR §1020.210(b)(4), and 12 CFR §208.63(c)(4)): Provide training for appropriate personnel.
• Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)): Provide initial & periodic training.
• Reg CC (12 CFR §229.19(f)): Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.
• Customer Information Security found at III(C)(2) (pursuant to the Interagency Guidelines for Safeguarding Customer Information): Training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.
• FCRA Red Flag (12 CFR 222.90(e)(3)): Train staff, as necessary, to effectively implement the Program.
• Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

MISCELLANEOUS – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, following records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays. And finally, has there been a review of those staffers who have not yet taken vacation or “away time” to the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?

Joint owners’ signatures on new joint accounts

By John S. Burnett

We on the OBA Compliance Team were reminded in recent weeks of the problems that can arise when a bank has opened a joint account without obtaining all of the joint owners’ signatures on the account signature card or other deposit contract. It’s our sense that banks aren’t allowing this to happen as often now as it did years ago. But a quick review of the subject may help keep it at “top of mind” when opening joint accounts.

First, a bank account agreement, whether it’s on the signature card itself or in a separate document, is a legal contract between the bank and the owner(s) of the bank account. When there are two or more owners, the agreement is also a contract between or among the joint owners. In most cases, each joint owner agrees that each owner has a right to all of the funds in the account, and, for most banks, each owner agrees to be responsible for any overdraft balance, regardless of which owner causes it.

But in order to have the right to the funds in the account or to be responsible for an overdraft in the account or have the right to request information on or statements of the account, each person has to formalize their participation in the agreement by signing the signature card. Furthermore, to be FDIC insured as a joint account, each owner must have signed, or there must be other evidence of the intent that the account be jointly owned.

Banks should have a tight policy and procedure for managing the opening of a joint account when an owner isn’t present. Assuming they have the ability, they could obtain electronic signatures for account agreements from owners absent from the account opening. If that is not possible, they should consider including in the deposit contract, after consulting legal counsel, a provision that, if a person identified as a joint owner has not signed the signature card within ___ days after the opening of the account, the account’s ownership will change to eliminate that person’s interest in the account. They should also do a proactive (effective) job of following up with the customer who failed to sign in the days after the account was opened.