Saturday, July 13, 2024

December 2023 OBA Legal Briefs

  • Year End, Year Start

Year-End, Year Start

By Andy Zavoina

This is a time of celebrations, family, and looking forward to a new beginning as the calendar turns to 2024. But, has every “i” been dotted and “t” crossed for 2023? Do you get to exhale in a sigh of relief as you enjoy the holiday season, chill for a moment, and start anew on January 1? The answers are, “You need to know they are,” and “Absolutely not.” As 2023 ends, 2024 begins as a new year but what’s not done from the year-end still has to be. So, let’s do a quick review of those annual tasks and ensure you are really ready to close the books on 2023 and open the new one for 2024.

What must you always consider as you begin planning your year? The major events you anticipate, especially changes.


Are you a HMDA reporter, or now will be, based on your bank’s size and transactions and what ramifications does that bring? (See 1-5 immediately below for the requirements applicable to 2023 data. Each test must be met.) If applicable, are you ready for the March 1 filing deadline this year? Do you have only the final quarter’s Loan Application Register (LAR) entries to scrub, and if not, how long will that take? Are the first three quarters of 2023 ready to go?

1. Asset-Size Threshold Test. On December 31, 2022, your bank had assets in excess of $54 million. This was for data collection threshold for 2023. We expect the 2024 threshold to be released in late December.
2. Location Test. On the preceding December 31, your bank had a home or branch office located in a metropolitan statistical area (MSA).
3. Loan Activity Test. During the preceding calendar year, your bank originated at least one home purchase loan or refinancing of a home purchase loan secured by a first lien on a one-to four-unit dwelling.
4. Federally Related Test. Your bank is federally insured, regulated, or originated at least one home purchase loan or refinancing of a home purchase loan that was secured by a first lien on a one- to-four-unit dwelling and, well there is more to this test at 12 CFR 1003.2(g)(1)(iv) but I think we had you at “insured.”
5. Loan-Volume Threshold. Your bank meets or exceeds either the closed-end mortgage loan or the open-end line of credit loan volume threshold in each of the two preceding calendar years. A bank that originated at least 25 closed-end mortgage loans in each of the two preceding calendar years or originated at least 200 open-end lines of credit in each of the two preceding calendar years meets or exceeds the loan-volume threshold. (If the loan or line of credit is not a closed-end mortgage loan or an open-end line of credit, it does not need to be reported.

If you barely missed any of these five criteria, you’ll want to pay attention to any revisions to them next year, such as the asset threshold or loan volume.

Small Business Lending Data Rule

Small Business Lending Data Rule. The Reg B small business data gathering rule referred to as “1071” was released and there were legal challenges affecting the rule. It is important to note that the 1071 rule was not challenged, but the CFPB was. On July 31, 2023, the U.S. District Court for the Southern District of Texas ordered the CFPB not to implement or enforce the 1071 rule. The order stays all deadlines for compliance and in subsequent cases and rulings the stay applies to all banks. The Supreme Court has to rule on the case and that is expected about mid-2024. At that point, if the CFPB is successful, it may simply redesignate the deadlines and if it is not, the 1071 rule will be implemented in some form as it is based on Section 1071 of the Dodd-Frank Act, which is not in question. Ask yourself, if the CFPB is successful and that seems likely to many but remains an unknown, how fast will you be able to react on implementation and change management?

In the BOL Lending Compliance Triage Conference in November, Kimberly Boatwright recommended five critical steps compliance officers need to take now.

1. Determine your bank’s status/tier as a covered institution.

2. Conduct a Gap Analysis to understand your products, delivery channels and lending life cycle.

3. Commercial Lending Challenges that need focus, training, and action.

4. Based on your bank’s needs, allocate a budget.

5. Raise the Board’s and senior management’s awareness of issues related to implementation of Section 1071.

When is your next compliance exam?

That is a compliance officers’ direct responsibility. What has been done to prepare for it and depending on when that is expected, more importantly, what has not been done? Start making that list if your exam is imminent. What other exams do you contribute to – Bank Secrecy Act, Safety and Soundness which may include Reg O, any fair lending or mortgage origination and servicing requirements?

The New CRA Rule

One more biggie that cannot be ignored is the new Community Reinvestment Act rule that was recently published. Most of us are beginning to digest it now as the final rule takes effect on April 1, 2024, but with staggered compliance dates of January 1, 2026, and January 1, 2027. So, it is not an immediate need to completely revamp your policy and procedures, but the changes are enormous and you must start planning now. The November Legal Briefs edition has more on the new CRA, but here are a few key elements.

• Asset thresholds for small, intermediate and large banks will increase.
• Most of the rule’s requirements will go into effect on January 1, 2026, to give you time to prepare for implementation.
• Data reporting requirements, which only apply to large banks, will become applicable starting January 1, 2027.
• The rule allows small banks to be evaluated under the existing framework or opt in to be evaluated under the new framework.
• The final rule does not include a start date for examinations pursuant to the performance tests in the amended regulation. We will have to watch as the agencies prepare for and announce this.

Don’t forget the little things

Now let’s look at the future and eliminate some of the small things for peace of mind. These are minimal tasks that need to be sorted and ensure there are no issues with compliance. It’s the little things that sometimes catch you unprepared.

Let’s talk about signage requirements. In our main branch we had a “Fed wall,” which was one area which had the federally required (and state, as applicable) notice requirements. It should be in an area that is highly visible to the public to meet the intent of the posted notice requirements. It does no good to put these on the wall behind a door that stays open or the plastic trees in the lobby which prevent viewing them. You will not get credit during an exam for posting them where they cannot be seen. If there was a remodel done and the signage was taken down for maintenance, ensure it went back up, and in the right location.

As to being unsightly, beauty is in the eye of the beholder. If you put courier font printed pages in a $2 frame and nailed it to the wall, that is what it will look like. I recommend you lay out all the applicable disclosures and buy one large frame, have a matte cut for all these in one space and then everything is accounted for in one space. As a new branch is opened, just order another of the same design. This ensures everything is easily accounted for and posted easily on the wall rather than trying to lay out several frames, especially if those frames were each different giving a hodgepodge appearance. It is also a simple task to pull the frame down, remove the backing and switch out disclosures when necessary. As a tip, there is a transparent tape and removable tape that uses the same adhesive as sticky notes. It will hold your documents to the matte securely yet provide the flexibility to switch them out without destroying the matte or other documents.

Here are suggestions and justifications for your fed wall and other required signage.

1. Community Reinvestment Act Notice: This is to be posted in each lobby with one version in your main office and another in each branch, other than off premise electronic deposit facilities, the Public Notice described in 12 CFR 345.44 (FDIC), 228.44 (FRB), 25.44 (OCC).

2. Equal Housing Lending Poster: Post in lobby of main office, all branches, and in any other areas where loans are made. Note, this is an 11”x14” poster and unlike most other requirements for signage, the size requirements are specifically stated. 12 CFR 338.4 (FDIC), 24 CFR 110.15 and 110.25 (HUD and OCC) the FRB requirements fall under the Fair Housing Act. .

In August 2022 the FDIC made changes to its version of the sign. Refer to Federal Register Vol. 87, No. 151, Page 48079 as the Fair Housing and Consumer Protection Sale of Insurance Rule are both impacted. To improve efficiency and effectiveness the FDIC consolidated the Consumer Response Center and the Deposit Insurance Section under one organization, entitled the National Center for Consumer and Depositor Assistance. Fair Housing signage and the Sales of Insurance disclosure should refer to, “…National Center for Consumer and Deposit Assistance.” The effective date of the change was August 8, 2022. The OCC has also had changes to its poster. Refer to Bulletin 2021-35, August 5, 2021.

3. Home Mortgage Disclosure Act (HMDA). General notice of availability must be posted in each home office and physical branch offices located in an MSA. 12 CFR 1003.5(e). Non-HMDA banks do not post this notice.

4. Fair Credit Reporting Act (FCRA) requires that a consumer be allowed to notify the bank of an error in their consumer report. If a notice is posted informing consumers where to direct their notice, they may not be delivered to just any employee and must be properly directed. 623(a)(1)(C) (Note, this is a recommendation, not a requirement. Not having such a notice does set the bank up for failure as virtually all staff would need awareness training on how to handle such a notice from a customer.)

Additional signage requirements while you are auditing those above.

A. Customer Information Program procedures require providing adequate notice the bank is requesting information to verify customer identities prior to opening account. May be given or posted, 31 CFR 1020.220(a)(5)

B. FDIC Deposit Insurance Notices are to be displayed at each station or window (including drop boxes, teller windows, new accounts, drive-ups) where insured deposits are normally received, excluding automated service facilities such as ATMs, night depositories and POS. These signs must be 3″X7″ in size. 12 CFR 328.2 & FDIC 93-42, 94-17.

C. Funds Availability Policy is for banks routinely delaying availability of any deposited item. Disclosure is required of several items in a conspicuous place in each location where deposits are accepted. This includes the abbreviated text on ATMs but excludes drive-ups. These disclosures are contained in our Facts About Funds Availability brochure that doubles as the posted notice. 12 CFR 229.18

D. ATM Surcharge Notice requirements apply if your bank, as an ATM owner/operator, imposes a fee to complete a transaction or inquiry. The bank must disclose on the ATM that a fee may be imposed. 12 CFR 1005.16(c).

And for employees there are several other requirements.

E. 5-in-1 Employment Poster is required to be visible to job applicants and employees, 42 USC 2000e-10(a). This poster should include five parts, and if not in a combined poster, individual signs must be posted in the manager’s office or lobby. The five laws are: Equal Employment Opportunity Act, Fair Labor Standards Act, Employee Polygraph Protection Act, Family Medical Leave Act, and OSHA’s Plain Language “It’s The Law.” Refer to 29 USC 201, 29 USC 2003, 29 CFR 825.300, and 29 CFR 1903.2(a)(3)

F. Rate Board requirements under TISA/Reg DD are that indoor signs are exempt from many advertising requirements. But if a rate is stated it will use the term “annual percentage yield” or “APY” and contain a statement advising consumers to contact an employee for further information on terms and fees. 12 CFR 1030.8(e)(2)

G. Notice of Employee Rights has two requirements; 1) Executive Order 13496 is a Notice of Employee Rights under the National Labor Relations Act, the primary law governing relations between unions and employers in the private sector. See 29 CFR Part 471. Banks need to follow this for various reasons including due to FDIC insurance, savings bond transactions, TTL accounts and government contracts. Post the notice conspicuously in offices where employees covered by the NLRA perform contract-related activity, including all places where notices to employees are customarily posted both physically and electronically. 2) Employee Rights under the NLRA See section 7 of the NLRA, 29 U.S.C. 157

Now that signage requirements are addressed, let’s ensure “annual” tasks have been completed.

Annual compliance tasks

Reg BB (CRA), Content and availability of Public File § 228.43 – Your Public Files must be updated and current as of April 1 of each year. Many banks update this continuously, but it’s good to check. You want to ensure you have all written comments from the public from the current year plus each of the two prior calendar years. These are comments relating to the bank’s efforts in meeting community credit needs (your SBA loans may play a key role here) as well as any responses to comments. You also want a copy of the last public section of the CRA Performance Evaluation. That actually is to be placed here within 30 days of receipt. Ensure you are keeping up with branch locations and especially ATMs as those may fluctuate. The regulation has more on the content of this file. It may be best to review it with an audit workpaper to use as a checklist to avoid missing any required items.

CRA Notice and Recordkeeping § 228.42, 228.44, 1003.5 – CRA data, which can include small business and small farm as well as home mortgages, are gathered based on specific reporting requirements for the Loan Application Registers (LAR). CRA and HMDA information, if applicable, must be submitted by March 1, for the prior calendar year. If you are a reporter of either LAR you should start verifying the data integrity now to avoid stressing the process at the end of February. HMDA mortgage data should be compiled quarterly so this should not be a huge issue, but a thorough scrubbing as the new year starts and submission preparation approaches is always warranted.

Pertaining to this, national banks should ensure they have reviewed and updated as needed the CRA, FHA and ECOA notices in accordance with the Aug. 5, 2021, OCC Bulletin 2021-35. This bulletin provided updated content for the appropriate names and addresses for notices required by the Community Reinvestment Act and Equal Credit Opportunity Act, and for posters under the Fair Housing Act. National banks were required to make the appropriate changes to their notices and posters within 90 days of the issuance which then had a mandatory compliance date of Nov. 3, 2021.

Reg C – HMDA Notice and Recordkeeping § 1003.4, 1003.5 – HMDA data are gathered as home mortgage loans are applied for and are compiled quarterly if your bank is a HMDA reporter. There are specific and detailed reporting requirements for the Loan Application Register (LAR) itself. The LAR must be submitted by March 1, for the prior calendar year. If you are a reporter, you should start verifying the data integrity now and this is of vital importance if you have a large volume of records to report.

Reg E § 1005.8– If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.

This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square.

Reg G – Annual MLO Registration § 1007.102, 1007.103 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses. Additionally, paragraph (b) of 1007.103 requires updates that may require coordination with HR – were there name changes of an MLO or a move to another location?

Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of § 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.

Reg P § 1016.5 –There are exceptions allowing banks which meet certain conditions to forgo sending annual privacy notices to customers. The exception is generally based on two questions; does your bank share nonpublic personal information in any way that requires an opt-in under Reg P, and have you changed your policies and practices for sharing nonpublic personal information from the policies and procedures you routinely provide to new customers? Not every bank will qualify for the exception, however. John Burnett wrote about the privacy notice conundrum in the July 2017 Legal Briefs. That article has more details on this.

When your customer’s account was initially opened, you had to accurately describe your privacy policies and practices in a clear and conspicuous manner. If you don’t qualify for the exception described above, you must repeat that disclosure annually as well. Ensure that your practices have not changed and that the form you are sending accurately describes your practices.

For Reg P and the Privacy rules, annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis, so this is not necessarily a December or January issue, but it could be. And each customer does not have their own “annual date.” If a consumer opens a new account with you in February, you provide the initial privacy notice then. That is year one. You can provide the annual privacy notice for year two at any time, up until December 31 of the second year.

It is important to note that unlike most other regulatory requirements, Reg P doesn’t require E-SIGN compliance for your web-based disclosures. You can use e-disclosures on your bank web site when the customer uses the web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. So, the demonstrable consent requirements and others in E-SIGN’s 15 USC Sect. 7001(c) do not apply, but there must still be acceptance to receive them on the web. Alternatively, if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request this method is acceptable.

Fair Credit Reporting Act – FACTA Red Flags Report – Section VI (b) (12 CFR 334.90) of the Guidelines (contained in Appendix J) require a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.

This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding and significant incidents involving identity theft plus management’s response to these and any recommendations for material changes to the bank’s program. Times change, customers’ habits change, and importantly criminals change and each may require tweaks to the bank’s program.

Reg V, Fair Credit Reporting Act – Affiliate Marketing Opt-Out § 1022.27(c) – Affiliate marketing rules in Reg V place disclosure restrictions and opt out requirements on you. Each opt-out renewal must be effective for a period of at least five years. If this procedure is one your bank is using, you must know if there are there any expiration dates for the opt-outs and whether those consumers have been given an opportunity to renew their opt-out.

RESPA Reg X, Annual Escrow Statements § 1024.17 – For each escrow account you have, you must provide the borrower(s) an annual escrow account statement. This statement must be done within 30 days of the completion of the escrow account computation year. This need not be based on a calendar year. You must also provide them with the previous year’s projection or the initial escrow account statement, so they can review any differences. If your analysis indicates there is a surplus, then within 30 days from the date of the analysis you must refund it to the borrower if the amount is greater than or equal to $50. If the surplus is less than that amount, the refund can be paid to the borrower, or credited against next year’s escrow payments.

Reg Z Thresholds and Updates § 1026.3(b)– These changes are effective January 1, 2024. You should ensure they are available to staff or correctly hard coded in your systems. The exemption for Reg Z disclosures will increase from $66,400 to $69,500, meaning consumer loans over that amount (except for loans secured by real or personal property expected to be used as the consumer’s principal dwelling or a private education loan) will be exempt.

BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions. The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked.

Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.

Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your bank’s Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.

Similar to the Compliance Officer reporting to the board, this may include a personal presentation, or it may not. I recommend that it is because this is an opportunity to express what is being done to control security events from the recent past as well as foreseeable events and why these are important issues. These facts can assist Security in getting the budget and assets necessary for the coming year. There is no prescribed period during which the report must be made other than “annually” and this may be based off the timing of the prior report, give or take a month. Annual presentations such as this are better done when the directors can focus more on the message, so try to avoid quarter ends, and especially the fourth quarter. This is not a “how-to” on the annual security report, but you can find more on the topic, free, on the BankersOnline Tools by searching on “annual security program.”

Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).

– BSA (31 CFR §1020.210(b)(4), and 12 CFR §208.63(c)(4) Provide training for appropriate personnel.
– Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)) Provide initial and periodic training
– Reg CC (12 CFR §229.19(f)) – Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.
– Customer Information Security found at III(C)(2) (Pursuant to the Interagency Guidelines for Safeguarding Customer Information), training is required. Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
– FCRA Red Flag (12 CFR 222.90(e)(3)) Train staff, as necessary, to effectively implement the Program;)
– Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.

MISCELLANY – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, following records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays.

And finally, has there been a review of those staffers who have not yet taken five consecutive vacation or “away time” days per Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?