Why IS There a Community Reinvestment Act?

Why IS there a Community Reinvestment Act?  

As anyone in compliance can attest to, there are myriad consumer compliance regulations.  For bankers, these regulations are regarded as anything from a nuisance, to the very bane of the existence of banks.  However, in point of fact, there are no bank consumer regulations that were not earned by the misbehavior of banks in the past.  Like it or not these regulations exist to prevent bad behavior and/or to encourage certain practices.   We believe that one of the keys to strengthening a compliance program is to get your staff to understand why regulations exist and what it is the regulations are designed to accomplish.  To further this cause, we have determined that we will from time to time through the year; address these questions about various banking regulations.  We call this series “Why IS there….”


The Community Reinvestment Act (“CRA”) is probably one of the most misunderstood and unfairly maligned of all of the consumer protection regulations.  Since its enactment, the CRA has been characterized as the regulation that makes financial institutions make “bad loans”.     It is not all uncommon to hear financial institutions refer to their problems loans as “CRA loans”.  Ironically, the preamble of the regulation makes it clear that there is nothing in the regulation that encourages bad loans.

The CRA is actually a part of a series of financial institution laws and regulations that were aimed directly at lack of credit availability in low to moderate income areas.   The CRA followed similar laws passed to reduce discrimination in the credit and housing markets including the Fair Housing Act of 1968, the Equal Credit Opportunity Act of 1974 and the Home Mortgage Disclosure Act of 1975 (HMDA). The Fair Housing Act and the Equal Credit Opportunity Act prohibit discrimination on the basis of race, sex, or other personal characteristics. The Home Mortgage Disclosure Act requires that financial institutions publicly disclose mortgage lending and application data. In contrast with those acts, the CRA seeks to ensure the provision of credit to all parts of a community, regardless of the relative wealth or poverty of a neighborhood.

All of these regulations were enacted to address the ongoing concerns caused by insufficient credit in low to moderate income areas.   In 2007 Ben Bernanke, then Chairman of the Federal Reserve discussed the need for the enactment of the CRA:

Several social and economic factors help explain why credit to lower-income neighborhoods was limited at that time. First, racial discrimination in lending undoubtedly adversely affected local communities. Discriminatory lending practices have deep historical roots. The term “redlining,” which refers to the practice of designating certain lower-income or minority neighborhoods as ineligible for credit, appears to have originated in 1935, when the Federal Home Loan Bank Board asked the Home Owners’ Loan Corporation to create “residential security maps” for 239 cities that would indicate the level of security for real estate investments in each surveyed city.1 The resulting maps designated four categories of lending and investment risk, each with a letter and color designation. Type “D” areas, those considered to be the riskiest for lending and which included many neighborhoods with predominantly African-American populations, were color-coded red on the maps–hence the term “redlining” (Federal Home Loan Bank Board, 1937). Private lenders reportedly constructed similar maps that were used to determine credit availability and terms. The 1961 Report on Housing by the U.S. Commission on Civil Rights reported practices that included requiring high down payments and rapid amortization schedules for African-American borrowers as well as blanket refusals to lend in particular areas.[1]

In addition to the problems caused by redlining, one of the main concerns that the Community Reinvestment Act was designed to address was the problem created by deposits being taken and not being reinvested in the same communities.

Congress became concerned with the geographical mismatch of deposit-taking and lending activities for a variety of reasons.   Deposits serve as a primary source of borrowed funds that banks may use to facilitate their lending. Hence, there was concern that deposits collected from local neighborhoods were being used to fund out-of-state as well as various international lending activities at the expense of addressing the local area’s housing, agricultural, and small business credit needs.[2]

Part of what Congress recognized by passage of the CRA is the role that financial institutions play in the development (or lack thereof) of communities.

According to some in Congress, the granting of a public bank charter should translate into a continuing obligation for that bank to serve the credit needs of the public where it was chartered.  Consequently, the CRA was enacted to “re-affirm the obligation of federally chartered or insured financial institutions to serve the convenience and needs of their service areas” and “to help meet the credit needs of the localities in which they are chartered, consistent with the prudent operation of the institution.” [3]

Despite its reputation otherwise, the Community Reinvestment Act doesn’t require any specific type of lending.  It does ask financial institutions to identify the credit needs of the community in which it is located and to do all that is possible to meet those credit needs.

Since it was first passed there have been relatively few changes in the regulation itself.  There HAVE been changes in the way it is administrated.  The most significant of these changes are:

  • Making evaluations public- The Financial Institutions Reform, Recovery and Enforcement Act of 1989 made the results of every CRA examination available to the public for review.
  • Differentiating between small, medium and large banks – In 1995, the CRA regulations were changed so that the smaller the institution, the more streamlined the CRA examination would be.

CRA Requirements  

Despite the size of the lending institutions, there are three tests on which CRA performance is judged.   The three tests are:

  • Lending Performance– at its most basic, this is a test that considers the size and resources of the financial institution. In addition, the economic opportunities that exist in the service area of the institutional are considered.  These factors are then compared to the level and distribution of loans that the institution originated.   Special attention is paid to geographic distribution of loans.  The idea here is to make sure that certain neighborhoods are not being left out of lending.
  • Investment Performance – This reviews the level of activity of a financial institution in overall community development. Community development can be accomplished through lending or investing in funds that are aimed at community development.  The definition of what does and does not qualify as community development has been a matter of controversy for several years and may be revised soon.
  • Service – The third test for CRA performance considers the amount services that financial institutions offer in low to moderate areas. Factors considered include things such as the record of opening and closing retail bank branches, particularly those that serve LMI geographies and individuals, the availability and effectiveness of alternative systems for delivering retail banking services in LMI geographies and to LMI individuals, range of retail banking services in each geography classification, extent of community development services provided and the innovativeness and responsiveness of community development services

Small institutions that are under $304 million[4] in assets have the option of deciding whether or not they want their performance under the last two tests reviewed.     For each of these tests there are degrees of activity that can be rated on a scale that goes from “substantial noncompliance” to “outstanding”.

There is nothing in any of these tests that requires a financial institution to make bad loans or even to seek out risky investments.  Instead, the directive of the CRA is that an institution should do all it can to identify opportunities for investments and services within all the communities that it serves.  Put another way, the CRA is asking financial institutions to find the “diamond in the rough” in low to moderate income communities.

CRA in the News 

As the 2008 -2010 financial crises began to subside, and experts began to look for causes, the CRA became a favorite villain for many.  Opponents of CRA placed the blame for predatory and subprime lending on the need to meet the requirements of CRA.  The argument goes that banks and financial institutions made risky loans to unqualified borrowers because that is what is required by the CRA.  There have been many scholarly articles and journal entries that have bene written to address this topic- and the recent movie ‘The Big Short’ also includes a great deal of information.  Despite the arguments there has been little to no effort made to significantly change the regulation.

The Community Reinvestment Act was passed at a time when financial institutions refused to invest in low to moderate income areas.   The main goal of this regulation is to get financial institutions to become good neighbors and to do their best to find customer who might otherwise be overlooked.

[1] The Community Reinvestment Act: Its Evolution and New Challenges  Chairman Ben S. Bernanke

At the Community Affairs Research Conference, Washington, D.C.  March 30, 2007

[2] The Effectiveness of the Community Reinvestment Act Darryl E. Getter   Congressional Research service 2015

[3] Ibid

[4] The figure for the smallest institutions is adjusted annually based upon the Consumer Price Index.

Getting to the Root of the Problem-An Important Step Towards Strong Compliance

Getting to the Root of the Problem- An important Step to Strong Compliance

The compliance examiners are coming!  It is time to get everything together to prepare for the onslaught right?   Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily; the compliance examination is really an evaluation of the effectiveness of your compliance management program (“CMP”).  By approaching your examinations and audits in the same manner, the response to the news of an upcoming review becomes (almost) welcome.

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

  • Board Oversight
  • Policies and procedures
  • Management Information systems including risk monitoring
  • Internal Controls

The relative importance of each of these pillars depends on the risk levels at individual banks.  The compliance examination is a test of how well the bank has identified these risks and deployed resources.   For example, in a bank that has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal.  On the other hand, at a bank where new products are being offered regularly, the need for training can be critical.   The central question is whether or not the institution has identified the risks of a compliance finding and having done so, taken steps to mitigate risks.

Making the CMP fit Your Institution  
Making sure that your CMP is right-sized starts with an evaluation of the products that are being offered and the inherent risk in that activity.  For example, consumer lending comes with a level of risk.  Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio.   In addition to the risks inherent in the portfolio are the risks associated with the manner in which the institution conducts it consumer business.   Are risk assessments conducted when a product is going to be added or terminated?  In many cases, either decisions can create risks.  For example, the decision to cease HELOC’s may create a fair lending issue; while the decision to start making HELOC’s has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.

As a best practice, compliance has to be a part of the overall business and strategic plan of a financial institution.  The CMP has to be flexible enough to absorb changes at the bank while remaining effective and strong.
The True Test of the CMP

Probably the most efficient way to determine the strengths and weakness of the CMP is by reviewing the findings of internal audits and examinations.  When reviewing these findings what is most important is getting to the root of the problem.  Moreover, not only the findings, but the recommendations  for improvement that can be found in examination and audit reports  can be used to help “tell the story”  of the effectiveness of the CMP.  It is very important to determine the root cause the finding.  Generally, the answer will be extremely helpful in addressing the problem.  There are times when the finding is the result of a staff member having a bad day.  On those bad days, even the secondary review may not quite catch the problem.  For the most part, these are the types of findings that should not keep you up at night.
The findings that cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antenna of auditors and examiners.  Unfortunately, too often the tendency is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.

Addressing Findings  

We suggest a five step process to truly address findings and strengthen the CMP.

  1. Make sure that the compliance staff truly understands the nature of the finding.  This may sound obvious, but far too many times there is a great deal loss in translation between the readout and the final report.  If staff feels like what was discussed at the exit doesn’t match the final report, here is a communication concern.  We recommend fighting the urge to dismiss the auditor/examiner as a crank!  Call the agency making the report and get clarification to make sure that the concern that is being express is understood by staff.
  2. Develop an understanding of the root cause of the finding.  Does this finding represent a problem with our training?  Perhaps we have not deployed our personnel in the most effective manner.  It is critical that management and the compliance team develop an understanding or why this finding occurred to most effectively address it.
  3. Assign a personal responsible along with an action plan and benchmark due dates.   Developing the plan of action and setting dates develops an accountability for ensuring that the matter is addressed.
  4. Assign an individual to monitor progress in addressing findings.  We also recommend that this person should report directly to the Audit Committee of the Board of Directors.  This builds further accountability into the system.
  5. Validate the response.   Before an item can be removed from the tracking list, there should be an independent validation of the response.  For example, if training was the issue; the response should not be simply that all staff have now taken the training.  The process should include a review of the training materials to ensure that they are sufficient, feedback from staff members taking the training, and finally a quality control check of the area affected.

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened.  For example, It may be easy to see a problem with disclosing right of recession disclosures.  It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective.  Only by diving into the root cause of the problem can the CMP be fully effective.

Should Small Financial Institutions Perform Compliance Risk Assessments?

Why Should Small Financial Institutions Perform Risk Assessments?   

The concept of risk assessments is often associated with large banks and financial institutions – but it shouldn’t be.  Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more.  Perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year.

Risk assessments can, and should be, used as a tool in the overall compliance toolkit.   When a compliance risk assessment if properly completed and deployed it have many uses including audit planning,  cost reduction, training development and resource allocation to name a few.   Ultimately, the risk assessment should be used as the bedrock of a strong compliance program.

The Component Parts of a strong Compliance Risk Assessment

Past examination and audit results– It goes without saying that the past can be prelude to the future, especially in the area of compliance.   Prior findings are an immediate indication of problems in the compliance program.   It is important that the root cause of the finding is determined and addressed.  The compliance risk assessment has to include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat.  We recommend that the action has to be more than additional training.    Training tends to be the number one answer and of course it is important.  However, without testing to determine whether or not the training is effective, the risk of repeat findings remains high.  It should also be noted that a lack of past findings does not necessarily mean that that the coast is clear.  Each compliance area should be reviewed and rated regardless of whether there were past findings.   In some cases, there are findings that are lying in wait and have not yet been discovered.

Changes in staff and management– change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change.  For example, supposed the head of note operations is brand new.  This new manager will want to process loans using her/his own system.  Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused.  This increases the possibility of findings or mistakes.   Your compliance risk assessment should take into account the risks associated with changes and how best to address them

Changes in products, customers or branches– continuing on with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year.  This will include any new products or services, new vendors, marketing campaigns that are designed to entice new types of customers.  The risk assessment should consider what resources will be required and how they should best be deployed.  Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the processes are in place.  New advertising means both technical and fair lending compliance considerations.

Changes in Regulations– Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies.  Many of these changes do not impact small financial institutions directly, but many do.  Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year.   Part of your risk assessment process has to consider changes that affect your bank or will affect you bank.   As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focused that are planned for the year.  Most regulators are transparent with this information and their publications will indicate areas of examiner focus for the upcoming year.

Monitoring systems in place – finally, the systems that you use to monitor compliance should be considered.  For many small institutions, this system is comprised of word of mouth and the results of audits and examinations.   Part of your assessment should include a plan to do some basic testing of compliance on a regular basis.  After all an ounce of prevention……

The Analysis

Once you have gathered all of the information necessary for completing the analysis, we suggest using analyses that doesn’t necessary assign numbers to risk, but prioritizes the potential for findings.  Remember the effectiveness of your compliance program is ultimately judged by the level and frequency of findings.   The effective risk assessment reviews those areas that are most likely to result and findings and develops a plan for reduction.

Inherent Risk

For each regulation that applies to your institution, you must first determine the level of inherent risk.  According to the Federal Reserve Bank, inherent risk can be defined this way:

Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution’s noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors.[1]

Your compliance risk assessment should consider the inherent risk associated with each product that is offered.  For each regulation, consideration should be given to the penalties associated with a violation.  As a best practice, the likelihood of review of the area by regulators should also be factored into the overall level of inherent risk.  For example, flood insurance is an area that is likely to be examined each and every time the examiners conduct a review and this should factor into the overall inherent risk rating of the area.

Effectiveness of Controls  

Once the inherent risk has been established, the next step is to assess the overall effectiveness of internal controls.  Your internal controls are the policies, procedures, training and monitoring that are performed on a regular basis.   This includes audits and internal reviews that are performed by the compliance department.

To complete the analysis it is necessary to be self-reflective honest and brutal!  If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness.   If more training is necessary or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management.  We have found that the cost of compliance goes up geometrically when a bank is faced with enforcement action.  It is much more efficient to seek the assistance when there are only potential problems as opposed to when actual problems have been found.

Residual Risk  

Residual risk is defined as the possibility that compliance findings will occur after consideration of the effectiveness of controls.  The less effective the controls, the higher the residual risk.   Again, it is critical that the assessment in this area is one that has to be brutally honest.  If overall controls, are not what they should be, the weaknesses that exist should be reflected in the risk assessment.  The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.

Using the Document

The compliance risk assessment is like a Swiss army knife- it has several uses.   First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year.  The highest areas of risk should receive the greatest scrutiny by the auditors.  Mover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.

Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems.    The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order.  The compliance risk assessment is a good tool for measuring the level and quality of compliance resources. As part of the risk assessment process, the level and quality of resources must be considered.   As the process is concluded, it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.

Creating the Compliance Environment

Probably the greatest untapped asset for any compliance officer is the staff at your institution.  Without the support and input of the people who are actually contacting customers and performing day to day operations, the effectiveness of your compliance program will be greatly limited.    Of course one of the greatest impediments to getting the “buy-in” of staff is the perception that many in the banking industry have of compliance.  There is generally dislike and disdain for anything compliance related.  Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks.  Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address.  Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement.

Making sure that senior management accepts the importance of compliance and the costs of non- compliance can help increase support.

A comprehensive compliance risk assessment should be the key to a strong compliance program.


Your Partner in Balancing Compliance