Some Items to Consider for Your Audit Scope, January 18, 2017



As you prepare your annual audit schedule, a task that can often seem mundane, there are significant opportunities to take charge and “change the game”. The schedule is often set by focusing on the number of audits that must be completed within the year. The bulk of the planning attention goes to scheduling the audits in the manner that is least disruptive. Little attention is typically paid to constructing the components of the audit scope. Build the scope of the audits around the results of your risk assessment and you can greatly enhance the effectiveness of the audit reports.

The Standard Menu

Outsourced internal audit firms design the scopes for the audits they conduct based upon their knowledge of auditing, regulatory trends, best practices and the overall knowledge of their staff. This practice allows the firms to bring a wealth of experience and important information from outside the financial institutions they are reviewing. When your audit firm presents the scope it proposes, that scope is based entirely upon external factors and considerations. This is not a criticism of the firm; it is standard practice. However, setting the scope for internal audits is really supposed to be a collaborative effort, and both the audit firm and your institution are best served by developing the scope for audits together. After all, who knows the strengths and weaknesses of your institution better than management? To get the biggest bang for your buck, why not tie the audit scope to the results of your risk assessment?

The Risk Assessment and the Internal Audit

An effective risk assessment of your compliance program can be an excellent source document for various things, including budget requests for additional resources and the scoping of audits. Completing the assessment includes considering the inherent risk at your institution, the internal controls that have been established to address that risk and a determination of the residual risk. The process is intended to be one of self-reflection and consideration of the areas of potential weakness. For those areas that have the potential to be a problem, the best practice is to make sure they are included in the scope of an audit. Audit firms are more than happy to work with the management of the institutions they are reviewing on developing a scope. One of the crucial goals of the audit is to uncover areas where there are weaknesses in internal controls. For example, in your risk assessment you may have noted a large number of errors in disclosures for new accounts. This should be a focus for the internal auditors when the compliance audit is performed.

Root Causes

An area that is often overlooked in audits is a discussion of the root causes of findings. For every violation or problem noted during an examination or audit, there is a reason the violation occurred. Ineffective training, incomplete written procedures, poor communication or incompetence are all possible causes of a finding. Getting feedback from the auditors on the root cause of a problem allows the remediation to be most effective. One of the main reasons for repeat findings is ineffective remediation.

Future or Strategic Risks

The environment for banking is going through significant change as fintech companies have begun to make inroads into the financial markets. Financial institutions should consider whether their current systems, business plans and infrastructure are well positioned to meet the annual goals. External audit firms can be a very good source of information on industry trends and ideas. Building a consideration of both future and strategic risks into the scope of the audit can yield significant benefits.

Self-Policing and the New Compliance Ratings

One of the main reasons to expand the scope of your audits is to take advantage of the new compliance ratings system that takes effect in March of 2017. The new ratings will consider Board and management oversight, the strength of the compliance program and the potential for consumer harm. These new ratings will put an increased premium on an institution’s ability to self-police potential violations. The ability of a financial institution to identify problems, determine the root cause and remediate the problem will have a large impact on the overall rating of the institution. By setting the scope of your audits to help self-police, your institution can take full advantage of the new ratings system.


What Is Supposed to be in my Risk Assessment? January 10, 2017


2017 is here! Now is the time for new resolutions, renewed plans for success and… if you’re in compliance, now is the time for new compliance risk assessments. As we have discussed in previous blogs, the risk assessment is often discussed and sometimes reviled as a meaningless regulatory requirement. When attempting to prepare a risk assessment, a frequent question arises: what are the essential items in my risk assessment? Per regulatory guidance produced by the Federal Reserve:

“Principles of sound management should apply to the entire spectrum of risks facing an institution including, but not limited to, credit, market, liquidity, operational, compliance, and legal risk.”

This guidance applies to general principles of risk assessment preparation. The compliance risk assessment is something of a different animal, because questions of market risk, credit risk and liquidity risk are relatively minor concerns when considering risks in compliance. The focus instead should be on the compliance, transactional, strategic, financial and reputational risks associated with compliance activity.

Think of the risk assessment as a matrix – not the type where you get to choose a red pill or a blue pill, just a square with several blocks. There is a formula that you can use to complete an effective risk assessment. The basic formula is INHERENT RISK (minus) INTERNAL CONTROLS (equals) MITIGATED RISK.

Inherent Risk

Inherent risk is the risk associated with the products, customers and overall compliance structure at your bank.

“An inherent risk is a risk category that really relates broadly to the activities and operations of a company without considering necessarily the company. For example, unsecured lending is inherently more risky than secured lending. If I were auditing an institution that was primarily involved in unsecured lending, then I would have a higher assessment of inherent risk in that organization than, let’s say, secured lending. And that’s a fairly simple example, but that type of a risk assessment is done for each critical business component.” [1]

When considering the level of inherent risk at your institution, consider all the products that you offer and the worst-case scenarios lurking in the background. For example, suppose you are considering the inherent risk associated with consumer lending. The inherent risk might look something like this:

Consumer Loans - Inherent Risk (Type of Risk / Comment)

Compliance Risk - The risk associated with the regulatory requirements for making consumer loans, e.g. disclosures, accurate calculations, etc.

Transactional Risk - The risk associated with the systems in place that are being used to support offering the product. Can your core support the loan types being offered?

Reputation Risk - The risk that the products will result in consumer complaints, UDAAP violations or potential fair lending concerns.

Strategic Risk - Are your products really meeting the credit needs of the community you serve?

The point of this part of the exercise is to determine the level of risk that comes with offering the products at all. This level of risk does not take your compliance program into account.

Internal Controls

Once you have identified the risks inherent in the products you offer, the customers you serve and the overall current compliance program, the next step is to review the steps your institution has taken to address them. This is where your policies, procedures, training and independent audits come in. There is a real opportunity to self-reflect and simultaneously project your aspirations during this part of the risk assessment. It is one thing to note that you have policies and procedures in place. It is a far different consideration to determine how effective they are. Are the policies and procedures written and updated on an annual basis? How much of the policies and procedures are internally developed and how much have been “borrowed” from other institutions? (Note: this is not to imply that borrowing is a bad thing, if the information truly reflects the situation at your institution.) The risk assessment should contain an analysis of the current state of the internal controls. What would excellent controls look like, and what would it take for the compliance department to get there? These considerations should be included.

Mitigated Risk

Your overall assessment of how well the internal controls at your institution address the possibility of problems is the mitigated risk. For the risk assessment to be a most effective tool, this process must truly consider potential problems with internal controls. Written policies and procedures, for example, can be comprehensive and up-to-the-minute accurate, but totally ineffective if staff don’t use them. Training is an area often taken for granted. The online training that most institutions offer is a great start for training. However, for a full in-depth understanding, additional training that includes case studies is a best practice.


For the banking industry in general, regulators have put strategic risk at the forefront. For example, in its Semiannual Risk Perspective for spring 2016, the OCC noted that strategic risk is a concern:

“Banks are several years into the risk accumulation phase of the economic cycle. The banking environment continues to evolve, with growing competition among banks, nonbanks, and financial technology firms. Banks are increasingly offering innovative products and services, enabling them to better meet the needs of their customers. While doing so may heighten strategic risk if banks do not use sound risk management practices that align with their overall business strategies, failure to innovate to meet evolving needs or financial services may place a bank at a competitive disadvantage.” [2]

As the risk assessment process is completed this year, it is important to consider whether your institution is keeping up with trends in technology and innovation. The financial industry is being disrupted in a way that will significantly impact the relationship between customers and institutions. Without the right technology and business plan, it will be easy to be left behind. Make sure that your risk assessment considers strategic risk.

James DeFrantz is the Principal of Virtual Compliance Management Services LLC. He can be reached directly at

[1] William Lewis, Price Waterhouse Coopers, Comptroller of the Currency, Administrator of National Banks, Audit Roundtable, Part 1: Risk Assessment and Internal Controls.

[2] OCC, Semiannual Risk Perspective From the National Risk Committee, Spring 2016.

BSA Risk Assessments-What’s the Point, December 28, 2016



For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment.  It has also likely been your experience to find a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”.  In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail.  The detail required for a complete risk assessment is elusive at best.  Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography- “you know it when you see it”.

The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments. The manual directs that every financial institution should develop a BSA/AML and an OFAC risk assessment. Unfortunately, the form the risk assessment should take and the minimum information required are left as open questions for the financial institution. Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use.

As financial institutions continue to change and the number of financial products and types of institutions offering banking services grow, the risk assessment can become something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan can change the whole process.

The FFIEC BSA examination manual specifically mentions risk assessments in the following section:

“The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing.” [1]


This preamble has several important ideas in it. The expectation is that the management of an institution can identify:

  • Who its customers are: including the predominant nature of the customer base. Are you a consumer or a commercial institution at your core? Who are the customers you primarily serve?
  • What is going on in your service area? Is it a high-crime area, a high drug-trafficking area, both or neither? The expectation is that you will know the types of things, both good and bad, going on around you. For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money. The point is that you need to know what is going on around you.
  • Where are the outlier customers? Do you know which types of customers require closer watching than others? There are some customers who, by the nature of what they do, require more observation and analysis than others. The question is, have you identified these high-risk customers?
  • How well are you set up to monitor the risks at your institution? Do you have systems in place that are up to the task of discovering “bad things” going on? Does the software you use really help the monitoring process? This analysis should consider whether the staff you have truly understand the business models your customers are using. For example, if your customer base includes Money Services Businesses, do you have staff in place who know how money services businesses work and what to look for? The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB looks like.
  • Ties to the strategic plan: does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to money services businesses, does the BSA department have an increase in staff included in its budget?


Effective Risk Management

The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program. The areas of greatest risk should also be the areas with the greatest dedicated resources. Independent audits and reviews should be directed to the areas of greatest risk. For example, if there are many electronic banking customers at the institution while there are almost no MSBs, then the audit scope should presumably focus on the electronic banking area and give MSBs a limited review. In addition, training should focus on the BSA/AML risks associated with electronic banking, etc.

Rethinking the Risk Assessment Process

Continued development of new products and processes in finance and technology (“fintech”), together with developments in BSA/AML, has opened the possibility of a vast array of potential new products for financial institutions. Products such as digital wallets and stored value on smartphones have opened new markets for people who have traditionally been unbanked and underbanked. Forward-thinking financial institutions should consider the possibility that some of these new products have the potential to enhance income.

The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products. When preparing the risk assessment, consider the resources necessary to offer new (and money-making) products.

There Are No Absolute Prohibitions Against Banking High-Risk Clients

Per the FFIEC BSA Examination Manual, higher-risk accounts are defined as follows:

“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents.” [2]

The manual goes on to detail several other factors which should be considered when monitoring high-risk accounts. We note that the manual does not conclude that high-risk accounts should be avoided.

The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering.  Financial institutions are expected to:

  1. Conduct a risk assessment on each of these clients;
  2. Consider the risks presented;
  3. Consider strengthening internal controls to mitigate the risk;
  4. Determine whether the account(s) can be properly monitored and administered;
  5. Determine whether the risk presented fits within the risk tolerance established by the Board of Directors.

Once these steps have been followed to open an account for a high-risk customer, there is also an expectation of ongoing monitoring of the account for potential suspicious activity or account abuse. The exam manual is also clear: once a procedure is in place to determine, properly mitigate and manage risks, there is no prohibition against having high-risk customers. The risk assessment section of the exam manual notes the following:

“The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the bank’s BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy.” [3]

Once an account has been determined to be high risk and an efficient monitoring plan has been developed, there can be various levels of what high risk means. When a customer’s activity is consistent with the parameters that have been established and has not varied for some time, the account can be high risk technically but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition in the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing, deposits and wire activity can be established. If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customer’s business line is, and understanding what the customer is doing as it continues without much variation, reduces the overall risk.
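The baseline approach described above, worked through as an added example (not code from the original post): a monthly baseline is built per activity category from the MSB customer’s own history, and a new month is compared against it. The category names follow the post; the thresholds, function names and dollar figures are constructed assumptions.

```python
"""Baseline-deviation monitoring for a 'technically high-risk' MSB account.

Added example, not part of the original post. The activity categories come
from the post (remittances, check cashing, deposits, wires); the thresholds,
the helper names and the sample figures are constructed assumptions.
"""
from statistics import mean, pstdev

CATEGORIES = ("remittances", "check_cashing", "deposits", "wires")

# Constructed sample: twelve months of aggregate activity (USD) for one MSB
# customer, used to establish the baseline the post describes.
HISTORY = [
    {"remittances": 410_000, "check_cashing": 220_000, "deposits": 655_000, "wires": 95_000},
    {"remittances": 395_000, "check_cashing": 231_000, "deposits": 640_000, "wires": 102_000},
    {"remittances": 420_000, "check_cashing": 215_000, "deposits": 660_000, "wires": 90_000},
    {"remittances": 405_000, "check_cashing": 225_000, "deposits": 648_000, "wires": 98_000},
    {"remittances": 415_000, "check_cashing": 218_000, "deposits": 670_000, "wires": 93_000},
    {"remittances": 400_000, "check_cashing": 228_000, "deposits": 645_000, "wires": 100_000},
    {"remittances": 425_000, "check_cashing": 222_000, "deposits": 662_000, "wires": 96_000},
    {"remittances": 390_000, "check_cashing": 219_000, "deposits": 638_000, "wires": 91_000},
    {"remittances": 412_000, "check_cashing": 227_000, "deposits": 655_000, "wires": 99_000},
    {"remittances": 408_000, "check_cashing": 221_000, "deposits": 650_000, "wires": 94_000},
    {"remittances": 418_000, "check_cashing": 216_000, "deposits": 668_000, "wires": 97_000},
    {"remittances": 402_000, "check_cashing": 224_000, "deposits": 643_000, "wires": 92_000},
]

# Constructed months to review: one that matches the baseline, one with a
# wire spike that an analyst should look at.
NORMAL_MONTH = {"remittances": 407_000, "check_cashing": 223_000, "deposits": 652_000, "wires": 95_000}
SPIKE_MONTH = {"remittances": 415_000, "check_cashing": 219_000, "deposits": 655_000, "wires": 600_000}


def build_baseline(history, min_months=6):
    """Return {category: (mean, population stdev)} from monthly totals.

    A baseline resting on too few months is not 'established'; refusing to
    build one makes that gap visible instead of silently treating a thin
    history as normal.
    """
    if len(history) < min_months:
        raise ValueError(f"need at least {min_months} months, got {len(history)}")
    baseline = {}
    for cat in CATEGORIES:
        values = [m[cat] for m in history]
        baseline[cat] = (mean(values), pstdev(values))
    return baseline


def find_deviations(baseline, month, z_limit=3.0, min_change_ratio=0.25):
    """Return the categories in which `month` departs from the baseline.

    Both conditions must hold for a category to be reported:
      * |z-score| > z_limit, i.e. the month is far outside the customer's own
        historical spread; and
      * the absolute change exceeds min_change_ratio of the historical mean,
        so a category whose history is almost flat (tiny stdev) does not
        alert on an immaterial difference.
    Each entry is (category, observed, expected, z).
    """
    deviations = []
    for cat in CATEGORIES:
        expected, spread = baseline[cat]
        observed = month[cat]
        change = observed - expected
        # A flat history gives a zero spread; any change is then infinitely
        # many 'standard deviations' away and the ratio test decides.
        z = change / spread if spread else (float("inf") if change else 0.0)
        material = expected == 0 or abs(change) > min_change_ratio * expected
        if abs(z) > z_limit and material:
            deviations.append((cat, observed, round(expected), round(z, 1)))
    return deviations


def review_account(history, month):
    """Classify one month of activity against the customer's baseline.

    'within baseline' means the high-risk label holds only in the technical
    sense the post describes; 'review' means an analyst should look at the
    listed categories.
    """
    deviations = find_deviations(build_baseline(history), month)
    return {"status": "review" if deviations else "within baseline",
            "deviations": deviations}


if __name__ == "__main__":
    for label, month in (("normal month", NORMAL_MONTH), ("wire spike", SPIKE_MONTH)):
        print(label, review_account(HISTORY, month))
```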

For a more complete discussion of the effective use of the BSA/AML risk assessment, please contact us at

Planning Your Compliance Year- December 13, 2016

As the year comes to a close, for most people it is time to celebrate with family and friends and to look forward to the new year with anticipation. For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective. For many years now, each new year has brought a different set of regulations and the challenge of keeping financial institutions in compliance. This is not necessarily a bad thing. New challenges can present an opportunity for new and more efficient solutions. There are some steps that you can take that can truly help you reach the goal of getting on top of compliance.


Step One- Information Gathering

There are several sources for regulatory changes. It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements issued by the prudential regulators. All three issue a plan that addresses the areas they will emphasize in the upcoming year.[1] For example, the Office of the Comptroller of the Currency’s annual report points out that strategic planning will be an emphasis of the examination teams in 2017. In addition, there are many organizations and agencies that list the effective dates for regulations. At VCM, we have a form that lists regulations, effective dates and whether the regulation will apply to your organization.[2] Gathering information on the new regulations and regulatory initiatives is a key first step in planning the compliance year.

Step Two – Setting the Parameters

The next step is to complete a risk assessment.  Often, we see risk assessments that are performed specifically for meeting a regulatory requirement.  In many cases, these assessments are completed and put away until it is time to do an annual update.  We believe that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.  Your risk assessment should include:

  • The areas where there have been regulatory or internal audit findings in the past
  • The types of products the Bank offers and the risks associated with those products
  • New products contemplated
  • The management reports currently being generated by software
  • Changes in regulations that might affect the bank
  • Changes in staff that have occurred or are planned

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  The assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be used to set the training calendar.

Step Three- Checking Twice

In addition to going through the regulations, it is necessary to make sure your policies and procedures match the requirements. For example, have you developed a solid method for making sure that you comply with the “valuations rules” of Regulations B and Z? Do you know what these are and how they affect you?

It is also a very good idea to sign up for all the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB. [3]

Step Four-Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed.   Far too often compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination.  However, as the saying goes, an ounce of prevention is worth a pound of cure.  Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!

One of the best areas to get support for compliance is through the staff at your bank. At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective. One of the themes we have noticed over the years is that people tend to buy in more when they understand the hows and whys of compliance. While online training classes are clearly efficient and relatively inexpensive, they can sometimes lack the perspective that gives staff members the reason why the regulation exists. For example, we have found that taking the time to explain to the staff members who open accounts what the BSA laws and rules are trying to accomplish has dramatically improved the collection of data for CIP. The same is true for Regulation B and a host of other areas. By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in those disclosures. The more help from staff you get, the more efficient you can be.


Step Five- Execute the Plan

Once you have completed the risk assessment, prioritized the risks and asked for help, it is time to execute the plan. Make sure that the scope of the audits you are getting will meet your needs and give you information on how things are going. Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank. The internal audit is an important tool that should be used to help find areas that need attention. It is true that the auditor is your friend. The results of audits should be taken seriously and positively, as this is your opportunity to determine levels of compliance without having regulatory problems.

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem.

Step Six-Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor, try making your own plans. There is no question that the best-laid plans can sometimes go awry. Therefore, it is important that you build flexibility into your plan. For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the more urgent area of risk is compliance with HMDA. Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk is somewhere else. The point is that your plan should still hit all the highest areas of risk to ensure that your program is successful.


Planning your compliance year can not only keep you ahead of trouble; it can help you start making different New Year’s resolutions!


[1] See for example,,


[2] This form can be found on our website at


Assessing Your Compliance Management Program- November 29, 2016

In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions. These guidelines have since been adopted and will commence in March of 2017. The new compliance guidelines represent a strong departure from the current system for rating. In addition, these guidelines present a strong opportunity for financial institutions to greatly impact their own compliance destiny. Although these new guidelines have been released with limited fanfare, the change in approach to the supervision of financial institutions has been discussed for some time and is noteworthy. The upcoming changes to the ratings for compliance programs will put a premium on the overall effectiveness of your compliance management program. The stronger the program for compliance, the less likely a single finding will impact the overall rating.

Determining Effectiveness

Although it is easy to assume that “effectiveness” is in the eye of the beholder, there are some metrics that can be used to make this determination.  Some of the factors that the regulators will consider when assessing effectiveness include:

·        Ability to identify compliance risks at the institution – under the new ratings systems the risk assessment your institution prepares will be a critical document. On a regular basis, it is necessary to identify all the risks associated with:

o  The products you offer

o  The customers you serve

o  The It systems you are using

o  The training program you have

o  The strength of the policies and procedures in place

o  Turnover at key positions

o  New and additional products offered

Regulators will expect the risk assessment process is comprehensive and robust and all potential problems are considered and addressed. For each risk mentioned above there should be steps designed to reduce risk to an acceptable level. In this case, the acceptable level should match with the risk appetite of the Board. All financial activity has some level of inherent risk. The risk assessment should detail how your institution has identified the risk and done all that it can to reduce the risk to the level the Board has decided they are willing to take.

·        Appropriate resources to address and mitigate risks – One of the disconnects that often occur between the completion of a risk assessment and the ongoing operation of a financial institution is consideration of the resources that are available. For example, it is one thing to develop comprehensive procedures for testing compliance with flood rules. It is another thing altogether not to have sufficient staff to complete all the steps in the procedures. Moreover, if the staff that are expected to follow the flood procedures are overburdened or under trained, your plans for mitigating risk will be thwarted. The level and quality of resources directed towards compliance will be a key consideration for the overall compliance rating under the new guidelines. Suppose your financial institution had a finding in the flood insurance area after an examination. If the finding was caused by an oversight, that is unlikely to repeat, the impact of the finding will be minimized. On the other hand, if the finding was created because there wasn’t enough time or staff to do a quality check, the issue looms large.

·        Ongoing testing of the internal controls – Much like the old saying “an ounce of prevention is worth a pound of cure” regular testing of compliance controls can greatly enhance the effectiveness of a compliance program. The testing doesn’t have to be extensive, just consistent. Take five of the most recent originated loans and make sure that the disclosures were completed timely and completely. Do the same for deposit accounts that have been recently opened. Complete a mystery shopping event to test employee’s knowledge of products and services.  By using ongoing testing, a compliance team can determine the areas of true weakness and address them.

·        Training of staff – Most financial institutions rely on online training to meet the obligation of keeping staff informed about the applicable regulations. Online training is an extremely useful and cost-effective way to give staff members a basic understanding. However, effective compliance programs augment it with in-person classes that allow staff to ask about real-world examples. This reinforces the information and allows for a deeper understanding of the requirements of the regulations and of why staff are critical to an overall strong program.

Using Findings to your advantage

Maintaining an effective program does not mean that there won't be ANY findings. It DOES mean that when errors occur, the compliance team can determine the root cause of the problem and develop a plan to address it. An effective compliance program will be able to use findings to strengthen the program itself in the long run.

There are Lessons for All Financial Institutions in the Wells Fargo Case- Part Three: A Glaring Need – November 2, 2016

There are lessons for All Financial Institutions in the Wells Fargo Case

Part Three- Turning Our Eyes to a Glaring Need

We have talked about how the Wells Fargo case involved violations of the prohibition on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). We noted that this is true because the practices of the bank forced extra accounts and products on customers who simply did not want them. Along with the unwanted accounts came significant fees and charges. In some cases, individual Wells Fargo customers had as many as 10 unwanted accounts.

While this case continues to wind its way through administrative hearings, news stories and the inevitable civil lawsuits, there is a strong irony in it that can easily go unnoticed. There can be no doubt that customers of Wells Fargo were victimized by an abusive campaign. However, while these customers can be considered OVERBANKED, there are simultaneously millions of Americans who are unbanked or underbanked.

A Forgotten Population

Wells and many other financial institutions continue to pursue practices that push additional accounts on people who already have a banking relationship. In the meantime, there are millions of potential customers who have no relationship at all, as the FDIC showed in its 2015 survey of unbanked and underbanked households.

The FDIC has defined Unbanked and underbanked as follows:

“…… many households—referred to in this report as “unbanked”—do not have an account at an insured institution. Additional households have an account, but have also obtained financial services and products from non-bank, alternative financial services (AFS) providers in the prior 12 months. These households are referred to here as “underbanked.”[1]

Per the Corporation for Enterprise Development, there are millions of unbanked and underbanked households across the country. For example, in 2010 the same organization estimated that 20% of the households in New Jersey were underbanked.[2] The number of unbanked and underbanked people that live within the service areas of financial institutions presents both an opportunity and a level of risk. As the FDIC pointed out in its May 2016 study "Bank Efforts to Serve Underbanked and Unbanked Communities," the whole banking community is better served when the level of trust and participation is increased.[3]

Why Unbanked and Underbanked?

The FDIC asks the same sorts of questions in each survey, and the answers have been consistent. Here are some of the key observations:

  • The most commonly cited reason was "Do not have enough money to keep in an account." An estimated 57.4 percent of unbanked households cited this as a reason and 37.8 percent cited it as the main reason.
  • Other commonly cited reasons were "Avoiding a bank gives more privacy," "Don't trust banks," "Bank account fees are too high," and "Bank account fees are unpredictable."
  • Perceptions of banks' interest: the 2015 survey included a new question asked of all households: "How interested are banks in serving households like yours?" The survey results revealed pronounced differences across households.
  • Approximately 16 percent thought that banks were "not at all interested" in serving households like theirs, and the perceptions of the remaining 8 percent were unknown.
  • Unbanked households were substantially less likely than underbanked or fully banked households to perceive that banks were interested in serving households like theirs. More than half (55.8 percent) thought that banks were not at all interested, compared to roughly 17 percent of underbanked households and 12 percent of fully banked households.

While financial institutions are overbanking the customers they have, tens of millions of American households (more than one in four, by the FDIC's 2015 survey) currently either have no relationship with a bank or only a minimal one.

Why serve these communities?

In many cases, misperceptions on the part of both customers and financial institutions keep them apart. For far too long it has been an axiom that the cost of providing banking services for consumer accounts prevents an acceptable rate of return. However, through the development and use of new technologies, the costs associated with consumer accounts have declined significantly.

Without significant competition for the unbanked and underbanked households, their financial needs are met by businesses that are predatory. The number of firms offering high-cost loans has proliferated, and the number of unbanked and underbanked families has grown.

Advances in technology have made it possible for financial institutions to offer services to communities throughout the country and the world without needing to expand the branch system. Today's digital wallet customer is tomorrow's commercial loan.

Compliance as an Asset

For the financial institution that considers offering new products and services using technology, a new approach to compliance must be pursued. Currently, at most financial institutions, compliance is viewed as a necessary evil, an expense that is at best the cost of doing business. However, suppose the role and function of the compliance department changed. When the compliance department becomes fully versed in the requirements for offering fintech products, the institution can become an active participant in the burgeoning market. By putting resources into your institution's ability to assess and monitor risks, new products, partnerships and growth become possible. Start thinking of compliance as an asset: it can be the gateway to new sources of income.

Towards New Markets

The fact is that there are products that are available and cost effective, and the market for these products is huge; there simply must be a willing spirit. Rather than committing fraud, consider serving the unbanked and underbanked markets.


[1] FDIC, 2015 FDIC National Survey of Unbanked and Underbanked Households

[2] See anked_Places_in_America.pdf, June 2016

[3]The FDIC recognizes that public confidence in the banking system is strengthened when banks effectively serve the broadest possible set of consumers. Accordingly, the agency is committed to helping increase the participation of unbanked and underbanked consumers in the banking system.

There are lessons for all financial institutions in the Wells Fargo case: Part Two


Part Two:  Management’s role in avoiding UDAAP violations

In the first part of this series we talked about the three prongs of the prohibition on Unfair, Deceptive, or Abusive Acts or Practices ("UDAAP"). We detailed the three concepts that lead to violations and potential enforcement actions. A brief description of the types of violations includes practices that are:

  • Unfair: Fees or costs that a consumer has to pay that are unfair
  • Deceptive: Fees or costs that are not obvious in product disclosures
  • Abusive: Not helping the customer understand what it is they are getting into.

The Wells Fargo case is the most recent and one of the most newsworthy cases of a financial institution being cited for UDAAP violations. The actions of the bank in this case are obviously egregious, and for the most part it is fairly clear that customers were mistreated. However, there are several places where potential UDAAP violations lurk that are not nearly so obvious, and the warning signs are not always easy to spot. Senior management must play a significant role when it comes to avoiding UDAAP violations.

UDAAP – A Different Approach

One of the vexing aspects of UDAAP violations is the manner in which they occur. In the UDAAP world, technical compliance with a regulation is not nearly enough. Violations are most often found in the outcome experienced by a customer of a financial institution. While a disclosure may meet all of the requirements of the Truth in Savings Act, if fees are not explained in a manner that details the "worst case scenario" for the consumer, the disclosure might still be misleading. When considering your overall compliance program for UDAAP, it is important to consider your institution's overall level of transparency. Marketing, disclosures and information packages must allow a consumer to understand everything that they are getting into and how much it will cost. Financial institutions have greater resources than the customers they serve, and the idea behind UDAAP is that, with those additional resources, your institution should do all that it can to make sure the customer understands, for example, that overdraft fees are very expensive.

 Management’s Role

One of the many lessons from the Wells Fargo case is that management must play a significant role in addressing potential UDAAP issues. An excellent source of information for spotting potential problems is the customer complaint log. By keeping track of complaints from customers and following up on them, management can get an early warning that the customers' experience does not match what they thought they were getting. Complaint logs should be reviewed and considered as part of ongoing compliance committee meetings.

Another area for management to watch is large increases in non-interest income that far exceed projections. Put another way, when overdraft fees become a significant part of your income, there is strong potential for a UDAAP concern. Management must keep a close watch for unintended consequences.


UDAAP Pitfalls

Here is a list of practices that have come under scrutiny for UDAAP consideration:

  • Overdraft programs
  • Excess Flood Insurance
  • Debt collection Practices
  • Loan payment processing
  • ATM fees
  • Loans with balloon payments
  • Credit life and disability insurance sales
  • Rewards programs
  • Gift card sales
  • Credit Card programs

This is not to say that any of these programs are forbidden or even a bad idea.  Instead, what is necessary is to make sure that as you offer these programs or products, the disclosures about them are both clear and consistent.

Taking the following steps when assessing overall UDAAP potential problems at your bank may reduce risk:

  1. Review all of the product features of consumer products at your bank. For all products that have the potential to add fees or costs (such as early withdrawal penalties), review for potential UDAAP concerns;
  2. Have several members of staff review product features to determine whether the potential for misunderstanding exists;
  3. Review the revenue streams for consumer products and look for increases of more than 1% per quarter. In the event that revenue has increased, determine the reason for the increase;
  4. Review the written and oral disclosures given to customers to ensure they are consistent and correct;
  5. Review current agreements with third-party servicers to make sure there is a clear understanding of the services being provided;
  6. Conduct thorough and regular due diligence on third-party servicers;
  7. Complete a regular check to ensure the language on all mediums of communication with the public is consistent (a maintenance fee is a maintenance fee);
  8. Evaluate customer complaints for signs of more serious systemic problems.





There are lessons for all financial institutions from the Wells Fargo Case

A Three Part Series - Part One - Understanding the Power of UDAAP

The recent news about a huge fine levied against Wells Fargo presents a cautionary tale for all financial institutions regardless of their size. The law used to construct the enforcement actions against the bank, and the resulting fees and fines, is the Dodd-Frank Act's prohibition on Unfair, Deceptive, or Abusive Acts or Practices ("UDAAP"). UDAAP is an extremely powerful tool, and it is important to remember that with these types of violations the considerations are different from other areas. A product or a practice can be technically in compliance with the letter of a regulation, but still have UDAAP implications.

A brief description of UDAAP

At the end of the Great Depression, there was a public outcry for changes in the regulations that dealt with all manner of financial institutions. During the financial crash, consumers found that many of the promises made by businesses were not kept. Insurance companies did not pay as promised, department stores that had promised refunds for returns reneged, financial institutions closed overnight, and businesses in general were able to avoid payments they had promised to consumers. Neither state governments nor individuals had many options when they found they had been misled or defrauded. A consumer who was defrauded often found that fine print in the contract immunized the seller or creditor. Consumers could fall back only on claims such as common law fraud, which requires rigorous and often insurmountable proof of numerous elements, including the seller's state of mind. Even if a consumer could mount a claim, and even if the consumer won, few states had any provisions for reimbursing the consumer for attorney fees. As a result, even a consumer who won a case against a fraudulent seller or creditor was rarely made whole. Without the possibility of reimbursement from the seller, consumers in many cases could not even find an attorney. [1]

Among the changes requested were laws that prevented practices that were deceptive or fraudulent. Eventually it fell to the Federal Trade Commission (FTC) to write regulations for consumer protection at the federal level. State Unfair and Deceptive Acts and Practices statutes were passed in recognition of these deficiencies. States worked from several different model laws, all of which adopted at least some features of the Federal Trade Commission Act by prohibiting at least some categories of unfair or deceptive practices. But all go beyond the FTC Act by giving a state agency the authority to enforce these prohibitions, and all but one also provide remedies that consumers who have been cheated can invoke. In addition to the FTC regulations, state laws and court decisions help to shape the definition of unfair or deceptive business practices.

The Predecessor

For banks, the original UDAP (with one "A"), Unfair or Deceptive Acts or Practices, was implemented through the Federal Reserve's Regulation AA, also known as the Credit Practices Rule. (The Board repealed Regulation AA in 2016, after Dodd-Frank removed the banking agencies' rulemaking authority in this area, but the practices it named remain unfair or deceptive under Section 5 of the FTC Act.) The regulation was divided into two subparts:

Subpart A outlined the process for submitting consumer complaints to the Board of Governors of the Federal Reserve System's Division of Consumer and Community Affairs.
Subpart B put forth the credit practice rules pertaining to the lending activities of financial institutions. It defined certain unfair or deceptive acts or practices that are unlawful in connection with extensions of credit to consumers, including:
  • Certain provisions in consumer credit contracts, including confessions of judgment, waivers of exemptions, assignments of wages and security interests in household goods
  • Unfair or deceptive practices involving co-signers
  • Pyramiding of late charges, in which a delinquency charge is assessed on a full, on-time payment even though the only delinquency stems from a late fee that was assessed on an earlier installment

Through the last half of the 20th century, UDAP regulation was largely the purview of the Federal Trade Commission. The financial institution regulatory agencies generally issued guidance for financial institutions to follow, and some of the practices mentioned above were specifically prohibited. However, the truth of the matter was that UDAP enforcement was not exactly a matter of grave concern in the financial institution industry.


The financial meltdown of 2008 led to many changes in regulation, including the passage of the Dodd-Frank Act in 2010. Among the changes brought about by Dodd-Frank was the supercharging of UDAP. The prohibition became Unfair, Deceptive, or Abusive Acts or Practices, or UDAAP.

UDAAP with two "A"s goes beyond extensions of credit and introduces an enterprise-wide focus on all the products and services offered by your institution. The CFPB has been given the authority to bring enforcement actions under UDAAP. Considered at a high level, UDAAP is more of a concept than an individual set of regulations. The idea is that dealings with the public must be fair and that financial institutions should in fact look after the best interests of their customers.

Another key difference is that UDAAP makes it unlawful for any provider of consumer financial products or services to engage in unfair, deceptive or abusive acts or practices; therefore, it may apply far beyond financial institutions.

Under the new UDAAP regime, financial institutions can be liable for the actions of the third-party processors and service providers that they hire. This is one of the many reasons why vendor management has become such an important area.

Even though there are a great number of laws that deal with required disclosures on financial products such as loans and certificates of deposit, these laws generally do not deal with the fairness of the terms or the possibility that a consumer may unwittingly agree to additional fees and terms that go well beyond the agreed-upon interest rate. UDAAP is designed to address this problem.

The Basics

What is “unfair’?

  • The practice causes or is likely to cause substantial injury to consumers.
  • The injury cannot reasonably be avoided by consumers.
  • The injury is not outweighed by countervailing benefits to consumers or to competition.

Briefly, what this means is that if a customer has to pay fees or costs because of some act by the financial institution that is deemed unfair, a substantial injury has occurred. The CFPB's description of the standard notes that substantial injury usually involves monetary harm; emotional impact and other subjective harm will not ordinarily amount to substantial injury on their own. This is the prong most often applied to overdraft programs. Even where a financial institution allows overdrafts only after getting a customer's permission and provides monthly statements showing the overdraft fees that have been paid, a substantial injury can still be found.

What is “deceptive” ?

  • The practice misleads or is likely to mislead the consumer.
  • A "reasonable" consumer would be misled.
  • The representation, omission or practice is material.

According to the CFPB, to determine whether an act or practice has actually misled or is likely to mislead a consumer, the totality of the circumstances is considered. Deceptive acts or practices can take the form of a representation or an omission. The Bureau also looks at implied representations, including any implication that statements about the consumer's debt can be supported. Ensuring that claims are supported before they are made will minimize the risk of omitting material information or making false statements that could mislead consumers.

Any program that has the possibility of late fees or additional fees as the result of balances, usage charges or any fees beyond the initial fees has the possibility of being misleading. We have found this section is most often cited when the language used in disclosures does not match the language in advertisements or on the website. For example, in one case, a financial institution called a fee a "maintenance fee" in its advertisements, but called the same fee a "monthly fee" in the disclosures it gave customers at the time they opened their accounts. This was cited as a deceptive disclosure.

What is “abusive” ?

  • The practice materially interferes with the consumer's ability to understand a term or condition of a product or service.
  • The practice takes unreasonable advantage of a consumer's lack of understanding of the material risks, costs or conditions of a product or service.
  • The practice takes unreasonable advantage of the consumer's reasonable reliance on the institution to act in the consumer's interests.

The CFPB's description of this portion of the rule notes that a consumer may reasonably rely on a financial institution to act in his or her interests. This means that for products or services that can add fees or costs, there is an affirmative duty to make sure the customer knows what they are getting into. It is also critical to pay particular attention to the second part of the definition of abusive: a practice that takes advantage of a customer's lack of understanding of the fees and costs of a product. This part of the rule requires financial institutions to be vigilant not only about the disclosures they give to customers, but also about the level of fees being charged. An add-on charge may make economic sense. It may also be designed with a legitimate business purpose in mind. It may be applied to all customers that have a specific type of account and therefore not be a violation of fair lending or equal credit opportunity laws. However, these types of fees can adversely impact customers of limited means. As a result, these sorts of additional charges on an account can represent a UDAAP concern.

Part Two-The role management must play in preventing UDAAP violations

The Beneficial Ownership Rule: Part Two – Due Diligence

In the first part of this series we described the new beneficial ownership rule. We talked about the reasons the rule was adopted, and we noted that its central idea is making sure that financial institutions get complete information when an account is opened for a legal entity. This is especially true when a legal entity has a complex ownership structure. There is a second aspect of the rule that changes the due diligence process for legal entities into a dynamic one. This portion of the rule is being called the "fifth pillar" of BSA/AML compliance programs.

Due Diligence
Under the new beneficial ownership rule, the definition of due diligence is essentially changed, especially for accounts opened for legal entities. The rule specifically requires institutions to obtain identifying information on the individuals who own or control the legal entity. For purposes of this rule, an owner is any individual who holds, directly or indirectly, 25% or more of the equity of the entity. A controlling person is an individual with significant responsibility to manage or direct the entity. A controlling person could have zero ownership interest in the entity.

Currently, information about the persons who control or own legal entities is not necessarily required, although as a best practice this information should often be considered important to the due diligence process. The beneficial ownership rule makes obtaining the ownership and control information a requirement of the account opening and due diligence process. The rule also requires financial institutions to write policies and procedures that reflect these requirements. The rule notes that the policies and procedures should be risk based and should detail the various steps taken based upon the risk rating of the account. The types of documentation that can be considered acceptable for meeting the requirements of the rule are described in the rule itself.

Due Diligence as a dynamic process
When developing your compliance program to meet the requirements of the new rule, consider that due diligence for legal entities should become a dynamic process. It will not be enough to obtain ownership and control information at the time the account is opened and then stop. There must be ongoing monitoring of accounts for changes in ownership or control, and analysis of what those changes mean.
In recent years, one of the tactics that money launderers have employed is to take over legitimate, long-standing businesses to hide "dirty money." For example, in late 2014 the Los Angeles area garment industry was found to be riddled with a scheme known as the "Black Market Peso Exchange." Drug money was used to purchase goods, and the goods were then shipped to other countries where they were resold and converted back to cash. In many cases, the reason that this scheme was able to proceed was that the person or persons who wanted to launder the money had become part owners of what was once a legitimate business.

In a similar manner, when a person with bad intentions is able to control an entity, the likelihood that suspicious activity will occur rises sharply. An important part of ongoing monitoring for suspicious activity must be continuing due diligence on both the owners and the controlling persons of an entity.

Asking the second Question
Once information is obtained about the owners and/or controllers of a legal entity, there is an additional review that should occur. Does the owner or controller of the legal entity increase the likelihood or potential for money laundering? Alternatively, does the information you have obtained about the owner or controller leave more questions than answers? For example, suppose your corporate customer runs a small flower shop on Main Street. One day, a 30% interest in the flower shop is purchased by a man who owns the local casino. Why would the owner of a casino want a flower shop? Since a casino is a high-cash, high-risk business, and people do still buy flowers with cash, there is an increased risk that the new owner may try to move some of his money through the deposits of the flower shop. In this case, the best practice would be to find out all that you can about the new owner and why this interest makes sense. Moreover, now is the time to determine whether your BSA department still has the capability to monitor the flower shop now that it has a new owner. Do you have the ability to determine whether suspicious activity might be occurring? Not only should due diligence be dynamic, it should also include the analysis necessary to make the most efficient use of the information obtained.

The Beneficial Ownership Rule- A Two Part Series

Part One – What is the Rule and What Does it Mean to Me?

On May 11, 2016, the Financial Crimes Enforcement Network (FinCEN) announced its final rule strengthening the customer due diligence requirements for covered financial institutions. This rule is generally known as the beneficial ownership rule. It represents a significant change in the overall administration of Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance programs. The purpose of the change was made clear in FinCEN's announcement of the final rule.

“Covered financial institutions are not presently required to know the identity of the individuals who own or control their legal entity customers (also known as beneficial owners). This enables criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously. The beneficial ownership requirement will address this weakness.”

Put another way, the purpose of this rule is to address one of the biggest weaknesses in the current system for identifying suspicious activity. The fact that financial institutions have been required to obtain information about a legal entity without considering the ownership and/or control of that entity has allowed many a "bad guy" to effectively hide his or her illicit activity. The preamble to the rule lists several examples of how legal entities have been used by criminals in an effort to launder money. Some of the more interesting examples included:
• A series of shell companies that were used to take over and loot a publicly traded mortgage company
• A series of small legal entities used to cover a drug smuggling ring
• A series of companies that were ostensibly for movie production, used to hide large amounts of cash from human trafficking

In all of the cases that were cited, the common feature was that the ownership and control of the legal entities were obscured by a complex holding structure. The beneficial ownership rule is designed to address this practice. The rule requires that a financial institution doing business with a legal entity know who owns and controls the entity. This is the enumerated requirement. However, it should be understood that simply knowing this information is not enough. Once the due diligence information is obtained, it is critical to ensure that it makes sense in context. For example, does it really make sense that a flower shop owner also owns a casino? These businesses are entirely unrelated except for the fact that both are often cash intensive.

The Rule Itself
The final rule creates a "fifth pillar" in the standard group of expectations for a comprehensive BSA/AML compliance program. Ongoing, risk-based due diligence for customers will now be considered an essential part of the compliance program. The rule makes due diligence a dynamic process rather than the traditional one that essentially ended at the time the account was opened. Financial institutions are expected to stay abreast of who the beneficial owners of a legal entity are and how their ownership might impact ongoing monitoring of the account. As the beneficial owners change, the manner in which the account is viewed should change accordingly.

Beneficial ownership is a broad definition that includes both ownership and control:
Ownership – each individual who, directly or indirectly, owns 25 percent or more of the equity interests of the legal entity customer
Control – a single individual with significant responsibility to control, manage, or direct the legal entity customer (e.g., a Chief Executive Officer, Vice President, or Treasurer)

These two prongs are critical because there are many times when a person could have a minimal ownership stake in a firm, or even no legal ownership at all, but still have the ability to control it. The rule requires all covered institutions to identify each individual who meets the ownership prong (there may be none, or up to four) and one individual who meets the control prong.

Financial institutions are expected to establish and maintain written procedures that are reasonably designed to identify and verify the beneficial owners of each legal entity customer. The procedures must allow the institution to identify all beneficial owners of each legal entity customer at the time a new account is opened, unless an exclusion or exemption applies to the customer or the account.
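The following Python is an added illustration, not part of the original post and not FinCEN's own text or tooling. It rolls ownership up through intermediate holding entities to find who meets the 25 percent ownership prong, records the control-prong person, and diffs two snapshots so that a new owner (such as the casino owner buying into the flower shop in Part Two) triggers the "second question" review rather than going unnoticed. Every entity and individual name, and the cap-table layout, is constructed for the example; the threshold and the two prongs follow the rule as described above.

```python
"""Beneficial ownership roll-up and change detection (added example).

All entity and individual names below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

OWNERSHIP_THRESHOLD = 0.25  # FinCEN CDD rule: 25 percent or more of equity
CapTables = Dict[str, List[Tuple[str, float]]]  # entity -> [(holder, fraction)]

# A "snapshot" is the cap tables plus the control person recorded per entity.
# Any holder that is not itself a key in the cap tables is a natural person.
SNAPSHOT_BEFORE = {
    "cap_tables": {"Main Street Flowers Inc": [("Alice", 1.00)]},
    "control": {"Main Street Flowers Inc": "Alice"},
}
SNAPSHOT_AFTER = {
    "cap_tables": {
        "Main Street Flowers Inc": [("Alice", 0.70), ("Casino Holdings LLC", 0.30)],
        "Casino Holdings LLC": [("Bob", 1.00)],
        "Widget Co": [("Carol", 0.50), ("HoldCo A", 0.50)],
        "HoldCo A": [("Dave", 0.40), ("Erin", 0.60)],
    },
    "control": {"Main Street Flowers Inc": "Alice", "Widget Co": "Carol"},
}


def validate_cap_table(cap_tables: CapTables, entity: str) -> bool:
    """Data-quality check: recorded stakes in an entity should sum to 100%.
    A gap usually means an owner was left off the certification form."""
    total = sum(fraction for _, fraction in cap_tables.get(entity, []))
    return abs(total - 1.0) < 1e-6


def indirect_ownership(cap_tables: CapTables, entity: str,
                       _path: Tuple[str, ...] = ()) -> Dict[str, float]:
    """Map each natural person to their effective stake in `entity`.

    Stakes are multiplied down each chain of intermediate entities and summed
    across chains, which is how "directly or indirectly" is normally computed.
    A cross-holding cycle is cut at the repeated entity; that under-counts the
    looped share, so a production version should flag cycles for manual review.
    """
    if entity in _path:
        return {}
    result: Dict[str, float] = {}
    for holder, fraction in cap_tables.get(entity, []):
        if holder in cap_tables:  # intermediate legal entity: recurse into it
            sub_shares = indirect_ownership(cap_tables, holder, _path + (entity,))
            for person, sub in sub_shares.items():
                result[person] = result.get(person, 0.0) + fraction * sub
        else:  # a natural person
            result[holder] = result.get(holder, 0.0) + fraction
    return result


def beneficial_owners(snapshot: dict, entity: str) -> Tuple[Set[str], str, Dict[str, float]]:
    """Apply both prongs: individuals at >= 25% (ownership) plus the single
    control person recorded for the entity. Returns (owners, control, shares)."""
    shares = indirect_ownership(snapshot["cap_tables"], entity)
    owners = {p for p, f in shares.items() if f + 1e-9 >= OWNERSHIP_THRESHOLD}
    return owners, snapshot["control"].get(entity, ""), shares


def ownership_changes(before: dict, after: dict, entity: str) -> dict:
    """Diff two snapshots so that a new or departed beneficial owner, or a new
    control person, triggers the follow-up review instead of going unnoticed."""
    owners_b, control_b, _ = beneficial_owners(before, entity)
    owners_a, control_a, shares = beneficial_owners(after, entity)
    return {
        "added_owners": sorted(owners_a - owners_b),
        "removed_owners": sorted(owners_b - owners_a),
        "control_changed": control_b != control_a,
        "review_required": owners_a != owners_b or control_b != control_a,
        "shares": shares,
    }


if __name__ == "__main__":
    for name in SNAPSHOT_AFTER["cap_tables"]:
        if not validate_cap_table(SNAPSHOT_AFTER["cap_tables"], name):
            print(f"WARNING: recorded stakes in {name} do not sum to 100%")
    print(ownership_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "Main Street Flowers Inc"))
    print(beneficial_owners(SNAPSHOT_AFTER, "Widget Co"))
```

Run as a script, the diff for the flower shop reports Bob as an added beneficial owner (30 percent held through Casino Holdings LLC) with the control person unchanged, which is exactly the event that should open a review of why a casino owner wants a stake in a flower shop. Widget Co shows why the roll-up matters: Erin never appears on Widget Co's own cap table, yet her 60 percent of HoldCo A gives her 30 percent of Widget Co and makes her a beneficial owner, while Dave's 20 percent does not.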

Why Wait?
The rule requires all covered institutions to be in compliance by May 11, 2018. Covered institutions in this case means:
“For purposes of the CDD Rule, covered financial institutions are federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities”

Though this rule technically applies only to covered institutions, it will be prudent for all financial institutions to become familiar with the requirements of the rule and to apply the standards enumerated in it. Financial institutions will expect their money services business customers to meet the same standards, because the risk of undetected suspicious activity is the same.

There is absolutely no reason to wait to implement the principles detailed in the rule. By developing policies and procedures that are able to determine beneficial ownership, a financial institution can more effectively mitigate the risk in its customer base. At the end of the regulatory day, knowing your customers and what it is that they do is the heart of any strong AML compliance program.

In Part Two- we will discuss the details of a strong beneficial ownership program.

Your Partner in Balancing Compliance