VCM BLOG

Should Small Financial Institutions Perform Compliance Risk Assessments?

Why Should Small Financial Institutions Perform Risk Assessments?   

The concept of risk assessments is often associated with large banks and financial institutions – but it shouldn’t be.  Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more.  Perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year.

Risk assessments can, and should be, used as a tool in the overall compliance toolkit. When a compliance risk assessment is properly completed and deployed, it has many uses, including audit planning, cost reduction, training development and resource allocation, to name a few. Ultimately, the risk assessment should be used as the bedrock of a strong compliance program.

The Component Parts of a strong Compliance Risk Assessment

Past examination and audit results– It goes without saying that the past can be prelude to the future, especially in the area of compliance. Prior findings are an immediate indication of problems in the compliance program. It is important that the root cause of the finding is determined and addressed. The compliance risk assessment has to include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat. We recommend that the action has to be more than additional training. Training tends to be the number one answer and of course it is important. However, without testing to determine whether or not the training is effective, the risk of repeat findings remains high. It should also be noted that a lack of past findings does not necessarily mean that the coast is clear. Each compliance area should be reviewed and rated regardless of whether there were past findings. In some cases, there are findings that are lying in wait and have not yet been discovered.

Changes in staff and management– change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of note operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused. This increases the possibility of findings or mistakes. Your compliance risk assessment should take into account the risks associated with changes and how best to address them.

Changes in products, customers or branches– continuing on with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year.  This will include any new products or services, new vendors, marketing campaigns that are designed to entice new types of customers.  The risk assessment should consider what resources will be required and how they should best be deployed.  Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the processes are in place.  New advertising means both technical and fair lending compliance considerations.

Changes in Regulations– Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact small financial institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process has to consider changes that affect your bank or will affect your bank. As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focus that are planned for the year. Most regulators are transparent with this information and their publications will indicate areas of examiner focus for the upcoming year.

Monitoring systems in place – finally, the systems that you use to monitor compliance should be considered. For many small institutions, this system is comprised of word of mouth and the results of audits and examinations. Part of your assessment should include a plan to do some basic testing of compliance on a regular basis. After all, an ounce of prevention…

The Analysis

Once you have gathered all of the information necessary for completing the analysis, we suggest using an analysis that doesn’t necessarily assign numbers to risk, but prioritizes the potential for findings. Remember, the effectiveness of your compliance program is ultimately judged by the level and frequency of findings. The effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reduction.

Inherent Risk

For each regulation that applies to your institution, you must first determine the level of inherent risk.  According to the Federal Reserve Bank, inherent risk can be defined this way:

Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution’s noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors.[1]

Your compliance risk assessment should consider the inherent risk associated with each product that is offered.  For each regulation, consideration should be given to the penalties associated with a violation.  As a best practice, the likelihood of review of the area by regulators should also be factored into the overall level of inherent risk.  For example, flood insurance is an area that is likely to be examined each and every time the examiners conduct a review and this should factor into the overall inherent risk rating of the area.

Effectiveness of Controls  

Once the inherent risk has been established, the next step is to assess the overall effectiveness of internal controls.  Your internal controls are the policies, procedures, training and monitoring that are performed on a regular basis.   This includes audits and internal reviews that are performed by the compliance department.

To complete the analysis it is necessary to be self-reflective, honest and brutal! If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness. If more training is necessary or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management. We have found that the cost of compliance goes up geometrically when a bank is faced with enforcement action. It is much more efficient to seek the assistance when there are only potential problems as opposed to when actual problems have been found.

Residual Risk  

Residual risk is defined as the possibility that compliance findings will occur after consideration of the effectiveness of controls. The less effective the controls, the higher the residual risk. Again, it is critical that the assessment in this area be brutally honest. If overall controls are not what they should be, the weaknesses that exist should be reflected in the risk assessment. The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.

Using the Document

The compliance risk assessment is like a Swiss army knife- it has several uses. First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year. The highest areas of risk should receive the greatest scrutiny by the auditors. Moreover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.

Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems.    The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order.  The compliance risk assessment is a good tool for measuring the level and quality of compliance resources. As part of the risk assessment process, the level and quality of resources must be considered.   As the process is concluded, it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.

Creating the Compliance Environment

Probably the greatest untapped asset for any compliance officer is the staff at your institution.  Without the support and input of the people who are actually contacting customers and performing day to day operations, the effectiveness of your compliance program will be greatly limited.    Of course one of the greatest impediments to getting the “buy-in” of staff is the perception that many in the banking industry have of compliance.  There is generally dislike and disdain for anything compliance related.  Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks.  Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address.  Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement.

Making sure that senior management accepts the importance of compliance and the costs of non-compliance can help increase support.

A comprehensive compliance risk assessment should be the key to a strong compliance program.

[1]COMMUNITY BANK RISK-FOCUSED CONSUMER COMPLIANCE SUPERVISION PROGRAM

The Case for Non-Qualified Mortgages: Part Two

The Case for Non-Qualified Mortgages – A Two Part series

Part Two- The Case of Non-qualified Mortgages

Introduction

In the first part of the article we noted that the ability to repay rules make a demarcation between “qualified” and non-qualified mortgages.   Qualified mortgages must have the following characteristics:

  • The borrower’s debt to income ratio cannot exceed 43 percent
  • The points and fees on the loan cannot exceed the cap established in the regulation[1]
  • May not have balloon payments
  • May not contain interest only payments
  • May not exceed 30 years

We noted that if the loan terms do not meet these parameters, then the loan is considered nonqualified and a lender must meet the ability to repay standards.  The ability to repay standards include specific components which are designed to document that a lender has established the borrower’s ability to repay a loan under the worst case circumstances of the terms of the loans.

We noted further that many lending institutions have taken the stance that in the face of these rules, they will only make qualifying mortgages.  However, several prudential regulators have made it clear that avoiding nonqualified mortgages was not the intention of the regulation.   On the contrary, there are several legitimate reasons why “thinking outside the box” and making nonqualified mortgages should be considered.

Why make Non-Qualified Mortgages 

For purposes of this discussion, it is important to point out that the borrowers who require nonqualified loans fit into two rather extreme categories. There are the very wealthy borrowers whose financial characteristics don’t fit those of traditional borrowers. These are borrowers who may have highly liquid assets, but irregular income. Or perhaps these borrowers want a “bridge” loan to buy a house while they await completion of a large business transaction that will result in an influx of cash. For these borrowers the need for nonqualified mortgages is largely an accommodation.

The second set of borrowers are the potential homeowners in low to moderate income areas.   These borrowers tend to be outside of the qualified loan parameters through economic circumstances that without some level of assistance will result in continued struggle.   It is this second set of borrowers that we have in mind in the remaining discussion.

Increased interest margins– Non qualified loans generally present a higher level of risk than qualified loans.  As a result, higher loan fees and rates are appropriate.   This is in no way meant to say that lenders can return to the bad old days of predatory lending.  Remember that the regulatory requirement is that the lender must prove that they have documented the borrowers’ ability to repay the loan.  The calculation must be made while considering the worst case scenario for the borrower. [2]

When considering these loans, it is also important to remember that with the proper underwriting, even though there is higher risk, the performance of loans in lower to moderate income neighborhoods has been actually equal to or better than the performance of other neighborhoods. For example, a study performed by the Federal Reserve Bank found that during the financial meltdown of 2008:

Federal Reserve researchers also report that subprime mortgages made in CRA-eligible neighborhoods perform at least as well as those made in similar non-CRA-eligible neighborhoods, that a large national affordable mortgage program has substantially lower defaults than the subprime segment, and that the majority of recent foreclosure filings have occurred in non-CRA eligible middle- and upper-income neighborhoods. [3]

Reduced Competition – Just because so many financial institutions have eschewed the non-qualified mortgage doesn’t mean that the need for these loans has disappeared.  In fact, the fear of what might happen with non QM’s has left a void.   As a result there is actually a strong market for non QM’s and the lender who decides to enter the market can have the virtual “pick of the litter”.

In 2013, three former regulators with the CFPB saw this opportunity and launched an investment firm that provides financing for investors in the Non QM resale market. The first venture of the firm was to launch a wholesale mortgage company. The venture table funds non-QM loans and assumes all the risks from the lenders.

Minimal Infrastructure Changes – The whole point of the ATR rule is that lenders must develop sound systems for determining that a borrower can repay a loan. The essence of the regulation is acting in a safe and sound manner. For those institutions that wish to thrive and survive, safe and sound policies and procedures should be a daily practice. The steps that are required to meet the ATR rule should be second nature.

Meeting the Credit Needs of the Community – Many lenders talk about meeting the credit needs of the community in their Community Reinvestment Act statements. Of course, more often than not, this statement is theoretical and can’t really be documented. A program that provides first time homebuyers with a legitimate chance at asset acquisition addresses one of the largest credit needs of most communities across the country. There are a number of institutions that have recognized this need and have developed successful lending programs that are coupled with credit counseling. The results have been excellent. Both Time Federal Savings of Medford, Wisconsin and Geddes Federal Savings in Syracuse, NY have implemented non QM programs for first time homebuyers with unquestioned success.

The CRA rewards innovation– for lending institutions that are subject to the Community Reinvestment Act, there is a strong reward for innovative lending practices.

“[The] Lending Test also favors the use of innovative or flexible lending practices ‘in a safe and sound manner to address the credit needs of low- or moderate-income individuals or geographies.’”[4]

The development of a lending program that allows nontraditional borrowers to obtain mortgages can lead to an outstanding CRA rating.

In the end, there is absolutely no reason to run away from Non-qualified mortgages.   The potential for good results far outweighs the risk.

[1] These caps are specified in the regulation and vary depending on the size of the loan.

[2] In this case, worst case means, when all of the highest rate increases and fees have kicked in.

[3] Glenn Canner and Neil Bhutta, Memo to Sandra Braunstein, “Staff Analysis of the Relationship between the CRA and the Subprime Crisis” (November 21, 2008), available at http://www.federalreserve.gov/newsevents/speech/20081203_analysis.pdf.

[4] Federal Financial Institutions Examination Council (FFIEC), “A Guide to CRA Data Collection and Reporting,” (January 2001), available at http://www.ffiec.gov/cra/guide.htm.

The Case For Non-Qualified Mortgages-Part One

The Case for Non-Qualified Mortgages – A Two Part Series

Part One- Qualified Loans and the Ability to Repay Rule

Starting in January of 2014, the Ability to Repay/Qualified Mortgage Rule took effect. This rule established a standard for closed end consumer credit secured by residential real estate. The rule establishes “qualifying” loans and non-qualifying loans. Since the time that the rule was implemented, many if not most lenders have decided to stay away from non-qualified loans. However, there is a case to be made that “non-qualifying” loans should be considered.

Some Quick History

The ability to repay rule was enacted in direct response to the financial crisis of 2009. In particular, one of the lending practices that was popular at the time was the practice of “low documentation”, “no documentation”, or “stated income” loans. These are loans that are approved with little to no documentation of the borrower’s ability to repay the loan. In fact, the lender would simply take the borrower at his or her word that they had sufficient income to pay the loan without checking further. As we are all painfully aware, these practices led to record numbers of defaults on loans, foreclosures and, in general, economic upheaval.

The Dodd-Frank Act has provisions that are designed to stop many of these practices. It should be noted that the legislation was also designed to benefit both sides of a transaction. In exchange for sticking to the qualified mortgage parameters, the lender was given some legal protections against a lawsuit by the borrower in case of foreclosure. For a loan that is considered a qualified loan, the bank can enjoy the legal presumption that it performed all of the documentation necessary to have determined the borrower’s ability to repay the loan. This is very important in a lawsuit for foreclosure on the loan because one of the strongest defenses that a borrower might have is that the bank did not act in good faith in granting the loan and is therefore not entitled to foreclosure.

The rule establishes standards that lending institutions must meet for mortgage loans to be considered qualifying.

Qualifying Loans  

The ability to repay rule has one big safe harbor; if a loan is considered a qualifying loan, then the lender does not have to meet the other requirements of the ability to repay rule.   For a loan to be qualifying:

  • The borrower’s debt to income ratio cannot exceed 43 percent
  • The points and fees on the loan cannot exceed the cap established in the regulation[1]
  • May not have balloon payments
  • May not contain interest only payments
  • May not exceed 30 years

Again, if the loan is a qualifying loan, the assumption is made that the lender has established the ability to repay, and the borrower could not use a bad faith defense in an action of foreclosure.

There is an exception to this rule that allows for small lenders with assets of less than $1 billion and who serve mostly rural and underserved communities. For these institutions the 43% debt to income ratio can be exceeded. There are some other exclusions also that will be discussed at another time and place.

Impact on the Mortgage Market 

Many banks have also used the QM/ATR rule as a shield to protect against the claims that mortgage loans to low income (often minority) borrowers have been hurt by the rule.    Like many things that involve federal rules, the truth is far more complicated than that.  The rules were definitely designed to stop predatory lending practices.  Predatory loans take advantage of borrowers by starting out with rates and terms that are unrealistic to get the borrower approved.  Once the loan is approved, the lender collects fees and the loan itself often becomes irrelevant.  As we discovered in the financial meltdown, the loans made by predatory lenders (often called sub-prime) had little to no chance of being repaid and as soon as the full terms of the loan were realized, borrowers were no longer able to make payments and the mortgages collapsed into foreclosure.  Predatory lenders were more than happy to make these transactions because there was a robust market for selling the toxic loans to others and by the time they went into foreclosure, the loan was somebody else’s headache.    [2]

In the event that the loan an institution wants to make doesn’t meet the qualified mortgage parameters, then the “Ability to Repay” rule applies. This rule, more commonly known as the ATR rule, requires that a lender must consider several factors to determine a borrower’s ability to repay. These factors include:

  1. Current or reasonably expected income or assets (other than the value of the property that secures the loan) that the consumer will rely on to repay the loan;
  2. Current employment status (if you rely on employment income when assessing the consumer’s ability to repay);
  3. Monthly mortgage payment for this loan. Monthly payment on any simultaneous loans secured by the same property;
  4. Monthly payments for property taxes and insurance that you require the consumer to buy, and certain other costs related to the property such as homeowners association fees or ground rent;
  5. Debts, alimony, and child-support obligations;
  6. Monthly debt-to-income ratio or residual income, that you calculated using the total of all of the mortgage and non-mortgage obligations listed above, as a ratio of gross monthly income;
  7. Credit history

The ATR rule does not ban any particular loan features or transaction types, but a particular loan to a particular consumer is not permissible if the creditor does not make a reasonable, good-faith determination that the consumer has the ability to repay. Thus, the rule helps ensure underwriting practices are reasonable.

When the ability to repay rule first took effect, many lenders immediately took the position that they would issue only qualified loans. The rationale has been that these loans not only possess the necessary protections, but they also appear to be the preferred loans of the regulators. Put another way, many traditional lenders, such as banks and credit unions, seem to take the position that regulators did not want them to make unqualified loans.

More recently however, regulatory agencies have been showing a desire to get lenders to consider the possibility that nonqualified loans can still be considered both safe and sound.  For example,

“Scott Strockoz, a deputy regional director for the FDIC also said that the regulators would take a flexible view of non-qualified mortgages that banks do decide to issue, particularly if the bank can demonstrate that the mortgage is still well-written and even if they fall outside of the parameters that would make it a qualified mortgage.  He acknowledged, however, that some institutions were already pledging to steer clear out of the space because of potential litigation risks or other concerns” [3]

The Comptroller of the Currency also noted regulators “don’t want to see our institutions not make non-QM loans – we were pretty clear that we did not see that as being a safety and soundness issue for those institutions.”[4]

The point here is that with the right set of internal controls, Non QM loans are not only safe and sound, regulators have an expectation that financial institutions will continue making these loans.

Non-Qualified Mortgages- a Tale of Two Borrowers  

There are currently two markets that are developing in the non QM mortgage area.  The first is for the nontraditional wealthy borrower.  In many cases, this borrower may not fit the traditional QM parameters.  They may have a great deal of cash set aside, but minimal ongoing income for example.

Matthew Ostrander, CEO of Parkside Lending, emphasized that some non-QM loans can be safer than QM loans. He described two scenarios. The first is a non-QM borrower with a $1 million income, 70% LTV and a 760 FICO score, but with a 55 DTI that falls outside of QM requirements. These borrowers are finding that there is a very strong market for QM loans. These loans tend to be “bridge” financing that allows the borrower an opportunity to purchase housing that will eventually be refinanced with a more traditional (qualified) loan at some time in the future when the borrower is ready.

The second set of non QM borrowers is first time home buyers for whom the QM represents something of a bar. This is a borrower with a $50,000 income, 43 debt-to-income ratio, 97% loan-to-value and a 620 credit score. These are also the borrowers who were set upon during the financial crisis of 2008. The truth is that these borrowers represent both an opportunity and a risk. However, these characteristics should not be a bar to offering mortgages. The caution here is that the underwriting requirements should be realistic and should reflect the risk appetite of the bank.

Congressman Barney Frank commented on this dichotomy:

Chairman Frank was emphatic: “Yes, it is a problem when people get mortgages they shouldn’t get. It has been a historically greater problem that some people couldn’t get mortgages they should get. I will guarantee … that doesn’t happen.”[5]

There are actually many good reasons why a financial institution should consider non-qualified mortgages. In Part Two, we will discuss those reasons.

[1] These caps are specified in the regulation and vary depending on the size of the loan.

[2] The movie “The Big Short” provides an excellent description of predatory lending practices.

[3] Regulators nudge banks on non-QM lending,  Rob  Soupkup  April 2014  Finpro

[4] Ibid

[5] American Banker “Dodd-Frank’s ‘Qualified Mortgage’ Was Intended to Be Broad”  Raymond Natter April 25, 2012

What to do When the Regulators Have a Finding

What to do when the regulators have a finding

Introduction

If you are or have been in the compliance arena you are familiar with this scenario: the examiners have just come to your office with a most somber countenance. They are here to report a significant finding that has resulted from their review. You have several options. You can:

  1. Hide under your desk and hope they go away
  2. Engage in histrionics and accuse them of picking on your bank
  3. Threaten to sue
  4. Listen closely to what they are saying and ask a series of questions that will allow you to deal with the finding in an effective manner

The fact is that findings happen!  The fact also is that there are findings and there are FINDINGS!   The way you deal with each of these will greatly impact your compliance life.    There are a number of critical steps that your institution can take that will allow your response to have the greatest impact.

Step One- What, Exactly is the Finding? 

It is critical to find out all you can from the examiner when they are presenting the finding. In many cases, findings are the result of a miscommunication or misunderstanding of questions being asked. For example, at one bank, an examiner asked where flood insurance policies are stored and was told they are kept in the loan file. However, the person who gave this answer was unaware that the procedure had been changed and flood loan policies were now kept in a different place. In this case, the examiners originally were ready to cite the bank for several violations of the flood rules because the information in the loan files was stale. It is very important to determine from the outset the exact nature of the violation being cited.

Along these lines, it is important to determine the specific regulation, guidance or rule that has been violated. By going to the source of the regulatory requirement, you can get the clearest picture. As part of this process, it is also useful to get an understanding of whether or not the rule in question is new or has been around for some time. While it is generally true that the older the rule, the bigger the concern that is being cited as a finding, there are circumstances where this may not be the case. For example, a reinterpretation of a rule has the same impact as a new rule. There are sometimes areas that receive new or increased focus. For example, the requirement that a flood insurance customer receive notice of being in a flood area every time a loan is modified is a requirement that has recently received greater attention, even though the requirement has been in place for many years.

The source of the finding can be a critical consideration when determining the level of enforcement action.

Even though it is understandable, we recommend that you never use the “I was never cited for this before” answer. You drive faster than the speed limit on the freeway on a regular basis. This doesn’t mean that it is okay, and you wouldn’t try that answer with a highway patrolman!

At the end of the day, make sure that you can explain the violation to someone else as a test to ensure that you understand the issue.

Step Two- Why did this Happen? 

A frequent mistake that institutions make is to simply fix the problem that is cited in the regulation – i.e., missing disclosures; we will simply start making the disclosures going forward.  The problem with this approach is that it is simply a bandage.  It doesn’t necessarily address the real concern that may have caused the finding in the first place.   The next step in managing a finding is getting to the root of the problem that caused it.

There are several questions to ask when determining the root cause of a finding. Was it a training issue or were policies and procedures outdated and inefficient? One of the most important questions to ask is whether or not the problem is systemic or limited to an individual staff member or business line. Is the root of the problem that we don’t understand what the regulation is asking or is it more the case that training needs to be reinforced? Determining the root cause of a finding allows the institution to frame the magnitude of the issue and to build a response that is appropriate.

Step Three- Is this indicative of a bigger problem?

Once the root cause of a finding has been determined, it is necessary to determine if the findings are an indication of a much bigger problem. There are as many reasons that findings occur as there are findings. However, some reasons are indicative of a much larger problem. For example, if the root cause of the problem is that the institution was simply unaware of changes to the regulation, there is a fundamental flaw in the overall compliance management program. This does not mean that your compliance staff is incompetent. There are many regulations that are coming at financial institutions on a regular basis. There have to be sufficient resources to ensure that the changes in regulations are communicated and necessary procedures implemented.

In the alternative, perhaps the issue is one of training. Many institutions use online training programs. These programs are a cost effective means of training staff and are widely accepted by regulators. There are, however, times when the on-line training may not be sufficient. In many cases, the opportunity to receive in person training that details the history and goals of a regulation is the best, most effective way to reduce findings and violations.

The compliance examination of your institution is ultimately a test of the effectiveness of the compliance management program.   The role of the program at its core should be to identify and to mitigate risks.  If the system that you have developed is not capable of performing this function effectively, findings are indicative of a much bigger problem.

Step Four – Communicating

It is important to communicate the finding(s) to senior management and the Board so that they are fully informed. As a best practice, the root cause and the proposed solution should be communicated simultaneously. Communicating the understanding of the finding as well as the plan for fixing the problem is an excellent way to demonstrate to the regulators that you understand the breadth and depth of the concern. A relationship built on trust and communication will go a long way, especially if the findings are severe.

Step Five – Find out as soon as you can what the regulatory implications will be

As we noted earlier, there are findings and there are FINDINGS! In some cases, the finding can simply be a matter of a small correction. In other cases, the examiner may find that a pattern and practice of violations exists. In these cases, the examiner can recommend enforcement actions up to and including civil money penalties. For example, it is critical to find out from the examiners whether or not they will consider a finding a repeat finding. Repeat findings are an indication of general weakness in the compliance program and are always considered grave, no matter the area of the finding. In this way, a minor or technical finding can become a matter requiring attention or even the basis for a supervisory letter. The regulatory implications of the finding must also be communicated to senior management.

Suppose you Don’t Agree

We are aware that many financial institutions either don’t agree with or have misgivings about a finding, but go along to get along. While this practice may seem to make life easier, it is not actually the most prudent path to take. ASK for clarification. This is not to be argumentative, but without doing so, you can lock yourself into an untenable position in the event that the examiner is asking something of the institution that is infeasible (e.g. acquiring a new software program). This is also why it is important to understand the source of the finding: if it is an interpretation of the regulation, there is likely to be a change in the next examination, because different examination teams have different interpretations of the regulation. Ultimately, a forceful yet respectful disagreement is a good thing and is respected by the regulators.

All of the regulators have a system in place to allow for appeals of decisions in those instances where both parties may agree to disagree.

Pick Your Battles

Remember that the compliance review is ultimately an analysis of the compliance management program.  Individual findings do not necessarily indicate a fundamental weakness of the CMP.  Make sure that you keep the difference between findings and FINDINGS in mind.

PLEASE JOIN US THURSDAY MARCH 17, 2016 AT 10AM PST FOR OUR FREE 15 MINUTE REGULATORY BRIEFING “WHAT TO DO WHEN THE EXAMINERS HAVE A FINDING”. FOR MORE INFORMATION AND DETAILS GO TO WWW.VCM4YOU.COM

Why is there a Home Mortgage Disclosure Act?

Why IS there a Regulation C? 

As anyone in compliance can attest, there are myriad consumer compliance regulations. For financial institutions, these regulations are regarded as anything from a nuisance to the very bane of their existence. However, in point of fact, there are no consumer regulations that have not been earned by misbehavior in the past. Like it or not, these regulations exist to prevent bad behavior and/or to encourage certain practices. We believe that one of the keys to strengthening a compliance program is to encourage your staff to understand why these regulations exist and what it is the regulations are designed to accomplish. To further this cause, we will, from time to time throughout the year, address these questions about various banking regulations. We call this series “Why is there….”

Introduction

The Home Mortgage Disclosure Act and its implementing regulation, Regulation C, are among the regulations that were enacted as the result of past bad behavior. This law came into being during a time when a great deal of attention was being paid to the lending practices of financial institutions in urban areas. In the late 1950’s and early 1960’s Congress conducted several hearings on the lending practices of banks and financial institutions. In particular, many financial institutions were engaged in practices that were starving some communities of mortgage credit. One of the most pernicious practices was called “redlining”. It was called redlining because some government agencies and financial institutions would literally take a map of a city and draw red lines around neighborhoods that were not to be considered for mortgages. The areas that were redlined were neighborhoods where racial minorities were the majority. Without proper mortgages and stable homeowners, neighborhoods decline, decay and eventually become what we know as ghettos. Economists noted that the practice of redlining caused “disinvestment” in the redlined communities. In other words, deposits were being taken in from the redlined area, but those same funds were being loaned out in other areas. Money was flowing out of one community and being distributed elsewhere.

A second practice that received attention was the refusal to grant credit to women without the co-signature of a spouse or male relative.   Single women that would otherwise qualify for mortgages were being denied consideration by policy of financial institutions.    During this time period both single women and minority families were being denied mortgages simply by the policies of lending institutions.

The government hearings on mortgage lending resulted in the passage of several pieces of legislation aimed directly at opening the mortgage credit market to women and minorities.  Among the legislation that passed during this period were the Fair Housing Act and the Equal Credit Opportunity Act.

The net effect of these two powerful pieces of legislation was to help to open the credit application process for minorities and women.   However, unfortunately, just the opportunity to apply for credit is not a guaranty of fair treatment or a positive outcome.  It soon became evident that financial institutions had taken a different approach to denying credit.

Financial institutions began taking applications from women and minority applicants and changed written lending policies so that neighborhoods weren’t excluded in writing. Despite these changes, the experience of women and minorities remained the same; little to no credit was granted. As a result, Congress decided in 1975 that the experiences of minority and women borrowers who apply for mortgages should be recorded. Towards that end, HMDA was created.

HMDA 1.0

The practice of redlining and disinvesting in communities was the first target of HMDA. The initial idea was to get banks to disclose the total amounts of loans that they made in specific areas. Congress theorized that redlining would be quickly unmasked, as banks would have to show the places where the loans were made. It would become evident that certain neighborhoods were getting no loans. The problem here was that the banks did not have to show individual loans, only the total amount of loans in a given census tract. As a result, a few loans strategically placed could give the impression of strong community service when this was not the case at all. For example, a one million dollar loan to a business in the census tract could give the impression that a bank was investing in the community. Ultimately, the first version of HMDA proved to be ineffective in addressing redlining.

HMDA 2.0

Starting in the late 1970’s the mortgage industry experienced significant change.  Banks and Savings & Loans that had dominated the market began to experience competition.  Finance companies, mortgage bankers and other financial institutions began to enter the home loan market.  These lenders were aggressive and as a result many of the redlining and disinvestment practices that had been in place were simply overrun by the demand for more and more mortgages.

However, this did not end the need for disclosure of lending information.   The experience of women and minorities in getting mortgages was still less than satisfactory.  The focus of regulatory agencies changed from redlining to the lending practices of individual institutions.  By collecting information about the experience of borrowers at individual institutions, the regulatory agencies theorized that valuable information could be gleaned about how people in protected classes were being treated.

The information collected had to account for the fact that more than just banks were providing mortgage funding. In the late 1980s, HMDA was amended and the information that all lenders had to collect was increased to include racial, ethnic, and gender information, as well as income for each applicant. In addition, both rejected and accepted applications for loans that did not close were added to the information that financial institutions must collect. [1]

HMDA 3.0

The mortgage industry continued to grow and change, and as it did, the types of mortgages being offered also changed. By the turn of the century, the question wasn’t about people in protected classes being denied credit. Instead, it was more the type of credit being offered. In the early part of the decade the number of adjustable rate mortgages ballooned. Many of these products had “teaser rates” which were significantly below the actual rate that would be paid on the loan. This decade saw “predatory lending” practices explode. Predatory lending is, in essence, the practice of making loans with complicated high rates and fees to unsophisticated borrowers. The unsuspecting borrower believes that he/she is paying a low loan rate when in fact, at the time the loan adjusts, the rate is several times higher. A huge number of these loans were included in the financial meltdown of 2008.

The third iteration of HMDA was, then, the result of changed practices by mortgage lenders. In early 2000 the main issue was no longer discrimination in approvals or denials, but in pricing (predatory lending). HMDA was again amended to add the information about pricing and lien status. In an effort to improve the quality of HMDA data, the revised regulation also tightened the definitions of different types of loans and required the collection of racial and ethnic monitoring information in telephone applications.

HMDA  3.5

The most recent changes in HMDA don’t necessarily represent wholesale change in lending practices. Instead, additional data is being collected with the idea that more data points can be used to study differences in the experiences of women and minorities when they apply for mortgages. These changes are a reflection of the fact that the data from HMDA is actually being reviewed and used for studies of lending behavior.

So What Do They Do With the Information? 

When the information is collected by the regulators, it is actually used by many different agencies for various purposes.  Community advocacy groups use the information to bolster arguments about various issues they wish to emphasize.  The government uses the information for economic studies and as a basis for amending regulations and laws.  HMDA information has been at the heart of many studies about lending discrimination.  Many argue that the information collected by HMDA doesn’t tell the full story of whether or not a borrower suffered discrimination.  It does however, raise a threshold issue and it is often the case that HMDA is used to determine whether further study is indicated.   As recently as last week, a study was published that, unfortunately concludes that there are still severe racial disparities in the granting of mortgages.[2]

The HMDA LAR is used to create the database that is used by all of these agencies and for all of these studies.   This is why the examiners are so fussy about getting those entries correct!

HMDA to the Defense

The same information can be used to defend an institution’s record. When compliance programs work the way that they should, the experiences of all who apply for credit will look the same. By using the information from the HMDA LAR, it is possible for a financial institution to show that each and every applicant gets the same consideration.

So at the end of the day, when you are frustrated with those picky regulators insisting that each entry is correct, remember that you are adding information to a very important and consequential study.    It really is important that we get it right.

[1] Joseph M. Kolar and Jonathan D. Jerison, “The Home Mortgage Disclosure Act: Its History, Evolution, and Limitations”

[2] Darwin BondGraham, “Report: Profound Racial Disparities in Mortgage Lending Seen in Oakland,” East Bay Express, February 24, 2016

 

Changing the Way We Think About Compliance

Compliance, Compliance, COMPLIANCE!   Sometimes just saying the word can evoke a dramatic response from financial institution management.    Even though there has long been talk of a separate set of regulations for community banks, no such changes are in the offing.  For now and the immediate future, community banks and small financial institutions will face increasing expectations in the area of compliance.    Moreover, the costs of compliance can be prohibitive.  This is especially true if your bank has experienced compliance problems in the past.

Despite the gloom and doom and through all of the curses there are actually reasons to support compliance regulations.    Wait, what did you say?

History as a Guide

A quick review of the history of some of the most far-reaching consumer regulations yields a familiar pattern.  In each case, banks and financial institutions engaged in unfair or unreasonable practices.  Eventually, a public outcry was raised and legislation was passed in response.   The history of the Truth in Lending Act   (Regulation Z) provides a good example.

Starting in the late 1950’s the United States saw a tremendous growth in the amount of credit.  In fact, in a study the US House of Representatives estimated that the amount of credit in the United States from the end of World War II to the end of 1968 grew from $5.6 billion to $96 billion.   [1]

The growth in credit was fueled by consumer credit and, in particular, a growing middle class that created a huge demand for housing, cars and various other products that went with acquiring the American Dream. As time passed, more and more stories emerged of consumers being misled by the use of terms like “easy payments”, “low monthly charges” or “take three years to pay”. The borrowers found out that even though they thought they were paying an interest rate of 1.25%, with add-ons, fees and interest payments that were calculated using deceptive formulas, the rate was actually as much as three times what they thought.

Congress began to investigate the growing level of consumer debt, and eventually, in 1968, the Truth in Lending Act was first passed. Congress was clear about what they were trying to do:

“The Congress finds that economic stabilization would be enhanced and the competition among the various financial institutions and other firms engaged in the extension of consumer credit would be strengthened by the informed use of credit.  The informed use of credit results from an awareness of the cost thereof by consumers. It is the purpose of this subchapter to assure a meaningful disclosure of credit terms so that the consumer will be able to compare more readily the various credit terms available to him and avoid the uninformed use of credit, and to protect the consumer against inaccurate and unfair credit billing and credit card practices.” [2]

The regulations that have been implemented as part of the Dodd Frank Act have a similar history.  The most recent financial meltdown was caused in part by the lack of oversight and by financial products that far outpaced the reach of the regulations.  Dodd Frank is the most recent legislative response to the public outcry about the behavior of banks and financial institutions.

Of course, it is also clear that the behavior that caused the most recent meltdown was not being practiced at community banks. It is unfortunate that the whole industry is often painted with a broad brush. However, the fact is that the public does not make much of a distinction between large banks and community banks. The reputation of the industry suffered mightily during the meltdown. The good news is that the regulations have helped to restore the confidence of the public in the financial system. Therefore, while regulations may be bothersome, they do support the industry.

Overall Effects

Sometimes, we focus on the negative to the point that it is hard to see the overall positive impacts of regulations. One of the positive effects of compliance regulations is that they go a long way toward “leveling the playing field” among financial institutions. RESPA (the Real Estate Settlement Procedures Act) provides a good example. The focus of this regulation is to get financial institutions to disclose the costs of getting a mortgage in the same format throughout the country. The real costs associated with a mortgage, the arrangements that a bank has with third parties and the amounts being charged for insurance, taxes and professional reports all have to be listed in the same way for all potential lenders. In this manner, the borrower is supposed to be able to line up the offers and compare costs. This is ultimately good news for community banks. The public gets a chance to see what exactly your lending program is and how it compares to your competitors. The overall effect of this legislation is to make it harder for unscrupulous lending outfits to make outrageous claims about the costs of their mortgages. This begins to level the playing field for all banks.

There are other regulations that can help the reputation of your institution. For example, the public reporting requirements for the Community Reinvestment Act and the Home Mortgage Disclosure Act can result in positive information about your bank. A strong record of lending within the assessment area and focusing on reinvigoration of neighborhoods is certainly a positive for an institution’s reputation.

Protections not just for Customers

In some cases, consumer regulations provide protection not just for consumers but also for banks. The most recent qualifying mortgage and ability to repay rules present a good case. These rules are designed to require additional disclosures for borrowers that have loans with high interest rates. In addition to the disclosure requirements, the regulations establish a safe harbor for banks that make loans within the “qualifying mortgage” limits. This part of the regulation actually provides a strong protection for banks. The ability to repay rules establish that when a bank makes a loan that is below the established loan to value and debt to income levels, then the bank will enjoy the presumption that the loan was made in good faith. This presumption is very valuable in that it can greatly reduce the litigation costs associated with mortgage loans. Moreover, as long as a bank makes only “qualifying mortgages”, the level of regulatory scrutiny will likely be lower than in the instance of banks that make high priced loans. [3]

The next time you hear a conversation about how bad consumer regulations are, we suggest that you take a step back.  Consider that the regulations are generally well earned, that they provide stability and can tend to level the playing field for community banks.  Also, please consider the idea that in at least some cases, these regulations provide protections for banks.  You may not turn out to be a consumer zealot, but we think you will give compliance regulations a different, more accepting look.

[1]  Griffith L. Garwood, A Look at the Truth in Lending – Five Years after, 14 Santa Clara Lawyer 491 (1974).

[2]  See Preamble to 15 U.S.C. 1601 (1970)

[3] Of course, a strong case can be made for the origination of non-qualified loans. This case will be presented in subsequent blogs.

When to Hold ‘Em and When to File ‘Em A Two Part Series on SAR Filings-Part Two

Part Two- The Decision

In the first part of this series we noted that Suspicious Activity Reports (“SARs”) are an essential part of the world financial crimes monitoring network. There are analysts at an agency called FinCEN who read all of the SARs and capture data about the various schemes that criminals employ in attempts to launder money. We also noted that the filing of SARs has become an area of stress for BSA staff at financial institutions. On one hand, there is a concern that failure to file a SAR might result in criticism by regulators. There are also concerns that filing SARs is a pointless exercise that creates more administrative work and accomplishes little. After all, a proper filing involves researching transactions, performing analysis and drawing conclusions that must be documented. Moreover, almost all SARs require a second filing 90 days later to discuss whether the suspected activity has continued.

At the end of the day, whether or not a SAR should be filed is the decision of the financial institution. It is the expectation of regulators that this decision should be part of a well-established and defined process. According to the FFIEC BSA examination manual, the process should include five component parts: identification of unusual activity, managing alerts, SAR decision making, SAR completion, and monitoring of continuing activity.

  • Identification or alert of unusual activity: This is the part of any BSA compliance program that combines human intelligence and software. All financial institution staff are required to receive annual training on BSA/AML. One of the main reasons for this requirement is that staff are expected to be able to identify activities that don’t fit into normal patterns or activities for their customers. For example, a longtime customer who normally receives his payroll and pays bills out of his account suddenly deposits $15,000. The expectation is that the staff members of the institution should gently, but firmly, find out the source of this unusual deposit. Of course, there are many reasonable answers for how the customer came across this money.

Monitoring software should perform a similar function. The whole point of using software is to aggregate the transactions of a customer so that any transactions that fall outside of the normal or expected create an alert and follow-up.

  • Managing Alerts: Managing alerts is important so that institutional resources are focused on the highest area of risk. Not every customer at your institution is engaged in nefarious activity. In fact, the vast majority are good people who are simply conducting banking activity. Much like the boy who cried “wolf” in the children’s fairy tale, there can be such a thing as too many BSA/AML warnings. The expectation of regulators is that you will adjust your monitoring to create warnings for activity that is truly suspicious or out of the pattern of normal activity. This is at the heart of the requirement that financial institutions perform model validation on a regular basis.[1] There should be a formal and well established method for reviewing alerts and resolving them in a timely and comprehensive manner.
  • SAR Decision Making: There has to be a clear process for making SAR decisions and there also has to be an ultimate decision maker for whether or not the SAR will be filed. The individual decision about whether or not to file a SAR rests with the financial institution. The FFIEC BSA Manual makes this clear:
    • In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.
  • SAR completion and filing: there should be a clearly defined process for who performs the research necessary to complete the SAR in a timely and complete manner. The SAR narrative should tell the story in that it should clearly identify the who, what, where, when and why the activity is considered suspicious. The SAR should be filed within 30 days of the time the activity is determined to be suspicious.
  • Monitoring and SAR filing on continuing activity: Once the SAR is filed, there should be a process in place to continue to monitor the customer to determine if additional suspicious activity is continuing.   At the conclusion of 90 days of monitoring, there should be a follow-up SAR that tells “the rest of the story”. Was the activity repeated, or was it just a bump in the road? [2]

The Decision

So you have your system in place. Your staff is well trained to look for unusual activity and your software is monitoring for suspicious behavior. The question still remains: just what exactly is suspicious? Unfortunately, there simply is no one right or wrong answer to that question. Suspicious is in the eye of the beholder. This is why the “know your customer” component is critical to a strong BSA compliance program. The more that you know about your customer and what they are doing, the more obvious suspicious activity becomes.

As a best practice, if there aren’t several members of your institution’s staff that fully understand the business model of a client, it is a bad idea to continue the relationship. Regulators expect that financial institutions have the ability to know the source of funds, the customer base, and the typical transaction flow of the peers of your customer. For example, suppose you have a customer who sells fresh flowers. The expectation would be that staff members at your institution understand how a fresh flower stand works, what typical receipts there might be, who the customers of the stand are and how transactions are conducted. Does the customer sell for cash only? Why? What level of cash is normal for a flower stand? Is it likely that a flower stand would send or receive wires? The point is that the more that is known about the business, the more likely it is that unusual activity can be identified.

In addition to knowing the business, the institution must have the means to monitor activity in a transparent manner. Through a combination of software, direct conversations and onsite visitations with the client, the institution should maintain a clear picture of normal transaction activity.

In the event that a transaction seems unusual, there is absolutely nothing wrong with asking the customer directly. In many, if not most, cases there is a completely acceptable explanation. Most customers will have no trouble providing documentation to support their activities. Small business owners are generally proud of their accomplishments and don’t mind discussing a large sale or adding a new client. Of course, when a client is unwilling or unable to provide an explanation and present documentation, there may be trouble. The decision to file or not to file is one that your institution must be able to live with and defend through documentation.

Defensive SARs- Don’t do it!

In many cases banks don’t truly know or believe that activity is suspicious, but file a SAR “defensively”. The idea here is that we can’t tell whether or not the activity is unusual, or simply don’t have the time to do the necessary research to make a determination, so filing a SAR is seen as a temporary fix. However, defensive SARs are a sign of weakness or deficiencies in a BSA compliance program. If there is not sufficient time, or a complete understanding of the business model of the client, to properly monitor and research the activity of a customer, then as a best practice the customer should be considered for de-risking (account closure). Simply filing SARs defensively is staving off the inevitable.

There Comes a Time

After a SAR has been filed for the first time on a customer, as a best practice, it is worth considering how the filing might change the relationship between the institution and the customer.   If the possibility exists that there is activity that may be considered suspicious or unusual on an ongoing basis there are really only two clear choices.   The first is to study the business plan of the customer and to gather sufficient information to document that the activity is normal and customary. The concept of suspicious activity is one of context. That is, if we return to the flower shop example above, does it make sense that wires might be going to an obscure bank in Europe? It does indeed if you find out that there is a rare flower that exists in that part of the world and the flower shop has made a marketing point of being able to deliver the rare flower in your area. Moreover, if the flower shop owner is able to show shipping details of the flower, insurance bills, bills of lading or other similar documents that prove the shipment of flowers, then the wires are ordinary and customary.

The other option is to consider the account for de-risking. Many institutions let ego, or the pursuit of fee income, get in the way of safe and sound operation. When a customer’s operations are way ahead of the capabilities and resources of the institution, it is time, as Kenny Rogers would say, to know when to walk away and know when to run.

[1] This should not be confused with data validation.  Model validation is a test of the efficacy of the software settings.

[2] FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity

Please join us this Thursday February 18, 2016 at 10am PST for a FREE webinar “To File or Not to File a SAR.” You may register at https://lnkd.in/b2xA2bQ. We hope to see you there!

When to Hold’em and When to File ’em

When to Hold ‘em and when to File ‘em – a Two Part Series on SAR Filings    

Amongst the many ongoing tensions of running a Bank Secrecy Act (“BSA”) compliance program, the decision about whether or not to file a Suspicious Activity Report (“SAR”) often becomes a daily test. To paraphrase the lyric of Kenny Rogers, “you have to know when to hold ‘em and when to file ‘em”.

There was a period of time a few years ago when filing SAR’s became the remedy for all “ills” in the BSA area. Many small institutions found themselves filing as many as 60-70 SAR’s a month. In extreme cases, more than a quarter of all customers had either a new SAR or a follow-up SAR being processed. In those cases, an inordinate amount of time and resources was being spent on processing forms that said, essentially, that there was “no change” and the customer was still doing what had caused the initial report to be filed.

While there is no definitive answer to the ongoing questions of when to file a SAR, there are some guidelines that can be used to help with the process.

The Point of It All with SARs

Why do we even have SARs and what in the world are they used for? According to the FFIEC’s (Federal Financial Institutions Examination Council) BSA handbook, SARs are a critical component of the national BSA program.

Suspicious activity reporting forms the cornerstone of the BSA reporting system. It is critical to the United States’ ability to utilize financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes. [1]

According to FinCen, the organization that reads and acts on SARs, the purpose of SARs is:

The purpose of the Suspicious Activity Report (SAR) is to report known or suspected violations of law or suspicious activity observed by financial institutions subject to the regulations of the Bank Secrecy Act (BSA). In many instances, SARs have been instrumental in enabling law enforcement to initiate or supplement major money laundering or terrorist financing investigations and other criminal cases. Information provided in SAR forms also presents the Department of the Treasury’s Financial Crimes Enforcement Network (FinCen) with a method of identifying emerging trends and patterns associated with financial crimes. The information about those trends and patterns is vital to law enforcement agencies and provides valuable feedback to financial institutions.[2]

For the BSA Officer who sometimes feels that these reports are being prepared only so that they can disappear into the ether, take heart. Your SARs are read, and they are acted upon in many instances.

In her comments to the International Bankers annual anti-money laundering seminar, FinCen Director Jennifer Calvery[3] described the federal government’s efforts to fight the terror group commonly known as ISIS. She noted that although much of the activity of that group is in Syria and Iraq, the fact of the matter is that they have to have trading partners around the world to get the supplies that they need to wage war. There are several things that FinCen and similar agencies are trying to accomplish to stop them: disrupting revenue streams by denying funds wherever possible, limiting access to the international financial system and, finally, punishing any individual or group that helps ISIS.

Here is one example that has been cited:

… [A] Case originated in 2008 with BSA data concerning an individual who was later convicted of conspiring to provide and providing material support to the Pakistani Taliban. The defendant funneled money to Pakistan as Taliban insurgents fought for greater control in northwest Pakistan.  BSA data was critical in uncovering the diverse and complex methods the individual used to send money from the United States to Pakistan, each of which was designed to conceal and support his activities. Investigators uncovered at least three methods: 1) wire transfers from the United States to Pakistan, where an associate picked up and administered the funds; 2) transfers of funds from cashier’s checks drawn on U.S. banks to a bank in Pakistan where co-conspirators could draw checks; and 3) bulk cash carried by family members and other travelers from the United States to Pakistan.  [4]

So ultimately, regardless of the size of your institution, the SARs that you file are part of something much bigger. You are deputies in the fight against some very dark forces including human traffickers, drug dealers and terrorists, and the information that you provide is critical in this fight.

A Balancing Act

The decision to file a SAR must be a balancing act. For the BSA Officer at most financial institutions there remains the fear that the decision not to file a SAR might result in heavy regulatory criticism. It is sometimes the case that institutions will file a SAR even when they feel that they are totally informed about the transactions and do not feel they are suspicious. Filing a SAR to avoid regulatory criticism is commonly called “defensive SAR filing”. While almost no institution will admit to doing so, a large number have actually filed defensively.

As a best practice, the SAR process should also be tied to the “de-risking” consideration process at your institution. There are many times when a customer engages in a suspicious transaction that is a one-time thing. Perhaps there is a large cash transaction and the explanation from the customer is somewhat sketchy. A SAR is filed and the account is closely monitored for the next 180 days. There is no other unusual or suspicious activity. In these cases no additional SAR needs to be filed.

However, there are cases when a customer engages in suspicious activity and continues to do so. For many institutions, the process has become a continuous string of monitoring account activity and filing SARs. However, in the event that a customer is engaging in activity that the institution finds suspicious, the prudent course is to act on that information. In the event that there are three or more SARs filed on a customer for the same type of activity, it is necessary to make one of two determinations:

  • The activity can be fully explained and vetted and is therefore not suspicious
  • The institution does not have the information necessary to properly monitor and manage the risk presented by the customer and therefore must terminate the relationship (“de-risk”)

Continuously filing SARs on a customer without considering the customer for de-risking is a red flag for regulators. This is an indication that the BSA staff of your institution does not fully understand what the customer is doing. Once activity of a customer has been determined to be suspicious, the process for gathering additional information should begin. Ultimately, if the BSA staff is unclear about a customer’s activity or business, that customer presents an unacceptable level of risk. Filing a SAR defensively can be an act of simply giving up and admitting that there is insufficient information about the customer.

The Examination Process and SARs.

Again, the BSA examination manual is helpful here.  It states that what the examiners are supposed to be looking at is the SAR Decision Process.

Within this system, FinCen and the federal banking agencies recognize that, as a practical matter, it is not possible for a bank to detect and report all potentially illicit transactions that flow through the bank. Examiners should focus on evaluating a bank’s policies, procedures, and processes to identify, evaluate, and report suspicious activity. However, as part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the bank’s suspicious activity identification, evaluation, and reporting process[5]

It is clear from the text of the examination manual that there is no expectation that a financial institution will be able to catch every suspicious transaction that takes place. There are simply not enough resources for that to be the reality. Instead, regulators expect financial institutions to develop systems that allow for the identification and monitoring of the highest risk areas.

There are five key components to an effective SAR monitoring system.   The five components are:

  • Identification or alert of unusual activity (which may include: employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output).
  • Managing alerts.
  • SAR decision making.
  • SAR completion and filing.
  • Monitoring and SAR filing on continuing activity.[6]

In part two, we will discuss what each of these components means and how to determine when to hold ‘em and when to file ‘em.

[1] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview

[2] Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative (November 2003)

[3] Comments of FinCen Director Jennifer Shasky Calvery at Institute of International Bankers Annual Anti-Money Laundering Seminar, April 30, 2015

[4] FinCen Recognizes High-Impact Law Enforcement Cases Furthered through Financial Institution Reporting

[5] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview

[6] FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity

 

 

Understanding Banking Compliance Regulations

Introduction

Compliance regulations have become the center of a number of discussions in the financial services industry. Starting with the financial meltdown of 2008, the number of regulations that directly impact the relationship between consumers and banks has grown exponentially. Of course, the costs associated with compliance have also grown and become a significant part of the strategic planning processes and budget for financial institutions. Quite often, compliance regulations are derided as unnecessary and burdensome, while the regulatory agencies that are charged with enforcing them are considered unreasonable or unfair. Unfortunately, it is often the case that the reasons compliance regulations exist and the goals of compliance examiners are misunderstood. This misunderstanding can lead to less than effective compliance management programs, mistrust of regulatory agencies and overall inefficiencies in the compliance regulation process. Understanding the “why’s” and “what’s” of compliance can go a long way towards a stronger compliance program.

Compliance: A Brief History

Although there are several theories about why banking is such a heavily regulated industry, some common themes develop when considering this topic.   Chief among the reasons that are advanced as an argument for bank regulation is the idea that banks and financial institutions must maintain stability, and the regulatory structure helps to create stability.  For example, deposit insurance helps to eliminate the fear that financial institutions will run out of money for their customers.  Another argument for regulation is the role that financial institutions play in the payment system.  This is an area that requires stability.  The ability of funds to flow freely through the financial system is one of the hallmarks of the stability of the US financial system.  A third area that is often cited is the need to promote efficiency and competition among financial institutions.

In the aftermath of the stock market crash of 1929, the banking system experienced one of its greatest crises of confidence. Significant “runs” on banks caused liquidity concerns and brought the whole US financial system to a crashing stop. The result of these events was to usher in the modern age of bank regulation. From that time on, a series of regulations and regulatory agencies has been developed, all designed to promote stability and efficiency in the financial system. Generally, financial institution rules that promote the overall stability of the financial institutions are considered “safety and soundness” rules. Safety and soundness rules deal with the overall levels of risk that are inherent at individual banks. Levels of capital, limits on the loans to one borrower and the ability to identify and manage the risks presented by individual customers are all examples of safety and soundness rules.

While safety and soundness rules can generally trace their lineage back to the Great Depression, consumer regulations don’t enjoy the same clear history.  For the most part, compliance regulations have been implemented following a much more indirect path.   The pattern for development of consumer protection regulations is a familiar one.

1. A practice or product of a financial institution impacts a group of consumers in a negative way (e.g. women or minorities do not have equal access to credit).
2. The offending practice receives widespread attention of the public.
3. The public outcry receives the attention of government.
4. Legislation is passed to directly change the practice or product.

This has been the pattern time and time again in the development of all of the notable consumer protection regulations that have been enacted in the financial services industries. For example, Regulation Z (the Truth in Lending Act) was passed after public outcry about the lack of complete information detailing the costs of borrowing from banks. From the flood insurance rules and the SAFE Act to the Servicemen’s Civil Relief Act, each of the significant consumer protection regulations has followed this same pattern and path. While it can be passionately argued that regulation is not always the most efficient means to prevent bad practices, waiting for market discipline to self-regulate has historically caused more harm than good.

It is important to remember that consumer compliance regulations, regardless of the design or requirements, have a goal in common: to prevent policies or practices that have caused real people harm in the past. Moreover, it is also the case that financial institution practices that hurt people have not been prevented by consumer regulations. In fact, the reason that the Consumer Financial Protection Bureau was created was to further strengthen the protections for consumers.

“…CFPB will be the single, consumer-focused regulating authority, consolidating the existing authorities scattered throughout the Federal government under one roof.  And, the Bureau’s oversight includes the large banks and credit unions that had historically been regulated by the Federal government, as well as independent and privately owned “non-bank financial institutions” that had never been regulated before.

This means that for the first time, the Federal government will be able to regulate the activities of independent payday lenders, private mortgage lenders and servicers, debt collectors, credit reporting agencies, and private student loan companies.” [1]

A Peek Inside Consumer Regulations

In addition to their similar origins, consumer regulations also share similar approaches to addressing problems.  The institutions to which these regulations apply are required to either disclose information to customers or collect information about customers. Regardless of the actions that are required of the financial institution, the overall goal of consumer compliance regulations is to provide as much information as possible to the general public.   Data that is collected is used to study the impact of financial institution practices. For example, the data from the HMDA LAR (Loan Application Register) is used to study trends in housing and the experience of women and minorities at institutions that originate mortgages. Regulatory disclosures, such as the Truth in Lending disclosures are meant to give the customer the ability to easily compare the costs of a loan from one institution to the next.  The finance charges and fees are all supposed to be listed in a uniform manner to allow a customer to lay offers for a loan side by side.

Ultimately, consumer regulations are supposed to level the playing field between financial institutions who have significant resources and unsophisticated borrowers who have limited resources.

Compliance Examinations

When examiners conduct a compliance examination, the ultimate goal is to determine the strength and effectiveness of the compliance management program (“CMP”). The CMP is comprised of the policies and procedures that cover compliance, the internal controls that have been established, independent reviews and training of staff. The examination team will take a step-by-step approach.

First, there will be analysis to determine that each of the critical components of the CMP has been established. Policies and procedures are reviewed to make sure that they are comprehensive and up to date. Do these documents give staff information on the expectations of the Board and senior management? Further, in the case of procedures, do they direct staff on the proper steps to take to conduct transactions? The compliance examiners will also review training programs and analyze whether they are keeping staff appropriately informed of applicable regulations. Finally, this portion of the examination will analyze independent reviews (audits) to make sure that the scope is appropriate.

Next the examiners make a determination about the overall effectiveness of the CMP.  For example, the most complete written policies and procedures in the world have no impact if the results of independent reviews are ignored.   The CMP must have the ability to determine the roots of noncompliance and a plan for corrective action.

As a third step, the compliance examination reviews the ability of the senior management at the financial institution to identify risks and to take action to mitigate risks. Many times, when there are regulatory concerns at financial institutions, the root cause is the inability of staff to recognize why an activity is risky or the extent of the risk. For example, an institution that serves a large number of high-risk clients must have the ability to determine what makes them high risk and precisely how to monitor activities to look for suspicious behavior. Before a bank takes on an MSB (“Money Service Business”) as a client, there should be sufficient staff knowledge of MSBs. The institution should also have the software ability to closely monitor transactions of MSBs.

Finally, the compliance examination staff will review the skill sets and knowledge of the staff who are charged with keeping the institution in compliance. A highly experienced and knowledgeable staff can serve as a strong counterbalance to limited policies and procedures, for example. On the other hand, staff who are unfamiliar with compliance regulations will be expected to have significant resources to use.

The compliance rating is based upon the overall effectiveness of the CMP at a financial institution.

Compliance regulations are the direct result of bad behaviors of financial institutions. Most of the regulations are designed to give the consuming public maximum information. Compliance will be a part of banking on an ongoing basis. Embrace your inner compliance officer.

[1] Consumer Financial Protection Bureau 101: Why We Need a Consumer Watchdog, by Megan Slack, Whitehouse.gov blog, January 4, 2012 at 11:13 AM ET
