This is my last installment of what I learned at the ABA's Regulatory Compliance Conference in June.  I hope my notes have provoked some thoughts and helped you manage compliance at your bank.  This last session dealt with how Compliance Officers handle keeping up with the barrage of compliance issues, new proposals, final regulations, and more.  Also, it touched on developing procedures for new requirements.  Here are my notes:

New issues:  Is it a Proposal, final, Guidance, FAQ?  You don't have to respond to all of these (proposals) or take them all the same (final rule vs. FAQ/Guidance).

Can you leverage off consultants/vendors (BOL, ABA, Compliance Headquarters, etc.)?  Call your vendors and ask them what they know and how they can help your bank.

Compliance personnel should not develop procedures.  Take the Compliance Officer expertise of requirements and the expertise of the business lines to develop procedures together.

• The Compliance Officer doesn't have the knowledge or technical expertise to tell Senior Loan Officers how to do their job!
• If the bank gets "lost", whose fault is it?  Who's responsible?
• Foster relationships to help them comply.  The Compliance Officer doesn't do the compliance.  You are their ally. 

Don't cry wolf every time a new requirement is proposed.

• The Compliance Officer should give regulatory updates to Sr. Mgt / BOD:
• Finals, FAQs, Guidance
• Maybe mention proposals but only if you feel they are significant or going to be finalized.
• This gives them a heads up that you/they will need additional resources.

Access the implication of new requirements:

One presenter indicated she copies and pastes relevant parts of new requirements (including definitions) into a Word document.  She then inserts comments about what parts apply to her bank, which ones don't, feedback from departments, etc. 

• - She provides this to the regulators when they come.
• - This shows the bank has thought through new issues, how it impacts the bank, what doesn't apply, etc.
• - This acts like a risk assessment (thinking through the issues) which is what most of the requirements are asking for.

When new requirements are issued, don't send an email out to people and scare your personnel ("this goes into affect in 6 months and we have to do it").  Rather send an email to the key people that need to know and ask them for a face to face meeting. You can give them a short synopsis "I need 1 hour of your time to discuss the new ID Theft requirements".  Attach the Word summary (discussed above) so they can be prepared for the meeting.

I'm still providing you with my notes from the ABA's Regulatory Compliance Conference.  I attended a session on Risk Rating and Prioritizing tasks as a Compliance Officer.  Below are my notes from this session:

Gone are the days of checking off tasks.  Now you must risk assess everything.  Apply a risk approach to everything.  What issues are facing your bank?

Getting Organized:

Design a "Issues Status Report"

Be sure to list the responsible office and responsible officer/manager. (These people will want their name off the list - so it becomes a priority for them).

            If past due, change the color (yellow or red).  This will get a faster response.

Design a "Project Status Report"

Showing the schedule, process and completion status of tasks.  This is a great way to report to senior management and/or Board.

Risk Rating/Prioritizing:

Lower risk = lower priority

For example, check some disclosures once per year (such as the Cosigner notice) to make sure verbiage hasn't changed.

"Don't let the Compliance Tail wag the Banking Dog"

            If you under manage, issues will arise.

            If you over manage, you risk profits.

It's not a "compliance culture". It's a "Risk Culture."

            Risk management starts at the top.

            Many senior people don't like the term "compliance". Use "risk".

Auditing & Risk Rating: 

For example, not all of Reg E is a high risk: 

Issuing access device (205.5) vs. initial disclosures (205.7) vs. error resolutions procedures (205.11). 

Same with Reg D, yet Reg D doesn't have the same monetary penalties or seems to receive less examiner scrutiny.

 

 

Here are some more notes from the ABA's Regulatory Compliance Conference.  I attended a session on analyzing your institution's HMDA data that was very good.  Below are my notes from this session.

1.  Analyze your data now (before submitting). Not after you report it.

• Periodically (quarterly, semi-annually, annually?) review your data and know what it is telling you AND why.
• Be ready to defend your data.
• Feel free to add other data to your HMDA LAR (FICO scores, debt to income, loan to value, etc.).

2.  Can you explain ethnic, racial or gender disparities? Compare denials and pricing information on these categories.

3.  Review the time between application and action dates. Why do some take so long?

4.  Review rate spreads and HOEPA loans.

5.  Look for conspicuous lending gaps.

6.  Explain your data:

• Is there anything that looks odd to you?
• What does it mean to you?
• What will it mean to the public?
• Is it consistent with your institution's strategic goals?
•  Are results different by lending departments/channels/products? Why?
• Are results different among your lenders and/or brokers?

7.  If the HMDA data isn't correct, it trickles into several other areas (CRA Exam and CALL reports) which are not correct either.

"We expect banks to be self identifiers" - Calvin Hagins, Director of Compliance Policy, OCC

I continue to bring you my notes from the ABA's Regulatory Compliance Conference.  This session dealt with risk ratings. Not just the bank's BSA/OFAC risk rating, it also includes risk rating customers and employees of your institution.

Risk Assessment = analysis of current hazards AND future threats to your bank.

• One person should not do the institution's BSA/OFAC risk assessment alone.
• Don't forget to update your institution's BSA/OFAC risk assessment - at least annually.

Risk Rate employees? ID Theft, assisting in laundering money, embezzlement, etc.

• The BSA Officer is in the best position to cover up these types of activities because of wide access to reports & systems information. Best position to steal.
• Tellers - low pay, high temptation, high amount of opportunity.
• Senior Officers who have access to cash and/or sensitive information.

 Account Opening - risk rating accounts:

• You must ask the difficult questions.
• Treat all customers equally. Ask everyone the tough questions.
• Risk Rate all customers.
• Don't say "no risk" when rating customers.
•  Circular logic:
• How do you know what is suspicious activity if you don't know the customer?
• Then again, how do you assign a rating when you don't know the customer yet?
• Hire competent help.

 

 

I'm continuing to report about things I learned while at the ABA's Regulatory Compliance Conference (ABA RCC) in Chicago in June.  I had the fantastic opportunity to speak on a Flood Panel with a representive from FEMA, the FDIC and two bankers.  Here's some things we discussed that I thought may be of interest to you:

• Flood Zone Discrepancies:
• AE vs. AO (or others). The FDIC representative said they are not worried about this. Flood insurance is in place and premium is same. What they are concerned about is A vs. B, C, D, X (the Standard Flood Hazard Determination Form indicating the building is "in" a Special Flood Hazard Area and the insurance represents a building not "in").
• This is a big deal to the regulators right now.

• Flood Insurance is a "risk management" issue and needs to be treated as such.

• Replacement Cost Value:
• If the NFIP doesn't require RCBAP to 100% (only 80%), then why is FEMA Guidelines pushing 100% RCV on General and Dwelling policies? [Sorry, that's a rhetorical question to which I have no answer.]

• FEMA/NFIP are working on eliminating the co-insurance penalty on RCBAPs.  We should see this in the next 2 years.

• Mobile Home Policies:  Can they include Flood Insurance automatically?
• If the insurance was purchased prior to 1/07, it MAY automatically have Flood Insurance.
• If the insurance was purchased after 1/07, Flood Insurance CAN be purchased as a rider.
• If included, does it meet the 6 requirements of Private Insurance as outlined on page 57-58 of the FEMA Guidelines (section 5)?

• A private flood insurance policy that meets all six of the FEMA criteria described in a. through f. below conforms to the mandatory flood insurance purchase requirements of the 1994 Reform Act. To the extent that the private policy differs from the NFIP Standard Flood Insurance Policy (SFIP), available on the FEMA website at http://www.fema.gov/business/nfip/sfip.shtm, the differences should be carefully examined before the policy is accepted as sufficient protection under the law.

In my last blog, I wrote the first installment concerning my attendance at the American Bankers Association's Regulatory Compliance Conference (ABA RCC) in Chicago.  Here's another short piece on what I learned in a session on the new ID Theft Prevention Program requirements.  These are my notes and not necessarily complete sentences.  If you need more information on the FACTA ID Theft requirements be sure to read our June & January 2008 e-newsletters.

• Examination procedures are to be issued by the "end of the Fall". Q&A's coming as well. 
• Board Of Directors involvement - seems to be a trend among new requirements.
• You can't elevate everything up to the Board (yet the regulators seem to want to)!
• The Board must approve the INITIAL program and get an annual report. They don't have to approve all program changes throughout the year.
• Banks can incorporate existing policies & programs into the FACT Act program:
• Leverage existing policies. (CIP, Data Protection, Fraud Prevention, Privacy)
• What's this program supposed to look like? We don't really know yet.
• It's not supposed to be something you start from scratch. That's why the examiners said this will only take 25 hours (yeah, right!).

Recently someone asked me what I thought was a very easy flood insurance question.  The scenario played out like this:

The bank is going to make a loan secured by buildings located within a Special Flood Hazard Area (SFHA).  The borrower does not have enough funds to pay for the flood insurance out of their own pocket.  The bank told them not to worry that they would add the flood insurance premiums to the loan amount and disburse funds to the insurance agent at closing.  The lender asked if this practice would satisfy the flood insurance requirements.  I responded without hesitation that indeed it would and what would be better proof than the bank issuing the check and delivering it to the insurance agent.

Well, I was wrong.  You see, flood insurance is required prior to making, increasing, renewing or extending any loan secured by improved property located within a SFHA.  In the scenario above, flood insurance was not in place prior to closing; rather, it was put in place after closing.  The loan was closed, a check was cut and then delivered to the flood insurance agent for payment.  Therefore, the flood insurance requirements were not met.

Using the same scenario above the bank could have met the regulatory requirement by instructing the borrower to write a check to the flood insurance agent prior to loan closing.  Obviously, the bank would have to then cover the check if the borrower was short on funds, depending on when the payment was made.  The bank could then reimburse the borrower/cover the check with funds from the loan closing disbursement.

When it comes to flood insurance we need to remember that things that seem to make logical sense don't necessarily ensure compliance with the regulatory requirements.

This is the second installment about things I learned while at the ABA's Regulatory Compliance Conference.  Here's another short piece on what I learned in a session on UDAP - something we don't talk about much, but is very ugly if the regulators believe your institution is involved in a deceptive act.  These are my notes and not necessarily complete sentences.

• There is a bill in Congress to allow FTC to be more involved in the regulation of banks (directly).
• What's deceptive?  You'd better be able to substantiate it BEFORE you make the claim.
• Every State has a "UDAP like" law
• New Proposal will expand Reg AA
• Was limited (Credit Practices Rule).  The proposed rules have more "teeth" and coverage
• Congress is getting involved.
• Credit card & ODP targeted.
• Exposure beyond Marketing
• Fulfillment has to match promises
• Even if years later and there has been system changes
• "Combined Balance" = my account + ODP/HELOC/OD LOC will get you a UDAP violation and FTC referral.  No question.
• Bottom line:  The "net impression" is what matters.

I recently attend the American Banker Association's Regulatory Compliance Conference (ABA RCC) in Chicago along with 1200 other compliance professionals.  I had the honor of speaking on the topic of Flood Insurance on a panel with representatives from the NFIP and the FDIC, along with two bankers.  Over the next few weeks, I'll be giving you some notes from some of the sessions I attended.

The first session was called the "State of the Union".  We, at Banker's Compliance Consulting, are always trying to stay on top of the regulatory issues, hot topics and new releases.  This session really scared me when they began listing all the issues we face or are about to face.  Here's a short list:

• Reg Z - High Cost Mortgage proposal. Expect the final to be issued in July.
• Lots of other proposals and changes coming:
• RESPA (I really hope this one doesn't happen!);
• Flood FAQs (hopefully, we'll see the final FAQs by the end of the year);
• FACT Act - 2 final (ID Theft and Address Discrepancy) and 1 proposal concerning the Risk Based Pricing Notice;
• 2 Truth in Lending proposals in process;
• UDAP (most concerning overdrafts); and
• Reg DD (mostly concerning overdrafts).

On top of all this, the speakers indicated, there are more regulations & guidance likely to be coming from Congress.  With the current mortgage "crisis", Congress feels they need to get more involved in the regulatory process.  They are more than concerned with several issues like Predatory Lending and Broker licensing and regulating.  While I agree there are a few bad apples out there that need to be reigned in, I don't believe more regulations will improve our industry or protect the victimized.  In fact, the more disclosures we give, the less the "protected" will read.  Hence, the effect is "more is less".

We (that means YOU) need to write comment letters and talk to our Congressional Representatives.  Help them understand your perspective so they are more informed instead of just hearing from the few victims.

As you all know, one of the "hot buttons" of regulatory compliance is flood insurance.  Recently, there has been a lot of commotion about "insurable value".  If you're not familiar with this, I encourage you to read our Comment Letter - specifically pages 2-4 - concerning FAQ #7.

Unfortunately, some regulatory Regional and Field offices are stating lenders must use Replacement Cost Value (RCV) when calculating the proper amount of flood insurance.  I'm aware of guidance from the Dallas OCC Regional Office and the Dallas, Philadelphia and San Francisco Districts of the Federal Reserve Board stating this incorrect information.  Now that sounds pretty bold of me (I'm disagreeing with all of those regulatory offices) yet there's no question in my mind that using RCV is NOT what the National Flood Insurance Act requires nor is it a requirement of the regulation.  It is simply a "best practice" published in the 2007 FEMA Guidelines (see page 27).

When I have the chance to talk to regulators about this issue, they have always "come around" and "softened" their approach.  Many have said they are backing off on this issue - at least until the regulatory FAQs are finalized (we're hoping by the end of 2008) or other guidance is issued.

I'm not against purchasing RCV when it will pay.  If my home flooded, I would hope I was adequately insured.  However, you can't get a RCV payout on non-primary dwellings and even in many instances when you are insuring a primary dwelling.  So why should a lender require insurance that won't pay?  I believe to require insurance when it won't pay is not only a bad PR issue for lenders, but it can also be seen as a deceptive act - something none of us want to be associated with.  So why would our regulatory agencies ask us to do just that?  Good question, one that I don't have the answer to.

Stay tuned and good luck.