Returning to Normal – (One Step at a Time)
As COVID-19 became a pandemic, the economic impact grew with the virus. Unemployment rates were once again at record highs and businesses had to adapt to new health guidelines to maintain business continuity. To help both businesses and consumers during this troubling time, the United States government issued the CARES Act and many other regulatory changes. These included the introduction of Paycheck Protection Program (PPP) loans and the removal of excessive transaction requirements for savings accounts under Regulation D. Aside from these major changes, there were many slight regulatory changes. As the fully vaccinated population continues to grow in the United States, and we get closer to returning to our “pre-pandemic” lifestyles, the Consumer Financial Protection Bureau (CFPB) is rescinding a handful of regulations that were implemented during the pandemic. This is because the CFPB no longer finds these flexibilities to be necessary to financial institutions at the expense of consumer protections. The rescinded policies are listed at the link here: https://www.consumerfinance.gov/about-us/newsroom/cfpb-rescinds-series-of-policy-statements-to-ensure-industry-complies-with-consumer-protection-laws/
Although many of the flexibilities that were issued in response to the pandemic are slowly being removed, there are a few changes that are not. Among the extended or permanent changes, the first is that the Regulation D changes removing excessive transactions have not been rescinded. In fact, the Federal Reserve has indicated that this change is intended to be permanent.
- Are the recent amendments to Regulation D temporary or permanent?
On April 24, 2020, the Board of Governors issued an interim final rule amending its Regulation D to delete the six-per-month limit on convenient transfers from “savings deposits.” The underlying reason enabling the changes in Regulation D is the FOMC’s choice of monetary policy framework of an ample reserve regime. In such a regime, reserve requirements are not needed. As a result, the distinction made by the transfer limit between reservable and non-reservable accounts is also not necessary. The Committee’s choice of a monetary policy framework is not a short-term choice. The Board does not have plans to re-impose transfer limits but may make adjustments to the definition of savings accounts in response to comments received on the Board’s interim final rule and, in the future, if conditions warrant. https://www.federalreserve.gov/supervisionreg/savings-deposits-frequently-asked-questions.htm
This means that a bank can still determine whether it would like to continue monitoring savings accounts for excessive transactions. Charging fees for excessive transactions would also be at the bank’s discretion.
Additionally, under the Regulation O modification, PPP loans to insiders would continue to be exempt from most of the Regulation O provisions for loans made before March 31, 2022. Therefore, aside from §215.5, PPP loans are not considered an “extension of credit” under Regulation O and do not count toward the insiders’ lending limits.
As the world returns to its “pre-pandemic” state, there may be continuing regulatory transitions, and Compliance Alliance will continue to update and provide guidance on the regulatory landscape as it happens. Until then, it is important that banks readjust their policies and procedures, as the recently rescinded policy statements would no longer be applicable.
Don’t Fear the Audit
Audits—a word that can make even the strongest buckle. The banking sector is no stranger to audits and the auditing process. As we all know, bank audits are routine, common procedures affecting institutions of all sizes. But what is important to remember is that, regardless of whether you are in management, the Audit department or a business unit of a bank, everyone needs to gain clarity about what bank audits are and what to expect during the process.
Bank audits are a routine, formal process where the institution’s operations, controls, records and risk management are reviewed for accuracy, legitimacy, safety and efficiency. Regardless of whether a bank chooses to have an external auditing firm perform audits, or whether they are assigned internally to an audit team, or whether the bank uses technology and software solutions to assist in the implementation of internal auditing programs, all financial institutions should have an audit framework to stay abreast of their internal controls and compliance management oversight. To facilitate a consistent approach across the organization, the Board of Directors should ensure that the bank has its own audit framework, that is held accountable to the bank’s board through reporting, and that its audit function performs audit activities of a sufficient scope to enable the Board to satisfy its fiduciary and legal responsibilities. This audit function, whether internal or external, is essential to the overall information security and compliance management systems. So, monitoring and assuring that, overall, the bank’s assets are secured and safeguarded is the key concern.
Risk management oversight and high-impact reporting will assist financial institutions to be proactive in their document collection to improve regulatory compliance. It will enhance cybersecurity monitoring to prevent attacks, consumer and bank harm, and, ultimately, losses. Audits, when scoped successfully, will provide a comprehensive analysis of compliance management, continuity plans, information security, and oversight into vendor management risks. Reviews of bank policy and procedures reduce further risks and provide for comprehensive risk assessments. But the endgame of a successful audit is to improve efficiencies and executions through formalized Board reporting.
A key feature to achieve the above expectations is independence and objectivity—both have specific meanings within the internal audit environment. Independence is freedom from conditions that threaten the ability of the audit activity to carry out audit responsibilities in an unbiased manner, while objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Additionally, professional competence, due professional care and auditor integrity are imperative to a successful examination and evaluation of internal or external audit findings.
One way to ensure a successful audit function is to develop an audit charter or policy that articulates the purpose, standing and authority of the audit function within the bank to promote effective internal and compliance controls. Every activity, including those outsourced, and every business unit of the bank should fall within the scope of the audit function being completed or outsourced. The bank’s risk management processes should act towards supporting and reflecting its adherence to regulatory provisions and safety and soundness, which is why it is crucial that they appear within the audit’s scope.
Whether done internally or externally, it is important to not forget this function within an institution and the interconnectedness it has with the bank’s overall success at mitigating risks. It will help identify and provide solutions for risks and ensure compliance with laws and regulations that ultimately protect the bank’s assets and consumers. Do not fear the audit—embrace it!
Demonstrable Intent – Open the Box and Look Inside (No Cats Were Harmed in the Process)
Have you heard about Schrödinger’s cat? It is a famous thought experiment where a cat is put into a box with a flask of poison, an internal monitor, and a radioactive source. The experiment was designed to show that once the cat goes into the box, the state of the cat is unclear until it can be determined. Demonstrable intent must similarly be shown or demonstrated.
The E-SIGN Act, or Electronic Signature in Global and National Commerce Act, created a system of ensuring that electronic signatures, contracts, and records are valid and enforceable if they meet certain criteria. The E-SIGN Act requires the bank to obtain consumer consent before sending any disclosures or notices electronically. It requires the bank to do the following:
- Inform the consumer of any right or option to have the record provided or made available on paper;
- Explain what transactions and notices the consent pertains to;
- Describe the procedures a consumer must use to withdraw consent and update contact information;
- Inform the consumer how to obtain paper copies after consent is received and what fee is associated with them; and
- Before consenting – provide the consumer a statement of hardware and software requirements for access and retention of the electronic record. (See link for more details)
Once this information is provided to the consumer, they must “consent electronically, or confirm [their] consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.” (see §101(c)(1)(C)(ii)) In other words, the bank must show demonstrable consent by the consumer, and the consumer must agree to receive documents electronically and must consent in a manner that both a) demonstrates that they can access the documents electronically, and b) provides the consent in an electronic format.
As an illustration, if a bank wishes to provide customers with electronic PDF statements, one of the ways the bank could obtain demonstrable consent is by requiring the customer to first open a PDF to consent or confirm electronic delivery. In receiving and responding to this initial request, the customer reasonably demonstrates they will be able to access the records that were agreed to be sent electronically.
What does this have to do with Schrödinger’s cat? To know if the cat is alive or dead, the box must be opened. The same is true with demonstrable consent. Even if the bank has received a notarized, handwritten authorization permitting the records to be sent electronically, under E-SIGN the bank and its regulator cannot know whether the customer has received and has access to the record sent unless the customer demonstrates that they were able to do so. Using our PDF example, they must open that first PDF to show they have the reasonable ability to open any PDF.
The bottom line of demonstrable consent is this: the customer must prove to the bank that they can receive and view the electronic records BEFORE the bank sends them.
CFPB Issues New FAQs Regarding Unauthorized Electronic Fund Transfers and Errors Under Regulation E
In a world of rapidly evolving technology, banks must respond accordingly to ensure compliance with regulations regarding electronic fund transfers (EFTs). Regulation E implements the Electronic Fund Transfer Act and ensures consumers are protected when they engage in EFTs. Earlier this month, the Consumer Financial Protection Bureau (CFPB) issued an updated set of frequently asked questions covering the area of unauthorized electronic fund transfers and errors under the regulation. Regulation E contains provisions that allow consumers to dispute certain transactions classified as errors. If a consumer submits a notice of an error because of an EFT, the bank is required to conduct an investigation to determine the legitimacy of the error, which can involve provisional or final credit to the consumer regarding that transaction.
A common Regulation E dispute involves an unauthorized transaction. The regulation defines an unauthorized transaction as an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer. Traditionally, a situation in which a transaction is made from an account by someone other than the person who owns the account would fall under this definition, assuming the person making the transaction did not have authority to do so. This would generally mean that a transaction made by the person who owns the account would not be considered a Regulation E error. However, the FAQ seeks to clarify that there can be fraud situations where this may not be as clear.
The FAQ emphasizes that if a third party induces a consumer into sharing account information used to initiate an EFT, then it would be considered an unauthorized EFT and therefore an error under Regulation E. This would apply in situations where a fraudster calls the consumer pretending to be a bank representative to induce the consumer to furnish account information, as well as where a fraudster accesses a consumer’s computer to obtain the information and initiates the EFT.
The FAQ also states that when assessing liability for an unauthorized EFT under Reg. E, a consumer’s negligence cannot be considered by the bank. The regulation prohibits negligence being used as the basis for greater liability than what is allowed under the regulation. The permissible parameters of liability under the Regulation come from §1005.6 and depend on certain circumstances, such as the timing of the consumer alerting the bank of an error.
It is important to note that with any EFT dispute, banks should also review any relevant contracts such as the underlying account agreement or contractual agreement with card providers or private networks. The FAQ underscores the fact that banks and consumers cannot contract their way out of Regulation E obligations, but it is indeed possible that these documents can contractually obligate the bank to investigate and take certain action on disputes that are not otherwise covered by the Regulation. As always, Compliance Alliance will be here to assist you with any of your needs. In the meantime, our Regulation E toolkit can be helpful as a great starting point.
Overview of the 2021 Updates to the FFIEC BSA/AML Examination Manual
The FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual has undergone a number of changes in 2020 and 2021 thus far. It was most recently updated on February 25, 2021, and again on June 21, 2021. Overall, the revisions include more detailed instructions for examiners as they examine a bank’s BSA/AML compliance program. The instructions provide transparency for examiners as they assess a bank’s compliance with BSA regulatory requirements.
Some of the key updates which have been made to the FFIEC BSA/AML Examination Manual in 2021 include:
- Assessing Compliance with BSA Regulatory Requirements – this section of the examination manual was updated to provide a high-level overview of how examiners should complete their scope and plan for examinations. The updates also encourage examiners to focus on the actual processes followed by the bank in addition to its policies and procedures.
- Customer Identification Program – this section of the examination manual was updated to include guidance for opening accounts for customers who have applied for a tax identification number, but who have not yet received one. It also clarifies the expectation for the procedures that banks are expected to follow when making and maintaining a record of a customer’s identity. A new subsection was also added which provides guidance to examiners regarding “exemptions”.
- Currency Transaction Reporting – this section of the examination manual was updated to provide clearer descriptions for aggregation requirements. Guidance is also added which addresses “structured transactions” and “identification required”. These updates also clarify the expectations that banks must follow when receiving errors subsequent to filing CTRs, back filing, and amending CTRs.
- Transactions of Exempt Persons – this section of the examination manual was updated to reaffirm the expectations for banks to conduct an annual review of exemption eligibility for customers who were previously exempt from CTR reporting. This section also provides guidance which expands the type of customer for which the bank is not required to confirm eligibility for exemption. A new “operating rules” subsection was added to this section, and clarification was provided regarding the bank’s obligations for recordkeeping and reporting requirements as they relate to other regulations.
- International Transportation of Currency or Monetary Instruments Reporting – this section of the examination manual was updated to outline the regulatory requirements for banks regarding international transportation of currency or monetary instruments including the bank’s obligation to complete a Report of International Transportation of Currency or Monetary Instruments (CMIR).
- Purchase and Sale of Monetary Instruments Recordkeeping – this section of the examination manual was updated to provide clear guidance regarding the regulatory recordkeeping requirements banks must comply with and the limitations banks must follow for the purchase or sale of monetary instruments.
- Reports of Foreign Financial – this section of the examination manual further explains the reporting requirements and filing instructions regarding the required Report of Foreign Bank and Financial Accounts (FBAR), which must be filed for certain foreign transactions.
- Special Measures – this section of the manual was updated to provide more transparent guidance regarding five special measures which must be imposed, individually, jointly or in any combination.
It is important to note that while there have been a number of updates to the FFIEC BSA/AML Examination Manual, the manual itself does not establish any new requirements for financial institutions. Also, financial institutions should not interpret the updates as new instructions or as new or increased areas of focus for BSA/AML Examinations. These updates are considered further transparency into the examination process and should aid examiners in the support of risk-focused examination work.