Resting Assured: Audit Season in Bloom
Spring has sprung! And for many of our community banks out there, the changing of the weather brings along with it the so-called “audit season.” For many more of our banks – particularly when it comes to those banks’ internal audit departments – every season is audit season.
For banks navigating the demands of this time of year, Compliance Alliance offers a unique solution to address the challenges audit season can present. Assurance Services, part of the Compliance Alliance family of companies, provides expert audit services on a range of regulatory topics – many of which are common focal points during agency examinations.
The following is Part 1 of a roundup of key areas and common pitfalls identified during recent audit engagements – each one a timely reminder of where banks should focus attention to stay aligned with regulatory expectations. Stay tuned next week for Part 2!
Advertising: The Logo Problem
Financial institutions should take a closer look at their use of regulatory logos in marketing, particularly in digital mediums. Several banks have used the FDIC corporate logo in advertising – sometimes even the version with a globe inside the “C.” It should be noted that this logo is reserved exclusively for use by the FDIC itself. Banks should instead use the proper “Member FDIC” statement in all marketing for insured deposit products, as outlined in 12 CFR 328.6 (and, if using a reproduction of the symbol, that which is described in § 328.2(b)).
In addition, Equal Housing Lender logos and the FDIC statements were often missing from social media profiles and posts; remember, the definition of an advertisement under Part 328 is very broad, and so the requirements of 12 CFR 328.6(c) should be reviewed whenever the bank has a “commercial message, in any medium.”
BSA and CIP: Precision Matters
BSA and CIP processes are driven by a risk-based approach, and that often requires a high attention to detail, even for seemingly minor things. For example, Currency Transaction Reports (CTRs) require detailed and accurate occupational information (Item 9 of the CTR Filing Instructions explicitly asks for “specific descriptions” of the occupation, profession, or type of business of the Part 1 individual or entity).
Another key consideration is the consistent use of CIP tools during account onboarding. In some cases, identity verification tools were not run for all new customers. Regardless of how familiar staff may be with a client, the bank’s CIP must be applied consistently to meet the bank’s BSA obligations under 31 CFR 1020.220 – and to uphold sound practices in verifying and understanding the bank’s customers.
Wire Transfers: Purpose and Process
Wire activity remains a relatively high-risk area, particularly in documentation. While most institutions perform callback verifications, how they document those verifications can tend to vary. Some callbacks are noted via phone logs, others via email, and sometimes the method of verification isn’t captured at all. Therefore, it’s critical to document and maintain a consistent and complete record of who verified the wire, how it was verified, and when.
Additionally, wire purposes should be clearly defined and recorded. Descriptions like ‘Deposit’ or ‘Funds’ are too vague to truly reflect the reason for the wire, which effectively defeats the point of including a purpose field in the first place. Banks should encourage their staff to use more descriptive terms – these provide greater transparency, and can generally help in identifying suspicious transactions.
If you have any other questions in the meantime, feel free to reach out to Assurance Services at 888-353-3933. Otherwise, come back next week for Part 2!
OFAC’s Interim Final Rule: 10 Years of Records – But Which Ones?
It’s been said that, “If you love something, set it free.” OFAC, apparently, does not second that emotion – at least not when it comes to transaction records. Instead, they now require banks to hold onto them for ten years – twice as long as before.
In September 2024, the Office of Foreign Assets Control (OFAC) quietly dropped an interim final rule (found at 89 FR 74832) amending the Reporting, Procedures, and Penalties Regulations (RPPR) under 31 CFR Part 501, and requiring that “certain transaction” records – which were once required to be kept for five years – now be retained for ten years. With an effective date of March 12, 2025, many financial institutions (and other entities subject to OFAC regulations) are now left wondering the full scope of this rule, and which of their records will be affected.
However, the rule itself provides little clarity on exactly what “certain transactions” fall under this requirement. Instead of offering a straightforward or exhaustive list, OFAC relies on reference (bordering on implication) to existing regulatory language – specifically 31 CFR Part 501, Subpart C – to “outline” what falls under the new requirement. Broadly, these would be transactions involving or subject to OFAC regulations, including blocked or sanctioned property, rejected or unexecuted prohibited transactions, transactions requiring OFAC authorization through licenses, and any activities tied to specific sanctions programs. In other words, the implication is that any transaction that falls under OFAC’s oversight now carries a decade-long recordkeeping obligation.
Here’s a high-level breakdown of some of the records now subject to the updated rule. First, documentation related to blocked property and assets (essentially, anything frozen due to U.S. sanctions). This may include bank accounts, securities, real estate, and other holdings belonging to entities on the Specially Designated Nationals (SDN) List – and similar restrictions (31 CFR 501.603). It is important to note here that the 10-year retention period begins after the date of the transaction, which means the actual recordkeeping timeframe may sometimes extend beyond a decade. For blocked property, the clock doesn’t start until the property is unblocked. As a result, in cases where assets remain blocked, the recordkeeping requirement can effectively last indefinitely. Next, records pertaining to rejected or unexecuted transactions – any transaction halted due to OFAC regulations (where there is not an otherwise “blockable” interest). This generally would cover wire transfers, credit card payments, securities trades, and any other financial activity that couldn’t proceed due to sanctions compliance (31 CFR 501.604). Additionally, transactions requiring an OFAC license fall under the expanded rule, even if the license application was denied. Whether seeking authorization for payments, trade, or other restricted dealings, it would appear appropriate to retain all applications and supporting documentation (31 CFR 501.602 and, by reference, 31 CFR 501.801).
Finally, records related to specific sanctions programs look to be encompassed. This could include compliance due diligence, sanctions screening logs, internal risk assessments, and audit reports. (31 CFR 501.601 and A Framework for OFAC Compliance Commitments).
Though the rule doesn’t do much in the way of clarifying the scope of the relevant recordkeeping obligations, it makes no secret as to why this longer retention period is being imposed. OFAC’s decision aligns with the 21st Century Peace Through Strength Act, which, among other things, extended the statute of limitations on civil penalties for sanctions violations from five years to ten years (50 U.S.C. 1705(d) and 4315(d)). In other words, the government now has a decade to enforce penalties for violations, so banks likewise need to hold onto records for the same period to avoid potentially unpleasant consequences. This may be particularly relevant for markedly complex financial cases, where illicit transactions can take years to uncover.
As the rule and the updated retention requirements are currently in effect at the time of this publication, now may likely be the perfect time for a record retention schedule review – to that end, our Record Retention Schedule Cheat Sheet is a useful tool that covers federal record retention requirements. Moreover, banks may want to evaluate (and update) their retention policies to reflect the shift from five-year to ten-year recordkeeping for applicable transactions, as well. As always, if you have any other questions or concerns about it, feel free to contact us on the Compliance Hub Hotline.
After all – though many may not “love” it – setting an OFAC record free too soon could be a costly mistake.
Time of the Signs: Delays in FDIC Signage Rule Compliance Dates
The FDIC announced last week that there would be additional delays in the compliance dates for some of FDIC signage requirements under Section 328. The March 3, 2025 announcement set out changes to the compliance date specifically for 12 CFR 328.4 and 12 CFR 328.5 the sections relating to the digital sign requirements.
The date by which banks must include the digital sign on their digital deposit taking channels, such as websites and mobile banking applications, as well as ATMs, will now be March 1, 2026.
Based on the updates and changes the FDIC has made to the rule, the compliance dates for the signage rule will now be broken out into three parts with three different dates:
January 1, 2025 – Subpart B. The compliance date for Subpart B, which prohibits false advertising, misrepresentation of insured status, and misuse of the FDIC name or logo, was not delayed in either of the delays and therefore became effective on January 1, 2025.
May 1, 2025 – Official Sign, Advertising Statement, and “Not-Not-May” Disclosures. The FDIC rule change that moved the compliance date from January 1 to May 1, 2025 applied to all of Subpart A, which includes requirements around when the official sign, the advertising statement, and the non-deposit “not-not-may” disclosures should be used. For these items, the compliance date remains May 1, 2025, as those provisions were not part of the most recent delay.
March 1, 2026 – Sections 328.4 and 328.5. The provisions in Subpart A dealing with the digital sign specifically (sections 328.4 and 328.5), however, have now been further delayed until March 1, 2026, giving us the third compliance date. The FDIC also clarified that the policies and procedures required by Section 328.8 (compliance date remains May 1, 2025), will not need to address the requirements in Sections 328.4 or 328.5 until March 1, 2026, which is the full compliance date for these provisions.
One of the questions that came up frequently with the first delay was whether it modified only the compliance date or whether it also modified the ATM installation date set at 12 CFR 328.4(e), which states that, for ATMs that do not offer access to non-deposit products, the digital sign is required only on ATMs installed after January 1, 2025.
It was unclear in the first delay whether that January 1, 2025 date would be changed to May 1, 2025 and it is also unclear whether the date will now be changed to March 1, 2026. The FDIC statement that the delay “includes analogous requirements related to an IDI’s ATM and like devices” is still not definitive on this point. It appears, however, that the FDIC will likely propose changes to the regulation to address points of confusion; these revisions should clarify the “installation date” question about the ATM digital sign requirement.
Because this action by the FDIC does not delay any provisions other than those related to the new digital sign, it seems likely that any changes to the rule will be limited to the two sections relating to the use of the digital sign. The rules regarding the use of the official sign, the advertising statement, and the non-deposit disclosures, as well as the Subpart B prohibitions against misrepresentations and material omissions, appear likely to remain the same.
Beneficial Ownership: The Saga Continues
On February 27, FinCEN announced it would not impose penalties or take other enforcement measures based on companies’ failure to file or update their beneficial ownership information reports. It also intends to release an interim rule by March 21, further extending the beneficial ownership information (“BOI”) reporting deadlines. Additionally, it forecasted a new notice of proposed rulemaking and opportunity for comment later this year, indicating that FinCEN may revisit the Corporate Transparency Act (“CTA”) rules altogether.
If your head is spinning with the various rules, proposals, injunctions, and other events on the CTA’s road to regulatory implementation, you are not alone. The CTA’s whirlwind drama has all the highs, lows, and surprise twists of any Hollywood thriller.
The CTA was originally passed through a harrowing veto override on January 1, 2021. It requires FinCEN to issue implementing regulations; FinCEN proposed to issue three rules for this purpose, the first being the Reporting Rule requiring that certain entities report their BOI to FinCEN. The Reporting Rule as originally finalized would have required covered entities to report their BOI to FinCEN by January 1, 2025.
Lawsuits quickly emerged to challenge the Reporting Rule, and, in a few cases, injunctions were issued limiting enforcement of the Rule. In December 2024, a nationwide preliminary injunction was issued in Texas Top Cop Shop v. Garland prohibiting enforcement of the Rule pending the outcome of the case. In a surprise twist, however, that injunction was stayed by the Supreme Court in January 2025. Justice Gorsuch’s concurrence in the Texas Top Cop Shop decision added to the suspense by suggesting that the Court may be open to directly considering whether a district court may issue this type of nationwide injunction. Although a separate legal issue, a decision in that regard could have potentially broad ramifications in the American legal system.
Although the Top Cop Shop injunction ended, the story wasn’t over yet. Also in January 2025, a separate stay was ordered in another case (from the same district as Top Cop), Smith v. U.S. Dept. of Treasury. That injunction was stayed on February 18, however, following the Top Cop Shop decision, thereby allowing CTA enforcement to proceed as to all covered entities – except, of course, the plaintiffs in yet another case, National Small Business United v. Yellen, pending in the Eleventh Circuit.
It was against this backdrop that FinCEN, not to be left out of the action, announced on February 19 that March 21 would be the new reporting deadline for companies not subject to a later deadline (or protected by the stay in the Eleventh Circuit case). The February 27 announcement that FinCEN will, by March 21, issue a new interim rule further delaying filing deadlines would therefore seem to supersede that February 19 announcement, meaning that reporting will not be required until some time after March 21.
In the meantime, a Maine court has ruled that the CTA is constitutional and district courts in two other circuits have concluded that the CTA is likely constitutional and denied preliminary injunctions. It is therefore quite likely that a circuit split could emerge, increasing the chances that this will be ultimately decided in a final showdown at the Supreme Court – unless, of course, legislative efforts now being made to repeal or amend the CTA present a final surprise twist before the legal battle resolves. Stay tuned as this drama unfolds!
As always, the Compliance Hub Hotline is available to assist with any regulatory thrillers that may come your way.