May 2020 Newsletters

Important Security Reminder About Protecting Data

By C/A Staff

As many of us have transitioned to working remotely during these unprecedented times, one thing continues to hold true – we strive to provide exceptional service to those who need it the most. Whether that’s a bank customer or internal team member, we need to remember our responsibility to protect and maintain confidential and sensitive information.

What is considered confidential and sensitive information? Basically, any information that you, your bank, or your customer would not want disclosed. Examples of this information include:

  • Customer data (name, address, social security or tax number, account number, credit/debit card number, etc.)
  • Bank data (policies, procedures, strategic plans, proprietary information, regulatory filings, etc.)
  • Passwords

Now, it’s likely your bank has already established policies and procedures on how to handle confidential and sensitive information with care (i.e.– a clean desk policy).  As is common at many banks, documents should be maintained in a secure environment and disposed of in shred bins when no longer needed.    

Those same standards of care apply when working remotely, which most likely is your new home office (in my case – the kitchen table).

Here are a few tips to help you manage in this new environment:

  • Only print bank and customer documents when necessary to do the job.
  • Designate a secure place to store these documents.
    • A desk drawer or file cabinet may work (if it locks – even better!).
    • In a pinch – storage bin, spare trash can, grocery bag, backpack, etc.
    • Don’t leave it out in the open where it could be misplaced or misused.
  • Shred all the documents at home if you have a document shredder.
    • Never just throw a document into the recycle bin or trash without shredding.
  • No shredder – no problem!
    • Just utilize your secure place (second bullet above) until such time as you can return to the office and place them in the shred bin.

As you know, banks and their customers place a great deal of trust in you to protect data. By following the above-mentioned best practices, you’ll be heading down the right path for maintaining that trust.  For more information relating to working from home or the COVID-19 pandemic, please visit Compliance Alliance’s pandemic resource webpage.

Final HMDA Thresholds Issued

by C/A Staff

After much anticipation, on April 16 the CFPB issued the 2020 HMDA Final Rule which adjusts Regulation C’s institutional and transactional coverage thresholds for closed-end mortgage loans and open-end lines of credit. With respect to open-end lines of credit, the CFPB decided that 500 was not the magic number, and the final rule will decrease this number to 200 beginning January 1, 2022 when the temporary threshold of 500 open-end lines of credit expires.

As expected, for closed-end loans the threshold is increasing from 25 to 100. What was not expected is the effective date for this increase, which is July 1, 2020. It seems the CFPB is becoming infamous for having effective dates for HMDA rules begin mid-year, which can create confusion for how to collect and report information. So how is the threshold going to work?

First, let’s take a look at those banks that were subject to the closed-end requirements on January 1, because they originated at least 25 closed-end mortgage loans in each of prior two years (2018 and 2019), but will no longer be subject on July 1 because they originated fewer than 100 closed-end loans. These banks will be able to stop collecting HMDA data on closed-end loans beginning July 1. They should still have recorded the data already collected during the first quarter 2020 on a LAR by April 30 (30 calendar days of the end of that first quarter), but they will not have to have to do this for the second quarter since the deadline for recording that data would be after July 1. When it comes to reporting, these banks will not have to report any closed-end loans next year on March 1 unless they choose to do so optionally. If they do choose to report optionally, they must report data for the full calendar year and not just data collected up until the effective date.

Here’s an example to make sure these requirements make sense: 

  • ABC Bank originated 50 closed-end loans in 2018 and 65 closed-end loans in 2019. 
  • Under the current rules they are subject to collecting, recording and reporting closed-end loans. As of July 1, they will be exempt. 
  • They must still collect data through June 30, 2020, but any data collected after March 31 will not have to be recorded. 
  • ABC has decided not to optionally report this collected data on their closed-end loans because doing so would require them to report data for the full calendar year on closed-end loans.

For the open-end threshold, nothing will be affected in the collecting, reporting and recording arenas until 2022. Beginning January 1, 2022, those banks that originated at least 200 open-end lines of credit in each of the two preceding calendar years (2020 and 2021) must begin collecting data on their open-end lines of credit and recording the data within 30 calendar data after the end of each quarter. This recorded data will then be due to be reported by March 1, 2023.

That covers the 2020 HMDA Final Rule and the new thresholds.  As always, if you have questions, our Hotline staff is always there to assist you.

Preparedness for Additional Hardships During A Pandemic

by C/A Staff

As we in the financial industry have just begun to settle into the new normal of doing business remotely, we have been reminded by recent natural disasters that a pandemic is only one layer of preparedness we must address. As a result of recent events, organizations have taken steps to prepare for the unknowns to come: some institutions may have become overwhelmed and some may have reviewed insurance coverages, emergency funding channels, technological abilities, effects of limiting employee exposure, and more. However, other recent events have reminded us that this is just not enough. You should take the preparedness planning further and safeguard every area of your organization.

In conjunction with the craziness of the new normal due to the pandemic, many banks have also been impacted by natural disasters. This requires our industry to once again reset and ensure our organizations can withstand the potential impact of multiple hardships. The ability to adapt is what has allowed the financial industry to survive through rough times before, and being proactive will assist in making it through not only the pandemic, but whatever may come next.

Remember to include the possibility of additional hardships in your planning and testing even in this already strained environment. Services that may have otherwise been fully staffed and operational may be experiencing shortcomings during the pandemic, and this could adversely affect your continuity of business functions. While the digital age has given the industry the ability to sustain many hardships with off-site backup storage and functional operational capabilities, it is important to note that your IT disaster recovery planning may have been adversely affected and may need reassessment, which is no easy task to accomplish if the need arises.

Other areas to consider are physical and environmental security. When institutions plan for these areas, they traditionally consider one type of event happening, and do not consider multiple hardships at once. The unfortunate reality is that this just isn’t going to be good enough. With increased disaster and pandemic awareness, we as an industry must begin to look at multiprong continuity. Not only could a situation arise where physical locations are affected, but the organization may also have employees who are vital to the communication line that is now disabled due to an illness, or the impact of a disaster. It is for this reason back-up employees should be identified, in case of an issue or one person’s inability to fulfill the necessary duties.

Business continuity planning has been in place for some time and should be tested to ensure operations are sustainable. It has also long been on the regulatory radar and is sure to expand with all that has happened, so that institutions are encouraged to be proactive in addressing additional hardships and their ability to maintain business as usual.

So, in a time where we are experiencing a new normal, take a proactive approach to ensure you have tested your business continuity planning with not only a single-incident, but multi-incident approach. Testing your institution’s ability to continue operations under various circumstances must be your focus. Our industry is vital to the country and we must constantly work to protect and test our capabilities.

Pandemic Planning and the Possible Effects on the Financial Industry

Pandemics are infectious diseases that spread rapidly over a country, or the entire world. Financial institutions should take notice of the focus on pandemic planning, especially considering the current Coronavirus outbreak. Pandemic planning has been on the minds of regulatory agencies for some time now, and for obvious reasons. A pandemic influenza outbreak could potentially bring the financial industry to its knees, so it is imperative that financial institutions take the time to ensure they have a well-tested plan in place.

Pandemic plans are significantly different than traditional continuity plans due to the potential wide-ranging effects. Pandemic outbreaks can potentially affect a much larger area than other traditional continuity issues. They are, for example, more likely to be much larger in scale and duration than other interruptions banks have faced. Pandemic outbreaks are also more likely to come in waves, and to be difficult to confine to a specific geography or region.

It is specified by the regulatory agencies that institutions should determine what potential adverse effects the pandemic could have on their ability to operate effectively. An institutions Business Continuity Plan (BCP) should address preventive programs, scalable strategy, plan for critical operations, testing for oversight, as well as pandemics. Specifically, the pandemic section of the BCP should be easy to adapt to reflect the scale of the situation. A sound plan should minimize the disruptions to processes and should maintain the trust and confidence of its customers.

A sound plan should include a preventative program, a documented strategy, comprehensive framework of facilities, systems, or procedures, a testing program, and an ongoing oversight program. The preventive program should contain policies that encourage employees to stay home when the need arises. The policy should clearly address potential fears of reprisal. In this case, the strongest offensive is a good defense.

The documented strategy can be in the form of policy that addresses how the institution will prepare for the outbreak and how it will continue to operate through the various waves of the outbreak. For example, the policy may address when travel should be suspended or limited to critical travel needs. Institutions may need to determine what core activities could be done with minimum staff, or even off-site.

A comprehensive framework is designed to ensure the institution can maintain critical operations in the event large numbers of staff are affected or are unavailable for prolonged periods. The framework should set limits around things like face-to-face contact, and specify what can be accomplished via alternative means such as email, teleconference, and other technological means. Pandemic planning can present unique challenges to the institution and the management of critical activities.

The final areas to consider are the testing and oversight programs. The only way to ensure the institutions plans are adequate is to test the plan. The oversight program will capture the results and point to any deficiencies that need to be addressed in the ongoing plan and updates.

At the end of the day, the institution must be proactive in measuring effects of potential pandemics, prevention of expanded contact, operational abilities, flexibility of the plan, and testing of the plan with continued updating. Effective management of the process will reduce the risk of catastrophic failures due to a pandemic outbreak.