September 2024 Newsletters

Have You Heard of the New Proposed Recordkeeping Requirements for Custodial Accounts?

On September 17, 2024, the FDIC issued a Notice of Proposed Rulemaking (“NPRM”) on Requirements for Custodial Deposit Account with Transactional Features and Prompt Payment of Deposit Insurance to Depositors. The NPRM has a 60-day comment period.

The rule focuses on ensuring prompt and accurate payment of deposit insurance in the event of an IDI’s failure and consumer access to funds at an IDI (FDIC-insured depository institutions) in the event of third-party failures. It also touches briefly on concerns that third party advertisements for these types of accounts may misrepresent the third party as FDIC-insured or may otherwise mislead consumers about FDIC insurance. The NPRM specifically discusses the Synapse bankruptcy as an example of “severe hardship” that has been “devastating” for consumers and “deeply troubling” to the FDIC. The proposed rule would require non-exempt custodial accounts to meet a variety of requirements designed to prevent future Synapse-like issues.

The rule would define a covered custodial account as an account 1) established for the benefit of beneficial owners, 2) containing commingled deposits of multiple beneficial owners, and 3) allowing beneficial owners to authorize or direct a transfer through the account holder to a party other than the account holder or beneficial owner. It does contain several exemptions such as IOLTA accounts, real estate broker accounts, escrow accounts, etc.

The proposed rule would contain file format specifications that IDIs would be required to use to maintain current and accurate data on covered custodial accounts. IDIs would have to maintain internal controls that would ensure accurate deposit account balances and daily reconciliations against the bank’s beneficial ownership records.

For IDIs that use a third party to meet the recordkeeping requirements, the IDI would be required to have direct, continuous, and unrestricted access to records in the standardized file format. The IDI would also need to have a continuity plan in place that would provide for uninterrupted compliance with the rule in the event of the third party’s failure.

IDIs would be required to have a direct contractual relationship with third parties maintaining these records, with the contract including defined roles and responsibilities for recordkeeping, including an assignment of rights to the IDI (for any rights that are necessary to access data held by other parties), a requirement for the third party to implement adequate controls to comply with the rule, and a requirement for periodic validation of compliance with the recordkeeping requirements. The third party would not be able to complete these validations internally, so they would have to be done by an external auditor or the IDI.

Each IDI holding covered custodial deposits would be required to annually submit to the FDIC and its own regulator a certification signed by the IDI’s CEO, COO, or highest-ranking official stating that the IDI has implemented and tested its implementation of the recordkeeping requirements within the last 12 months. IDIs would also be required to notify their regulator and the FDIC of any material changes to their information technology systems that are relevant to compliance with the rule, a list of account holders maintaining covered custodial deposit accounts, the results of implementation testing, and the results of any independent validation of records maintained by third parties.

FinCEN Summarizes Recent Trends in Mail-Related Check Fraud

FinCEN recently released a report summarizing trends in mail-related check fraud. According to the report, almost 90% of check fraud reports are being filed by banks, with small- and medium-sized banks filing the majority of reports.

Checks stolen from the mail can be used in a variety of ways, with the most popular approach being to alter the check, either by washing it or simply writing on it, and then depositing it. Some methods are less sophisticated, such as depositing the check with a forged endorsement, while others can be much more sophisticated.

Fraudsters may use the information from stolen checks to create counterfeit checks or they may sell the information from the check online.  Some will open fraudulent accounts for depositing the checks. These accounts can be opened by stealing the identity of an existing individual or business, or they may be opened in the name of entities that do not actually exist. In what is perhaps the most complicated use of stolen checks, some fraudsters will send washed and altered checks to the victims of their romance or employment scams, convincing the victim to deposit the check and send the funds back to the fraudster before the check is returned.

FinCEN additionally notes that fraudsters tend to prefer to conduct their activities in ways that avoids face-to-face interaction with bank personnel. ATM deposits are therefore a preferred deposit method, although remote deposit capture is even better, because it avoids the risk that bank employees will notice signs of alteration when they process the physical check.

Although the report demonstrates that mail-related check fraud is a large and serious problem, the report provides information about how these crimes are perpetrated and gives insights on areas where banks may want to focus in order to reduce their liability on check fraud related claims.

Customer Identification Procedures. One method of committing check fraud involves identity theft used to open new accounts, often for entities, using the name of the check payee or a name that is nearly identical. The entities or individuals in whose name the account is opened may not even actually exist and the addresses provided are often fraudulent. Banks may want to consider whether they can improve identity verification measures at account opening to lower their risk of check fraud.

Mobile Deposit and Remote Deposit Funds Availability. While banks often are left with liability for fraudulent checks due to Regulation CC’s funds availability requirements, banks can set different funds availability policies with respect to mobile and remote deposits in the agreements to provide these services. Identifying indicators of fraud risk may enable the bank to develop policies for these deposit types that allow the bank to reduce the risk of loss for these types of deposits, which are popular with fraudsters.

Online Account Opening. Customers may appreciate that online account opening is fast and convenient, but it looks like fraudsters appreciate that it enables them to avoid detection. Banks may want to consider limiting online account opening to lower risk accounts and customers or, alternatively, consider using additional identity verification tools when reviewing accounts opened online in order to more effectively manage the risk associated with these accounts.

Blank Checks. It’s not just signed checks that are stolen in the mail; fraudsters also steal blank checks. Banks may want to consider whether they can encourage customers to order checks through the bank, so that the bank can confirm delivery of checks with the customer and take early action if blank checks are not received, in addition to potentially directing customers to checks that are more difficult to wash.

Reducing Mailed Checks. Banks may want to encourage customers to reduce the number of checks they place in the mail. Offering or incentivizing lower risk alternatives like bank-supported online bill pay options may help reduce the bank’s overall risk, particularly if the customer is informed that the use of these services may reduce the risk of check fraud.

Identifying Washed Checks. Under the UCC, the bank of first deposit (“BOFD”) will often end up responsible for payment when an altered check is discovered. Establishing procedures for identifying potentially washed checks and ensuring that employees are properly trained on spotting counterfeit, washed, and altered checks may reduce the bank’s overall liability.

The CTA’s Third Rule: Coming Soon?

Since the enactment of the Corporate Transparency Act (CTA) in 2021, banks have been anticipating that changes to beneficial ownership requirements. The CTA requires FinCEN to issue three rules, two of which have now been finalized.

The Reporting Rule was issued in September 2022 and became effective on January 1, 2024, although existing entities have until 2025 to comply. Entities formed in 2024 have 90 days after formation to comply. This rule requires entities to report their beneficial ownership information to FinCEN. FinCEN has issued a small entity compliance guide and FAQs to assist entities in complying with the Reporting Rule.

The second rule is the Access Rule, which governs access to and use of BOI. This rule, which was finalized in December 2023 and became effective February 20, 2024, governs access to the information collected by FinCEN under the Reporting Rule. It allows BOI to be disclosed to financial institutions in support of their compliance with customer due diligence requirements and requires financial institutions accessing this information to protect the information with the same level of security that applies to customer nonpublic personal information (NPPI) under the Gramm-Leach-Bliley Act (GLBA). It also imposes civil (and in some cases, criminal) penalties for unauthorized disclosure of BOI information. It does not, however, modify banks’ customer due diligence requirements, so although banks are authorized to access the information to meet their CDD requirements, those requirements do not yet require banks to access the information:

The Access Rule does not create a new regulatory requirement for banks to access BOI from the BO IT System or a supervisory expectation that they do so. Therefore, the Access Rule does not necessitate changes to Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance programs designed to comply with the existing Customer Due Diligence rule (the “current CDD Rule”) and other existing BSA requirements, such as customer identification program requirements and suspicious activity reporting. Interagency Statement for Banks – On the Issuance of the Access Rule (fincen.gov)

The third rule, dubbed the Conforming Rule, will revise the current CDD Rule and, presumably, require financial institutions to access the information gathered under the Reporting Rule (and to do so in compliance with the Access Rule). Although originally slated to be released in 2023, the rule has not yet been proposed. The Treasury Department indicated in its recent agenda that FinCEN would release a proposed Conforming Rule in October 2024 with a 60-day comment period ending in December 2024. Assuming FinCEN adheres to this schedule, it seems unlikely that any changes to bank’s beneficial ownership procedures will become effective before 2026.

To throw another wrench in the works, a federal court ruled on March 1, 2024 in National Small Business United v. U.S. Dept. of Treasury that the CTA is unconstitutional. The appeal of that ruling is still pending with the Eleventh Circuit and scheduled for oral argument on September 27, 2024. Given the possibility that this case will end up going to the Supreme Court, it appears unlikely that this matter will be fully resolved when FinCEN issues the final Conforming Rule.

As we wait for further developments in this area, there are a few pro-active measures that banks can take to prepare for upcoming changes:

  • Advise customers. FinCEN’s website provides information that may be appropriate for banks to distribute or make available to new or existing business customers to help ensure that they are aware of the requirements and, where appropriate, obtain guidance from their own counsel.
  • Alert customers to fraud risks. FinCEN has reported that scams purporting to represent FinCEN or assist with BOI reporting appear to be soliciting information from individuals and entities. As with other potential scams, banks may serve as a trusted source of information encouraging customers to be skeptical of these types of communications.
  • Review security requirements. Financial institutions will presumably be required to access BOI information and ensure security of that information in conformance with the Access Rule. Banks looking to get ahead of the curve may want to start looking at incorporating BOI their training on information security and identifying changes that may be required in related procedures and policies to conform with Access Rule requirements. It may also be a good time to review existing information security protocols, including those of third parties, to confirm compliance with GLBA requirements.

As always, Compliance Alliance will keep members informed as developments unfold and, in the meantime, you are welcome to contact the Compliance Hub Hotline with any questions or concerns you may have.

National Association of Realtors Settlement: What Does It Mean for Banks?

In March of this year, the National Association of Realtors entered into a settlement resolving litigation over certain Realtor practices. The terms of the settlement became effective on August 17, 2024. Although no banks were parties in the lawsuit and are therefore not included in the settlement, banks may see some changes in real estate broker practices that will change how closing disclosures look.

At the heart of the lawsuit was a dispute over sellers offering compensation for the buyer’s agent, particularly the practice of advertising those offers on the Multiple Listing System (MLS). The terms of the settlement include a prohibition against offering compensation for the buyer’s agent on MLS and also a requirement that Realtors representing buyers enter into a written agreement that includes any compensation for which the buyer will be responsible.

The settlement does not limit the terms that can be negotiated between the buyer and seller. It does not prohibit sellers from offering other concessions on the MLS, or from negotiating, off MLS, seller compensation of the buyer’s agent. Because the settlement does not place restrictions on the terms that buyers and sellers can agree to, but rather only on Realtor actions, it should not affect how the bank generates the LE and CD or the information it uses to do so. The CD will still reflect the amounts agreed to, by the buyer or seller, in Box H. 12 CFR 1026.38(g)(4).

It isn’t clear yet exactly how the market will adjust to this change or what new norms will arise in the future. As a result of the settlement, however, it seems likely that banks could begin to see more transactions with buyer-paid broker fees. At Compliance Alliance, we have seen a little bit of this already with an increase member questions about disclosing buyer-paid broker fees.

The exact amount of the fee is often not going to be available to the bank when it prepares the loan estimate. Because the charges in Section H are not subject to a separate tolerance requirement beyond this “best information available” standard, the addition of buyer-paid broker fees should not create a cure requirement unless there is a concern that the loan estimate was not prepared in good faith.

The good faith requirement in Reg Z is that the LE be “consistent with the best information reasonably available to the creditor at the time it is disclosed.” https://www.consumerfinance.gov/rules-policy/regulations/1026/19/#e-3-iii  If the information is not available at the time the LE is issued or the information changes after the LE is issued, it does not appear that a revised LE would be required or a tolerance issue would arise, because the requirement to issue the LE based on the best information available would have been met. If the bank does have information on the amount of buyer-paid realtor fees reasonably available to it at the time the LE is issued, however, those fees must then be estimated in the LE in order to meet the good faith requirement and avoid any obligation to cure those fees. As always, feel free to reach out to Compliance Hub’s Hotline if you have any questions or concerns.