Sunday, December 29, 2013



The Target Case and the implications for Red Flags Policies and Procedures  

For many of our clients, when it comes to Red Flags and identity theft policies and procedures, the response has been a bit of “write it and forget about it”.  Let's face it, the changes to the FACT Act that prompted regulators to ask banks to develop policies and procedures in this area have not been followed up with a great deal of examination or regulatory resources.   With the financial meltdown, the development of a new regulatory agency, significant changes in consumer regulation and ongoing concerns in BSA/AML, Red Flags and identity theft have not been the priority.   However, we believe that significant change is at hand, due to a confluence of factors. 

By now most of us have heard about the case of fraud that Target department stores is currently experiencing.  In fact, as the days go by it seems that the scope of the security breach keeps growing.  More and more customers are finding out that their debit cards may have been compromised, and the potential for identity theft is very real.  In addition to the obvious financial consequences of this breach is the harm to the reputation of Target stores.  The loss of confidence in an institution's ability to handle confidential information can be particularly harmful to the bottom line.  This is especially true when considering a bank.  There can be no question, then, that the trouble Target stores is having will heighten the review of Red Flags policies and procedures at banks in the coming year. 

Increased Enforcement

It is not just the Target incident that will soon heighten regulatory activity in this area. The dispute about which entities would be included in the act's definition of a creditor prevented any enforcement action from 2008 through 2010.  The FTC resolved this dispute by changing the definition in its updated rule.  In 2013 the SEC and the Futures Trading Commission published their versions of the rule, and so now the circle is complete.    All the agencies will use a form of the Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation [1] when evaluating the Red Flags and identity theft program at a bank.    We suggest that the beginning of the year is a great time to review your Red Flags policies and procedures to make sure they are up to date. 

26 Red Flags

The Interagency Guidance describes 26 examples of red flags that banks should be able to identify, monitor and address should they be triggered.   Although the guidance does not purport to be exhaustive, we believe that these 26 items are the minimum that should be part of a proper Red Flags risk mitigation program.     

There are five categories that fit the 26 examples given in the guidance.  These categories are:

·         Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

·         The presentation of suspicious documents;

·         The presentation of suspicious personal identifying information, such as a suspicious address change;

·         The unusual use of, or other suspicious activity related to, a covered account; and

·         Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

In addition to the above list there is a sixth category that does not include examples.  It is described as:

·         Other red flags based upon the financial institution's experience.  

This last category should be given particular care and attention.  In the event that the Bank has experienced some sort of fraud activity that is outside the norm, the expectation is that the compliance team will be vigilant in taking steps to monitor and mitigate that activity.   Examiners will pay particular attention to this area, as this category tends to show activity that is unique to the product base or customer base of the bank that experienced the fraud. 

Red Flags and BSA Compliance

A quick review of the categories of fraud that are discussed in the Red Flags guidance should alert the reader to the similar areas of focus between a strong CIP/KYC program and a Red Flags program.  As part of a strong BSA program, information is collected from customers and monitored on a regular basis in an effort to fully identify and monitor customer activity and reduce the possibility of suspicious activity.  A strong Red Flags program should address this same information.  

The account opening process could, and in our opinion should, serve as the heart of the Red Flags and BSA/AML programs.   A strong program will require account opening staff to obtain complete and accurate documentation from the potential customer at the time an account is being opened.  Any discrepancies in the information provided should be pursued, and the account should not be opened unless or until the discrepancy is resolved.  In the event that no resolution is provided by the customer, the SAR investigation process should begin and the potential for a SAR filing should be thoroughly pursued. 

The same symbiotic relationship between Red Flags and ongoing monitoring for BSA/AML exists. Even with established customers, unusual or unexpected activity should serve as a red flag for identity theft or fraud as well as a key for heightened scrutiny or Enhanced Due Diligence.  

The Red Flags Program

While the BSA and the red flags programs can be quite similar and work side by side, regulators are expecting to see a robust separate red flags program that is designed to identify and monitor fraudulent activity and to take steps to mitigate the risk of further fraud.   The strong Red Flags program should include:

·         A Red Flags Risk Assessment - The assessment should include all covered accounts and should be updated annually.

·         Policies - Board-approved policies in the area of red flags should be reviewed and approved on an annual basis.

·         Procedures- Compliance staff should review procedures on a regular basis to make sure that current practices at the bank are in compliance with the procedures and that procedures are in fact up to date and consistent with policy.  

·         Ongoing Review- Compliance should verify on a regular basis that staff understands the requirements of the red flags procedures and why they are important.   We recommend a quarterly transaction testing sample to gauge the level of understanding. 

·         Independent testing- As part of the regular audit scope for operations compliance, there should be independent testing of compliance in this area. 

Although the area of Red Flags has been somewhat dormant over the past several years, expect that 2014 will bring renewed focus on this area. 



[1] 12 CFR 334 Appendix J

Wednesday, December 18, 2013



New Guidance from the Fed on Examination of Community Banks - A Three Part Series

Part Three – Residual Risk – The Defining Measure

In part one of this series we discussed the examination guidance on community banks from the Federal Reserve.  We noted that Consumer Affairs letter 13-19 details the risk-based approach that the Federal Reserve intends to use for the examination and supervision of banks with $10 billion in assets or less.  We pointed out that we believe this guidance presents both a warning and an opportunity.  The warning is that the regulators will increasingly expect banks to have a strong system for recognizing and evaluating risk.  The opportunity is the ability to present a strong case to the regulators and, in doing so, reduce overall regulator contact. In the second part of this series, we discussed the methodology for measuring the level of inherent risk at your bank.  We stressed that the assessment of this level of risk should be comprehensive, honest and forward thinking.  The idea that regulatory agencies are looking to reward banks that provide a level of self-policing is becoming a reality.   Therefore, the more straightforward and clear-eyed the risk assessment, the more credibility management will have with regulators. 

Residual Risk- Your Compliance Footprint

So now you have recognized that the warning from regulators is that they expect you to have a strong knowledge of the compliance risks inherent in your day-to-day operations.  You have also recognized that the opportunity exists to create a positive image with regulatory staff: an image of an institution that takes its compliance administration seriously. 

Ultimately, it is the manner in which compliance risk is managed and administered that will determine the level of risk at a financial institution.   We believe that there are several steps that banks can take to reduce their overall residual risk and improve their supervisory profile.  These steps go beyond the obvious need to:

A.       Make sure that policies and procedures are up to date and complete;

B.      Conduct periodic training;

C.      Perform independent transaction testing;

D.      Keep abreast of changes in regulations.

We also believe that there are structural ways to get the most out of a compliance program and thereby reduce residual risk. 

Embracing your Inner Compliance Persona 

If you were to study the history of bank compliance, you would find that there are simply no regulations that have not been rightly earned by the industry!  And even though we have not actually run across any of the culprits, the fact of the matter is that there are stories upon stories of bad behavior by banks that led to the regulations that impact us day to day. 

The point here is that even though many of the disclosures and reports required by consumer regulation tend to create a great deal of work, the evils that these regulations are trying to prevent are real.  In our opinion, it is better to accept that the regulations exist and work to incorporate compliance into day-to-day operations than it is to spend time lamenting them. 

Getting the Board’s “Buy-In” 

For all banks, the Board of Directors is ultimately responsible for the success or failure of the operation.  In that regard, it is the Board that sets the tone for the priorities at the institution it oversees.  Getting the members of the Board to actively participate in the administration of the compliance program will send a strong message to the staff at the Bank.   

A Board that is well informed, asks questions and follows up on management reports will greatly enhance the overall compliance program and elevate compliance to its proper level. 

The more the staff at the Bank realizes that the Board takes compliance seriously, the more compliance issues will become a thing of the past.  Task number one for the Compliance Officer, then, is to get the buy-in of the Board of Directors.  

The Bank Secrecy Act is one of the few regulations that specifically requires Board members to receive annual training.  As a result, BSA training is generally the only class that we see Board members taking on a regular basis.   In our opinion, this is a grave mistake!  Board members should take regular and comprehensive classes on all areas of importance to the Bank, including compliance.   We recommend that the Compliance Officer be a pest when it comes to this training and continue to insist that the Board receive training on, at a minimum, the “big four” (Regulation B, CRA, Fair Lending and UDAAP).     The more the Board understands the requirements of these regulations, the more they will insist on being informed of the compliance effort at the Bank. 

Making Compliance a Part of the Daily Activity at the Bank

We strongly encourage banks to make a point of explaining what it is that the regulations are trying to accomplish as part of any training that is provided.  For example, when training staff on the reporting requirements of HMDA, we have found it extremely useful to explain that the Federal Reserve takes the data from the HMDA reports and produces a great deal of economic research on lending and housing trends.   When staff understands that accurate data is critical because it is part of a bigger system, they are willing to take the time to get it right.  By developing a positive attitude about compliance, you can greatly enhance the overall effectiveness of a compliance program.  Getting the input of staff can leverage the limited resources that are available.    

Why Should You Care? 

At the end of the day, many a bank has taken the position that limited consumer activity means that there doesn’t need to be an extensive compliance program.  Besides, banks don’t get closed down for compliance violations, right?  

While it is true that no bank has been closed exclusively for consumer compliance related problems (yet!), it is also true that the CFPB, and by implication the other banking agencies, have made it clear that enforcement of regulations will become increasingly aggressive.  This is especially true in the areas of Fair Lending, UDAAP, CRA, Flood Insurance and BSA/AML compliance.   These are all areas that apply to ALL lending, consumer or commercial. 

Failure to have a strong compliance program can lead to various enforcement actions, including cease and desist orders and civil money penalties.   At a minimum, the bank that does not have a good answer for how it is addressing inherent risk will have a high residual risk profile and can expect to feel increased supervisory activity from the regulators.  At the end of the day, the current guidance gives your bank the opportunity to greatly impact its own destiny.  

Sunday, December 8, 2013



New Guidance from the Fed on Examination of Community Banks - A Three Part Series

Part Two – Defining the Inherent Risk Profile

In part one of this series we discussed the examination guidance on community banks from the Federal Reserve.  We noted that Consumer Affairs letter 13-19 details the risk-based approach that the Fed intends to use for examination and supervision.  We pointed out that we believe this guidance presents both a warning and an opportunity.  The warning is that the regulators will increasingly expect banks to have a strong system for recognizing and evaluating risk.  The opportunity is the ability to present a strong case to the regulators and, in doing so, reduce overall regulator contact.

Developing Your Own Compliance Risk Profile-Inherent Risk

The first thing that regulators will review is the inherent risk of compliance violations at a bank.  This review is designed to look at both internal and external factors at the bank that could cause a compliance problem.  We recommend that our clients perform this review on a regular basis.   To determine the inherent risk of compliance violations, we recommend a five-step approach:

Ø  Products:  take an assessment of the products that you are offering.  Even though you may offer several very sophisticated consumer products, the inherent risk that there will be a compliance violation has more to do with the infrastructure you have in place to administer these loans than with the products themselves.   How long have you been offering the suite of products that you have?  Are there any new products (less than a year old)?  What problems has your bank experienced with the products in the past?  Have there been findings or enforcement actions?   Another area to examine here is the stability of staff: the longer the staff has been in place, the more likely it is that problems experienced in the past can be overcome.   Finally in this area, it is important to be aware of any new or changing regulations that might impact the delivery of your product lines.

Ø  Policies and procedures:  every bank has a set of policies and procedures, so the question is not so much whether you have them; it is whether they are effective.  You should have a procedure for reviewing policies and procedures on an annual basis.  The next question to pursue is what the actual practices at the bank are vis-à-vis the policies and procedures.  It is often the case that staff tends to “re-write” procedures in an effort to streamline work.   It is essential to do a regular “sound check” of staff to see whether the policies and procedures are truly being followed.  In this area it is also critical that the auditing staff being retained is “mean”.  Regulators have been very clear in emphasizing the need for audits to contain detailed scopes.

Ø  Compliance culture:  what is the overall level of acceptance of compliance at the bank?  For many of our clients compliance is viewed as, at best, a necessary evil.  Frankly, in most cases compliance is viewed with abject hostility.  Despite this fact, compliance is here to stay and is going to continue to be emphasized.  The truth is that there are no compliance regulations that have not been earned by the banking industry at some time in the past.  The level of responsiveness to compliance findings and concerns is a matter that will be given a great deal of weight by regulators.   It is important to get senior management's and the Board's buy-in! 

Ø  Training:  this is an area that often gets overlooked.  Many banks look to cut costs by reducing training to a bare minimum.  We advise that this is a mistake.  The regulators expect that staff will be kept up to date on regulations and will consider a well-developed system for training to be a very positive factor in reducing inherent risk.  

Ø  Overall economic and regulatory environment:  although it is easy to keep one's “nose to the grindstone” when dealing with compliance, development of a strong assessment of inherent risk requires that the compliance staff be able to look at the light at the end of the tunnel and make sure that the light isn't from an oncoming train!  

The detailed Risk-Based Compliance Supervision Program is a document that goes into great detail about the methods that the examination staff is expected to employ when developing a risk profile for the community banks it supervises. 

Keys to Effectively Assessing Inherent Risk

We believe that there are a few keys to developing a risk portfolio that will allow for reduced or even minimal supervision from your regulator.

·         Your assessment must be comprehensive.   You must take into account both internal and external factors.   This means that your assessment should consider what is going on in the marketplace surrounding the products that you offer.  It is not enough to simply chug along doing what you do with little knowledge of trends in the industry.  It is important to be aware of how regulators are responding to fees charged for overdrafts, for example.   This sort of information can keep your bank from making an untimely decision to offer a product that has been frowned upon.

·         Your assessment must be honest.  Regulators are increasingly willing to work with banks that “come clean” about their problems.   It is much better for you to recognize weaknesses in your system than for the regulators to do so.  When THEY point it out, they also draw the conclusion that you are unaware!  If there are problems in your current compliance system, point them out and present a plan for addressing them in the most expeditious manner possible.

·         Your assessment must be forward looking.    Your assessment should consider the changes that the new regulations will require, planned growth at the bank and changes in the community.  Finally, your assessment should be dynamic and have the ability to be updated on a regular basis.

While it is the examination staff that will ultimately create the risk profile document, we advise our clients to develop a risk assessment on their own and be prepared to share it with the regulatory staff.  Remember the goal is to develop a reputation for clear-eyed compliance and collaboration.  

Sunday, December 1, 2013


New Guidance from the Fed on Examination of Community Banks - A Three Part Series

Part One- A Warning and an Opportunity  

Introduction

The Federal Reserve recently released Community Affairs Letter #13-19.  The title of this letter is “Community Bank Risk-Focused Consumer Compliance Supervision Program”.  The letter details the approach that the agency plans to employ in the examination of banks with less than $10 billion in assets.   At first glance, the casual reader could read this guidance and conclude that not much has changed; that the agency has simply restated its risk-based approach to examinations.  We, however, contend that there is more to this letter than meets the casual eye.  In fact, it is our contention that this guidance presents both a warning and an opportunity.

The Warning

The guidance discusses the approach that supervisory staff should use when developing a risk profile for a bank.  This approach, of course, includes past examination reports and history, environmental factors such as the economic conditions around the bank, and the overall income performance at the bank. The expectation is also that the supervisory staff will contact the bank and interview staff about their impressions of the risk profile at the bank. [1]  The portion of this guidance that may go unsaid is the expectation that banks will have the ability to completely, accurately and realistically assess their levels of compliance risk and present the steps being taken to mitigate that risk.  The bank must be able to distinguish residual risk from inherent risk. 

·         Inherent risk – This is the risk associated with a particular line of business, a product or even a customer base.

·         Residual risk – This is the level of risk that remains after the Bank has taken steps to mitigate it.

In parts two and three of this series we will discuss identifying and rating each of these levels of risk at community banks.   But the point here is that the supervisory staff will expect the management of the Bank to know what these risks are and to have clearly identified what it is they have done to reduce risk and how they monitor the risk that remains. 

A quick example might be a decision to offer Home Equity Lines of Credit (“HELOCs”):

Inherent Risk [2] – The risk that is always associated with this kind of product may include many of the following:  
o   Improper disclosures
o   Incorrect right of rescission
o   Failure to get copies of appraisals to customers
o   Unfair or incomplete disclosures of pricing

Residual Risk [3] – This is the level of risk that will exist even after the mitigation is put in place:
o   Bank staff uses improper or incomplete forms
o   Staff is unaware of the required disclosures
o   Staff turnover lowers knowledge of the product

Examination staff will interview the management of the Bank to make sure that they recognize all of the risks associated with the product and have included these risks in the strategic decision to offer it.  Did the Bank have the staff in place, the infrastructure in place and the ability to monitor compliance established before the product was offered? 

If the supervisory staff comes to the conclusion that management lacks the ability to recognize and mitigate risk, then the likelihood is that there will be a great deal of supervisory activity. 

The Opportunity

The chance to prove that you have truly identified the risks associated with the overall operation of the Bank, and to demonstrate that you have taken steps to control those risks, gives you the opportunity to greatly control your overall compliance environment.  

The ability to self-assess, self-correct and self-police will greatly enhance the relationship and reduce the need for regulator intrusions.  It has become increasingly clear that the regulators are looking to banks to recognize risks and self-police them.  For example, CFPB bulletin 2013-06 [4] addresses the fact that regulators will look favorably on the Bank that “self-polices”.  We addressed our opinion on this subject in our blog post dated July 25, 2013.  We are strong supporters of the idea that banks can greatly and positively impact the relationship with the regulators (and reduce the amount of examinations!) by charting a course that includes a strong risk assessment and self-policing. 

Preparing Your Risk Profile  

As you prepare for the regulatory assessment that is imminent, we advise that you do your own assessment.  As you do an assessment, be prepared to consider all of the potential compliance issues independent of safety and soundness, marketing and strategic planning.  The assessment must be based only on the risks associated with noncompliance.   

Make sure that you consider current training and access to training for the upcoming onslaught of regulations in 2014.  The process should be brutally honest and take into account the Bank's own knowledge of weaknesses and areas of concern.   The willingness of management to discuss the true status of the compliance program will help the bank develop a collaborative relationship with the regulators.  From this point the possibilities are endless. 

In part two of this series we discuss the identification of inherent risk. 



[1] Examiners need to contact institution management to develop and maintain an understanding of the institution and the market(s) in which it operates. Such contact typically involves a specific information request that provides the opportunity to learn about any changes that would affect the profile. These changes might include changes in management personnel, organizational structure, or the institution’s strategic direction, including any new products, markets, or delivery channels the institution has introduced or entered or is considering introducing or entering.
[2] This list is not intended to be all inclusive, but simply for discussion purposes. 
[3] See comment above.
[4] Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation