Community Bank Compliance : 2014

Monday, July 7, 2014

Flood Insurance – Dangerous Waters Ahead!

If you have spent any time at all in the compliance world, you know one constant; flood insurance will be an area of risk. Flood insurance violations are consistently one of the most common bank compliance violations cited by the regulatory agencies. A strong compliance program includes a significant level of resources dedicated to the administration of the flood loan portfolio. Now, just when you think that you might have a strong level of control over the portfolio, along comes change!

Biggert Waters Changes

The first of these changes comes from the Biggert Waters Flood Insurance Reform Act of 2012. Buildings that are classified as Other Residential are now insurable up to $500,000 rather than the $250,000 maximum that applied previously.

Other residential Buildings are defined as non-condominium residential buildings designed for use for five or more families. Because of this change as of June 1, 2014, apartment buildings and residential/commercial buildings should be insured up to the lessor of:

· the outstanding principal balance of the loan(s); or

· the maximum amount of insurance available under the NFIP, which is the lesser of:

· the maximum limit available for the particular type of structure; or

· the “insurable value” of the structure

The change is that the maximum amount is now $500,000. The interagency statement that announced this change also pointed out that he new level of insurance is required immediately. Therefore, if you have collateral that is a multifamily dwelling unit that is in a flood zone; the time is now to make sure that you have adequate insurance.

FDIC Interpretation

We have recently been made aware of an interpretation of mortgages used to secured loans that can be a game changer! The following language is common in mortgage instruments that are being used around the country;

THIS MORTGAGE, INCLUDING THE ASSIGNMENT OF RENTS AND THE SECURITY INTERESTIN THE RENTS AND PERSONAL PROPERTY, IS GIVEN TO SECURE (A) PAYMENT OF THE INDEBTEDNESS ANO (B) PERFORMANCE OF ANY AND ALL OBLIGATIONS UNDER THE NOTE, THE RELATED DOCUMENTS, AND THIS MORTGAGE. THIS MORTGAGE IS GIVEN AND ACCEPTED ON THE FOLLOWING TERMS:

This language has recently been interpreted to create on the contents of the structure that is being pledged as collateral. If the property is in a flood zone, this means that the borrower will be expected to obtain flood insurance on the contents of the borrower. The FDIC has held that flood content insurance is required regardless of whether or not the bank filed a UCC-1 financing statement. [1] In the 12^th district, the FDIC examination staff has taken the position that they will not require contents insurance on residential properties.

There have been cases where an institution has been allowed to demonstrate that they had no intention to take the contents as collateral. In these cases, the requirements were:

· The appraisal on the property could not mention the contents

· The loan write up did not mention the contents

The cases when this approach has been allowed are limited. We recommend that for commercial loans with collateral in a flood zone that you;

· Review the mortgage document to determine whether the language could possible create an inadvertent lien on contents ;

· Prepare documentation that specifically states your intentions with the contents. In other words, if you truly do not want to take the contents as collateral, prepare a document that specifically waives the contents and get the customer to execute it

· Ensure that all flood insurance is up to date and in an amount that is sufficient,

Contents Insurance Valuation

In the event the bank has taken contents as collateral either intentionally or in the manner described above, we note that the regulators has required that the bank establish the value of the collateral through independent means.

While the direction from the regulators has been somewhat sparse, it is clear that the loan file should have some documentation of the efforts that lending staff made to determine a value of the contents being insured. Among the ways that might be employed to determine value:

· On site visits

· Valuation services such as Kelly Blue Book

· Customers financial statement if CPA prepared

· Valuation used for loan funding

Just when you thought you had a handle on your flood loan portfolio, change can bite you!

[1] At the time of this posting, we were unaware of this interpretation being used by the Federal Reserve , the CFPB or the OCC.

Sunday, June 22, 2014

Vendor Management- The Next Compliance Frontier

A two Part series- Part Two Developing the Proper Balance

There can be no doubt that vendor management is a “hot topic” among regulators these days. Each of the “prudential regulators” (OCC, FDIC, FRB) have all issued recent guidance about developing third party relationships. As we discussed in the first part of this series, the guidance from each of the regulators has a central theme. Put succinctly,

“ A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships” [1]

The guidance from each of the regulators includes differing levels of detail. However, there are common themes of risk that are delineated. In addition, it is clear that the regulators expect financial institutions to complete due diligence on the third party services they engage. Unfortunately, one of the questions that remains open is just what level of due diligence is required for each relationship. A corollary question might be which services that are performed by third parties are considered critical or core services.

While we agree that vendor management is a critical issue and that your vendor management program must be appropriate and comprehensive, we also believe that there must be a balance between the due diligence it performs on third party services and what the bank does internally vis a vis the third party providers.

History of Vendor Relations and the Reason for the Guidance

Starting at the beginning of the first decade of the new millennium, the relationship between banks and third party services providers enjoyed a relative boom. During the time period, banks used third parties to offer services that were traditionally in house such and core operating systems, In addition to these services, banks also used outside firms to offer new and diverse products that the bank itself had not offered. Subprime lending and brokered deposits and two such products.

While the use of outside vendors has many benefits such as reduced costs and leveraging the skills and experience housed at the outside firm. These relationship can also increase risks. By the middle the decade, the level and types of risks that these firms present began to present themselves. Some of the areas that regulators began to find trouble with third party vendors included:

· Several banks relied too heavily on a provider to administer the flood loan portfolio. When examiners review the portfolio, they found many instances where the insurance amount was inadequate , Further in one case, the provider was unaware that changes had occurred in the flood mapping.

· Vendors who have been retained to assist with loan modifications have in many cases, failed to meet the agreed upon terms of modification. In other cases, vendors delay the processing of loan modifications by sending borrowers duplicate document requests, causing hardships for the borrowers. If bank management is not monitoring a vendor’s activity, it will not be aware of problems that may be occurring with the vendor. We are all too familiar with how this process created a huge problem during the financial crisis of 2009

· Vendors who promised revenue enhancement. In several cases, the revenue enhancement schemes included things like increased overdraft fees additional charges to customers for use of their credit facilities. This additional revenue resulted in UDAAP violations at banks and in at least one case lead to enforcement action.

· Privacy concerns that have been created by the failure of a third party vendor to maintain adequate security over customer records.

Various cases such as these has led to the guidance that we now see being issued by the regulatory bodies. The Federal Reserve issued a statement that describes the types of activities that can lead to problems with third party relationships.

· Overreliance on third-party vendors. The regulators have made it clear that banks are ultimately responsible for the work of their third party providers. Therefore, even though the bank is outsourcing, it must do what is necessary to administrate the area.

· Failure to train new staff or retain knowledgeable staff. There must be somebody at the bank that understands what it is that the provider is doing!

· Failure to adequately monitor the vendor. There should be a way for the bank to determine that the vendor is meeting standards. The Bank must have a way to regularly monitor the results of the vendor

· Failure to set clear expectations. The bank has to be clear in what it needs, This includes letting the vendor know that expectations include keeping up to date with changes in regulations.

The guidance in the area of vendor management is written to address these concerns and the problems that have historically been caused by the third party vendors. All of the guidance is clear that the regulators will hold the banks ultimately responsible for the actions of its vendors.

Level of Due Diligence

One of the questions that we noted above was about what level of due diligence is required for a third party contract. The OCC guidance defines a critical activity as

Critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that

· could cause a bank to face significant risk if the third party fails to meet expectations.

· could have significant customer impacts.

· require significant investment in resources to implement the third-party relationship and manage the risk.

· could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house.[2]

For those arrangements that involve critical activities, the expectation is that the that bank will perform comprehensive due diligence at the start of the contracting process as well as monitoring throughout the execution of the contract.

The steps that are necessary for the proper engagement of a third party for a critical activity are discussed in each of the regulatory guidance documents that have been released. The OCC bulletin provides the most comprehensive list that includes:

· Relationship Plan: Management should develop a full plan for the type of relationship it seeks to engage. The plan should consider the overall potential risks, the manner in which the results will be monitored and a backup plan in case the vendor fails in its duties.

· Due Diligence : The bank should conduct a comprehensive search on the background of the vendor, obtain references, information on its principals, financial condition and technical capabilities. It is during this process that a financial institution can ask a vendor for copies of the results of independent audits of the vendor. There has recently been a great deal of attention given to the due diligence process for vendors. Several commenters and several banks have interpreted the guidance to require that a bank research a vendor and all of its subcontractors in all cases. We do not believe that this is the intention of the guidance. It is not at all unusual for a third party provider to use subcontractors. We believe that a financial institution should get a full understanding of how the subcontracting process works and consider that as part of the due diligence, however, it impractical to expect a bank to research the backgrounds of all potential subcontractors before engaging a provider.

· Risk Assessment: Management should prepare a risk assessment based upon the specific information gathered for each potential vendor. The risk assessment should compare the characteristics of the firms in a uniform manner that allows the Board to fully understand the risk associated with each vendor. [3]

· Contract Negotiation: The contract should include all of the details of the work to be performed and the expectations of management. The contract should also include a system of reports that will allow the bank to monitor performance with the specifics of the contract. Expectations such as compliance with applicable regulations must be spelled out. The OCC bulletin includes the following phrase:

o Ensure that the contract establishes the bank’s right to audit, monitor performance, and require remediation when issues are identified. Generally, a third-party contract should include provisions for periodic independent internal or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions to monitor performance with the contract

This language has also been the subject of a great deal of media and financial institution attention. Some have interpreted this phrase to mean that a community bank that uses one of the large core providers has the right to perform an independent audit of the provider. We believe that this interpretation is inaccurate as it would be impractical to carry out. We believe that the phrase means that the financial institution is entitled to a copy of the report of the independent auditor.

· Ongoing Monitoring: Banks must develop a program for ongoing monitoring of the performance of the vendor. We recommend that the monitoring program should include not only information provided by the vendor, but also internal monitoring including

o Customer complaints;

o Significant change sin sources of expenses and revenues

o Changes in loan declines, withdrawals or approvals

o Changes in the nature of customer relations ships (e.g. large growth in CD customers).

· Oversight and Evaluation: There should be a fixed period for evaluating the overall success and efficacy of the vendor relationship. The Board should, on a regular basis evaluate whether or not the relationship with the vendor is on balance a relationship with keeping.

While all of the above steps represent best practices for developing relationships with vendors, it is important to remember that a balance must be maintained. The vendor management program cannot be so time consuming or stringent that a bank is left without the ability to engage consultants. However, there must be sufficient diligence and monitoring of vendor relationship to ensure that the bank is managing risks effectively.

[1] OCC BULLETIN 2013-29

[2] Ib. Id.

[3] It should be noted that the regulatory agencies have made it clear that they expect the Board of Directors to present a credible challenge to the information being presented. To do so, the Board must be fully informed of the risks associated with each potential vendor.

Wednesday, June 11, 2014

Vendor Management- The Next Compliance Frontier

A two Part series- Part One Forming a Relationship

Technology and innovation have always been the hallmarks of the US economy. Technological innovations have dramatically changed the lives of people around the world. The development of the internet begat devices for accessing the internet and soon a technological boon unlike anything the world has seen began. Innovations in technology continue to impact our lives. Today social media has impacted presidential elections and has even been instrumental in the overthrow of governments.

The banking industry has not been left out of the technological revolution. Today the products and services that banks offer are directly impacted by the software and operating systems being employed. Moreover, the development of technology has increased overall efficiency and has helped to developed economies of scale in various areas. As technology has advanced at software companies, financial institutions have found that outsourcing various tasks has had the positive effects of lowering costs while leveraging technology and resources.

Many banks today rely on outsourced functions ranging from core operating systems to monthly billing programs. The reliance on third parties to provide core functions at banks is no longer viewed as a less than desirable situation, it is normal. However, over time the types of relationships that banks began to form with outside vendors became more complicated and in some cases exotic. Some banks used third parties to offer loan products and services that would otherwise not be offered. In many cases, the administration of the contractual relationship was minimal; especially when the relationship was profitable.

The level and type of risk that these agreements created came under great scrutiny during the financial crisis of 2009. Among the relationships that are most often scrutinized for areas of risk are:

Third-party product providers such as mortgage brokers, auto dealers, and credit card providers;
Loan servicing providers such as providers of flood insurance monitoring, debt collection, and loss mitigation/foreclosure activities;
Disclosure preparers, such as disclosure preparation software and third-party documentation preparers;
Technology providers such as software vendors and website developers; and

Providers of outsourced bank compliance functions such as companies that provide compliance audits, fair lending reviews, and compliance monitoring activities.[1]

According to the FDIC, a third-party relationship could be considered “significant” if:

• The institution’s relationship with the third party is a new relationship or involves implementing new institution activities;

• The relationship has a material effect on the institution’s revenues or expenses;

• The third party performs critical functions;

• The third party stores, accesses, transmits, or performs transactions on sensitive customer information;

• The third-party relationship significantly increases the institution’s geographic market;

• The third party provides a product or performs a service involving lending or card payment transactions

the third party poses risks that could materially affect the institution’s earnings, capital, or reputation;

• The third party provides a product or performs a service that covers or could cover a large number of consumers;

• The third party provides a product or performs a service that implicates several or higher risk consumer protection regulations;

• The third party is involved in deposit taking arrangements such as affinity arrangements; or

• The third party markets products or services directly to institution customers that could pose a risk of financial loss to the individual[2]

The FDIC, the OCC and the FRB have all issued guidance on the proper way to administer vendor management. While the published guidance from each of these regulators its own idiosyncrasies, there are clear basic themes that appear in each.

All of the guidance has similar statements that address the types of risk involved with third party relationships and all discuss steps for mitigating risks. We will discuss the methods for reducing risk further in part two of this series.

Types of Risk Associated with Third Party Relationships.

Regardless of the size of your bank, or the overall complexity of the operation, the risks that follow will exists at some level with any third party relationship.

Operational Risk

Operational risk is present in all products, services, functions, delivery channels, and processes. Third-party relationships may increase a bank’s exposure to operational risk because the bank may not have direct control of the activity performed by the third party.

Operational risk can increase significantly when third-party relationships result in concentrations. Concentrations may arise when a bank relies on a single third party for multiple activities, particularly when several of the activities are critical to bank operations. Additionally, geographic concentrations can arise when a bank’s own operations and that of its third parties and subcontractors are located in the same region or are dependent on the same critical power and telecommunications infrastructures.

Compliance Risk

Compliance risk exists when products, services, or systems associated with third-party relationships are not properly reviewed for compliance or when the third party’s operations are not consistent with laws, regulations, ethical standards, or the bank’s policies and procedures. Such risks also arise when a third party implements or manages a product or service in a manner that is unfair, deceptive, or abusive to the recipient of the product or service. Compliance risk may arise when a bank licenses or uses technology from a third party that violates a third party’s intellectual property rights. Compliance risk may also arise when the third party does not adequately monitor and report transactions for suspicious activities to the bank under the BSA or OFAC. The potential for serious or frequent violations or noncompliance exists when a bank’s oversight program does not include appropriate audit and control features, particularly when the third party is implementing new bank activities or expanding existing ones, when activities are further subcontracted, when activities are conducted in foreign countries, or when customer and employee data is transmitted to foreign countries.

Compliance risk increases when conflicts of interest between a bank and a third party are not appropriately managed, when transactions are not adequately monitored for compliance with all necessary laws and regulations, and when a bank or its third parties have not implemented appropriate controls to protect consumer privacy and customer and bank records. Compliance failures by the third party could result in litigation or loss of business to the bank and damage to the bank’s reputation.

Reputation Risk

Third-party relationships that do not meet the expectations of the bank’s customers expose the bank to reputation risk. Poor service, frequent or prolonged service disruptions, significant or repetitive security lapses, inappropriate sales recommendations, and violations of consumer law and other law can result in litigation, loss of business to the bank, or negative perceptions in the marketplace. Publicity about adverse events surrounding the third parties also may increase the bank’s reputation risk. In addition, many of the products and services involved in franchising arrangements expose banks to higher reputation risks. Franchising the bank’s attributes often includes direct or subtle reference to the bank’s name. Thus, the bank is permitting its attributes to be used in connection with the products and services of a third party. In some cases, however, it is not until something goes wrong with the third party’s products, services, or client relationships, that it becomes apparent to the third party’s clients that the bank is involved or plays a role in the transactions. When a bank is offering products and services actually originated by third parties as its own, the bank can be exposed to substantial financial loss and damage to its reputation if it fails to maintain adequate quality control over those products, services, and adequate oversight over the third party’s activities.

Strategic Risk

A bank is exposed to strategic risk if it uses third parties to conduct banking functions or offer products and services that are not compatible with the bank’s strategic goals, cannot be effectively monitored and managed by the bank, or do not provide an adequate return on investment. Strategic risk exists in a bank that uses third parties in an effort to remain competitive, increase earnings, or control expense without fully performing due diligence reviews or implementing the appropriate risk management infrastructure to oversee the activity. Strategic risk also arises if management does not possess adequate expertise and experience to oversee properly the third-party relationship.

Conversely, strategic risk can arise if a bank does not use third parties when it is prudent to do so. For example, a bank may introduce strategic risk when it does not leverage third parties that possess greater expertise than the bank does internally, when the third party can more cost effectively supplement internal expertise, or when the third party is more efficient at providing a service with better risk management than the bank can provide internally.

Credit Risk

Credit risk may arise when management has exercised ineffective due diligence and oversight of third parties that market or originate certain types of loans on the bank’s behalf, resulting in low-quality receivables and loans. Ineffective oversight of third parties can also result in poor account management, customer service, or collection activities. Likewise, where third parties solicit and refer customers, conduct underwriting analysis, or set up product programs on behalf of the bank, substantial credit risk may be transferred to the bank if the third party is unwilling or unable to fulfill its obligations

Managing Risk

One of the most important points that all of the regulators are driving home is that they intend to hold financial institutions responsible for the action for the third party service providers. For example, if an automobile dealer with whom a bank has a relationship engages in lending activities that have fair lending concerns, the bank under whose name they are providing the service will also be found to have fair lending concerns.

This is not to say that there is a general distaste for outsourcing of third party arrangements. It is to say that when the arrangement is made, there should be a risk management system in place ahead of the formation of the relationship. The program should include at a minimum the following:

· A Risk Assessment;

· Due Diligence in Selecting a Third Party;

· Contract Structuring and Review;

· Oversight;

We will discuss the proper risk management system for your third party vendors in part two of this blog. For now, remember that the standard for development of a risk management program is “A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships” [3]

[1] See Vendor Risk Management — Compliance Considerations

By Cathryn Judd, Examiner, and Mark Jennings, Former Examiner, Federal Reserve Bank of San Francisco

[2] FDIC Compliance Manual

[3] OCC BULLETIN 2013-29 Managing Third Party Relationships

Monday, June 2, 2014

What Your Declines and Withdrawals Say About You

The regular review of the declines and withdrawals is a common practice at the banks. In fact a secondary review of decline notices and withdrawals is a standard part of a strong compliance management program. The typical review includes making sure that notices are given on a timely basis, to the appropriate parties and that notices include the proper reasons for the declination.

We believe that you can use the information from this process to unlock a treasure trove of information about your bank and how it relating to the community that it serves.

But we believe that there are several other what if we expanded the use of the information that we collected here ? What if we started using this information to do analysis of how we are doing with overall compliance

Basic Requirements of all banks

The Community Reinvestment Act, The Equal Credit Opportunity Act, Fair Lending laws, the Home Mortgage Disclosure Act, and the Unfair Deceptive Abusive Acts or Practices Act all come together in a pantheon of laws aimed at shaping the way banks relate to the communities they serve. On separate occasions, we have discussed the origin of a number of these laws. We have always maintained that all of these laws were enacted as a result of bad behavior by certain institutions. And while there is plenty of disagreement about the overall efficiency of these laws, but they are in fact here to stay.

There are several common from each of these regulations;

· Customers are to be treated fairly at all points of contact with the bank

· Loan applicants are to be judged on a basis that is objective

· Customers are to be kept informed of the basis for credit decisions

· Banks products should reflect the needs of the communities in which they are located

· The experience of customers who apply for mortgage products must be transparent

· All members of the community should be encouraged to become customers

Trying to meet all of these goals while still running a profitable operation can be a daunting task indeed. However, for banks that are proactive and that have a strong commitment to compliance, meeting the goals of these regulations is a part of the overall strategic plan. Further, we believe that there are steps that banks can take to enhance the overall monitoring of the progress towards meeting these goals . The declines and withdrawals are a prime example.

Granted that some of the information that is required for banks to collect by HMDA is otherwise prohibited. For example, you cannot ask an applicant for a small business loan his race or ethnicity. That is unless, you are conducting a self-assessment of your overall compliance. To be precise Regulation B says at 202.5 (b) (1)

Self-test. A creditor may inquire about the race, color, religion, national origin, or sex of an applicant or any other person in connection with a credit transaction for the purpose of conducting a self-test that meets the requirements of §202.15. A creditor that makes such an inquiry shall disclose orally or in writing, at the time the information is requested, that:

(i) The applicant will not be required to provide the information;

(ii) The creditor is requesting the information to monitor its compliance with the federal Equal Credit Opportunity Act;

(iii) Federal law prohibits the creditor from discriminating on the basis of this information, or on the basis of an applicant's decision not to furnish the information; and

(iv) If applicable, certain information will be collected based on visual observation or surname if not provided by the applicant or other person

In case you are wondering, section 202.15 is designed to encourage self-testing and it states, that the results of self-testing are privileged. The basic requirement here is that when you do find problems they must be appropriately address. You should also know that the fact that you did a self-test is NOT privileged. Therefore, if you perform a self-test and do not want to share the results with the regulator, that is your right. However, it is also a red flag to the regulator.

We believe that this provision of the regulation coupled with the fact that you already have a structure in place to collect the necessary information presents an outstanding opportunity.

Withdrawals

Currently banks that are HMDA reporters are required to keep information on mortgage borrowers that withdraw their applicants before the process is completed. In addition information is required to be kept for loans that were approved and offered to the applicant, but rejected. This information can be used for a number of purposes. For example, a high level of withdrawals can be an indication that the loan process is taking too long to reach a decision. High withdrawals rates could also indicate that the pricing at your bank is not competitive.

We suggest that with a little extra analysis, this same information could tell you about the experience of minorities and women. Are women withdrawing at a higher rate than men? The same question could be asked about minority applicants. You could determine if applicants from low to moderate income tracts have the same experience as those form medium income and high income tracts. It is important to point at that the lack of minority or women applicants also tells a story!

Declines

Both HMDA and the ECOA require lenders to keep information about declines. However, only HMDA requires that information about the borrowers race, ethnicity and gender should be kept. Again, this information is generally used for a few purposes such as determining whether applications are being notified in a timely manner as required by the regulations. In addition, the decline files are generally used for the purpose of determining that the proper reasons for the declination have been given to the customer.

Here again, we note that with a minimal adjust to the information that is collected, you could collect information about the experiences of women and minorities. In addition, you could get important information about the experiences of people within low to moderate income tracts. This information would also help the bank to determine whether certain loan parameters are disproportionately impacting a certain segment of the community.

Using information form declines and withdrawals, your bank can also get a much better idea of where in the assessment area, your customers are coming form. If certain areas are being missed, the conversation about why and what can be done can begin.

Of course we are not suggesting that by doing an empirical comparison between the withdrawals and denials of women versus men or minorities versus nonminority will tell a complete story. It will help you to start asking the right questions and in so doing, get you to the point of better compliance. By addressing the questions raised by this analysis you direct resources to the highest areas of risk in compliance while improving your overall standing in your community. This information could lead to surveys questionnaires, focus groups or whatever innovations are appropriate.

We have included a form on the website that might useful in developing this analysis.