Credible Challenge, Risk Management and Compliance

 For several years now, regulators have talked about enterprise wide risk management (“ERM”).  Often times however, when you ask someone to describe, it becomes a “shaggy dog” story with many different component parts but no main theme.  The truth is that there has not been much clear guidance in this area.  

In recent months there have been some developments that have come together to shed some light on what ERM might mean for community banks.  First there has been the OCC pronouncement about the expectations for ERM in very large banks.   Next the concept of clear credible challenge by the Board to the senior management of banks has been espoused by all of the regulatory agencies.  Finally , regulators have made it clear that in the future, compliance management will be considered a part of the “M” rating in a banks CAMEL rating for safety and soundness. 

The OCC released guidance for very large banks on what is expected for a credible risk management structure.  For very large banks this means that there has to be:

·       Department heads and  line business holders must track and manage the individual risk in their business units

·       There must be an independent risk manager whose role it is to  monitor and control risk throughout the organization

·       Independent audits must be performed to test the risk monitoring system

The main thrust of this guidance is that there has to be an entity (ultimately the Board) that serves to set the level of risk that is acceptable at a financial institution.  Further the risk managers should be independent of the risk takers.  At the end of the day, the expectation is that the Board will control the level of risk at the Bank and must push back against the business lines that naturally want to increase risk for profits. 

Along those same lines, the idea that the Board must present credible challenge to the senior management at the bank is a concept that is becoming widely impressed by the regulators.  The concept here is not simply that the Board members question each and every decision of management.  Instead the idea is that the Board must undertake a process that allows them to get comprehensive information about the banks performance in real time.  It also means that the Board must then take this information and use it to challenge the strategic plans and projections of management.  Much like the biblical saying that “iron sharpens iron” the idea here is that the Board must increasingly ensure that management has thought through the idea and has answers for credible challenges to those plans.   Again most of the pronouncements in this area are directed at large banks, but that no means says that community banks should a different route. Board members should be cognizant of the fact that the regulators are expecting a strong commitment to directing the bank. 

The third factor that comes into play is the ascendance of compliance as an issue for bank management.  In past years, the truth is that compliance often took a back seat to safety and soundness.  After all, the thought went, no banks fails because of compliance problems.  However, recently regulators have come to realize that compliance management is s indeed a reflection of overall management.  The ability of banks to direct the compliance management program has to be a part of the “M” component of the CAMEL ratings.  In point of fact the Comptroller of the Currency in remarks made in late 2013 said as much.   In his December 2013 comments to the Consumer Federation of America, Mr. Tim Curry, the Comptroller of the Currency pointed out that consumer compliance is a management issue:

In reality, there is no neat dividing line between consumer compliance and safety and soundness issues. If an institution has a compliance issue, they are certain to have underlying risk management issues.  Consumer protection is inextricably linked to safety and soundness. ^[1]

The fact of the matter is that at the very base of the financial crisis that this country recently experienced is consumer lending gone horribly wrong.   Compliance is going to be a major focus for the regulators in the near future.  The areas of compliance are also expanding.  The area in simply the alphabet soup regulations that we know so well, vendor management, debt collections practices, the effects of practices at a bank are all topic that cme under the rubric of compliance.

Putting together the ideas of enterprise wide risk management, credit challenge theory and compliance management as a safety and soundness issue.  We come to a “brave new world” for compliance.  When the strategic plan is being put together for example, it will soon be the expectation that the question “how are we meetng the credit needs of our community” is asked regularly.  When a Chief Credit Officer tells the Board that it is not economically feasible to offer home mortgages, it will be expected that a member of the Board will challenge the officer to “prove it”! 

There are currently many mantras that have been held to be true for some time without challenge.  For example, community often say that they have limited accesses to community development opportunities because they get eaten up by the big banks.  Now is a good time to find out if that is really true.  When was the last time you actually reviewed the community development opportunities in your assessment area.  This is not to say that there are vast opportunities out there that remain untapped.  It IS to say that now is the time to prove it with statistics and research!  

What’s a community Bank to do?

It is clear that the regulators don’t expect community banks to hire a full time risk officer.  Frankly it might be easy to say these directives only apply to large banks, stick ones head in the proverbial sand and hope that nothing will happen.  On the other hand, it is also clear that the regulators are expecting that a senior management position, preferable one that is not in the risk taking function to monitor and administrate the risk portfolio of the bank.  Now is the time to face the inevitable realty of risk management.  

So how does a community banks start the risk management process under his new regime.  Well, you start with putting your Board reports on turbo charge!   Report to the board have to step outside the box.  In addition to the operating results of the last reporting period, the reports should include changes to regulations and how these regulations might impact the bank.  For example, many community banks felt hat the rules on qualified mortgages represented a whole new world of regulatory concerns and immediately decided to make only qualifying mortgages.  However, if the specifics of these regulations had been presented to Boards with the opportunity to discuss them, many would have noticed that the regulations basically state best practices for making loan.  There was very little to fear and the in some cases, an opportunity to increase market share.   Going forward regulators will expect that these sort of regulations receive robust discussion at the Board level. 

We also suggest that Board reports include information on technological changes and they impact the bank.  Mobile banking and RDC present opportunities to grow the client base.  Of course, both of these products come with the possibility of increased risk.  The expectation that the decision to use (or not to use) these products will come after the considered decision of the Board.  

One of the areas that often goes overlooked by banks is the changing demographics of the assessment area that they serve.  In the recent past the failure to note the changing face of the neighborhood lead a client to make a product decision that lead to a fair lending investigation.  The bank simply decided that the minimum disposable income for HELOCs would by $50,000.  However, because had not done research on its assessment area in some time, they were unaware that this decision cut out whole neighborhoods that surrounded the headquarters of the bank.   In our opinion, change presents opportunity, so a changing environment has to be one of the considerations of a strategic plan. 

In the end, now is the time to enhance your risk management program, the level of Board participation in the process and to include compliance as one of the pillar considerations that your bank makes as it plans for the future.

---

[1] Comments by Comptroller Tim Curry before the CFA Financial Services Conference  December 2013

EDD- The Place Where Marketing and BSA Come Together

EDD- The Place Where Marketing and BSA Come Together

Enhanced Due Diligence (EDD) and Customer Due Diligence (CDD) are two areas of close focus of the regulators.  The need to enhance EDD is one of the top citations that we see at the conclusion of BSA examinations.  We see criticism over the trend to have accounts subject to EDD that have numerous Suspicious Activity Reports and continued High Risk monitoring that seem endless.  These accounts often have specific trends of activity that makes them seem unusual or suspicious and it is this activity that draws the attention and scrutiny the BSA department.  

There are several concerns that the regulators have raised about these “evergreen” high risk accounts.  There is of course, the question of when a pattern of activity that repeats itself in a regular intervals becomes something less than suspicious.  There is also the question of whether the financial institution should keep the account if the account holder is regularly engaged in suspicious activity.  On the other hand if the pattern of the customer is truly not criminal and is part of a regular and legitimate business, then important BSA resources are being expended unnecessarily on these accounts. 

We note that in many of these cases, additional information on the customer would be of great assistance to the BSA department. The ability to know about the customers’ business and why it works the way it does can completely change the characterization of activity. 

A quick example, on of our clients had a customer who was on the high risk lit because several SAR’s had been filed for structuring.  The customer had a habit of depositing around $9,000 every two days.  Of course this appeared to be structuring.  However, once we looked into a little further, we found that the customers’ business insurance required that the customer could only have a certain amount of cash on hand.  The $9,000 deposits were necessary to meet the insurance requirements! 

It would be easy to look at this situation and blame the BSA staff for not having done enough research.  However, we noted that one of the things that held back the effectiveness of the BSA staff was lack of intimate knowledge of the customers.  And the best source of that knowledge was the account managers who actually worked with the clients.   Our conclusion has been that this is the place where BSA compliance and cross marketing come together.  

The core of any good BSA program is the system’s ability to know its customers thoroughly.  And in point of fact, the core of a strong marketing program is the same.   To effectively cross sell to customers, the expert sales person is able to know the needs of his customer and anticipate how the bank will best be able to meet those needs.  The goals of both the BSA department and business development is essentially the same-KNOW YOUR CUSTOMER

So Why Can’t We Be Friends?

 

Too often, because neither department fully understands what the other is trying to accomplish, natural partners become adversaries.  The BSA Department is seen as a group of people who don’t seem to understand that the bank is a for profit business.  “We can’t ask these people questions that will make them mad” say the operations and marketing staff.  On the other hand, the marketing department can be seen as the “Bain of the existence” of the BSA department.  Incomplete information leads to additional work and monitoring that might be avoided. 

The truth is that with a little work, these two departments can enhance BSA compliance while expanding market share.   As an account officer discovers that he has a client that needs to add RDC to his product base, it is important to let the BSA department know that business has been growing and transactions are now going to change.  Despite the way transactions are changing the actual line of business is still the same and not really a matter for concern.  By the same token, maybe  the customer mentions that he has been approached about a new line of business that sounds good, but is unfamiliar (bitcoin anyone?).  A quick check with the BSA Department can help the account officer steer the client clear of harmful sometimes illegal business lines.  

We recommend a program that cross trains these two departments in particular.  When one is aware of t what the other is doing the results are tremendous.  For example, at one of our clients, a customer had decided to open his own business and run it out his home.  The business did better than expected and soon the customer was conducting a large number of transaction son his personal account.  These transactions drew the attention of the BSA staff, SARs were filed and within months, the account was being considered for closure.  Fortunately in this case, the BSA Officer and the Account Officer talked about the customer.  When they did it became obvious that a business account and several other potential business products were in order.  Not only was the account NOT closed, but he bank was able to sell the customer a business analysis account, a revolving line of credit and a business credit card account.  

Share a Little –

 

The account opening process and the account updating process provide excellent opportunities for information.  Once that information is obtained, when it is shared a great deal of positive things can happen.  The more you know about your client, the more you can keep the bank safe and your customer happy! 

Why IS there a Truth in Lending Act (aka) Regulation Z? 

As anyone in compliance can attest to, there are Myriad consumer compliance regulations.  For bankers, these regulations are regarded as anything from a nuisance, to the very bane of the existence of banks.  However, in point of fact, there are no bank consumer regulations that were not earned by the misbehavior of banks in the past.  Like it or not these regulations exit to prevent bad behavior and/or to encourage certain practices.   We believe that one of the keys to strengthening a compliance program is to get your staff to understand why regulations exist and what it is the regulations are designed to accomplish.  To further this cause, we have determined that we will from time to time through the year; address these questions about various banking regulations.  We call this series “Why is there….” 

For any lender that has made a consumer purpose loan in the past 30 years, the Truth in Lending Act aka, Regulation Z has been a major factor.  The main part of any consumer lending audit or examination is compliance with the Omni present Reg. Z.   And just as you might know that the regulation exists, you also know that if mistakes are made, they can be costly.  If examiners find that a loan or groups of loans has not been properly documented and the consumers not properly informed, various painful enforcement actions may occur.  These can range from reimbursements to the customer, a look back at the entire loan portfolio and even the possibility of civil money penalties.   It is clear that Reg. Z is a powerful regulation.   But why does it exist?  What is it the regulators are trying to get banks to do? 

We believe that the more you know, the more you comply! 

What was Happening?

Starting in the late 1950’s the United State saw a tremendous growth in the amount of credit.  In fact, a study the US House of Representatives estimated that the amount of credit in the United States from the end of World War II to the end of 1968 grew from $5.6 billion to $96 billion.   [1]

The growth in credit was fueled by consumer credit and in particular, a growing middle class that created a huge demand for housing, cars and various other products that went all with acquiring the American Dream.   As time passed more and more stories of consumers being misled about the cost of borrower by terms “easy payments”, “low monthly charges” or “take three years to pay”.   The borrowers found out that every though they thought they were paying an interest rate of 1.25 % with add-ons,  fees and interest payments that were calculated using deceptive formulas , the rate was actually as much as three times what they thought.  

Congress began to investigate the growing level of consumer debt and eventually in 1968 the Truth in Lending Act was first passed.  Congress was pretty clear about what they were trying to do: 

The Congress finds that economic stabilization would be enhanced and the competition among the various financial institutions and other firms engaged in the extension of consumer credit would be strengthened by the informed use of credit. The informed use of credit results from an awareness of the cost thereof by consumers. It is the purpose of this subchapter to assure a meaningful disclosure of credit terms so that the consumer will be able to compare more readily the various credit terms available to him and avoid the uninformed use of credit, and to protect the consumer against inaccurate and unfair credit billing and credit card practices. [2]

So from the very start the idea behind the Truth in Lending Act is to force lenders to list the cost of borrower in a common format.  Consumer should be able to take their Regulation Z disclosures and be able to shop from one financial institution to the next and compare prices. 

For the next several years, the Federal Reserve and the courts began to shape what the Truth in Lending law would eventually come to represent.  After a series of court decisions and interpretive rulings by the regulators, the law began to grow in importance.   The basic history of the regulation is this: 

The Truth in Lending Act (TILA), 15 USC 1601 et seq., was enacted on May 29, 1968, as title I of the Consumer Credit Protection Act (Pub. L. 90-321). The TILA, implemented by Regulation Z (12 CFR 226), became effective July 1, 1969.

The TILA was first amended in 1970 to prohibit unsolicited credit cards. Additional major amendments to the TILA and Regulation Z were made by the Fair Credit Billing Act of 1974, the Consumer Leasing Act of 1976, the Truth in Lending Simplification and Reform Act of 1980, the Fair Credit and Charge Card Disclosure Act of 1988, the Home Equity Loan Consumer Protection Act of 1988.

Regulation Z also was amended to implement section 1204 of the Competitive Equality Banking Act of 1987, and in 1988, to include adjustable rate mortgage loan disclosure requirements. All consumer leasing provisions were deleted from Regulation Z in 1981 and transferred to Regulation M (12 CFR 213).

The Home Ownership and Equity Protection Act of 1994 amended TILA. The law imposed new disclosure requirements and substantive limitations on certain closed-end mortgage loans bearing rates or fees above a certain percentage or amount. The law also included new disclosure requirements to assist consumers in comparing the costs and other material considerations involved in a reverse mortgage transaction and authorized the Federal Reserve Board to prohibit specific acts and practices in connection with mortgage transactions. Regulation Z was amended to implement these legislative changes to TILA.

 The TILA amendments of 1995 dealt primarily with tolerances for real estate secured

credit. Regulation Z was amended on September 14, 1996 to incorporate changes to the TILA. Specifically, the revisions limit lenders' liability for disclosure errors in real estate secured loans consummated after September 30, 1995. The Economic Growth and Regulatory Paperwork Reduction Act of 1996 further amended TILA. The amendments were made to simplify and improve disclosures related to credit transactions[3]

 

Changing Times Makes Changing Law

 

A quick comparison of these changes to the regulation with economic events in the United States will tell a story of bank and financial institutions practices that avoided the general intent of the regulation in one way of another.   The growth and development of the credit card market prompted the changes in Reg. Z that have to do with open end credit and the growth of adjustable rate mortgages because the additional changes to mortgage disclosures.  

The goal of Regulation Z has always been a desire to tell the borrower the highest amount she may possibly pay for borrowing money from an institution.   Regulation Z does not tell a borrower how much they may charge or even how they may structure consumer deals.  However, it does require that you disclose what you are charging to the customer in a clear and understandable manner. 

 One of the most notable changes to the regulation is the right of rescission.  This portion of the regulation was written to stop a particularly nasty practice: 

 

TILA's legislative history indicates that Congress included rescission to provide a cooling off period to borrowers who obtained credit secured by a lien against their primary residence. Congress heard a parade of horror stories from consumers about unscrupulous home improvement contractors who pressured them into financing expensive renovation projects (like aluminum siding) but failed to disclose that the loan was secured by a lien on the consumer's dwelling. Consumers who defaulted on the financing lost their homes. Rescission is designed to protect consumers from making an impulsive decision by disclosing the lien and providing a three-day cooling off period after the loan closing. With the salesperson gone, the consumer can reconsider whether he wants to place his home at risk.[4]

 

The point here that as lending practices change, the disclosure requirement may change, but the goal of the regulation remains the same.  

 

Why are They Doing This to Us?  

 

At the end of the day, the goal of the Truth in Lending Act is to make it possible for a borrower to compare the cost of borrowing between one lender and the other AND the cost of borrowing versus the cost of buying the same item for cash.   In other words, the borrower should be able to tell how much the bank is costing her to borrower money to buy the car.  Unfortunately, the way in which this cost is defined causes headaches!

According to Reg. Z the finance charge should include all of the costs that the lender is creating vis a vis a cash transaction: 

 

The finance charge is the cost of consumer credit as a dollar amount. It includes any charge payable directly or indirectly by the consumer and imposed directly or indirectly by the creditor as an incident to or a condition of the extension of credit. It does not include any charge of a type payable in a comparable cash transaction.

For many of our clients this language leaves as many questions as it does answers but the basic thrust of it is that things like taxes and official documents are costs that anyone would have when they buy a card or a house.  Anything else is generally going to be a finance charge. 

 

Recent Changes and the Future

 In 2011, the rule making authority for Regulation Z was transferred to the Consumer Financial Protection Bureau.   Since that time we have seen some updates to the regulation including the ability to repay rules, treatment of higher-priced mortgages and appraisal and escrow rules for these high priced mortgages.   Again these changes are a directly reflection of lending practices.  As loan terms evolve and change, the regulation will also evolve. 

 The focus of these rules is to ensure that customer of financial institutions know exactly what it is that they are getting into.  The best rule to follow is when in doubt, disclosure and make sure you disclose the worst case scenario

---

[1] Griffith L. Garwood, A Look at the Truth in Lending - Five Years after, 14 Santa Clara Lawyer 491 (1974). 

[2] See Preamble to 15 U.S.C. 1601 (1970)

[3] http://www.federalreserve.gov/boarddocs/caletters/2008/0805/08-05_attachment1.pdf

[4] Philadelphia Federal  Reserve The Right of Recession: Overview and Recent Developments Compliance Corner 2007

To Tweet or Not to Tweet

The fact is that innovation is one of the greatest traits of the US economy.  The more we innovate, the more things grow and change.  The same is true in the banking industry where technology has produced dramatic change in the industry.   Mobile and RDC are two of the up and coming and spreading technologies.   As these technological advances continue, the relationship between banks and their customers has also changed.  Many banks are reducing the number of physical branches that they maintain and instead serve their customers virtually through the internet.   In addition, to keep up with the changing environment financial institutions have begun to explore the use of social media as a means of achieving growth.  And just as you might have expected, the regulatory agencies that monitor banks have considered the risks that the growing use of social media presents.   Recently, the FFIEC published proposed guidelines for the use of social media by the financial institutions that they regulate.    This proposed guidance establishes the fact that social media is an area that examiners will review in the coming years.    

Social Media as a Tool for Growth

Social media sites such as Facebook, Twitter and LinkedIn have been all the rage for some time.   Not only young people but the parents of young people use these networks extensively.       The fact is that millions of people around world stay connected and get the bulk of their information from these sites.   There is no question then that social media represents the opportunity for banks to connect with a much larger market than the ones that traditional advertising reach.  Taken a step further, sites such as Facebook and Twitter give financial institutions yet another means to reach out to communities that may have been under banked or altogether overlooked in the past. 

A cleverly designed Facebook page or a well-placed twitter campaign can produce impressive results for advertisers that include these sites as part of the marketing plan.   Banks can benefit from the potential to reach customers that had heretofore been unreachable.   On the other hand, potential customers can ask questions on the internet that they may be embarrassed to ask in person.   In addition, they can review information from a bank at their own pace and without the pressure of a bank employee looking at them.  

Used the proper way, it is clear that including social media in the overall strategic and marketing plans can create opportunities for growth at financial institutions. 

Social Media as a Risk Consideration

Along with the potential for growth, the use of social media presents the possibility of adding a great deal more risk to financial institutions portfolio.  The FFIEC proposed guidance is designed to focus on this risk and the steps that financial instructions should take to manage this risk.   The guidance mentions three types of risk to consider:

·         Compliance Risk

·         Reputational Risk

·         Operational Risk

Compliance risk generally derives form the possibility that social media is designed d to become a form of formal advertising.   When financial institutions advertise that are several regulations that apply.  Included in these are the Truth in Lending and Truth in Savings Acts.  Both of these regulations act in similar fashion and require a great deal of disclosure when “triggering terms” are used.  The guidance points out that in the event that social media is used as advertising, there should be systems I place to make sure that all required disclosures are being made.   Moreover, social media is an outlet for customer complaints and if a financial institution is going to use social media there has to be a mechanism to monitor and quickly respond to official complaints. 

Reputational risk comes from the need to manage and maintain social media sites.  The fact is that information moves swiftly on the internet and it is very easy for a site that is not constantly monitored to become obsolete overnight.   The guidance here is that when a financial institution commits to using a social media site, the commitment has to be full-fledged.  There must be a system for limited the numbers of people who can make changes to the social media and this pole have to be tasked with constant monitoring of the site.   Websites are viewed by the public as the internet manifestation of the financial institution and the material on the website must properly reflect the mission and overview of the Board. 

Operational risk is described by the guidance as the possibility that the use of social media will increase the possibility of internet attacks on the bank.  Social media sites must be administered with the full complement of security procedures to ensure that privacy of financial information is maintained at all times.  

The Guidance

The good news is that the guidance mirrors the structure of the several other pronouncements form the FFIEC.  The steps that should be taken by an institution include policies and procedures, reporting to the Board and internal controls to prevent security breaches and compliance concerns.   If a financial institution chooses to use social media, then the policies, procedures, reporting and testing should be documented. 

Though this is proposed guidance today, the fact of the matter is that the guidance will soon become official and examiners will be directed to review this rea as part of the compliance and safety and soundness examinations.  Now is the time to embrace the change and develop strategies for use of social media. 

Hot Spots

Based upon our reading of the guidance and the overall emphasis with financial institutions regulators, it is clear that the “hot spots” for social media usage will be:

·         Advertising- ensuring that any social media used as advertising has proper disclosures

·         Privacy- ensuring that customer information is properly protected

·         Complaints- Developing a system to ensure that complaints on social media are monitored

·         Discouragement – Ensuring that social media sites don’t  lend themselves to discouragement of potential customers from classes

Even though the guidance is proposed at the time of this writing it is clear that social media will be an issue for financial institutions in the near future and examiners will include this area in the scope going forward.