Tuesday, March 31, 2015

Conducting a Validation of Your BSA/AML Software - A Two-Part Series
Since the beginning of crime, there has been a need to hide the ill-gotten gains of criminal activity. Early bad guys held their loot in caves. Later, treasure chests provided a means of hiding criminal wealth. However, despite the form that ancient loot took, the goal was and has always been to reduce assets to currency so that they can be used in exchange for other goods and services. The need to take illicit assets or money and hide their source is known commonly as “money laundering”. Criminals of all sorts engage in money laundering and have become exceedingly sophisticated in their pursuit of hiding the sources and uses of their money.
Because the “bad guys” continue to evolve, the history of the Bank Secrecy Act (“BSA”) and Anti-Money Laundering (“AML”) laws is one of ongoing change. The laws that make money laundering illegal can be traced back to the Bank Secrecy Act of 1970. Since the time the BSA was passed, there have been seven major legislative changes to the overall legislative scheme that covers this area. These changes are:
·         Money Laundering Control Act (1986)
·         Anti-Drug Abuse Act of 1988
·         Annunzio-Wylie Anti-Money Laundering Act (1992)
·         Money Laundering Suppression Act (1994)
·         Money Laundering and Financial Crimes Strategy Act (1998)
·         Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
·         Intelligence Reform & Terrorism Prevention Act of 2004
As technology has changed, so have the goals of many of the criminals that want to launder money. In addition to drug dealers, there are terrorists and persons that engage in human trafficking, all of whom are developing ways to hide their cash.
Each of the changes in BSA/AML laws was designed to improve the overall monitoring of cash and cash equivalent transactions. Although these changes were not directed entirely at banks, each change increased the requirements for compliance at banks. For community banks, the changes have been ongoing and significant. As the regulations changed, the expectations of the regulatory bodies evolved. Today, no self-respecting banker would consider operating without a full BSA/AML compliance program. Moreover, very few banks can get away with a manual system for tracking and aggregating the transactions of their customers. Today, a sound BSA/AML program includes software that helps bank staff aggregate and monitor the transactions of the bank's customers.
The expectation of what a full BSA program should include continues to change and evolve. One of the most recent changes has been the expectation that all banks, including community banks, will:
a)      Obtain AML/BSA monitoring software; and
b)      Perform a data and model validation on an annual basis.
The Source of the Data Validation Requirement
The OCC and the Federal Reserve issued guidance in 2011 that was called “Supervisory Guidance on Model Risk Management”[1]. This guidance was first thought to deal only with financial models, such as those that are used for projecting interest rate risk or the allocation of the allowance for loan losses. However, a more complete review of the information included in the guidance has produced increased expectations in the area of BSA/AML.
In relevant part, the guidance states that a model is defined as follows: 
“For the purposes of this document, the term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates. Models meeting this definition might be used for analyzing business strategies, informing business decisions, identifying and measuring risks, valuing exposures, instruments or positions, conducting stress testing, assessing adequacy of capital, managing client assets, measuring compliance with internal limits, maintaining the formal control apparatus of the bank, or meeting financial or regulatory reporting requirements and issuing public disclosures. The definition of model also covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature”[2]
When one reads this definition of a model, it is clear that BSA/AML monitoring software is included.  The guidance is directed toward the idea that modeling software cannot be a panacea when it comes to compliance.  Models can only be effective when they are part of a complete compliance program in any area.  In the area of BSA/AML compliance, this is especially true.  
The model guidance points out that there are several areas of risk that  are associated with the use of models at a financial institution.  Many of these risks apply to BSA/AML monitoring software.   When the areas of risk are simplified, the two main concerns for BSA software are:
1.       The data that is being collected and loaded into the monitoring software is inaccurate; and
2.       The data that is being collected is insufficient to properly mitigate risk.  
 
Data Validation
To address the first of the above enumerated risks, all banks should perform a data validation. [3] This process is exactly what it sounds like. The data validation is the process of making sure that the information in your monitoring software is being accurately and completely loaded from your core system. While this portion of the guidance may be the most straightforward, there are a few points to remember when preparing to perform an appropriate data validation.
Know Thy Software
It is important to know the type of software that you are using. Generally, there are about five types of monitoring software that are currently popular and on the market. It is important to know which type of software your bank is using so that you can determine whether the appropriate data is being pulled. The five types of software are:
·       Risk based- These are systems that incorporate various factors such as NAICS codes, zip codes, volume and frequency to predict higher risk customers
·      Rule based- These systems compare transactions to scenarios that mimic suspicious activity
·      Behavior based- These systems establish a base line for a customer and track activity that exceeds the baseline
·       Intelligent systems- This software is based on decision trees that follow data that has indicated suspicious activity
·       Combination- These systems incorporate two or more of the above into the software.  
Regardless of the type of system that you are using, it is important to recognize how your system works so that you know the data points that should be recognized. For example, if you are using behavior based software, it is important to recognize what information the software needs to know to establish the baseline for a particular customer.
Software-Know thy User
It is critical that all of the transaction codes that your bank uses are being properly loaded into, and recognized by, the software that you are using. Each bank has its own unique set of transaction codes that have been established to identify transactions that are conducted. The software vendor cannot know all of the idiosyncrasies of your bank, and it is therefore incumbent on your compliance staff to ensure that the transaction codes are being properly loaded and recognized by your monitoring software.
Compare to the Core
Many banks we have worked with use the data validation information that is provided by the vendor. However, it is important to remember that this validation will simply tell you what happened to the information that you gave to the vendor. If there are other errors in logic or misunderstandings about what information should be captured, these will not appear in the vendor’s validation. We recommend that the data validation be completed by comparing the software information to core data information.
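The comparison described under “Software-Know thy User” and “Compare to the Core” can be scripted against two extracts. The following is an added example, not part of the original post and not any vendor's tool; the column names, the CODE_MAP of bank transaction codes to monitoring categories, and both sample extracts are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample extracts (not real bank data); column names are assumptions.
CORE_EXTRACT = """txn_id,customer_id,tran_code,amount,post_date
T1001,C-17,101,9500.00,2015-03-02
T1002,C-17,101,9400.00,2015-03-03
T1003,C-22,205,15000.00,2015-03-03
T1004,C-22,317,4800.00,2015-03-04
T1005,C-31,101,250.00,2015-03-04
T1006,C-31,422,7200.00,2015-03-05
"""

MONITORING_EXTRACT = """txn_id,customer_id,tran_code,amount,category
T1001,C-17,101,9500.00,CASH_IN
T1002,C-17,101,940.00,CASH_IN
T1003,C-22,205,15000.00,WIRE_OUT
T1005,C-31,101,250.00,CASH_IN
T1006,C-31,422,7200.00,UNKNOWN
"""

# Hypothetical mapping of the bank's own transaction codes to the categories
# configured in the monitoring software. Code 422 is deliberately absent.
CODE_MAP = {"101": "CASH_IN", "205": "WIRE_OUT", "317": "CHECK_CASHED"}


def load(text):
    """Parse an extract into {txn_id: row}, rejecting duplicate transaction IDs."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["txn_id"] in rows:
            raise ValueError(f"duplicate txn_id {row['txn_id']}")
        row["amount"] = Decimal(row["amount"])  # exact decimal, never float
        rows[row["txn_id"]] = row
    return rows


def reconcile(core, monitoring, code_map):
    """Compare the monitoring load against the core system, record by record."""
    findings = {
        # Completeness: transactions the core has that monitoring never received.
        "missing_in_monitoring": sorted(set(core) - set(monitoring)),
        # Records in monitoring with no core source (duplicates, test data).
        "not_in_core": sorted(set(monitoring) - set(core)),
        "amount_mismatch": [],
    }

    # Accuracy: the same transaction must carry the same amount in both systems.
    for txn_id in sorted(set(core) & set(monitoring)):
        core_amt = core[txn_id]["amount"]
        mon_amt = monitoring[txn_id]["amount"]
        if core_amt != mon_amt:
            findings["amount_mismatch"].append((txn_id, core_amt, mon_amt))

    # Recognition: core transaction codes the monitoring software has no
    # mapping for, with the count and dollar volume it cannot classify.
    unmapped = defaultdict(lambda: [0, Decimal("0")])
    for row in core.values():
        if row["tran_code"] not in code_map:
            unmapped[row["tran_code"]][0] += 1
            unmapped[row["tran_code"]][1] += row["amount"]
    findings["unmapped_codes"] = {code: tuple(v) for code, v in unmapped.items()}

    # Aggregation: per-customer totals are what the monitoring rules act on,
    # so report every customer whose total differs between the two systems.
    gaps = defaultdict(Decimal)
    for row in core.values():
        gaps[row["customer_id"]] += row["amount"]
    for row in monitoring.values():
        gaps[row["customer_id"]] -= row["amount"]
    findings["customer_total_gaps"] = {
        cust: diff for cust, diff in sorted(gaps.items()) if diff != 0
    }
    return findings


if __name__ == "__main__":
    result = reconcile(load(CORE_EXTRACT), load(MONITORING_EXTRACT), CODE_MAP)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Every non-empty finding is a question for the compliance staff rather than the vendor: a vendor-side validation would accept the constructed T1002 and T1006 rows as loaded, since it only sees what it was given.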
Ongoing Validation
Many banks and vendors believe that once a data validation has been done, there is little need to do another one. If everything checks out and all data is being loaded properly, what is the problem? Have you ever logged onto your computer and found that everything had changed, even though you did not do anything different? BSA software is the same. Even though you may not have consciously made changes to the software or to the processes, things change for various reasons. Because change is constant, it is a best practice to test data validity on a regular basis. Consider this: if you do find a problem, it will be necessary to go back to the last data validation to determine the extent of the problem. The longer you have waited, the bigger the problem!
The Known Knowns
Finally, a data validation would not be complete without considering what the data actually does and does not display.  For example, one weakness of many software monitoring programs is the inability to closely monitor transfer transactions.  Suppose a customer cashes a check and gives the proceeds to another customer.  It is important to be able to determine how this information would be captured by the software.  In the alternative, if the information is not captured by the software, what provisions have been made to monitor such a transaction?
 
In part two, we will address the model validation which has proven to be the most difficult part of this process. 


[1] See OCC 2011-12;  Federal Reserve SR 11-7
[2] Ibid 
[3] The guidance clearly applies to ALL banks. 

Monday, March 16, 2015

Addressing Upcoming Changes in HMDA Directed by the Dodd Frank Act-A Two Part Series
Part Two: Being Proactive Is the Way to Go!
In part one of this series, we discussed a brief history of HMDA.  The goal of this regulation has always been to collect comprehensive information about the lending practices of financial institutions.  We also noted that changes in the regulation have been directly related to changes in the mortgage industry. 
The Dodd Frank Act is yet another example of how occurrences in the banking industry have affected regulation.   The official statement of CFPB director Rich Cordray describes how the Dodd Frank Act has been impacted by the most recent financial meltdown. 
When Congress enacted the Dodd-Frank Act in 2010, it specifically tasked us, the Consumer Financial Protection Bureau, with getting better information from mortgage lenders. Congress directed us to improve HMDA reporting because, just as Louis Brandeis, America’s original consumer advocate and later a distinguished Supreme Court Justice, observed, “Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”[1]
With that thought in mind, the Dodd Frank Act added several specific new requirements to HMDA.    These new requirements include the following:  
·         the total points and fees;
·         the term of the loan;
·         the length of any teaser interest rates;
·         the borrower’s age;
·         the borrower’s credit score. This new data may be made available to the public, consistent with the privacy interests of borrowers and applicants.
The Proactive Approach
As we mentioned in part one of this series, the changes to HMDA listed above are already known because they are written into the Dodd Frank Act. We suggested that, for these changes, your bank could immediately start collecting this additional information, taking comfort in knowing that these will eventually be required.
In addition to these Dodd Frank mandated changes, the CFPB has been empowered to look at additional ways that HMDA can be changed to require data collection that can help with analysis of the mortgage industry. The February statement makes it clear that the CFPB is taking this duty seriously and is considering a number of additional changes.
“So we are considering other types of information that would give regulators a better view of developments in all segments of the housing marketplace. We are considering asking financial institutions to include more underwriting and pricing information, such as an applicant’s debt-to-income ratio, the interest rate, the total origination charges, and the total discount points of the loan. This will help regulators spot troublesome trends in mortgage markets around the country.”[2]
The following is a list of changes being considered by the CFPB, along with the CFPB's explanation of each:
New Data Element
CFPB  Description
Mandatory reporting of denial reasons
Denial reasons are important for understanding whether financial institutions are serving the housing needs of their communities and treating applicants fairly. Lenders currently have the option of reporting the reasons for denial of loan applications. Many, but not all, lenders report denial reasons – in fact, certain lenders that report to the OCC and FDIC are already required to provide this information. The Bureau believes that requiring this information for all HMDA reporters will result in more consistent and statistically meaningful data
Debt-to-Income (DTI) ratio
Debt-to-income is a key factor in underwriting decisions, closely related to borrowers’ ability to repay, and is critical in understanding patterns in mortgage outcomes. When denial reasons are reported, too much debt is a primary reason for rejection of loan applications. In assessing repayment ability under Bureau rules, lenders are required to consider the borrower’s total DTI or residual income. Thus, including DTI in HMDA data could provide additional insight into lenders’ denial rates.
Qualified Mortgage status of loan
The Bureau is considering proposing to require lenders to report whether they determined the loan to be a Qualified Mortgage. Qualified Mortgages are loans that meet certain criteria and are presumed to comply with the Bureau’s Ability-to-Repay rule. Including Qualified Mortgage status in HMDA data could help regulators better determine how the CFPB’s rules are impacting the mortgage market.
 
Combined loan-to-value (CLTV) ratio
The combined loan-to-value (CLTV) ratio is a key factor in underwriting decisions, and is critical in understanding patterns in mortgage outcomes. The CFPB is considering requiring lenders to report the ratio of the combined unpaid principal balance of multiple loans to the value of the property. The Dodd-Frank Act expanded HMDA to include loan-to-value ratios, but lenders consider the CLTV in underwriting and pricing loans, so including CLTV in HMDA will improve analyses of pricing information
 
Automatic underwriting systems results.
Lenders widely use automatic underwriting systems (AUS) as a critical part of their decision whether to approve or deny an application. Including AUS decisions in HMDA could help regulators better understand credit decisions and identify problems.
Affordable housing programs
For loans secured by dwellings with more than one unit, the Bureau is considering requiring lenders to report whether the property is deed restricted for affordable housing. This data might enable more robust analysis of access to credit in certain communities and better targeting of public resources, consistent with HMDA purposes and assisting with Community Reinvestment Act compliance exams
 
Manufactured housing data
Lenders are currently required to report whether a loan will be for a manufactured home. The market for credit to finance manufactured home purchases is different from the market for credit to finance site-built home purchases. Additional information on manufactured home loans, including the type of financing and whether the borrower will own or lease the land where the home is sited, will make it easier to identify the sources of differences in denial rates, and will improve understanding of manufactured home financing
 
 
 
Additional points and fees information
The Dodd-Frank Act requires lenders to report total points and fees and rate spread. The CFPB is considering requiring more detailed pricing-related information which will help regulators compare similarly situated borrowers to identify potentially discriminatory lending practices for further investigation and reduce “false positives” when analyzing disparities.  Additional information may include: 
 
·         Total origination charges
·         Total discount points
·         Risk-adjusted, pre-discounted interest rate
·         Interest rate
 
 
While it is impossible to accurately predict which of these changes will be implemented, or whether in fact all of them will, we believe that a discernible theme is developing. Put most directly, the time is now to gather as much information about the lending process as possible. Your new HMDA data collection process should be as expansive as possible. The good news is that all of this information should be readily available from the loan application process. If you look at the above list again, you see that there is virtually nothing that you don’t ask for during the application process. Now is the time to look at the information about HMDA, what it is intended to do and what the CFPB is considering. We believe that the best practice is to address this data collection in a proactive manner.
As we noted before, the changes that are mandated by Dodd Frank and the changes being considered by the CFPB have not yet been implemented through a new regulation. What we are suggesting is that now is the time to address the increased information requirements so that when the implementing regulation is finally adopted, the transition will be smooth. It is also worth noting that with the additional information being collected, a bank can greatly enhance its knowledge of the credit needs of its community. This information will be critical for CRA, Fair Lending and strategic planning purposes.
We have attached our suggested form that includes all of the categories being considered in addition to the ones that we know will change. 


[1] FEB 7 2014 Prepared Remarks of CFPB Director Richard Cordray on the HMDA Press Call
 
[2] Ibid.

Thursday, March 12, 2015

Addressing Upcoming  Changes in HMDA Directed by the Dodd Frank Act-A Two Part Series
Part One: The “Known-Knowns”  
In August of 2014, the CFPB released its proposed changes to the Home Mortgage Disclosure Act (“HMDA”) (Regulation C). The comment period for these changes ended in October of 2014 and the final rule is scheduled for July of 2015. Of course it is impossible to predict exactly what the changes will be, but to paraphrase a speech from Donald Rumsfeld, there are some known-knowns when it comes to these changes.
A Quick Bit of Background
Remember that HMDA is designed to help develop information on the lending practices of banks. In its original form, HMDA was designed to make banks disclose where they were lending to help stop “red-lining”. Red-lining is the practice of specifically refusing to make loans in particular areas or neighborhoods. In the past there were lenders who would literally take a map of a city and draw a red line around neighborhoods in which they refused to lend.
As the mortgage industry grew and changed, HMDA also changed.  The focus of the information being collected moved from  disclosure of information at banks collectively to the experience of individual borrowers at banks.  Information on the application process and the results of the application were added to HMDA data collection requirements in the 1980’s. 
At the turn of the 21st century, the focus of the information collected changed again, and this time the type of credit being offered became the focus. As a result, the terms of the loans and more information about the lien status of the loans were added to HMDA.
Dodd Frank Changes
The changes in HMDA that are being brought about by Dodd Frank are another step in the progression of the regulation. The idea here is that HMDA will be used to develop more information about the overall status of the mortgage industry. For example, the CFPB noted in press releases that:
“While a lot of information is contained in HMDA….additional mortgage information could help federal regulators, state regulators, lenders, consumer groups, and researchers better monitor the market. For example, no data is currently gathered on home equity lines of credit which surged prior to the housing crisis nor on teaser mortgage rates which had a hand in causing it.  HMDA data currently contains only limited information about loan features and interest rates.”[1]
In addition, the Dodd Frank changes will also require a HMDA-like program that will collect information on women and minority owned businesses. Dan Sokolov, the Deputy Associate Director, Division of Research, Markets & Regulations for the CFPB, put it this way:
“The Dodd-Frank Act helps small businesses by filling a major gap in knowledge about the market for small business credit. Section 1071 of the Dodd-Frank Act amends the Equal Credit Opportunity Act to require that financial institutions collect and report information concerning credit applications made by small businesses and women- or minority-owned businesses. One stated purpose of Section 1071 is to strengthen fair lending oversight. The CFPB and other authorities will be able to use these data to improve the effectiveness and efficiency of fair lending enforcement efforts.”[2]
The type of information that will be required here is still very much unknown and we will discuss this area further in Part Two of this series. 
Moving Forward-Getting Ready for Changes
Despite the fact that there are currently no regulations that specifically address these changes, the CFPB has begun the process. Therefore, one of the “known-knowns” is that the regulations are coming.
We also know that there are several data points that will be part of the new regulation.  We know this because these data points are written into the law and will be required to be part of the new regulations.  The Dodd-Frank Act specified new data points to be collected and reported: namely, the total points and fees of the mortgage; property value and improved property location information; the length of any teaser interest rates, prepayment penalties, and non-amortizing features; lender information, including a unique identifier for the loan officer and the loan; and the borrower’s age and credit score.
Finally, we also have a good idea of additional changes that the CFPB is considering. We know this because they released a factsheet that shows the required changes and the changes being considered. [3]
Using what we know about the changes that are coming, we know that there are at least three different approaches that financial institutions can take to prepare:
1)       Do nothing and wait for the regulations to be published;
2)      Address the “known-knowns”  by collecting the data that is written in the law;
3)      In addition to the above, attempt to start collecting data on the proposed areas.
We wholeheartedly do not advise taking the first approach. While it can seem prudent to wait until a change is actually made, in this case, we know that the change is coming. Waiting until the rule is published leaves your bank open to higher risk and the costs associated with last minute alterations that need to be made. The risk-averse route is to marshal forces now to get ready for the changes that you know are coming.
Taking the second route and addressing the areas that are certain to be part of the new regulations is, in our opinion, a risk-averse approach.
The following is a list of data that is required by Dodd Frank, along with the CFPB comments:
New Data Element
CFPB  Description
Age & Credit score
Unscrupulous lenders may target the elderly for unsuitable and costly loans – having applicant age will help regulators identify and potentially take action to discourage these schemes. Credit score will make it easier to understand why some borrowers are denied and why some borrowers pay higher rates than others. Credit score will also help regulators identify lenders  who may warrant closer review.
 
Total points and fees at origination
It is critical that regulators understand how much borrowers are paying for their loans in the form of the total points and fees and the rate spread. These data points will significantly enhance financial regulators’ understanding of pricing outcomes and risk factors for  borrowers.
 
Value of property securing loans
The value of a property is an important part of a lender’s decision whether to make a loan and what rate to charge. Property value information will help regulators better understand lenders’ acceptances and denials, and the rates and fees they charge borrowers. Improved location information will help with analyses of local mortgage markets.
 
Introductory fixed-rate period for variable-rate loans, Prepayment penalties,  Ability to make other than fully-amortizing payments
Particularly in the years leading up to the mortgage crisis, certain types of loan features have been  problematic  for consumers. Including this information in HMDA will give financial regulators a  better  view of the effect of riskier loan features.
 
 
 
SAFE Act unique identifier, Universal loan identifier.
Including  information such as an identifier for the loan officer who works with the borrower, a unique identifier  for the loan, and information about whether the applicant or borrower works with a mortgage broker,  would help regulators keep track of lenders’ business practices.
 
There are several points of information that are also being considered by the CFPB.  We will discuss these and the implications for reporting in our next post. 
Since we know that this information will be part of any new regulation, now is the time to start developing the processes and getting the training necessary for staff to understand the requirements. In doing so, your institution will make the transition smooth and reduce risks and overall costs.
We have attached a suggested data collection form for your review in part two of this series.


[1] See Swanson- CFPB Changes HMDA Data Collection-Mortgage News Daily February 2014
[2] Testimony of Dan Sokolov, Deputy Associate Director, Division of Research, Markets & Regulations, Consumer Financial Protection Bureau
[3] CFPB FACTSHEET: CONSUMER FINANCIAL PROTECTION BUREAU TAKES STEPS TO IMPROVE INFORMATION ABOUT ACCESS TO CREDIT IN THE MORTGAGE MARKET  February 7, 2014

Friday, March 6, 2015

Three Lines of Defense at a Community Bank- Part Two   
In our first blog in this series we described the compliance guidance that has been issued by the prudential regulators. This guidance describes an approach to compliance that is summed up by the phrase “three lines of defense”. We argued that despite the fact that the guidance only directly impacted large banks, it is likely that similar guidance will be issued or, at a minimum, similar expectations will be raised for community banks. Further, we argued that the three lines of defense can be a more effective and economically efficient means to administer a compliance management system (“CMS”).
Of course it is obvious that at most community banks there are limited resources.  The idea of trying to develop a risk and compliance framework that includes the three lines of defense may seem impossible or impractical.   However, when one considers the philosophy at the heart of the three lines of defense, the structure appears more plausible.  
 
The First Line of Defense – The Business Unit  
Under the three lines of defense approach to compliance and risk, the business  units  in a bank that take the actions to produce income or reduce expenses are the ones that create risk.    This also means that these same business  units should be the ones that understand and appreciate the risks being taken as well as the controls that should be employed to reduce risk.   These dynamics are also true at a community bank.  
 
Lending officers, operations officers and their staffs are the ones that have the closest and most impactful customer contact.  The information obtained through customer contact can be an invaluable asset for the compliance officer.  For example, the loan officer who completes a credit write up is the person most intimate with the business operation of the customer. It is this officer who is in the best position to complete an enhanced due diligence review.    Operations staff who contact customers to discuss unusual transactions are the ones who have the most up to the minute information of the operations of those clients.  
 
In the same manner, the lending and operations staff have the best information about the optimum ways to ensure disclosures are being properly and timely completed. Unfortunately, at many community banks, the compliance officer is the one who develops policies and procedures. In many cases, the procedures in particular are ignored or objected to by staff members who are supposed to use them. The business units are the groups best suited to design and implement procedures with input from the compliance officer.
 
One approach that has been effective for many community banks is to develop and implement a compliance committee. Typically this committee is comprised of the business unit heads at the bank, the compliance officer, the auditor (if there is one) and various members of operations and lending staff. This committee can become a central place for compliance issues of the day, review of updated policies and procedures and follow up on outstanding items. It is also a forum for the business unit heads to develop risk assessments and get input from compliance and various others who may have valuable information.
The Second Line of Defense – The Compliance Officer
In our previous blog we referred to four categories from the larger discussion of the categories of compliance in the 2005 paper by the Basel Committee on Bank Supervision entitled “Compliance and the compliance function in banks”. We noted that there are ten categories. One of these directly addresses the compliance department at a bank.
“Organizing and governing principles of the compliance function, including its independence, the adequacy and qualifications of its resources, its responsibilities for both guidance and monitoring, and its relationship with Internal Audit”    
This is the basic principle underlying the compliance officer as the second line of defense. The compliance officer should be independent and have sufficient resources and authority to effect change. Unfortunately this is currently not the case for many community banks. The Compliance Officer rarely reports to the Board or a Committee of the Board. In addition, in many of the banks we visit, the compliance officer is saddled with a great number of operations tasks and reporting requirements that tend to dominate their time. Little if any compliance testing is performed, and policies and procedures are also left to the compliance officer to revise.
As a true second line of defense, the compliance officer should have sufficient resources and talent to conduct ongoing compliance testing based upon a schedule that is reviewed and approved by the compliance committee. The results of the compliance reviews should be reported to the Board or a committee of the Board. In this manner the importance of the overall compliance program is elevated to its proper level and a compliance culture can flourish. This is not to say that community banks should hire large numbers of compliance staff without regard to the bottom line. There are several opportunities to outsource a portion of the compliance function that will allow the compliance officer to have sufficient time and resources to be most effective.
 
Internal Audit- the Third Line  
The third line of defense is the internal audit function. For most community banks, the internal audit function is outsourced, and the Audit Committee or the full Board hires an independent firm to perform all or most of the audits scheduled in a year. For many community banks, the audit decision has become a matter of cost, and the contract goes to the lowest bidder.
However, the more efficient approach is to view the internal audit function as a partner in the overall compliance and risk management program.  The audit firm should review and analyze the overall risk and compliance framework at the bank.  In addition, audit findings should address root causes and determine whether those root causes are indicative of a departmental or bank wide concern.   
 
The Board must be willing to receive findings and discuss changes that should be implemented to reduce risk.    We believe that any bank including a  community bank can adopt the three lines of defense philosophy.  Moreover, we believe that in doing so, a bank can enjoy increased efficiency  while improving the effectiveness of the compliance management system.