Sunday, February 28, 2016


Why IS there a Regulation C? 

As anyone in compliance can attest, there are myriad consumer compliance regulations. For financial institutions, these regulations are regarded as anything from a nuisance to the very bane of their existence. However, in point of fact, there are no consumer regulations that have not been earned by misbehavior in the past. Like it or not, these regulations exist to prevent bad behavior and/or to encourage certain practices. We believe that one of the keys to strengthening a compliance program is to encourage your staff to understand why these regulations exist and what it is the regulations are designed to accomplish. To further this cause, we have determined that, from time to time throughout the year, we will address these questions about various banking regulations. We call this series “Why is there….”

Introduction

The Home Mortgage Disclosure Act and its implementing regulation, Regulation C, are among the regulations that were enacted as the result of past bad behavior. This law came into being during a time when a great deal of attention was being paid to the lending practices of financial institutions in urban areas. In the late 1950’s and early 1960’s Congress conducted several hearings on the lending practices of banks and financial institutions. In particular, many financial institutions were engaged in practices that were starving some communities of mortgage credit. One of the most pernicious practices was called “redlining”. It was called redlining because some government agencies and financial institutions would literally take a map of a city and draw red lines around neighborhoods that were not to be considered for mortgages. The areas that were red-lined were neighborhoods that had majority racial minorities. Without proper mortgages and stable home-owners, neighborhoods decline, decay and eventually become what we know as ghettos. Economists noted that the practice of redlining caused “disinvestment” in the redlined communities. In other words, deposits were being taken in from the redlined area, but those same funds were being loaned out in other areas. Money was flowing from one community and then distributed elsewhere.

A second practice that received attention was the refusal to grant credit to women without the co-signature of a spouse or male relative.   Single women that would otherwise qualify for mortgages were being denied consideration by policy of financial institutions.    During this time period both single women and minority families were being denied mortgages simply by the policies of lending institutions.  

The government hearings on mortgage lending resulted in the passage of several pieces of legislation aimed directly at opening the mortgage credit market to women and minorities.  Among the legislation that passed during this period were the Fair Housing Act and the Equal Credit Opportunity Act.    

The net effect of these two powerful pieces of legislation was to help to open the credit application process for minorities and women.   However, unfortunately, just the opportunity to apply for credit is not a guaranty of fair treatment or a positive outcome.  It soon became evident that financial institutions had taken a different approach to denying credit.  

Financial institutions began taking applications from women and minority applicants and changed written lending policies so that neighborhoods weren’t excluded in writing. Despite these changes, the experience of women and minorities remained the same; little to no credit was granted. As a result, Congress decided in 1975 that the experiences of minority and women borrowers who apply for mortgages should be recorded. Towards that end, HMDA was created.

HMDA 1.0  

The practice of redlining and disinvesting in communities was the first target of HMDA. The initial idea was to get banks to disclose the total amounts of loans that they made in specific areas. Congress theorized that redlining would be quickly unmasked as banks would have to show the places where the loans were made. It would become evident that certain neighborhoods were getting no loans. The problem here was that the banks did not have to show individual loans, only the total amount of loans in a given census tract. As a result, a few loans strategically placed could give the impression of strong community service when this was not the case at all. For example, a one million dollar loan to a business in the census tract could give the impression that a bank was investing in the community. Ultimately, the first version of HMDA proved to be ineffective in addressing redlining.

HMDA 2.0  

Starting in the late 1970’s the mortgage industry experienced significant change.  Banks and Savings & Loans that had dominated the market began to experience competition.  Finance companies, mortgage bankers and other financial institutions began to enter the home loan market.  These lenders were aggressive and as a result many of the redlining and disinvestment practices that had been in place were simply overrun by the demand for more and more mortgages.   

However, this did not end the need for disclosure of lending information.   The experience of women and minorities in getting mortgages was still less than satisfactory.  The focus of regulatory agencies changed from redlining to the lending practices of individual institutions.  By collecting information about the experience of borrowers at individual institutions, the regulatory agencies theorized that valuable information could be gleaned about how people in protected classes were being treated.    

Information collected had to account for the fact that more than just banks were providing mortgage funding. In the late 1980s, HMDA was amended and the information that all lenders had to collect was increased to include racial, ethnic, and gender information, as well as income for each applicant. In addition, both rejected and accepted applications for loans that did not close were added to the information that financial institutions must collect. [1]

 

 

 

 HMDA 3.0  

The mortgage industry continued to grow and change and, as it did, the types of mortgages being offered also changed. By the turn of the century, the question wasn’t about people in protected classes being denied credit. Instead, it was more the type of credit being offered. In the early part of the decade the number of adjustable rate mortgages ballooned. Many of these products had “teaser rates” which were significantly below the actual rate that would be paid on the loan. This decade saw “predatory lending” practices explode. Predatory lending is, in essence, the practice of making loans with complicated high rates and fees to unsophisticated borrowers. The unsuspecting borrower believes that he/she is paying a low loan rate when in fact, at the time the loan adjusts, the rate is several times higher. A huge number of these loans were included in the financial meltdown of 2008.

The third iteration of HMDA was, then, the result of changed practices by mortgage lenders. In early 2000 the main issue was no longer discrimination in approvals or denials, but in pricing (predatory lending). HMDA was again amended to add the information about pricing and lien status. In an effort to improve the quality of HMDA data, the revised regulation also tightened the definitions of different types of loans and required the collection of racial and ethnic monitoring information in telephone applications.

 

HMDA  3.5

The most recent changes in HMDA don’t necessarily represent wholesale change in lending practices. Instead, additional data is being collected with the idea that more data points can be used to study differences in the experiences of women and minorities when they apply for mortgages. These changes are a reflection of the fact that the data from HMDA is actually being reviewed and used for studies of lending behavior.

So What Do They Do With the Information?   

When the information is collected by the regulators, it is actually used by many different agencies for various purposes. Community advocacy groups use the information to bolster arguments about various issues they wish to emphasize. The government uses the information for economic studies and as a basis for amending regulations and laws. HMDA information has been at the heart of many studies about lending discrimination. Many argue that the information collected by HMDA doesn’t tell the full story of whether or not a borrower suffered discrimination. It does, however, raise a threshold issue, and it is often the case that HMDA is used to determine whether further study is indicated. As recently as last week, a study was published that, unfortunately, concludes that there are still severe racial disparities in the granting of mortgages.[2]

The HMDA LAR is used to create the database that is used by all of these agencies and for all of these studies.   This is why the examiners are so fussy about getting those entries correct!

HMDA to the Defense

The same information can be used to defend an institution’s record. When compliance programs work the way that they should, the experiences of all who apply for credit will look the same. By using the information from the HMDA LAR, a financial institution can show that each and every applicant gets the same consideration.

So at the end of the day, when you are frustrated with those picky regulators insisting that each entry is correct, remember that you are adding information to a very important and consequential study.    It really is important that we get it right. 



[1] Joseph M. Kolar and Jonathan D. Jerison, “The Home Mortgage Disclosure Act: Its History, Evolution, and Limitations.”

[2] Darwin BondGraham, “Report: Profound Racial Disparities in Mortgage Lending Seen in Oakland,” East Bay Express, February 24, 2016.
 

Sunday, February 21, 2016


Changing the Way We Think About Compliance       

Compliance, Compliance, COMPLIANCE!   Sometimes just saying the word can evoke a dramatic response from financial institution management.    Even though there has long been talk of a separate set of regulations for community banks, no such changes are in the offing.  For now and the immediate future, community banks and small financial institutions will face increasing expectations in the area of compliance.    Moreover, the costs of compliance can be prohibitive.  This is especially true if your bank has experienced compliance problems in the past.

Despite the gloom and doom and through all of the curses there are actually reasons to support compliance regulations.    Wait, what did you say?     

History as a Guide

A quick review of the history of some of the most far-reaching consumer regulations yields a familiar pattern.  In each case, banks and financial institutions engaged in unfair or unreasonable practices.  Eventually, a public outcry was raised and legislation was passed in response.   The history of the Truth in Lending Act   (Regulation Z) provides a good example.  

Starting in the late 1950’s the United States saw a tremendous growth in the amount of credit.  In fact, in a study the US House of Representatives estimated that the amount of credit in the United States from the end of World War II to the end of 1968 grew from $5.6 billion to $96 billion.   [1]

The growth in credit was fueled by consumer credit and, in particular, a growing middle class that created a huge demand for housing, cars and various other products that went with acquiring the American Dream. As time passed, more and more stories emerged of consumers being misled by the use of terms like “easy payments”, “low monthly charges” or “take three years to pay”. The borrowers found out that even though they thought they were paying an interest rate of 1.25%, with add-ons, fees and interest payments that were calculated using deceptive formulas, the rate was actually as much as three times what they thought.

Congress began to investigate the growing level of consumer debt and eventually, in 1968, the Truth in Lending Act was first passed. Congress was clear about what they were trying to do:

“The Congress finds that economic stabilization would be enhanced and the competition among the various financial institutions and other firms engaged in the extension of consumer credit would be strengthened by the informed use of credit.  The informed use of credit results from an awareness of the cost thereof by consumers. It is the purpose of this subchapter to assure a meaningful disclosure of credit terms so that the consumer will be able to compare more readily the various credit terms available to him and avoid the uninformed use of credit, and to protect the consumer against inaccurate and unfair credit billing and credit card practices.” [2]

The regulations that have been implemented as part of the Dodd Frank Act have a similar history.  The most recent financial meltdown was caused in part by the lack of oversight and by financial products that far outpaced the reach of the regulations.  Dodd Frank is the most recent legislative response to the public outcry about the behavior of banks and financial institutions. 

Of course, it is also clear that the behavior that caused the most recent meltdown was not being practiced at community banks. It is unfortunate that the whole industry is often painted with a broad brush. However, the fact is that the public does not make much of a distinction between large banks and community banks. The reputation of the industry suffered mightily during the meltdown. The good news is that the regulations have helped to restore the confidence of the public in the financial system. Therefore, while regulations may be bothersome, they do support the industry.

Overall Effects

Sometimes, we focus on the negative to the point that it is hard to see the overall positive impacts of regulations. One of the positive effects of compliance regulations is that it goes a long way toward “leveling the playing field” among financial institutions. RESPA (the Real Estate Settlement Procedures Act) provides a good example. The focus of this regulation is to get financial institutions to disclose the costs of getting a mortgage in the same format throughout the country. The real costs associated with a mortgage, the arrangements that a bank has with third parties and the amount that is being charged for insurance, taxes and professional reports that are being obtained all have to be listed in the same way for all potential lenders. In this manner, the borrower is supposed to be able to line up the offers and compare costs. This is ultimately good news for community banks. The public gets a chance to see what exactly your lending program is and how it compares to your competitors. The overall effect of this legislation is to make it harder for unscrupulous lending outfits to make outrageous claims about the costs of their mortgages. This begins to level the playing field for all banks.

There are other regulations that can help the reputation of your institution. For example, the public reporting requirements for the Community Reinvestment Act and the Home Mortgage Disclosure Act can result in positive information about your bank. A strong record of lending within the assessment area and focusing on reinvigoration of neighborhoods is certainly a positive for an institution’s reputation.

Protections not just for Customers

In some cases, consumer regulations provide protection not just for consumers but also for banks. The most recent qualifying mortgage and ability to repay rules present a good case. These rules are designed to require additional disclosures for borrowers that have loans with high interest rates. In addition to the disclosure requirements, the regulations establish a safe harbor for banks that make loans within the “qualifying mortgage” limits. This part of the regulation actually provides a strong protection for banks. The ability to repay rules establish that when a bank makes a loan that is below the established loan to value and debt to income levels, then the bank will enjoy the presumption that the loan was made in good faith. This presumption is very valuable in that it can greatly reduce the litigation costs associated with mortgage loans. Moreover, as long as a bank makes only “qualifying mortgages”, the level of regulatory scrutiny will likely be lower than in the instance of banks that make high priced loans. [3]

The next time you hear a conversation about how bad consumer regulations are, we suggest that you take a step back.  Consider that the regulations are generally well earned, that they provide stability and can tend to level the playing field for community banks.  Also, please consider the idea that in at least some cases, these regulations provide protections for banks.  You may not turn out to be a consumer zealot, but we think you will give compliance regulations a different, more accepting look. 





[1]  Griffith L. Garwood, A Look at the Truth in Lending - Five Years after, 14 Santa Clara Lawyer 491 (1974). 

[2]  See Preamble to 15 U.S.C. 1601 (1970)
[3] Of course, a strong case can be made for the origination of non-qualified loans. This case will be presented in subsequent blogs.

Monday, February 15, 2016


When to Hold ‘Em and When to File ‘Em - A Two Part Series on SAR Filings

Part Two- The Decision   

In the first part of this series we noted that Suspicious Activity Reports (“SARs”) are an essential part of the world financial crimes monitoring network. There are analysts at an agency called FinCen that read all of the SARs and capture data about the various schemes that criminals employ in attempts to launder money. We also noted that filing of SARs has become an area of stress for BSA staff at financial institutions. On one hand, there is a concern that failure to file a SAR might result in criticism by regulators. On the other, there are concerns that filing SARs is a pointless exercise that creates more administrative work and accomplishes little. After all, a proper filing involves researching transactions, performing analysis and drawing conclusions that must be documented. Moreover, almost all SAR’s require a second filing 90 days later to discuss whether the suspected activity has continued.

At the end of the day, whether or not a SAR should be filed is the decision of the financial institution. It is the expectation of regulators that this decision should be part of a well-established and defined process. According to the FFIEC BSA examination manual, the process should include five component parts: identification of unusual activity, managing alerts, SAR decision making, SAR completion, and monitoring on continuing activity.

 

  • Identification or alert of unusual activity: This is the part of any BSA compliance program that combines human intelligence and software. All financial institution staff are required to receive annual training on BSA/AML. One of the main reasons for this requirement is that staff is expected to be able to identify activities that don’t fit into normal patterns or activities for their customers. For example, a longtime customer who normally receives his payroll and pays bills out of his account suddenly deposits $15,000. The expectation is that the staff members of the institution should gently, but firmly, find out the source of this unusual deposit. Of course, there are many reasonable answers for how the customer came across this money.

Monitoring software should perform a similar function. The whole point of using software is to aggregate the transactions of a customer so that any transactions that fall outside of the normal or expected create an alert and follow-up.

  • Managing Alerts: Managing alerts is important so that institutional resources are focused on the highest area of risk. Not every customer at your institution is engaged in nefarious activity. In fact, the vast majority are good people who are simply conducting banking activity. Much like the boy who cried “wolf” in the children’s fairy tale, there can be such a thing as too many BSA/AML warnings. The expectation of regulators is that you will adjust your monitoring to create warnings for activity that is truly suspicious or out of the pattern of normal activity. This is at the heart of the requirement that financial institutions perform model validation on a regular basis.[1] There should be a formal and well established method for reviewing alerts and resolving them in a timely and comprehensive manner.
  • SAR Decision Making: There has to be a clear process for making SAR decisions and there also has to be an ultimate decision maker for whether or not the SAR will be filed. The individual decision about whether or not to file a SAR rests with the financial institution. The FFIEC BSA Manual makes this clear:
    • In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.
  • SAR completion and filing: There should be a clearly defined process for who performs the research necessary to complete the SAR in a timely and complete manner. The SAR narrative should tell the story in that it should clearly identify the who, what, where, when and why the activity is considered suspicious. The SAR should be filed within 30 days of the time the activity is determined to be suspicious.
  • Monitoring and SAR filing on continuing activity:  Once the SAR is filed, there should be a process in place to continue to monitor the customer to determine if additional suspicious activity is continuing.   At the conclusion of 90 days of monitoring, there should be a follow-up SAR that tells “the rest of the story”.  Was the activity repeated, or was it just a bump in the road? [2]

The Decision

So you have your system in place. Your staff is well trained to look for unusual activity and your software is monitoring for suspicious behavior. The question still remains: just what exactly is suspicious? Unfortunately, there simply is no one right or wrong answer to that question. Suspicious is in the eye of the beholder. This is why the “know your customer” component is critical to a strong BSA compliance program. The more that you know about your customer and what they are doing, the more obvious suspicious activity becomes.

As a best practice, if there aren’t several members of your institution’s staff that fully understand the business model of a client, it is a bad idea to continue the relationship. Regulators expect that financial institutions have the ability to know the source of funds, the customer base, and the typical transaction flow of the peers of your customer. For example, suppose you have a customer who sells fresh flowers. The expectation would be that staff members at your institution understand how a fresh flower stand works, what typical receipts there might be, who the customers of the stand are and how transactions are conducted. Does the customer sell for cash only? Why? What level of cash is normal for a flower stand? Is it likely that a flower stand would send or receive wires? The point is that the more that is known about the business, the more likely that unusual activity can be determined.

In addition to knowing the business, the institution must have the means to monitor activity in a transparent manner.  Through a combination of software, direct conversations and onsite visitations with the client, the institution should maintain a clear picture of normal transaction activity.    

In the event that a transaction seems unusual, there is absolutely nothing wrong with asking the customer directly. In many, if not most cases, there is a completely acceptable explanation. Most customers will have no trouble with providing documentation to support their activities. Small business owners are generally proud of their accomplishments and don’t mind discussing a large sale or adding a new client. Of course, when a client is unwilling or unable to provide an explanation and present documentation, there may be trouble. The decision to file or not to file is one that your institution must be able to live with and defend through documentation.

 

Defensive SARs- Don’t do it!

In many cases banks don’t truly know or believe that activity is suspicious, but file a SAR “defensively”. The idea here is that we cannot tell whether or not the activity is unusual, or simply don’t have the time to do the necessary research to make a determination, so filing a SAR is seen as a temporary fix. However, defensive SARs are a sign of weakness or deficiencies in a BSA compliance program. If there is not sufficient time, or a complete understanding of the business model of the client, to properly monitor and research the activity of a customer, as a best practice, the customer should be considered for de-risking (account closure). Simply filing SARs defensively is staving off the inevitable.

 

There Comes a Time

After a SAR has been filed for the first time on a customer, as a best practice, it is worth considering how the filing might change the relationship between the institution and the customer.    If the possibility exists that there is activity that may be considered suspicious or unusual on an ongoing basis there are really only two clear choices.   The first is to study the business plan of the customer and to gather sufficient information to document that the activity is normal and customary.  The concept of suspicious activity is one of context.  That is, if we return to the flower shop example above, does it make sense that wires might be going to an obscure bank in Europe?  It does indeed if you find out that there is a rare flower that exists in that part of the world and the flower shop has made a marketing point of being able to deliver the rare flower in your area.  Moreover, if the flower shop owner is able to show shipping details of the flower, insurance bills, bills of lading or other similar documents that prove the shipment of flowers, then the wires are ordinary and customary.  

The other option is to consider the account for de-risking. Many institutions let ego, or the pursuit of fee income, get in the way of safe and sound operating. When a customer’s operations are way ahead of the capabilities and resources of the institution, it is time, as Kenny Rogers would say, to know when to walk away and know when to run.


[1] This should not be confused with data validation.  Model validation is a test of the efficacy of the software settings.
[2] FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity
 

Sunday, February 7, 2016


When to Hold ‘em and when to File ‘em - a Two Part Series on SAR Filings - 
Part One: Not all SAR's are the Same

Amongst the many ongoing tensions of running a Bank Secrecy Act (“BSA”) compliance program, the decision about whether or not to file a Suspicious Activity Report (“SAR”) often becomes a daily test. To paraphrase the lyric of Kenny Rogers, “you have to know when to hold ‘em and when to file ‘em”.

There was a period of time a few years ago when filing SAR’s became the remedy for all “ills” in the BSA area. Many small institutions found themselves filing as many as 60-70 SAR’s a month. In extreme cases, more than a quarter of all customers had either a new SAR or a follow-up SAR being processed. In those cases, an inordinate amount of time and resources were being spent on processing forms that said, essentially, that there was “no change” and the customer was still doing what had caused the initial report to be filed.

While there is no definitive answer to the ongoing questions of when to file a SAR, there are some guidelines that can be used to help with the process.  

The Point of it all with SAR’s 

Why do we even have SAR’s and what in the world are they used for? According to the FFIEC’s (“Federal Financial Institutions Examination Council”) BSA handbook, SAR’s are a critical component of the national BSA program.

Suspicious activity reporting forms the cornerstone of the BSA reporting system. It is critical to the United States' ability to utilize financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes. [1]

 

According to FinCen, the organization that reads and acts on SARs, the purpose of SARs is:

The purpose of the Suspicious Activity Report (SAR) is to report known or suspected violations of law or suspicious activity observed by financial institutions subject to the regulations of the Bank Secrecy Act (BSA). In many instances, SARs have been instrumental in enabling law enforcement to initiate or supplement major money laundering or terrorist financing investigations and other criminal cases. Information provided in SAR forms also presents the Department of the Treasury’s Financial Crimes Enforcement Network (FinCen) with a method of identifying emerging trends and patterns associated with financial crimes. The information about those trends and patterns is vital to law enforcement agencies and provides valuable feedback to financial institutions.[2]

 

For the BSA Officer who sometimes feels that these reports are being prepared only so that they can disappear into the ether, take heart. Your SAR’s are read and they are acted upon in many instances.

In her comments to the International Bankers annual anti-money laundering seminar, FinCen Director Jennifer Calvery[3] described the federal government’s efforts to fight the terror group commonly known as ISIS. She noted that although much of the activity of that group is in Syria and Iraq, the fact of the matter is that they have to have trading partners around the world to get the supplies that they need to wage war. There are several things that FinCen and similar agencies are trying to accomplish to stop them: disrupting revenue streams by denying funds wherever possible, limiting access to the international financial system and, finally, punishing any individual or group that helps ISIS.

Here is one example that has been cited: 

… [A] Case originated in 2008 with BSA data concerning an individual who was later convicted of conspiring to provide and providing material support to the Pakistani Taliban. The defendant funneled money to Pakistan as Taliban insurgents fought for greater control in northwest Pakistan.  BSA data was critical in uncovering the diverse and complex methods the individual used to send money from the United States to Pakistan, each of which was designed to conceal and support his activities. Investigators uncovered at least three methods: 1) wire transfers from the United States to Pakistan, where an associate picked up and administered the funds; 2) transfers of funds from cashier’s checks drawn on U.S. banks to a bank in Pakistan where co-conspirators could draw checks; and 3) bulk cash carried by family members and other travelers from the United States to Pakistan.  [4]

 

So ultimately, regardless of the size of your institution, the SAR’s that you file are part of something much bigger.  You are deputies in the fight against some very dark forces including human traffickers, drug dealers and terrorists and the information that you provide is critical in this fight.  

 

A Balancing Act

The decision to file a SAR must be a balancing act. For the BSA Officer at most financial institutions there remains the fear that the decision not to file a SAR might result in heavy regulatory criticism. It is sometimes the case that institutions will file a SAR even when they feel that they are totally informed about the transactions and do not feel it is suspicious. Filing a SAR to avoid regulatory criticism is commonly called “defensive SAR filing”. While almost no institution will admit to doing so, a large number have actually filed defensively.

As a best practice, the SAR process should also be tied to the “de-risking” consideration process at your institution. There are many times when a customer engages in a suspicious transaction that is a one-time thing. Perhaps there is a large cash transaction and the explanation from the customer is somewhat sketchy. A SAR is filed and the account is closely monitored for the next 180 days. There is no other unusual or suspicious activity. In these cases no additional SAR needs to be filed.

However, there are cases when a customer engages in suspicious activity and continues to do so. For many institutions, the process has become a continuous string of monitoring account activity and filing SARs. However, in the event that a customer is engaging in activity that the institution finds suspicious, the prudent course is to act on that information. In the event that there are three or more SARs filed on a customer for the same type of activity, it is necessary to make one of two determinations:

  • The activity can be fully explained and vetted and is therefore not suspicious.
  • The institution does not have the information necessary to properly monitor and manage the risk presented by the customer and therefore must terminate the relationship (“de-risk”).

Continuously filing SARs on a customer without considering the customer for de-risking is a red flag for regulators. This is an indication that the BSA staff of your institution does not fully understand what the customer is doing. Once the activity of a customer has been determined to be suspicious, the process for gathering additional information should begin. Ultimately, if the BSA staff is unclear about a customer’s activity or business, he/she presents an unacceptable level of risk. Filing a SAR defensively can be an act of simply giving up and admitting that there is insufficient information about the customer.

The Examination Process and SARs. 

Again, the BSA examination manual is helpful here.  It states that what the examiners are supposed to be looking at is the SAR Decision Process.  

Within this system, FinCEN and the federal banking agencies recognize that, as a practical matter, it is not possible for a bank to detect and report all potentially illicit transactions that flow through the bank. Examiners should focus on evaluating a bank's policies, procedures, and processes to identify, evaluate, and report suspicious activity. However, as part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the bank's suspicious activity identification, evaluation, and reporting process.[5]

It is clear from the text of the examination manual that there is no expectation that a financial institution will be able to catch every suspicious transaction that takes place. There are simply not enough resources for that to be the reality. Instead, regulators expect financial institutions to develop systems that allow for the identification and monitoring of the highest risk areas.

 

 

There are five key components to an effective SAR monitoring system.   The five components are: 

 

  • Identification or alert of unusual activity (which may include: employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output).
  • Managing alerts.
  • SAR decision making.
  • SAR completion and filing.
  • Monitoring and SAR filing on continuing activity.[6]

 

In part two, we will discuss what each of these components means and how to determine when to Hold ‘em and when to file ‘em.



[1] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview
[2] Guidance on Preparing a Complete & Sufficient Suspicious Activity Report Narrative (November 2003)
[3] Comments of FinCEN Director Jennifer Shasky Calvery at the Institute of International Bankers Annual Anti-Money Laundering Seminar, April 30, 2015
[4] FinCEN Recognizes High-Impact Law Enforcement Cases Furthered through Financial Institution Reporting
 
[5] FFIEC BSA Examination Manual Suspicious Activity Reporting-Overview
[6] FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity
 

Monday, February 1, 2016


Understanding Compliance Regulations

 

Introduction

Compliance regulations have become the center of a number of discussions in the financial services industry. Starting with the financial meltdown of 2008, the number of regulations that directly impact the relationship between consumers and banks has grown exponentially. Of course, the costs associated with compliance have also grown and become a significant part of the strategic planning processes and budget for financial institutions. Quite often, compliance regulations are derided as unnecessary and burdensome, while the regulatory agencies that are charged with enforcing them are considered unreasonable or unfair. Unfortunately, it is often the case that the reasons compliance regulations exist and the goals of compliance examiners are misunderstood. This misunderstanding can lead to less than effective compliance management programs, mistrust of regulatory agencies and overall inefficiencies in the compliance regulation process. Understanding the “why’s” and “what’s” of compliance can go a long way towards a stronger compliance program.

 

Compliance: a Brief History

Although there are several theories about why banking is such a heavily regulated industry, some common themes develop when considering this topic.   Chief among the reasons that are advanced as an argument for bank regulation is the idea that banks and financial institutions must maintain stability, and the regulatory structure helps to create stability.  For example, deposit insurance helps to eliminate the fear that financial institutions will run out of money for their customers.  Another argument for regulation is the role that financial institutions play in the payment system.  This is an area that requires stability.  The ability of funds to flow freely through the financial system is one of the hallmarks of the stability of the US financial system.  A third area that is often cited is the need to promote efficiency and competition among financial institutions. 

 

In the aftermath of the stock market crash of 1929, the banking system experienced one of its greatest crises of confidence. Significant “runs” on banks caused liquidity concerns and brought the whole US financial system to a crashing stop. The result of these events was to usher in the modern age of bank regulation. From that time on, a series of regulations and regulatory agencies has been developed, all designed to promote stability and efficiency in the financial system. Generally, financial institution rules that promote the overall stability of the financial institutions are considered “safety and soundness” rules. Safety and soundness rules deal with the overall levels of risk that are inherent at individual banks. Levels of capital, limits on the loans to one borrower and the ability to identify and manage the risks presented by individual customers are all examples of safety and soundness rules.

 

While safety and soundness rules can generally trace their lineage back to the Great Depression, consumer regulations don’t enjoy the same clear history.  For the most part, compliance regulations have been implemented following a much more indirect path.   The pattern for development of consumer protection regulations is a familiar one.

1. A practice or product of a financial institution impacts a group of consumers in a negative way (e.g. women or minorities do not have equal access to credit).
2. The offending practice receives widespread attention from the public.
3. The public outcry receives the attention of government.
4. Legislation is passed to directly change the practice or product.

 

 

This has been the pattern time and time again in the development of all of the notable consumer protection regulations that have been enacted in the financial services industries. For example, Regulation Z (the Truth in Lending Act) was passed after public outcry about the lack of complete information detailing the costs of borrowing from banks. From the flood insurance rules to the SAFE Act to the Servicemen’s Civil Relief Act, each of the significant consumer protection regulations has followed this same pattern and path. While it can be passionately argued that regulation is not always the most efficient means to prevent bad practices, waiting for market discipline to self-regulate has historically caused more harm than good.

 

It is important to remember that consumer compliance regulations, regardless of their design or requirements, share a common goal: to prevent policies or practices that have caused real people harm in the past. Moreover, it is also the case that financial institution practices that hurt people have not been prevented by consumer regulations. In fact, the reason that the Consumer Financial Protection Bureau was created was to further strengthen the protections for consumers.

 

“…CFPB will be the single, consumer-focused regulating authority, consolidating the existing authorities scattered throughout the Federal government under one roof.  And, the Bureau’s oversight includes the large banks and credit unions that had historically been regulated by the Federal government, as well as independent and privately owned “non-bank financial institutions” that had never been regulated before.

 

This means that for the first time, the Federal government will be able to regulate the activities of independent payday lenders, private mortgage lenders and servicers, debt collectors, credit reporting agencies, and private student loan companies.” [1]

 

 

A Peek Inside Consumer Regulations

In addition to their similar origins, consumer regulations also share similar approaches to addressing problems.  The institutions to which these regulations apply are required to either disclose information to customers or collect information about customers.  Regardless of the actions that are required of the financial institution, the overall goal of consumer compliance regulations is to provide as much information as possible to the general public.   Data that is collected is used to study the impact of financial institution practices.  For example, the data from the HMDA LAR (Loan Application Register) is used to study trends in housing and the experience of women and minorities at institutions that originate mortgages.  Regulatory disclosures, such as the Truth in Lending disclosures are meant to give the customer the ability to easily compare the costs of a loan from one institution to the next.  The finance charges and fees are all supposed to be listed in a uniform manner to allow a customer to lay offers for a loan side by side. 

Ultimately, consumer regulations are supposed to level the playing field between financial institutions who have significant resources and unsophisticated borrowers who have limited resources.

 

Compliance Examinations

When examiners conduct a compliance examination, the ultimate goal is to determine the strength and effectiveness of the compliance management program (“CMP”). The CMP comprises the policies and procedures that cover compliance, the internal controls that have been established, independent reviews and training of staff. The examination team will take a step-by-step approach.

First, there will be analysis to determine that each of the critical components of the CMP has been established. Policies and procedures are reviewed to make sure that they are comprehensive and up to date. Do these documents give staff information on the expectations of the Board and senior management? Further, in the case of procedures, do they direct staff on the proper steps to take to conduct transactions? The compliance examiners will also review training programs and analyze whether they are keeping staff appropriately informed of applicable regulations. Finally, this portion of the examination will analyze independent reviews (audits) to make sure that the scope is appropriate.

Next the examiners make a determination about the overall effectiveness of the CMP.  For example, the most complete written policies and procedures in the world have no impact if the results of independent reviews are ignored.   The CMP must have the ability to determine the roots of noncompliance and a plan for corrective action.  

As a third step, the compliance examination reviews the ability of the senior management at the financial institution to identify risks and to take action to mitigate risks. Many times, when there are regulatory concerns at financial institutions, the root cause is the inability of staff to recognize why an activity is risky or the extent of the risk. For example, an institution that serves a large number of high-risk clients must have the ability to determine what makes them high risk and precisely how to monitor activities to look for suspicious behavior. Before a bank takes on an MSB (“Money Service Business”) as a client, there should be sufficient staff knowledge of MSBs. The institution should also have the software ability to closely monitor the transactions of MSBs.

Finally, the compliance examination staff will review the skill sets and knowledge of the staff who are charged with keeping the institution in compliance. A highly experienced and knowledgeable staff can serve as a strong counterbalance to limited policies and procedures, for example. On the other hand, staff who are unfamiliar with compliance regulations will be expected to have significant resources to use.

The compliance rating is based upon the overall effectiveness of the CMP at a financial institution. 

 

Compliance regulations are the direct result of bad behaviors of financial institutions. Most of the regulations are designed to give the consuming public maximum information. Compliance will be a part of banking on an ongoing basis. Embrace your inner compliance officer.



[1] Consumer Financial Protection Bureau 101: Why We Need a Consumer Watchdog, January 4, 2012 at 11:13 AM ET, by Megan Slack, Whitehouse.gov blog