Community Bank Compliance : 2020

Monday, June 8, 2020

BSA Risk Assessments-What’s the Point

For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment. It has also likely been your experience to find a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”. In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail. The detail required for a complete risk assessment is elusive at best. Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography- “you know it when you see it”.

The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments. The manual directs every financial institution should develop a BSA/AML and an OFAC risk assessment. Unfortunately, the form the risk assessment should take, or the minimum information required are left as open questions for the financial institution. Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use.

As financial institutions continue to change and the number of financial products and type of institutions offering banking services grows, the risk assessment can be something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan can change the whole process.

The FFIEC BSA examination manual specifically mentions risk assessments in the following section:

“The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing” [1]

This preamble has several important ideas in it. The expectation is, management of an institution can identify:

Who its customers are: including the predominant nature of the customer base- are you a consumer institution or a commercial at your core? Who are the customers you primarily serve?

What is going on in your service area: Is it a high crime area or a high drug-trafficking area, both or neither? The expectation is you will know the types of things, both good and bad going on around you. For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money. The point is you need to know what is going on around you at all times.

Where are the outlier customers: Do you know which types of customers who require being watched more than others? There are some customers who, by the nature of what they do, require more observation and analysis than others. The question is, have you identified these high-risk customers?

How well are you set up to monitor the risks at your institution: Do you have systems in place are up to the task to discover “bad things” going? Does the software you use really help the monitoring process? This analysis should consider whether the staff you have truly understand the business models your customers are using. For example, if your customer base includes Money Service Businesses, do you have staff in place who know how money services business work and what to look for? The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB.

Ties to the strategic plan: Does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to the money services business, does the BSA department have an increase in staff included in its budget?

Effective Risk Management

The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program. The areas with the greatest areas of risk should also be the same areas with the greatest dedicated resources. Independent audits and reviews should be directed to areas of greatest risk. For example, if there are many electronic banking customers at the institutions while almost no MSB’s, then the audit scope should presumably focus on the electronic banking area and give MSB’s a limited review. In addition, training should focus on the BSA/AML risks associated with electronic banking, etc.

Rethinking the Risk Assessment Process

Continued development of new products and processes in finance and technology (“fintech”) and BSA/AML have opened the possibility of a vast array of potential new products for financial institutions. Products such as digital wallets and stored value on smartphones have opened new markets for people who have been traditionally unbanked and underbanked. Financial institutions which are forward thinking should consider the possibility some of these new products have the potential to enhance income.

The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products. When preparing the risk assessment, consider the resources necessary to offer new and (money making products).

There are no absolute prohibitions against banking high risk clients

Per the FFIEC BSA Examination manual higher risk accounts are defined as:

“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents” ^[2]

The Manual goes on to detail several other factors which should be considered when monitoring high risk accounts. We note the manual does not conclude high risk accounts should be avoided.

The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering. Financial institutions are expected to:

1. Conduct a risk assessment on each of these clients,

2. Consider the risks presented

3. Consider the strengthening of internal controls to mitigate risk

4. Determine whether the account(s) can be properly monitored and administrated;

5. Determine if the risk presented fits within the risk tolerance established by the Board of Directors.

Once these steps are followed to open the account, for high risk customers, there is also an expectation there will be ongoing monitoring of the account for potential suspicious activity or account abuse. The exam manual is also clear; once a procedure is in place to determine and properly mitigate and manage risks, there is no prohibition against having high risk customers. The risk assessment section of the exam manual notes the following:

“The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the bank’s BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy.”^[3]

Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean. When a customer’s activity is consistent with the parameters which have been established and have not varied for some time, then account can technically be high risk but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing and deposits and wire activity can be established. If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customers’ business line is and understanding what the customer is doing as they continue without much variation reduces the overall risk.

Sunday, May 3, 2020

Using Fintech to Offer New Products- a Three-Part series

Part Two- Fintech is Here to Stay

While the overall public impression of banks and financial institutions took a major hit during the 2008 financial crisis, in large part, the damage was being slowly repaired. However, it is obvious that the relationship between financial institutions and the public has changed forever. Even before the coronavirus hit the economy, a broad wave of consumer distrust buffeted the banking industry's reputation over the past year, bringing an end to a run of positive change in public perception in the years after the financial crisis, according to the annual American Banker/Reputation Institute. Let's face it, the current times are not exactly the best for the image of banks. In addition to the mortgage crisis, there have been several highly publicized scandals involving some of the larger and best-known banks. The rollout of the current economic stimulus plan has had mixed results at best. Even though many of these things go through cycles and the conventional wisdom is that “it will all blow over”, the current times are somewhat different

As pointed out in Bankshot[1] banking journal- “What’s at stake? Customers have more choice than ever when it comes to where they do their banking, including from an increasing array of fintech competitors with arguably less cultural and emotional baggage than the traditional banking industry. Now, more than ever before, there are real alternatives to banking.

Most of these alternatives are being provided by financial technology companies AKA FinTechs. As we noteddin the first part of this series, there is a huge potential pool of customers that FinTechs have been designed to meet; the unbanked and underbanked.

The FDIC conducts a study of the number of households that are underbanked and unbanked in the Us every two years. The most recent study was conducted in 2017. The highlights from this study are as follows:

· In 2017, 6.5 percent of U.S. households were “unbanked,” meaning that no one in the household had a checking or savings account. Approximately 8.4 million U.S. households, made up of 14.1 million adults and 6.4 million children, were unbanked in 2017.2 An additional 18.7 percent of U.S. households were “underbanked” in 2017, meaning that the household had an account at an insured institution but also obtained financial products or services outside of the banking system.

· Specifically, a household is categorized as underbanked if it had a checking or savings account and used one of the following products or services from an alternative financial services (AFS) provider in the past 12 months: money orders, check cashing, international remittances, payday loans, refund anticipation loans, rent-to-own services, pawn shop loans, or auto title loans. Approximately 24.2 million U.S. households, composed of 48.9 million adults and 15.4 million children, were underbanked in 2017.

The survey points out that a large portion of the population in this survey are turning to alternative financial institutions for their banking need. The need for nontraditional banking services is one of the main drivers of the financial technical “fintech” industry. Many bakers seem to understand that fintech companies present the possibilities for significant change in the industry. According to a survey conducted by PWC:

· FinTech is a driver of disruption in the market. Financial Institutions are increasingly likely to lose revenue to innovators, with 88% believing this already is occurring. The perceived business at risk trend has continued to rise, to 24% on average this year among all sectors.

· Incumbents are becoming more aware of the disruptive nature of FinTech, shown well by the fact that, in 2017, 82% of North American participants believe that business is at risk, up from 69% in 2016. Insights from PwC’s DeNovo also indicate that 30% of consumers plan to increase usage of non-traditional Financial Services providers and only 39% plan to continue to use only traditional Financial Services provider. In addition, asset backed lenders have largely increased their share of lending (the lending club and other peer-to- peer business).

Fintech companies have been in the business of designing products that address some of the concerns raised by the unbanked or underbanked. For example, speed of delivery, consideration of alternative means for credit underwriting and ease of delivery.

Despite the idea that fintech equals disruption, it doesn’t have to be a negative thing. Disruption often results in improvement in efficient and better service. In fact, there are several places where fintech companies and financial institutions, especially community banks have converging interests.

Community banks and credit unions have overall higher levels of trust and a better public image than their larger brethren. Because community banks are smaller, they are more nimble and making changes to products lines can happen quickly and in response to customer needs. The independent bankers association published the “Fintech strategy Roadmap in 2017” as a guide for the many opportunities that fintech companies can present. A summary of these opportunities includes;

o Increased Operational Efficiency and Scale

o Increased Access to Customers with a Younger Age Demographic

o Increased Access to Loan Customers in New Markets

o Enhanced Brand Reputation

o Enhanced Customer Experience

Disruption is simply that- it doesn’t necessarily have to be a bad thing. In fact, disruption can result in greater efficiencies and more effective. Some good news, these companies have done all of the research and development work with venture capital funds! They have worked out a lot of the bugs that are usually part of delivery of a new product. Some more good news, these companies are burdened by a regulatory scheme that really limits them. That is that they are considered MSB’s and must get state licenses to operate in each state. Because of this, many FinTechs are looking for a partnership with a bank- in this way they get around the need for licenses.

In Part Three, we will discuss best practices for partnering with Fintech Companies

***For More Information on FinTech’s and Financial Institutions visit www.VCM4you.com***

[1] https://www.americanbanker.com/bankshot

Sunday, April 26, 2020

We hear a lot about fintech companies Financial technology, also known as FinTech, is a line of business based on using software to provide financial services. Financial technology companies are generally, startups founded with the purpose of disrupting incumbent financial systems and corporations that rely less on software.

The overall goal of Fintech companies include:

• Efficient and speedy delivery of funds

• Development of alternate means of solutions for ongoing problems

• Especially in the financial industry there are a lot of naysayers, but the fact of the matter is that there are structural reasons for the potential success of FinTechs. Underbanked and unbanked people represents a huge potential market. The FDIC produces a great deal of information about the unbanked and underbanked every two years. The study is called 2019 FDIC National Survey of Unbanked and Underbanked Households. As of 2019, the combined number of unbanked and underbanked was almost 30 million people.

Fintech companies are pointed directly at the needs of the underbanked and unbanked

• When thinking of a fintech, it is important to note that what they are trying to do is to get money to people is a manner that is both fast and cheap

• FinTechs are also working on ways to meet the needs of a large group of people who are outside of the banking industry

• Fintech companies understand that while not everyone has a banking account, mostly everyone has a cell phone or a similar electronic device

Using this technology, fintech companies are reducing the need for bank accounts. FinTech companies are really going after this population of people who for the most part are potential bank customers by providing solutions to problems that people have with banks. One of the things that Fintech companies have focused on are the many uses of the smartphone. For example, smartphones can be used for stored value. That is, just like a reloadable debit card, the smartphone can be used to reload value repeatedly. Fintech companies such as Zoom, Square and Amazon is making it possible to transfer funds and store funds. Other Fintech companies are changing the way that credit is underwritten. Fintech also has increased a small institutions ability to offer different products and services. As traditional means for profit become more scarce, Fintech opens the possibilities for additional income streams.

The 30 million people in the underbanked and unbanked populations are your potential customers! The statistics show that this group is getting younger and more internet savvy. The more that the customers use their smartphones, the less likely they are to rely on banks

Some examples of the many uses of a smartphone in the The fintech industry includes the following:

• Stored Value - A stored-value the card is a payments card with a monetary value stored on the card itself, not in an external account maintained by a financial institution. Stored-value cards differ from debit cards, where the money is on deposit with the the issuer, and credit cards which are subject to credit limits set by the issuer.

• APIs - An open API is a publicly available application programming interface that provides developers with programmatic access to a proprietary software application or web service. APIs are sets of requirements that govern how one application can communicate and interact with another.

• Nationwide Reach- Using data analytics, fintech companies can have access to customer behavior data and assist with marketing opportunities

For many of the unbanked, fintech companies represent a much-welcomed alternative to the use of high cost check cashers. In addition, there are companies that are taking on Payday lenders who up to this point have not had a great deal of competition.

• One of the other things that these companies do is give financial institutions the ability to offer products and services

Information is power and even for a small institution, if you are unaware of what your customers want and are going to want in the future, it is a problem. The regulatory agencies that cover financial institutions have recognized this synergy and have issued guidance and taken steps that are designed to ease the process for relationships between financial institutions and Regtech companies. These included:

• Regulators are encouraging institutions to pool resources when it is feasible

• Joint Statement on Banks and Credit Unions Sharing Resources to Improve Efficiency and Effectiveness of Bank Secrecy Act Compliance was issued in October of 2018

• One of the main points of the statement is that there are ways that financial institutions can leverage what other banks or firms are doing

• Fintech companies have the ability to help in a number of ways. Some of these companies have developed programs that are help with analytics and security

• The Office of the Comptroller of the Currency has initiate the Fintech charter program that was designed to allow Fintech companies to have special banking powers. This charter has been called into question by a decision of a federal court that is now undergoing appeal.

Regardless of the outcome from the appeal of the Fintech charter, the regulatory agencies have noted that fintech and banking are a natural combination that will continue to grow and in scope and activity.

In Part Two we will discuss specific innovations oin Fintech

***For More Information on FinTech’s and Financial Institutions visit www.VCM4you.com***

Sunday, March 15, 2020

Changing Your Outlook on Internal Audits

Part Two- What is a Control Environment?

There are myriad whitepapers and scholarly articles discussing control environment theories. Many of these documents discuss in detail the components of the concept of controls. At the heart of the matter, the control environment is comprised of your institutions ability to identify the risks inherent in ongoing operations compared to the steps you have taken to mitigate those risks. Put another way, why DO you have written policies and procedures? What are they designed to do? Policies and procedures often seem like an arcane phrase that auditors and examiners like to glibly toss out, but they really are the heart of the control environment. The process of developing policies and procedures should follow the development of a risk assessment. Risk assessments are too often performed as a matter of course and then forgotten throughout the year.

An effective risk assessment of your compliance program can be an excellent source document for various things including budgeting requests for additional resources and scoping of audits. Completing the assessment includes considering the inherent risk at your institution, the internal controls that have been established to address risk and a determination of the residual risk. The process is intended to be one of self-reflection and consideration of the areas of potential weakness. For those areas that have the potential to be a problem, the best practice is to make sure they are included in the scope of an audit. Audit firms are more than happy to work with the management of the institutions they are reviewing on developing a scope. One of the crucial goals of the audit is to uncover areas where there are weaknesses in internal controls. For example, in your risk assessment, you may have noted a large number or errors in disclosures for new accounts. This are should subsequently be a focus for the internal auditors when the compliance audit is performed.

In the previous blog, we talked about the FFIEC compliance rating system gives a great deal of incentive to follow a process in this order

· Complete risk assessment covering products and services

o Plus

· Development of the policies and procedures designed to address the risk identified in the first step

o Plus

· Development of the policies and procedures designed to address the risk identified in the first step

o Equals

· Your control environment

Of course, that is not the end of the story. If fact, that is only the first half. Once the control environment has been established, it is critical to determine which controls are preventative and which are detective.

Preventative Controls: are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. Put another way, preventative controls are designed to keep bad things form happening at the inception.

Detective Controls: is an internal control intended to find problems within a company's processes. Detective controls are designed to find problems in delivery and implementation

The way that you test these controls depends on how they are designed to work. In the case of preventative controls, the test is to determine whether they keep a transaction form being completed based upon an error. Detective controls are designed to catch problems in the overall process such as adverse actions that have a problem trend.

Consider the implications for the internal audit process. The current process tests the results and not the control environment. Your auditor could test 50 loans and find no problem. The conclusion that is drawn is that all is well; but really how do you know that loans 51-70 are not all problem loans? The idea here is to self-police by testing the control environment

As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators. Regulators have focused on whether the scope of internal audits meets both regulatory standards and is appropriate in light of the overall risk profile of a financial institution. It is the second of these two considerations that has most often caused findings and created concerns. It is, therefore, critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.

A control risk assessment (or risk assessment methodology) documents the internal auditor's understanding of the institution's significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.[1]

At smaller institutions, there generally is not a full-time internal auditor on staff. This does not obviate the need for comprehensive and timely risk assessments. Unfortunately, the risk assessment process is often overlooked. The risk assessment should consider the following:

Past Examination and Audit Results-

It goes without saying that the past can be a prelude to the future. Prior findings are an immediate indication of lack of effectiveness of internal controls. It is important that the root cause of the finding or recommendations from regulators is identified and addressed. Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.

Changes in Staff and Management

Change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who may be used to past procedures may become confused. Change generally increases the possibility of findings or mistakes. Your risk assessment should take into account the risks associated with changes and how best to address them. In addition, this is an area that should be covered by internal audit as it presents a risk.

Changes in Products, Customers or Branches

It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year. Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution. The resources necessary to address these changes should also be a consideration for the internal audit.

Changes in Regulations

Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact smaller institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process has to consider changes that will affect your institution. The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.

Monitoring systems in place

The information systems being employed to monitor the effectiveness of internal controls should be considered. For many institutions, this system is comprised of word of mouth and the results of audits and examinations. Information used by senior management and reported to the Board should be sufficient to allow credible challenges by the Board.[2]

Using the Risk assessment to Set Audit Scopes

Once a risk assessment is completed, the results should be directly tied to the internal audit schedule. The FIIEC guidance points out the relationship between the internal audit plan and the risk assessment:

An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.[3]

The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test mitigation steps made to reduce findings.

The criticism that is often raised about outsourced audit is that the scope is incomplete. This is often the case because outsourced vendors have developed their scope based upon best practices, and their experiences at various institutions. While this is obviously a best practice for the audit vendor, the problem is that it doesn’t always fit the individual institution. Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.

In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institution. For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment. Changes in the customer base, an increase in the overall risk profile of the bank or a change in personnel are all factors that should be included in the audit scope. In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk. Finally, the professional abilities of the BSA staff should be considered as they relate to additional risk.

Outsourced internal audit firms design the scopes for the audits that they conduct based upon their knowledge of auditing, regulatory trends, best practices and the overall knowledge of their staff. This practice allows the firms to bring a wealth of experience and important information from outside of the financial institutions that they are reviewing. When your audit firm presents you the scope that they propose it is based upon completely external actors and considerations. This is not a criticism of the firm, it is a standard practice. However, setting of the scope for internal audits is really supposed to be a collaborative effort, and both the audit firm and your institution are best served by developing the scope for audits together, after all, who knows the strengths and weaknesses of your institution better than the management? To get the biggest bang for your buck, why not tie the audit scope into the results of your risk assessment?

Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.

[1] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

[2] See for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations

[3] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

Sunday, February 23, 2020

Part One- A New System of Review

Starting in 2017, the FFIEC (the organization that is comprised of the major financial institution regulators) changed the way compliance programs are rated. Instead of a one grade for the program there is now actually a three-prong test that makes up the final rating. The three-parts of the test are

The overall compliance program including the written program, resources dedicated to the program compared to the overall risk profile of the portfolio, experience and competency of management
Board and management oversight- essentially the level and quality of reporting to management. In addition, the follow-up to problems noted and remediation implemented
Harm to consumers- The violations that are discovered have varying degrees of potential for harm to consumers. Some are very technical in nature and can be remedied by a small fix. Other violations might require the dreaded ‘look-back” and reimbursement.

In its press release describing the new rating system, the FFIEC wrote extensively about the goals for using this approach for compliance going forward. ^{^[1]} Among the goals are to make the compliance examination more risk based and to allow each institution the opportunity to develop and maintain a compliance program that is tailored to the risk profile of the institution

One of the aspects of this new rating system that is often overlooked is the focus on the “self-policing”

Opportunities Provided by These Changes

The new compliance rating represents significant changes in the ability of banks to alter their compliance destiny. The emphasis on self- detection and self-policing allows financial institutions to perform self-evaluation and diagnose compliance issues internally.

In the new rating system, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change. To impress the regulators that an organization is truly engaged in self-policing, there must be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be. For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification. This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff. The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders. This may seem like a reasonable response, but it is incomplete.

This response does not rise to the level of self-policing that is discussed in the FFIEC memo; a further step is necessary. What is the follow-up from senior management? Will senior management follow up to make sure that the classes have been attended by all commercial lending staff? Will there be consequences for those who do not attend the classes? The answers to these questions will greatly impact the determination of whether there is self-policing that is effective. Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management. The more the regulators trust the self-policing effort, the more the risk profile decreases, and the less likely enforcement action will be imposed.

Self-Reporting

At first blush self-reporting seems a lot like punching oneself in the face, but this is not the case at all! The over-arching idea from the FFIEC guidance is that the more the institution is willing to work with the regulatory agency, the more likely that there will be consideration for reduced enforcement action. Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust that the regulators have in the management in general and the effectiveness of the compliance program. The key here is to report at the right time. Once the extent of the violation and the cause of it have been determined, the time to report is imminent. While it may seem that the best time to report is when the issue is resolved, this will generally not be the case. The regulators may want to be involved in the correction process. In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week).

Remediation

What will your institution do to correct the problem? Has there been research to determine the extent of the problem and how many potential customers have been affected? How did management make sure the problem has been stopped and won’t be repeated? What practices, policies and procedures have been changed as a result of the discovery of the problem? These are all questions that the regulators will consider when reviewing efforts at remediation. For example, if it turns out that loan staff has been improperly disclosing transfer taxes on the Loan Estimate, an example of strong mediation would include:

A determination if the problem was systemic or with a particular staff member
A “look back” on loan files that for the past 12 months
Reimbursement of any customers who qualify
Documentation of the steps that were taken to verify the problem and the reimbursements
Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
Disciplinary action (if appropriate for affected employees)
A plan for follow-up to ensure that the problem is not re-occurring

Self-policing allows an institution the ability to positively impact its regulatory fortunes. The goal under this new system is to document the effectiveness of the system of controls in place. The effectiveness of the control environment will impact all three of these ratings. Generally, more favorable ratings will extend the amount of time before your next examination is scheduled.

Ultimately, the new compliance ratings system highlights a financial institutions ability to establish its control environment.

In part Two we will discuss the control environment

*** James Defrantz is Principal at Virtual Compliance Management Services LLC***

***For More Information Please Feel free to contact Us at WWW.VCM4you.com***

[1] The full press release can be found at www.ffiec.gov/press/pr110716.htm

Monday, February 17, 2020

Who are the Unbanked and Underbanked?

And Why should a Community Bank Care?

Every year, as part of the strategic planning process, financial institutions consider the best ways to expand customers bases. One area that should be considered is addressing the large numbers of unbanked and underbanked families spread throughout the country. The unbanked and underbanked are defined as households that have either no (unbanked) or minimal (underbanked) banking products. When one considers who the unbanked and underbanked are, at first blush it may seem that these are people who might not be a good for financial institutions. But nothing could be further from the truth. This group of families represents an important opportunity for expansion and growth in the financial services industry. In fact, this group is so important that the FDIC conducts a study on these household bi-annually.

Unbanked and Underbanked Defined

The unbanked have no ties to an insured economic institution. Essentially, they have no checking or savings account and no debit or ATM card. Meanwhile, the underbanked do use some of these services – often a checking account – but they also used alternative financial options within the past year. This population has been estimated to be as many as 30 million people.

Around 20 percent of Americans are underbanked, according to the FDIC, which means they have either a checking or savings account, though rarely both. Households are also usually given the underbanked distinction if they've used alternative financing options during the previous year, such as money orders or rent-to-own services. Around 67 million Americans are underbanked, or the equivalent of 24.5 million households, based on 2015 figures from the most up to date FDIC survey.^{^[1]}

Just as important as the number of people who are unbanked and underbanked are the reasons that they have limited contact with banks. The most recent FDIC study on the unbanked and underbanked was published in 2017. In the study, the main reasons for not having bank accounts included:

• “Do not have enough money to keep in an account”.

• “Don’t trust banks”

• “Bank account fees are too high”

• “Bank account fees are unpredictable”

• Higher proportions of unbanked households that were not at all likely or not very likely to open a bank account in the next 12 months cited “Don’t trust banks” (36.2 and 31.5 percent, respectively) in 2017, compared with unbanked households that were somewhat likely or very likely to open a bank account in the next 12 months (24.7 and 21.0 percent, respectively).[2]

As far as demographics are concerned, millennials are among the most likely to be underbanked, with 31 percent of them under the age of 24, according to federal figures. This is the population that has driven the growth of Fintech and other alternate banking services, such as money service business.

The thing is that just because these household have limited banking accounts doesn’t mean that they don’t need banking services. For example, Remittances are a growing market that continues to grow according to the world bank statistics $138,165,000,000 in remittances was sent from United States to other countries in 2016. In 2018, the market is expected to grow more than in the previous two years for several reasons. The average size of an individual remittance remains $200.00, leaving open the potential for large fee income.

Fintech companies have developed many products that allow customers to have many of the same services and abilities as a bank account. Digital wallets for example, allow customers to receive payroll, reload debit cards, payment bills and purchase gift cards among other things. These platforms also allow customers to send wires, ACH’s or other transfers without using a bank. As a result, more and more underbanked people are conducting their banking business on the smart phone. Speed of delivery and the ability to tailor products and services is a key component to success. The products and services that financial institutions must offer to stay relevant are also changing.

Another area for development is micro lending. This is a product that is designed to let a customer grow into a full-fledged profitable relationship. A small dollar loan with reasonable terms allows the bank to report favorable information to credit reporting agencies. It further allows the bank to reach to communities that have been traditionally under banked.

Though micro lending has been very popular in several foreign countries, the industry is fairly new in the United States. Micro businesses are defined as “a business with five or fewer employees that requires no more than $35,000 in start-up capital.” [3] There is a surprisingly large number of businesses in the United States that meet this definition. In 2011, there were approximately 26 million micro businesses. [4] Each of these businesses represents a group of people that working towards self-sufficiency, greater wealth and ultimately, the potential to be significant customers at commercial banks.

In the United States, the Small Business Administration defines a microloan as one at or below $50,000. Data as of 2012 showed that the average loan for a microenterprise was $14,000. [^7] Currently there are several sources for obtaining microloans, including nonprofit organizations, community development financial institutions and private equity funds

A formal micro lending program would be the ultimate in innovation. Such a program would greatly enhance the reputation of a bank within its community. It is worth nothing that micro lending programs have been very profitable both internationally and in the United States.

The FFIEC’s proposed Interagency Questions and Answers Regarding Community Reinvestment make it clear that the focus in the future will be on innovation in lending and creativity in delivering banking services. Credit will be given to lenders for innovation in lending. ^[^8]

Embracing Credit Needs

For banks, embracing the concept of determining and meeting the credit needs of the community can yield very positive results. The list of factors that make up the consideration of credit needs from the Federal Reserve Bank of Atlanta’s publication “Community Reinvestment – Does Your Bank Measure Up?” includes the following;

The makeup of the community;
What the local and regional economic conditions are;
What kind of opportunities exist for serving the community through lending and investments;
What your banks business strategy and products are; how is your bank doing financially;
What your bank sees as the credit needs of the community; and
What individuals, community and civic organizations, and business-as well as state, local, and tribal government-think about your banks efforts toward meeting the community credit needs.

If your institution is considering developing such a program, it is an excellent idea to get the input of your regulator. By collaborating, you have the benefit of strengthening your relationship with your regulator, working through any troubles with the program and getting the “halo” effect of developing the program in the first place.

The unbaked and the underbanked continue to create opportunities for community banks that are innovative.

[1] Unbanked vs. Underbanked: Who they are and how they differ

Dec 23, 2017 Walt Wojciechowski

[2] FDIC National Survey of Unbanked and Underbanked Households

[3] Elaine L. Edgcomb and Joyce A. Klein, “Opening Opportunities, Building Ownership: Fulfilling the Promise of Microenterprises in the United States,” FIELD, February 2005, http://www.fieldus.org/ publications/FulfillingthePromise.pdf.

[4] [6] Microenterprise Development: A Primer,” FDIC Quarterly 5, No. 1 (2011):

[5] Community Reinvestment Act; Interagency Questions and Answers Regarding Community Reinvestment; Notice September 3, 2014