Compliance Questions & Answers
Compliance touches every corner of community banking, from operations to customer interactions. Discover key areas like internal controls, policy development, and training programs that keep your bank aligned and accountable.
While the Right to Financial Privacy does state that a government agency is not to access customer records without proper authorization (including a subpoena), for a SAR it is different. FinCEN has issued guidance stating that while it is important for banks to have procedures to ensure that the requesting person/agency is verified, disclosure of SARs to appropriate law enforcement and supervisory agencies is protected by the safe harbor provisions applicable to both voluntary and mandatory suspicious activity reporting by financial institutions.
Reference: Right to Financial Privacy 12 USC 3402; FIN-2007-G003, Suspicious Activity Report Supporting Documentation, June 13, 2007
The bank may provide all the error resolution notices together; however, they should be easily discernable regarding the requirements under Regulation E (e.g., government benefit accounts, remittance of transfers, etc.).
Reference: Regulation E 12 CFR 1005.4; 1005.7
Red flags that may indicate elder abuse include:
- Older consumers confused by or unaware of account changes
- New third party speaking for an older adult
- Address changes followed by account changes
- Older consumer appears newly distressed, unkempt
- Sudden increase in monthly cash withdrawals
- Uncharacteristic non-sufficient funds activity
- Atypical ATM withdrawals
- New spending patterns followed by the addition of an authorized user
Reference: FFIEC BSA AML Examination Manual (Appendix F).
ANSWER:
The key to the effective and successful use of a third party in any capacity is for the institution’s management to appropriately assess, measure, monitor, and control the risks associated with the relationship and weave that process into its compliance management system (CMS).
While engaging another entity may aid management and the board in achieving strategic goals, such an arrangement reduces management’s direct control. Therefore, the use of a third party increases the need for robust oversight of the process from start to finish.
There are four main elements of an effective third-party risk compliance management process:
- Risk Assessment – The process of assessing risks and options for controlling third-party arrangements.
- Due Diligence in Selecting a Third Party – The process of selecting a qualified entity to implement the activity or program.
- Contract Structuring and Review – The process of ensuring that the specific expectations and obligations of both the institution and the third party are outlined in a written contract prior to entering into the arrangement—a contract should act as a map to the relationship and define its structure.
- Oversight – The process of reviewing the operational and financial performance of third-party activities over those products and services performed through third-party arrangements on an ongoing basis, to ensure that the third party meets and can continue to meet the terms of the contractual arrangement.
Reference: FDIC Compliance Examination Manual - March 2017, VII-4.4.
ANSWER:
In general, a fee can be charged for an extension. However, there are several other issues that need to be considered, including but not limited to:
- Has the existing loan already matured?
- Is it a modification where there is only a short maturity extension?
- Will the extension be done before maturity?
- Is it a refinancing under 1026.20(a)?
- Is there new money?
- Does the fee change the APR? New disclosures would need to be provided, as required under Regulation Z.
Review 1026.37(m)(8) and the accompanying staff interpretation comments. These comments address construction loans and the need for redisclosure, citing that redisclosure may be done if a statement is included addressing redisclosure (from the staff interpretation):
“You may receive a revised Loan Estimate at any time prior to 60 days before consummation” under the master heading “Additional Information About This Loan” and the heading “Other Considerations” pursuant to § 1026.37(m)(8) satisfies the requirements set forth in § 1026.19(e)(3)(iv)(F) that the statement be made clearly and conspicuously on the disclosure.
Reference: Regulation Z: 12 CFR 1026.20(a). See also: Official Staff Interpretation 1026.20
ANSWER:
Yes. Although the texts aren’t personal, i.e., the texts don’t include any account information, cybersecurity is always a concern. For example, if a hacking incident occurs, does the bank have procedures in place to respond, to ensure that those affected are notified, and to ensure that those who regularly receive the texts know that it is not the bank but a hacker requesting information?
In addition, the bank needs to be aware of compliance regulations that may pertain to social media messages, e.g., in the context of student loans: Regulation Z and any advertising requirements that may apply; FCRA; Reg B and fair lending to guard against discrimination; privacy laws; and information security, consumer complaint response, etc. In addition, a consumer complaint process should be established.
Reference: Regulation Z: 12 CFR 1026.24; 1026 Subpart G. Fair lending and Regulation B: 12 CFR 1002. Regulation P (privacy): 12 CFR 1016. Information Security Guidelines. Fair Credit Reporting Act. See also: FFIEC: Social Media; Consumer Compliance Risk Management Guidance, 2013. FFIEC IT Information Security, 2016.