Where and How to Prioritize Your Compliance Resources
Although 2018 may bring some surprises, there is little doubt about the major regulatory challenges that financial institutions will wrestle with this year. They will face effective dates for the Customer Due Diligence (CDD) and Home Mortgage Disclosure Act (HMDA) final rules, while also dealing with ongoing consumer protection and vendor management issues that remain hot examination topics.
An initial review of our 2018 Banking Priorities Study indicates that banks have correctly identified these areas of concern. Now, it’s time to ensure they understand the full complexity of these issues and the actions needed to effectively tackle them.
Bank Secrecy Act Expansion
When asked about their greatest compliance challenges heading into 2018, 53 percent of the 263 executives who took our survey answered Bank Secrecy Act/Anti-Money Laundering (BSA/AML). Another 19 percent answered BSA-related Know Your Customer (KYC) obligations, also known as the Customer Identification Program (CIP). About 75 percent of respondents are worried about some facet of BSA compliance, and rightly so.
Consulting firm Deloitte’s “2018 Banking Regulatory Outlook” notes an uptick in BSA/AML scrutiny: “Over the past few years, the number of civil and criminal enforcement actions related to anti-money laundering (AML) has increased around the world.” A tally of the BSA/AML civil money penalties as tracked by BankersOnline reveals $58.2 million fines levied during 2017 and $66.6 million levied during 2016, plus a $6 million forfeiture.
Regulatory interest in BSA/AML compliance remains at the forefront because the war on terror is showing no signs of stopping, and the BSA is one of the United States’ foremost tools for cutting off terrorist funding. The Financial Crimes Enforcement Network’s (FinCEN) CDD final rule expands that ability by further shrinking an area where terrorists still enjoy anonymity for money laundering—legal entities such as corporations and partnerships.
As of May 11, 2018, financial institutions will have to perform enhanced due diligence on any legal entity’s beneficial owner with 25 percent or more ownership, as well as on any individual with significant control of the entity. Ballard Spahr’s Money Laundering Watch blog explains that in some cases this will mean having “to look through several layers of legal entities to determine whether an actual person is a 25 percent owner of the applicant.”
Because it will require significant effort, institutions are squarely focused on this beneficial ownership requirement. However, it is crucial that they also prepare for the “fifth pillar” of BSA/AML compliance that the rule adds. According to Ballard Spahr, it “requires covered institutions to understand the nature and purpose of relationships to develop a customer risk profile, conduct ongoing monitoring for reporting suspicious transactions, and, using a risk-based approach, maintain and update customer information.”
BSA/AML Action Plan:
- Make sure your core provider has updated its system accordingly
- Update your policy to fully incorporate the rule
- Present the updated policy to your board for approval before May 11
- Revise related processes and procedures, including OFAC screening of beneficial owners
- Train all employees on your policy, processes and procedures
- Develop a communication plan for explaining this rule to business customers, who may otherwise resist answering ownership questions
Consumer Protection Landmines
Almost 45 percent of Banking Priorities respondents identified consumer protections as a challenge for 2018. Deloitte explains this apprehension: “When operational breakdowns cause real or perceived consumer harm, a firm’s reputation can suffer materially from negative press, social media attacks, enforcement actions and fines, as well as bipartisan condemnation from Congress.” Equifax is a perfect example, as it faced criticism from both sides of the aisle for its massive data breach, and its response to the incident.
The statistics on data breaches alone are staggering. The Identity Theft Resource Center reported 1,253 breaches through mid-December 2017, about 15 percent more than 2016, which was a 40 percent increase over 2015. More than 387 million records were exposed in that three-year period, not including the breaches that go unreported. Unfortunately, this high frequency desensitizes many of us, but motivates regulatory agencies to redouble their cybersecurity focus.
Unfair, deceptive or abusive acts or practices (UDAAP) compliance is another important element of consumer protections. Recent leadership upheaval within the Consumer Financial Protection Bureau (CFPB) and potential structural changes to the agency may lead institutions to dismiss UDAAP compliance. But Deloitte emphasizes that, “the topic of consumer protection isn’t going away.” In reality, the broad and somewhat vague scope of UDAAP has made it a favorite violation catch-all of prudential regulatory examiners. And a UDAAP violation can be far worse than that of a specific regulation because multiple agencies get involved, potentially including the FBI.
Consumer Protection Action Plan
- Per Deloitte, implement a risk-based inventory of your entire compliance management process and a robust system for handling customer complaints and other investigations
- Regularly assess and update your cybersecurity program based on emerging threats
- Review your policies, procedures and disclosures to ensure nothing within them causes unintended harm to consumers
- Shore up your Incident Response Plan
- Continuously train your employees on cybersecurity and UDAAP
Mortgage Compliance Carryover
More than 42 percent of our survey respondents identified mortgage compliance as a major challenge heading into 2018. The Jan. 1, 2018, effective date for the HMDA final rule is a major factor in this response, as the rule’s updated institutional and transactional coverage definitions are now in play.
Financial institutions that closed at least 25 closed-end mortgage loans in 2017 and 2016 must report all 48 HMDA data fields (25 new, 14 modified and 9 unchanged) on such loans for 2018. The same reporting is required of institutions that closed at least 500 open-end loans in 2017 and 2016.
HMDA Action Plan:
- Ensure your institution has a consistent HMDA strategy for the overlap period in which 2017 loan applications close in 2018
- Use the first quarter to ensure your processes are accurately capturing all HMDA data and you are ready to appropriately report
- Monitor the CFPB to see if the 500 open-end loan threshold is made permanent beyond 2019
HMDA is not the only mortgage-related compliance issue driving bank anxiety. Although mostly minor, CFPB adjustments to the TILA-RESPA Integrated Disclosure (TRID) rule have created a moving compliance target for financial institutions as they tweak policies and procedures with each change.
Overall Mortgage Compliance Action Plan:
- Make sure your compliance office stays updated on TRID and other mortgage compliance changes
- Adjust policies and procedures and provide related staff training as changes go into effect
- Advise your board and senior management of any changes requiring a financial investment
Vendor Management Examination
Vendor management compliance remains a high priority for regulatory examiners, and over one-third of our respondents cited this issue as a challenge this year. Regulators are still quite concerned that bank third-party risk management, especially of critical vendors, is not adequate given the impact that a vendor failure, outage or breach could have on institutional operations and the harm it could cause consumers.
Vendor Management Action Plan:
- Make sure your vendor management program follows the joint interagency guidance and any specific guidance from your prudential regulator
- Conduct your own risk-based due diligence on all vendors as you cannot rely on referrals or verbal assurances
- Review the Service Organization Controls (SOC) Report for all critical vendors, paying particular attention to any identified weaknesses and carefully considering whether to request corrective action or accept the risk
- Keep thorough documentation of all your vendor due diligence
Regulatory Uncertainty Also Looms in 2018
These four areas are certainly not the only issues financial institutions will contend with this year. Other compliance programs need to be monitored and managed, and other upcoming rules require preparation. If your institution offers prepaid cards, appropriate disclosures must be in place by April 1, 2018, when the CFPB’s Prepaid final rule goes into effect. And all institutions need to keep their Current Expected Credit Loss (CECL) model preparations on track for its 2020 (SEC registrants) and 2021 (for all other banks) effective dates.
Finally, as the Trump administration heads into its second year, its continued talk of deregulation, while welcome, may create another major challenge for 2018—regulatory uncertainty. Most regulatory repeals or modifications occur over a protracted period of time. The same is true for the future of the CFPB. With Mick Mulvaney at its helm, wholesale changes to its structure and authority could take place, but until those changes are fully implemented, financial institutions must still adhere to its current guidance and regulatory authority.
Institutions that can effectively handle these major compliance challenges, including regulatory ambiguity and uncertainty, will be the biggest winners in 2018.
If you would like to view the full results of our survey, download the Executive Report: 2018 Banking Priorities Study.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.