By Keith E. Monson
Now that 2016 is in full swing, it’s a fitting time to check in on some of the biggest regulatory compliance priorities for the months ahead.
Without a doubt, mortgage-related regulations are currently one of banks’ greatest concerns, with TRID, HFIAA and HMDA all stirring the pot. However, regulations surrounding consumer protections, vendor management and BSA/AML aren’t going anywhere, and final word on the Current Expected Credit Loss (CECL) model likely is just around the corner.
1. Mortgage Compliance Continues to Trip Up Banks
TRID compliance seems to be living up to bank executives’ worst fears, as the integration of updated disclosure systems and the corresponding staff training are proving difficult.
By now, the headaches from installing and testing related software should be easing, but bank employees still are trying to comprehend the intricacies of the new disclosures. And related anxiety is not without cause: penalty fees run as high as $5,000 per day per violation for non-compliance, $25,000 per day per violation for reckless non-compliance, and $1 million per day for knowing non-compliance.
On the bright side, regulators have said they would be lenient in the initial phase-in period as long as banks make a good faith effort to comply. While they did not specify what constitutes a good faith effort, assume it means showing that you planned appropriately for the TRID implementation and have good policies and procedures in place to follow the rule.
And following on TRID’s heels is HFIAA. On Jan. 1, 2016, the final piece of HFIAA went into effect. Covered institutions (primarily banks with more than $1 billion in assets; see the Final Rule for small bank exemption rule details) must now have procedures in place to ensure the following:
- Mandatory flood insurance is escrowed on all residential real estate and mobile home loans originated, refinanced, increased, extended, or renewed on or after Jan. 1, 2016.
- Written notice of the option to escrow for flood insurance premiums and fees is provided to all borrowers of outstanding covered loans booked prior to Jan. 1, 2016.
It’s important to understand what constitutes a covered and non-covered loan. HFIAA exempts business, commercial, and agricultural purpose loans; subordinate liens; loans where a homeowners association pays the premiums; home equity lines of credit; loans with terms of less than 12 months; and non-performing loans.
Now, with everything else going on, the temptation to procrastinate on your HMDA implementation will be great, especially since the effective dates still feel very distant. In reality, they will come quickly enough. So the sooner you get ready to implement HMDA the better off your institution will be.
2. The Consumer Rules the Roost
Since the moment the CFPB opened its doors, the area of Consumer Protections has shot up the regulatory angst ladder, as it encompasses a number of complex issues, including cybersecurity and consumer fraud. Today, the two are practically one and the same, as most fraud is perpetrated via cyberattacks. This makes regulators extremely nervous, so banks should expect significant action surrounding cybersecurity.
What form that action takes is still up for debate. It could mean additional regulatory guidance, like further updates to the FFIEC Information Technology Handbook; or it could mean that regulators make the FFIEC Cybersecurity Assessment Tool mandatory for all banks. Even now, some smaller institutions have indicated that local examiners are requiring it.
In addition, another consumer-related dilemma is EMV. The relief financial institutions feel as merchants take on more of the burden for debit and credit card breaches is double-edged. As of last October, retailers who haven’t converted to EMV are responsible for any losses incurred in a breach, but many merchants missed or ignored the deadline. This creates a different issue for banks: reputational risk. The average consumer is unlikely to care about the liability shift and will still look to their bank or credit card issuer to cover their losses. Institutions will need a plan for handling such situations.
Finally, Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) continues to stymie banks. Linda Albrecht, a principal with the CPA and business advisory firm Eide Bailly, recommends banks review such consumer areas as customer communications, policies and procedures, customer complaints and third-party relationships for possible UDAAP violations.
3. Vendors Take on More Onus
The vital relationship between financial institutions and third-party vendors is under significant regulatory scrutiny. With Appendix J of the FFIEC’s IT Handbook, regulators are expecting institutions to further ensure the resilience of their outsourced technology services. Now that institutions have had more than a year to digest this guidance, examiners will expect business continuity plans that recognize and mitigate the possibility of business disruptions with their technology service providers (TSPs).
In recognizing the third-party responsibility in this equation, the FFIEC updated the Management booklet of its IT Handbook in November. In effect, TSPs are now held to the same standards as financial institutions in terms of risk management and security. But that updated booklet also makes clear that this does not relieve banks of responsibility, and specifically calls for greater board of director focus on IT governance.
4. CECL Awaits
More than three years after its currently proposed CECL model was published, the FASB is expected to issue its final guidance in the first part of 2016. CECL will fundamentally change the way our entire industry accounts for loan loss reserves, and no institutions are exempt from this, despite some lingering assumptions to the contrary. All banks will need to adjust their data collection and parsing to comply with CECL guidance, and they will take a potentially significant, one-time hit to capital when that change goes into effect.
5. BSA/AML Must Not Be Forgotten
While your institution is rightly focused on what are arguably more pressing compliance areas, don’t let other issues slip through the cracks. BSA/AML, including OFAC watch list screening, continues to be a key tool in the United States’ war on terror, which is heating up as terrorist attacks escalate beyond the Middle East.
And it is yet to be seen whether the OCC’s heightened risk management guidance will trickle down to smaller banks, but as the 18-month period looms for larger institutions to implement the agency’s ERM framework, all institutions should keep ERM in their sights.
These compliance challenges no doubt are weighing heavily on your shoulders. But planning how you’ll navigate them now will make for a smoother ride along the way.
Keith E. Monson serves as chief risk officer for Computer Services, Inc. (CSI). In this role, Keith maintains focus on CSI’s compliance initiatives to establish and build out an enterprise-wide compliance framework for risk assessment and reporting, issue management and other key components of CSI’s corporate compliance program. He also works closely with CSI’s Board of Directors Audit Committee as well as other compliance teams across the organization to promote a culture of engagement and connectivity while implementing and advising on practices and related standards.