March 1, 2023

In Good Company or Low Hanging Fruit? – A Year in Review


During our audits, we’re often asked, “Do you frequently see this same finding at other financial institutions?” We thought it might be helpful to share some of our most common findings from our 2022 consumer lending and deposit compliance audits, as well as our BSA engagements, in the hope that you can identify whether these common issues exist at your institution... before they become low hanging fruit for an examiner.

To provide some context, 10-D Compliance’s clients range from small, rural financial institutions to multi-state, multi-billion-dollar holding companies and institutions, although most fall somewhere in between.

Lending Compliance

Reg Z - Truth in Lending

  • 1026.20 - Establishes disclosure requirements regarding post-consummation events. If the creditor or servicer cancels the escrow account at the consumer's request, the creditor or servicer shall ensure that the consumer receives the disclosures required by paragraph (e)(2) of this section no later than three (3) business days before the closure of the consumer's escrow account. We noted that this disclosure was frequently missed.

Reg C - Home Mortgage Disclosure Act
Reminder: HMDA applicability is determined at the time of application. If the loan will be secured by a dwelling and the money will be used for a HMDA purpose, it is reportable regardless of whether or not it results in origination.

  • 1003.4(a) - Describes a financial institution’s obligation to collect data on covered applications and loans. We noted several instances of loans with the purpose of home purchase, home improvement, or refinance not being reported on the LAR, including withdrawn loans. Don’t forget to review commercial loans. Any portion of the loan that is used for home improvement, such as adding a pool to the business owner’s home, is HMDA reportable.

Reg B – ECOA – Equal Credit Opportunity Act
Reminder: Reg. B requirements apply to all loans, not just those for consumer purposes.

  • 1002.9 - Requires financial institutions to provide notification of action within thirty (30) days of receiving a completed application. We identified issues related to timing and content of adverse action notices, as well as the absence of required notifications on incomplete, non-originated applications.

  • 1002.14(a) - Requires financial institutions to provide a written notice of the right to receive a copy of appraisals within three (3) business days after receiving an application. Reg B does not contain an exception to the notice requirement for applications denied or withdrawn within three (3) business days of application. We noted deficiencies in documenting that the right to receive an appraisal disclosure was provided on both originated and non-originated loans.

Reg X – Real Estate Settlement Procedures Act & E-Sign

  • 1024.3 - Provides that the disclosures required by this part may be provided in electronic form, subject to compliance with the consumer consent and other applicable provisions of the Electronic Signatures in Global and National Commerce Act (E-Sign Act) (15 U.S.C. 7001 et seq.). We noted instances where financial institutions were delivering loan documents electronically without the proper E-Sign consent agreement in place.

Reg H – Flood Insurance

  • 339.9 / 208.25(i) / 22.9 / 760.9 - Requires financial institutions to furnish a written notice to the borrower when there is a M.I.R.E. (making, increasing, renewing, extending) event on any loan secured by improved real estate or a mobile home located, or to be located, in a flood hazard area. The notice must be mailed or delivered as soon as feasible in advance of closing and must state: (1) that the property securing the loan is, or will be, located in a flood hazard area; and (2) whether federal disaster relief assistance is available. Written acknowledgement on behalf of the borrower must be received prior to closing. Over the last year, we have noted many M.I.R.E. events in which financial institutions did not retain evidence that the flood notice was provided prior to consummation, or that it was provided in a timely manner.

Reg V – FACTA Red Flags Program

  • 681.2 / 717.90 - Requires a financial institution to implement appropriate procedures for validating and reconciling a customer’s address information when a discrepancy is noted, if the institution establishes a continuing relationship with the consumer and regularly, in the ordinary course of business, furnishes information to the consumer reporting agency. We noted that financial institutions are not identifying, mitigating, or retaining documentation of mitigation efforts for credit bureau alerts, especially where address discrepancies are concerned.

Deposit Compliance

Reg CC – Funds Availability Act

  • 229.13 - The “Exception Holds” section establishes the circumstances, amounts, and timing under which deposits may be held. Our most frequently identified findings include the following:

    • Only $225 was made available the next business day on large deposits when $5,525 should have been made available
    • Large new account deposits were not made available by the ninth (9th) business day following the date of deposit
    • Deposits to new accounts of existing customers were receiving extended new account holds

Reg E – Electronic Funds Transfer Act

  • 1005.11(c) - Establishes the notification and timing requirements for resolving errors on consumer accounts when an unauthorized electronic transaction or other error is reported. Non-compliance issues included the following:

    • Error resolution letters did not include the consumer’s right to request documents the institution relied upon in its investigation
    • Required notifications upon debiting a provisionally credited amount were not provided
    • Investigations on POS items were not completed timely
    • Investigations were delayed until written documentation was received
    • Interest and fees resulting from the error were not refunded to consumers


Enhanced Due Diligence (EDD)

Certain customer types pose higher money laundering risks. Financial institutions should establish due diligence policies, procedures, and processes to address higher risk customer reviews. We frequently noted the following deficiencies:

  • Inconsistent collection and analysis of enhanced due diligence documentation on higher risk customers such as MSBs, PATMs, NRAs, and CRBs
  • Failure to analyze the entire relationship, period over period activity trends, or SAR filings during the review period
  • Neglecting to perform EDD according to the financial institution’s procedures or failure to establish such procedures

BSA/AML/OFAC Risk Assessment

A well-defined risk assessment aids the financial institution in identifying BSA/AML/OFAC risks and developing an appropriate program. During our 2022 audits, we identified that many financial institutions failed to note the following in their risk assessments:

  • Changes to customer risk scoring methodology, including quantifying how many customers have not been risk scored due to lack of sufficient information
  • Year-over-year quantitative information related to products, services, and customers
  • BSA staffing levels
  • Emerging risks such as cannabis, virtual currency and human trafficking
  • Growth through acquisitions, including when such acquisitions took place and the related impact on the institution’s BSA program
  • OFAC monitoring and/or the existence of blocked property

CTR Designation of Exempt Persons (DOEP)

Although financial institutions may exempt certain customers from currency transaction reporting, an exemption may only be granted by following the defined regulatory steps. The following gaps were commonly identified in our 2022 audits:

  • No procedures for filing CTR exemptions
  • Improperly completed exemption filing form
  • Inadequate process/procedure for documenting reviews of continued eligibility

SAR – Suspicious Activity Reports

Suspicious activity reports are the cornerstone of the BSA reporting system. Given the crucial information SARs provide, it is imperative that financial institutions complete them accurately and timely. Even so, we routinely saw these exceptions:

  • Misunderstanding of filing deadlines for recurring suspicious activity and the need to file continuing SARs
  • Failing to complete reports in accordance with FinCEN filing instructions, resulting in technical report errors
  • Poorly documented decisions to justify “no file” determinations

Regardless of what type of audit has been completed, financial institution management should prioritize remediation efforts for all audit exceptions, especially those of a repeat nature. Additionally, risk management should ensure that internal or external audits are routinely conducted and should consider performing compliance reviews when new industry enforcement actions are released. Learning from others’ mistakes is a crucial part of avoiding low hanging fruit for examiners.

We often hear comments about how thorough we are in our compliance engagements. We have a wealth of knowledge in our compliance audit team, and the best part is that we’ve all done the work and have hands-on experience with the regulations and the operational processes that implement them. Visit our website for a complete list of the compliance audit and operational review services we offer.


Authored By: Melanie Fletcher, CRCM, CAMS, CCBIA, CCBP, AAP
Contributing Author: Josh Mourning, CCBP
