The Online Compliance Consulting Dashboard has been enhanced!

Visit compliance.smslp.com for more information.

Featured Content

New Observations in UDAAP

As our readers are aware, even if you comply with the myriad of compliance regulations and provisions that apply to our day-to-day activities, an institution can still run afoul when it comes to Unfair, Deceptive, and Abusive Acts and Practices (UDAAP).

Because of that, it is very important to remain continually aware of what the UDAAP “hot spots” are. To that end, the CFPB’s recently-issued “Supervisory Highlights” covers a lot of ground.

The latest issue of Supervisory Highlights reports on CFPB findings of UDAAP across a wide array of consumer financial product lines.

What UDAAP Issues are the CFPB Finding?

In keeping up with this topic, institutions should be aware of the following areas and findings as reported by the CFPB:   

• Auto Loan Origination – The CFPB noted deception in advertising in instances where pictured automobiles were significantly larger, more expensive, and newer than the advertised loan offers were good for. 

• Key Takeaway – Consider representations made in your advertisements, even graphics and pictures, to ensure they are not misleading.

• Auto Loan Servicing – The CFPB noted various servicing practices that were deemed to be either unfair or abusive. This included: a) the charging of interest on options that were not actually part of the collateral, b) the discontinuation of ACH payments for the final payment made on the loan without sufficient notice, and c) the engagement of a “blanket practice of cross-collateralizing loans” that impacted the consumer from redeeming their repossessed vehicles.

• Key Takeaway – Ensure systemic settings are adjustable to support the terms of individual transactions. Review impactful terms that can get lost in the fine print and consider meaningful communication where needed. Review practices related to cross-collateralization for unfairness.

• Debt Collection – The CFPB observed deception in multiple areas of debt collection. They note that debt collectors were using deceptive representations in the collection of work-related medical debt. They also noted, as a deceptive practice, promises to reverse interest assessed on debt, when the debt collector failed to do so.

• Key Takeaway – While compliance with the Fair Debt Collection Practices Act is integral for compliance, ensure that collectors do not implement deceptive strategies in their processes.

• Deposits – In the area of deposits, the CFPB observed as unfair the assessment of both an NSF fee and a line of credit transfer fee on the same transaction. It was noted that a consumer could not avoid this substantial injury and would be contrary to the consumer’s expectations when enrolling in the line of credit program. It was noted that the institutions where this was observed believed they had safeguards in place to not assess both fees on the same transaction. 

• Key Takeaways – When implementing systemic safeguards, ensure that they are properly checked for effectiveness and will work in a variety of situations. 

• Information Technology – In the CFPB’s review of information technology controls, it was noted that institutions engaged in unfair acts or practices due to their failure to implement adequate technology controls.

• Key Takeaway - In the scope of strengthening UDAAP controls, don’t overlook this area of your institution. Consumers do not have control over an institution’s security controls and are unable to avoid injury if they are not adequate. This can include controls related to password management, number of log-in attempts, and multi-factor authentication.

• Mortgage Servicing – In the area of Mortgage Servicing, the CFPB noted two UDAAP-related issues. First, it was noted that servicers engaged in an unfair practice when they delayed processing borrower requests to enroll in loss mitigation options, based on incomplete applications. Second, the CFPB observed that servicers engaged in deception in informing consumers that they would evaluate a loss mitigation application, but then proceeded with foreclosure without completing the evaluation. 

• Key Takeaway – Servicers should review loss mitigation practices related to the processing and evaluation of applications to ensure that consumer communications do not misrepresent the process or result in unfair delays.

Institutions that participate in payday and small-dollar lending will want to review the CFPB’s Supervisory Highlights for other UDAAP-related observations.

What Else Does the Supervisory Highlights Say?

As the CFPB’s report covers observations from their supervisory activities, the contents also include findings related to compliance with Federal consumer financial law that goes beyond UDAAP. It also covers recent developments in the CFPB’s supervision program as well as a recap of recent remedial actions.

Interested persons are encouraged to review the Supervisory Highlights - Summer 2023 in its entirety for additional details. 

FinCEN Update - Growing Concerns on Tax Evasion

In a recent issuance, FinCEN details increasing concerns related to tax evasion and workers’ compensation insurance fraud in the residential and commercial real estate construction sector.

These fraudulent schemes result in the loss of hundreds of millions of dollars to state and federal tax authorities. These activities are often carried out by networks of individuals and shell companies, using banks and check cashers. Besides the loss of tax revenue, these schemes can also have a devastating impact on the local and national construction job market.

What Does This Look Like?

FinCEN describes these schemes as being perpetuated through shell companies that have been set up to allow certain construction contractors to avoid paying workers’ compensation premiums as well as payroll taxes. The shell company takes out a “minimal workers’ compensation” policy and rents or sells that policy to other contractors that employ a much larger number of workers than the policy is designed to cover, thereby committing insurance fraud. Also, the shell company facilitates tax fraud because the contractors use the shell company to pay their workers “off the books.”

A FinCEN graphic reflects a typical representation of the establishment of a shell company, followed by compensation fraud, as follows:

Financial institutions should be aware of various red flags that can serve as indicators for this type of fraud, such as:

• The customer is a new (i.e., less than two years old) small construction company specializing in one type of construction trade (e.g., framing, drywall, stucco, masonry, painting, etc.) with minimal to no online presence and has indicators of being a shell company for illicit activity.

• Large volumes of checks for under $1,000 are drawn on the company’s bank account and made payable to separate individuals (i.e., the workers), which are subsequently negotiated for cash by the payee.

BSA Officers, related staff, and other interested parties should review FinCEN’s Notice in its entirety, making note of all red flags and SAR filing instructions. The Notice may be found here. 

Credit Unions...The Time Has Arrived!

The NCUA final rule, to implement cyber incident notification requirements, becomes effective on September 1^st.   

Under that rule, federally insured credit unions must provide notification to the NCUA, within 72 hours, after it reasonably believes that a reportable cyber incident has occurred. 

A new resource focused on these notification requirements is now available. Earlier this month, the NCUA issued 23-CU-07 that provides summary information, along with a notification framework. Implementation guidelines were also provided that touch on:

• updating your incident response plan,
• reviewing service provider contracts,
• training employees,
• monitoring and reviewing your reporting process, and
• documenting incidents.

All federally insured credit unions should ensure a framework for adhering to these newly effective requirements is in place and ready for use. Interested parties may find the NCUA’s published final rule here. Also of interest is the NCUA’s 23-CU-07 and their Cyber Incident Reporting Quick Reference Guide.

What's New in the BSA/AML Exam Manual?

Just in case you missed it…earlier this month, the FFIEC announced some updates to the BSA/AML examination manual. The updates are not to be considered as new instructions, but offer greater transparency.  

Updates include the following:

• REVISED Section: Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity Updated and retitled the previous Information Sharing section to align with the regulations at 31 CFR 1010.520 and 31 CFR 1010.540.

• REVISED Section: Due Diligence Programs for Correspondent Accounts for Foreign Financial Institutions Updated and combined the previous Foreign Correspondent Account Recordkeeping, Reporting and Due Diligence section and Correspondent Accounts (Foreign) sections and retitled to align with the regulation at 31 CFR 1010.610.

• REVISED Section: Due Diligence Programs for Private Banking Accounts Updated and combined the previous Private Banking Due Diligence Program (Non-US Persons) and Private Banking sections and retitled to align with the regulation at 31 CFR 1010.620.

• NEW Section: Prohibition on Correspondent Accounts for Foreign Shell Banks; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process Created a new stand-alone section from the previous Foreign Correspondent Account Recordkeeping, Reporting, and Due Diligence section and titled it to align with the regulation at 31 CFR 1010.630.

• NEW Section: Summons or Subpoena of Foreign Bank Records; Termination of Correspondent Relationship; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process Created a new stand-alone section from the previous Foreign Correspondent Account Recordkeeping, Reporting, and Due Diligence section and titled it to align with the regulation at 31 CFR 1010.670.

• NEW Section: Reporting Obligations on Foreign Bank Relationships with Iranian-Linked Financial Institutions Created new stand-alone section from the existing Foreign Correspondent Account Recordkeeping, Reporting, and Due Diligence section and titled it to align with the regulation at 31 CFR 1060.300.

While links to the updated sections are included in the bullet list above, interested persons may find the FFIEC announcement here.