KNOWLEDGE.CLARITY.

RELIABILITY.

NEWSLETTERMay 2016

Why Are We Still Talking about Regulation AA?: UDAAP & the Repeal of Regulation AA

by: Silvia Garcia Maggio, Associate General Counsel

1www.compliancealliance.com

IN THIS

ISSUE

• Feature Article ...............................1

• Regulation AA Puzzle .....................3

• Secuirty Checkpoint ......................4

• Regulatory Updates ......................5

• Directors Article ............................7

• Compliance Hotline ................... 10

Facebook “f ” Logo CMYK / .eps Facebook “f ” Logo CMYK / .eps

On February 11, 2016 the Federal Reserve Board repealed Regulation AA (12 CFR 227), aka the Credit Practices Act, two years after the proposal to repeal was published. Up until that point, a popular question on Compliance Alliance’s hotline was, “Why are we still talking about Regulation AA?!” and the answer was simply that the regulation had not been repealed and replaced. Now that the regulation has been repealed, we have the repeal but there’s been nothing to replace it. So, the age UDAAP is over, right? Not at all - the agencies have made it clear that they intend to enforce UDAAP standards during exams. As such, ensuring that the bank does not engage in unfair, deceptive and/or abusive acts and practices per the available guidance is still imper-ative. The only practical effect of the repeal is the FRB is handing over authority of unfair and deceptive acts to the CFPB, as required by the

Dodd Frank Act. However, since the CFPB has not created a new regulation to replace Regulation AA, we’re going to have to look at what sources we have to look at in order to get our standard.

Dodd Frank Act §§ 1031 & 1036 First and foremost, the rulemaking authority to prohibit against unfair, deceptive or abuse actions or practices and the two main definitions for UDAAP comes directly from the Dodd-Frank Act. §1031 defines both “Unfairness” and “Deceptive”. Unfairness is defined as “…(A) the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers; and (B) such substantial injury is not outweighed by countervailing benefits to consumers or to competition.” con’t on pg 2.

UPCOMING EVENTS

2www.compliancealliance.com

Why Are We Still Talking About Regulation AA? (cont.)

“Abusive” is defined as an act that “…(1) materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) takes unreason-able advantage of— (A) a lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; (B) the inability of the consumer to protect the interests of the consumer in selecting or using a consumer financial product or service; or (C) the reasonable reliance by the consumer on a covered person to act in the interests of the consumer.” That being said, both sections referred to in the Dodd-Frank Act as establishing UDAAP authority are relatively short and don’t have actual requirements for banks. At which point, we’re re-quired to look at other types of regulatory sources.

2014 Interagency Guidance Regarding Unfair and Deceptive PracticesIt’s imperative to realize that the regulators have been aware that this repeal was coming and prepared accordingly. As such, the interagency guidance from August 22, 2014 made it clear that the agencies have supervisory and enforcement authority regarding the unfair or deceptive acts regardless of the transfer of regulatory authority to the CFPB. In that guidance, the agencies specifically reference Regulation AA and the fact that they have regulatory authority to enforce THOSE standards. That clearly indicates that when we’re going through and updating our policies, procedures, standards and training, we shouldn’t just be removing the references to the Credit Practices Act, but rather it would be prudent to update bank documentation to show that the bank understands that authority still exists and that the bank intends to comply with the guidance and definitions that we have available to us until there is updated guidance and/or a new regulation. This includes a commitment to not engage in or include: 1) unfair credit provisions; 2) unfair or deceptive practices involving cosigners; and 3) unfair late charges.

FTC Section 5 As the Interagency Guidance is fairly limited to the fact that the regulators still have the ability to enforce, we have to get our definitions from somewhere. First, of course, the Dodd-Frank Act

and repealed Regulation AA provide us with definitions, but also notice that FTC Section 5 is referenced in the Interagency Guidance, the CFPB Exam Manual and repealed Regulation AA. It’s important to note that while the FTC does not have enforcement authority over banks; the dis-cussion of Unfair and Deceptive Acts and Practic-es originates from that Act so understanding the definitions from that Act will allow banks to have a more comprehensive understanding of the UDAAP prohibitions. The FTC is also a good reference for violation examples as there are good examples of how advertisements can violate UDAAP standards.

CFPB Exam Manual Another good resource is the CFPB UDAAP Examination Manual. While the CFPB has regular examination authority over larger entities, this is a still a good reference for UDAAP definitions and also examples of violations that the CFPB has cultivated over the years. The examples are helpful in determining what practices are likely to viewed as an unfair, deceptive or abusive acts or practices since the CFPB gives examples of each type of violation and a non-exhaustive list of common violations. This is also useful in pinpointing the overlap between other consumer regulations and UDAAP. Being, at the very least, familiar with this exam manual allows for a broader source for employee training and understanding.

The big picture is that UDAAP is still very present and a very real compliance consideration. Lenders should ensure that they have a clear understanding of pertinent definitions and also, should document what source their definitions and policies are coming from even if that’s just including language that shows the lender is aware Regulation AA has been repealed but will continue to adhere to those standards until there is a new regulation. It’s important to remember that UDAAP violations often overlap violations of other consumer regula-tions so a clear policy related to UDAAP standards will also assist with understanding how violations can cause a multitude of issues and are not, for example, just Regulation Z issues. As there has been some confusion about what comes next for UDAAP, employee training and updated procedures will help to fill in the gap between the repeal and when/if the CFPB replaces it with a new regulation.

• ABUSE• AUTHORITY• COMPLIANCE• CREDIT• DECEPTIVE• PRACTICES

• REGULATION• REPEAL• UDAAP• UNFAIR• VIOLATION

Find the following words hidden throughout the puzzle. Words are hidden vertically, horizontally, forwards, backwards, and diagonally. Answers are located on pg. 6. Good luck!

3www.compliancealliance.com

REGULATION AA PUZZLE

SECURITY CHECKPOINT

By: Aaron Boyd, FederalTimes.com

The House Committee on Science, Space and Technology is asking the Federal Deposit Insurance Corporation for a host of documents around a major data breach in October as part of a Congressional investigation, according to a letter Committee Chairman Lamar Smith, R-Texas, sent to FDIC Chair-man Martin Gruenberg, obtained by Federal Times.

The letter — dated April 20 — relates to an October incident in which a former employee walked out with thousands of sensitive records stored on a thumb drive, including at least 10,000 Social Security numbers. The FDIC didn’t recover the data until December and failed to report the breach to Congress for almost four months, all while the CIO and inspector general battled over whether the leakage constituted a “major” incident.

Federal Times first broke this story on April 20, citing an internal IG memo detailing the incident and the ensuing deliberation.

FDIC officials reported a similar breach to Congress in February — in which a former employee left with thousands of sensitive records that were returned days later — however the Committee is particularly interested in this breach because of how long the files were outside government networks.

“Given the severity of the breach — compromising over 10,000 individuals’ sensitive information — the nearly two-month time frame the FDIC required to recover the device raises serious questions about the FDIC’s cybersecurity posture and preparedness to appropriately minimize damage in the aftermath of a breach,” the letter reads.

Furthermore, Smith said the Committee is concerned about FDIC’s failure to promptly report

the breach to Congress, as required by law.

“The FDIC’s apparent hesitation to inform Congress of the security incident not only raises concerns about the agency’s willingness to be transparent and forthcoming with Congress but raises further ques-tions about whether additional information stored in FDIC systems has been compromised without being brought to the attention of Congress,” he wrote.

In fact, FDIC officials told Committee staff during an April 21 briefing there are “additional ‘major breaches’” that have yet to be reported, a Committee aide told Federal Times. During that meeting, officials told Committee staff they plan to retroactively report any outstanding breaches.

“The FDIC waited over four months to report a ma-jor security breach that left more than 10,000 cus-tomers’ personally identifiable information exposed,” the aide said. “Even more concerning is that the FDIC has apparently withheld reporting additional major breaches to Congress.”

The letter asks for detailed documentation on four specific topics:

• All documents and communications referring to relating to the October 2015 security incident, including all communications with FDIC OIG.

• A detailed description of the position, grade and duty location of the former FDIC employee responsible for the breach.

• A detailed description of the sensitive information copied onto the former FDIC em-ployee’s portable storage device.

• All documents and communications referring or relating to OMB memo M-16-03.

The Committee gave FDIC officials until noon on May 4 to comply.

Congress Investigating October FDIC Data Breach

4www.compliancealliance.com

5www.compliancealliance.com

REGULATORY UPDATES

CFPB Credit Card Agreement Submission Deadline

The Truth in Lending Act (TILA) and Regulation Z (12 CFR 1026) require credit card issuers to submit their currently-offered credit card agree-ments to the Consumer Financial Protection Bureau (Bureau), to be posted on the Bureau’s website. In April 2015, the Bureau suspended that submission obligation for a period of one year. That suspension has expired, and the next submission is due from issuers on May 2, 2016.

Comment Period: Covered Broker-Dealer Provisions Under Title II

The Agencies, in accordance with section 205(h) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), are jointly proposing a rule to implement provisions applicable to the orderly liquidation of covered brokers and dealers under Title II of the Dodd-Frank Act (“Title II”). The comment period closes Monday, May 2nd. Click here for more information.

Comment Period: Agency Information Collection Activities In accordance with the Paperwork Reduction Act of 1995 (PRA), the Consumer Financial Pro-

tection Bureau (Bureau) is requesting to renew the Office of Management and Budget (OMB) approval for an existing information collection titled, ‘‘Generic Information Collection Plan for Qualitative Consumer Education and Engage-ment Information Collections.’ The deadline for submissions is Monday, May 9th.

Click here for more information.

Comment Period: FinCEN - Ammendment to the BSA Regulations - Reports of Foreign Financial Accounts

FinCEN, a bureau of the Department of the Treasury (“Treasury”), is proposing to revise the regulations implementing the Bank Secrecy Act (“BSA”) regarding Reports of Foreign Bank and Financial Accounts (“FBAR”). The proposed rule would expand and clarify the exemptions for certain U.S. persons with signature or other authority over foreign financial accounts. In addition, the proposed rule would remove the special rules permitting limited account infor-mation to be reported when a U.S. person has financial interest in or signature authority over 25 or more foreign financial accounts. The proposed rule would also make several other changes, including a change to the filing date for FBAR reports due in 2017 and a revision to reflect electronic filing of FBARs. The comment period closes Monday, May 9th.

Click here for more information.

Comment Period: Economic Growth and Regulatory Paperword Reduction Act of 1996 As part of its review under the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA), the Office of the Comptroller of the Currency (OCC) issued on March 14, 2016, a notice of proposed rulemaking that would re-move outdated or otherwise unnecessary provi-sions in certain rules to reduce regulatory burden on national banks and federal savings associa-tions (FSA). The proposed rule also integrates the OCC’s national bank and FSA rules relating to fidelity bonds, Securities Exchange Act of 1934 disclosures, securities offering disclosures, and insider and affiliate lending. While the OCC is conducting the EGRPRA review jointly with the Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve Sys-tem (the federal banking agencies), this proposal affects rules exclusive to the OCC and its super-vision of national banks and FSAs. The proposed rule has a 60-day comment period, ending on May 13, 2016.

Click here for more information.

Comment Period: Record Keeping for Timely Deposit Insurance Determination

The FDIC is seeking comment on a proposed rule that would facilitate prompt payment of FDIC-insured deposits when large insured de-pository institutions fail. The proposal would require insured depository institutions that have two million or more deposit accounts to maintain complete and accurate data on each depositor’s ownership interest by right and capacity for all of the institution’s deposit accounts, and to develop the capability to calculate the insured and unin-sured amounts for each deposit owner by own-ership right and capacity for all deposit accounts, which would be used by the FDIC to make de-posit insurance determinations in the event of the insured depository institution’s failure.

Click here for more information.

6www.compliancealliance.com

1. TRID Tolerance Matrix2. The First 24 Hours Checklist for Incident

Response3. Characteristics of a Long Request Matrix4. TILA/RESPA Integrated Disclosure

Cheatsheet 5. Cyber Security Policy6. FCRA Employment Denial Form 7. Flood Insurance Minimum Coverage

Calculation & Documentation Calculator8. Military Lending Act Summary9. Loan File Audit Checklist

TOP 10 MOST DOWNLOADED COMPLIANCE ALLIANCE TOOLS

Acceptable Use for E-Sign Internet Banking Program Cheat Sheet

10.

Regulatory Updates

Reg AA Puzzle Answers

In the prolonged consequences of the financial market meltdown, there has been an increase in litigation and regulatory investigations against banks and bank directors. Over the course of these investigations, it is becoming increasingly evident that banks can (and should) improve the way they create and maintain accurate and adequate board meeting minutes. Board meeting minutes are too often treated as an afterthought, but have taken on new significance as they are increasingly subject to enhanced scrutiny by shareholders, government regulators, auditors, potential acquirers and others.

That being said, it is important in light of the cur-rent economic and regulatory environment for the Boards of banks to re-examine best practices for minutes, which serve as the official record of board activity.

In most states, a corporation is required by law to keep a record of all meetings of its board of direc-tors. Many states also require corporations to des-ignate an officer to prepare board meeting minutes.

Maintaining proper board minutes is more than just a law requirement—board minutes serve a critical purpose. Minutes of a board meeting are consid-ered prima facie evidence of board actions. Min-utes are often scrutinized to determine whether a board fulfilled its fiduciary duties of due care and loyalty, avoided conflicts of interest, determined matters on an informed decision basis, relied on the advice of experts, or duly approved particular transactions. Because corporate shareholders typi-

cally have a legal right to access and inspect board minutes, board minutes may be used as the basis of a lawsuit or an investigation.

Shareholder litigation, such as In re Walt Disney Company Litigation and In re Netsmart Technol-ogies, Inc. Shareholders Litigation, highlights the importance of adopting minute-taking best prac-tices. In the Disney case, the Delaware Supreme Court acknowledged that effective minute-taking practices would have cut short what turned out to be drawn-out and costly litigation. In the Netsmart case, the court was critical of the defendant’s “tar-dy omnibus consideration of meeting minutes” and failure of the board to promptly review and approve meeting minutes.

In our review of regulatory administrative actions and through conversations with regulatory author-ities, we came up with a list we believe are “best practices” in preparing for and documenting board meetings. Obviously there is not a “one size fits all” approach for all financial institutions; the key is finding the right balance between too much con-tent and too little content. Minutes should not be a verbatim transcript of the meeting, proceedings or bury important actions within pages of minutes. Minutes should convey the appropriate amount of deliberation, due care and thoughtful review.

To prepare for an effective and informed Board meeting the Board should:

• Schedule regular board meetings in advance;• Aim for full board participation;

Director’s Article

Why Minutes Matter

by: Darlia Fogarty, Director of Compliance & COO

7www.compliancealliance.com

• Have the Board Secretary circulate board materials (agenda, proposed resolutions, material agreements, filings, policies and policy amendments) to board members several days in advance of each regularly scheduled meeting ;• Circulate minutes of prior meeting(s) for review and approval; and• Consider asking the bank’s legal counsel to attend your board meetings—he or she should agree to do so without charge

The objective of the minutes should be to:• Make the minutes a summary, not a transcript;• Preserve official record of proceedings, noting: date; approximate time of meeting being called to order; directors present and absent; invited guests present; determination of quorum; minutes of previous meeting approved; matters reported on; matters voted on; any privileged discussions with legal counsel; approximate time of adjournment; and the signature of the secretary of the meeting;• Achieve best possible level of detail, i. e.;

• avoid verbatim recitation;• avoid vague comments or descriptions;• always, include, the abstention or recusal of any board member who has a conflict of inter-est regarding the matter at hand; and describe votes as either “unanimous” or “passed” and note any directors who voted against or abstained, but avoid recording each director who “moved” and “seconded” items on which action is taken; and• The secretary should not be a board member or member of senior management who is presenting at the meeting (i.e. your chief financial officer should not be presenting the financial statement and taking minutes) preferably, the minute taker should be the corporate secretary.

• Discussions with legal counsel should be identified as privileged and describe only the topics covered, not the advice provided;• If you are a director who raised a material

issue as a result of a “red flag” or otherwise, you should want the minutes to reflect that these issues were raised and, if applicable, addressed by management; and• Note all breaks taken for executive sessions outside the presence of senior management.

The length of the minutes will vary, but should:• Adequately cover the actual discussions and the actual importance of the matter; and• Convey board reflection, review, and information-gathering proportional to issue significance.

The minutes should maintain:• A neutral, objective tone;• Avoid opinionated/judgmental language, editorials; and• Always use straightforward language.

It is important to remember who the audience is and who the audience “could be”, i.e.

• Shareholders;• Bank regulatory examiners/investigators;• Auditors;• Plaintiffs’ counsel; and/or• Underwriters/placement agents and their legal counsel

Housekeeping “best practices” for minutes are to remember:

• Sloppy minutes may cause an auditor or regulator to assume the bank has sloppy internal controls or a nonchalant attitude regarding compliance with internal policies.• Implement clear document retention policy as to source materials for minutes.• Generally, avoid retention of extra copies of additional materials (notes/drafts/investment bankers’ pitch books).• Notes/drafts have been held as discoverable and not protected by privilege or work- product protection.• Directors should not keep their own notes during or after meetings; the minutes as approved should be the official, and only, record of the meeting.

Why Minutes Matter cont.

8www.compliancealliance.com

The Board Secretary should: • Maintain consistency in minute writing style; and• Maintain subject-matter consistency with public disclosures: SEC reports and call reports, for example.

The Board should:• Each board member should carefully read/review minutes and raise any issues prior to final approval;• For public banks/bank holding companies, directors should carefully consider Form 8-K reporting requirements. Some decisions re-quire an 8-K filing. Discussion without a decision does not require an 8-K filing;• Ensure the Board Secretary promptly prepares the minutes, this will assist the external auditor quarterly reviews, and could protect against forgetfulness or issues that come from hastily and less thoughtfully prepared minutes;• Check your bylaws—Robert’s Rules of Order or other rules of parliamentary procedure are generally not required and not necessary for the conduct of your meetings;• Do not use written consent actions, or

phone calls to a quorum of members, in lieu of meetings to take action on significant matters; • Do not style a document “minutes” if a meeting was not duly called and held, as was reported to have occurred in the WorldCom and Enron cases; and• A bank and its parent holding company are not the same legal person, even if they share common boards of directors; to the extent practicable, maintain separate sets of min-utes. (Don’t hand plaintiffs two defendants at once.

At the end of the day, as a board member, ask yourself:“How would I feel if these minutes were printed on the front page of The Wall Street Journal?” “How would I feel answering questions of a Senate subcommittee regarding the content of my bank’s minutes?”

If the answer to both of these questions is “good,” or better yet, “great,” your job is done.

Why Minutes Matter cont.

9www.compliancealliance.com

Security Tip: Passwords are on the front lines when it comes to protecting accounts against hackers, and a strong password is one that includes both capital and lower case letters as well as numbers and special characters. Even strong passwords can be compromised so you want to be sure to use different passwords for all your accounts.

Follow us on social media! Facebook “f ” Logo CMYK / .eps Facebook “f ” Logo CMYK / .eps

QUESTION: What is the CRA Annual Public File Update due on April 1? ANSWER: Banks are required to update their CRA public file every year by April 1 pursuant to 12 CFR 228.43(e):(e) Updating. Except as otherwise provided in this section, a bank shall ensure that the infor-mation required by this section is current as of April 1 of each year.This Is What Your Bank’s Public CRA File Must Show.Your bank must maintain a public file, updated as of April 1 each year, that includes the following information:

• For the current year and two previous years, all written comments from the public about how your bank is helping meet community credit needs. The file must also include your bank’s response to these comments.• A copy of the public section of your bank’s most recent CRA performance evaluation. Your bank must place the copy in its public files within 30 business days after receiving it. If your bank received a less-than-satisfac-tory rating during its most recent examina-tion, it must include a description of efforts

to improve its performance and update that report every three months.

• A list of your bank’s current branches with their street addresses and the geographic areas they serve. The list must also show this information for any branches your bank has opened or closed during the current year and previous two years.

• A list of services—including hours of oper-ation, available loan and deposit products, and fees—offered at your bank’s branches. This list must note any significant differences in services at particular branches.

• A map of the bank’s assessment area showing its boundaries and identifying the various geographic areas within it, either on the map or in a separate list.Information on loans that are included in your bank’s review.• A copy of your bank’s strategic plan if the bank is evaluated by one • For a large bank, its CRA disclosure statement, prepared every year by its regulator. The statement contains informa-tion about small business and small farm loans and the population’s income levels for each county where the bank operates.

COMPLIANCE HOTLINE

This section features Q & A’s recived from our members

over the past month.

Questions? Contact us! (888) 353-3933 , info@compliancealliance.com

10www.compliancealliance.com

QUESTION: Do construction-permanent loans qualify for the 12-month exception from flood escrow if the construction phase is for 12 months or less?

ANSWER: No. While construction-permanent loans typically have an interest-only construction phase of around one year, the total loan term is generally 20 to 30 years. The exception from the new escrow rules requires that the total loan term be 12 months or less. Since both the construction and perma-nent phases have to be considered in the loan term, a construction-permanent loan would not qualify for the exception, even if the construction phase is for 12 months or less.

QUESTION: For loans to insiders, are we required to make the loans on condition that the bank may, at the option of the bank, make the loan due and payable at any time?

ANSWER: This is a Reg O requirement, bit it only applies to executive officers, not all insiders. While you don’t need the demand feature on loans to shareholders and directors, you will need to include the due-on-demand clause for any loan made di-rectly to an executive officer. (12 CFR 215.5)

QUESTION: I know we have the option to report HELOCs for home purchase or home improvement on the HMDA LAR. Further, HELOCs are not on the list for transactions not to be reported. So if we have an application for a HELOC that clearly states the pur-pose is to purchase another dwelling (that they will eventually move into as their primary residence and then rent the current home out), would we be okay not reporting it if we choose not to report HELOCs and are consistent?

ANSWER: Yes, absolutely. HELOCs for home pur-chase or home improvement are voluntary report-ing. So, even if the loan is secured by a dwelling for the purpose to purchase a dwelling and would oth-erwise be reported as a purchase, it’s not required

to be reported if the institution does not report any HELOCs.HMDA GIR:Home equity lines of credit (HELOCs) for home purchase or home improvement may be reported at the institution’s option. Report only the amount that is intended for home purchase or home improvement purposes. An institution that reports home equity credit line originations must alsoreport any applications that do not result in an orig-ination.

QUESTION: What is the required Patriot Act Signage?

ANSWER:While there is no specifically required language, FinCEN does provide model language for your new account desks here.IMPORTANT INFORMATION ABOUT PROCE-DURES FOR OPENING A NEW ACCOUNT — To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.

QUESTION: Question on change of product on a loan estimate. If the product changes and loan numbers are specific to product, when we re-disclose, can the loan ID # be changed on the re-disclosure? Do we have a new waiting period?

ANSWER: Unfortunately, no, the ID on the LE and CD needs to stay the same throughout the application process. The only difference can be to add a sequential number to the end of the ID to identify which LE/CD it is in the sequence. Also, because you changed the product, there will be a 3 day wait after the customer receives the new disclosure before you can consummate the loan.

COMPLIANCE HOTLINE

11www.compliancealliance.com

Convention season is well underway at Compliance Alliance. Take a look at some pictures from the conventions our staff has had an oppertunity to attend!

Keeping Up With Compliance Alliance

Oklahoma Bankers Association Convention May 2016

Maine Bankers Association Convention April 2016

12www.compliancealliance.com

Keeping Up With Compliance Alliance

Texas Bankers Association Convention; Grapevine, TX May 2016

13www.compliancealliance.com

Keeping Up With Compliance Alliance

Massachusetts Bankers Association Convention April 2016

Are you interested in having a Compliance Alliance staff member speak or exhibit at your convention? If so, contact Sam Desmond, or call (888) 353-3933 today!

Colorado Bankers Association Convention; Colorado Springs, CO May 2016

14www.compliancealliance.com