Compliance Insights - March 2020

Protiviti is committed to remaining the source for insights on the latest news in compliance you’ve come to expect. While the articles in this issue were developed prior to the escalation of events regarding COVID-19, we know they may still be impacting your organisations amid the current circumstances. Seek out our upcoming April issue for analysis of the impacts on specific areas of regulatory compliance.

Using AI to Reduce Bias in Financial Services

On February 12, 2020, the House Financial Services Committee’s Task Force on Artificial Intelligence (AI) held a hearing titled “Equitable Algorithms: Examining Ways to Reduce AI Bias in Financial Services.” The hearing highlighted lawmakers’ continued concerns with AI – specifically, the use of machine learning (ML) models in credit underwriting. The issues raised included defining “fairness” and the use of biased data within ML models. The task force also discussed potential solutions to these issues. In a previous issue of Compliance Insights, we covered the formation of the task force and the concerns it raised related to model explainability and disparate impact at a hearing in May 2019.

During the February hearing, policymakers and witnesses acknowledged that competing definitions of fairness exist as it applies to ML models. Policymakers also acknowledged that they need to specify what types of fairness they want, and that applying analog fair lending laws to ML models is a difficult task. Witnesses noted that although ML models can preclude various types of unfair behaviors across a variety of applications, models cannot simultaneously apply multiple definitions of fairness. Witnesses also emphasised that policymakers must avoid bad definitions of fairness.
One example addressed is forbidding the use of race in lending decisions and hoping that doing so will prevent discrimination; however, explicitly avoiding race is not possible because proxies such as ZIP codes could be used. Furthermore, incorporating fairness constraints on a model will unfortunately make it less accurate. As a result, policymakers must decide the right balance between accuracy and fairness. The use of biased data in training ML models was another issue explored at the hearing. Witnesses testified that there is a clear link between biased outcomes and flawed training data. ML models that train on historical data may discriminate against minority groups because they are less well represented in the historical data. A possible solution to this issue is adding constraints that the model must not have significantly different false rejection rates across different racial groups. Ensuring that fairness is clearly defined and groups that need to be protected are identified are essential in applying these model constraints. In the hearing memorandum, the task force expanded on the issue of using biased data within ML. Specifically, the memo described concerns on the use of dirty, or substandard, data, described as incomplete data sets, data sets with errors, and/or data that contains historical and societal inequities. It noted that given that members of some groups have in the past been less likely to be approved for loans, historical loan data sets may be made up of non-representative samples of the population. If historical dirty data is used within an ML model to determine the likelihood of a loan being paid back, the programme could learn to rank groups historically unaffected by bias and discrimination as better candidates for loans. In addition, the memo indicated that models must be able to explain to regulators why something happened, why something else did not happen, how failure and success are defined, and how errors are corrected. 
At the hearing, policymakers recommended several solutions that institutions should consider to ensure that they are not using models that generate biased results, including benchmarking techniques, audits by third-party experts, regular self-testing and submission of the self-test results to regulators. The task force also suggested that financial institutions maintain thorough records of the data being used to train ML models. The model data, too, should be ranked in a way that explains the factors that contribute the most to model outcomes. This process, known as logging, would help explain model outcomes and biased decisions. Witnesses during the hearing also highlighted that ML models can be programmed to be fair, but policymakers and regulators first need to develop a definition for fairness.

Consumer Financial Protection Bureau Files Complaint Against Financial Institution for Alleged TILA Violations

In January, the Consumer Financial Protection Bureau (CFPB) filed a complaint against a financial institution for alleged violations of the Truth in Lending Act (TILA) and Regulation Z. The complaint alleged that the financial institution failed to properly manage and respond to consumer credit card disputes and claims of unauthorised use and did not provide credit counseling to consumers as required by Regulation Z.

When a consumer disagrees with a transaction, a payment or another item appearing on a periodic statement, Regulation Z provides a process by which the consumer can submit a dispute to the creditor. After the dispute, also known as a billing error notice, is submitted, the creditor is required to investigate the alleged error, send certain notifications to the consumer and refund any amount found in error, including any related charges arising from such error. Consumers have similar protections if they experience unauthorised use of their credit card.
The complaint alleges three primary failings on the part of the financial institution when responding to billing error notices and claims of unauthorised use between approximately 2010 and 2016. First, the CFPB alleged that the financial institution, when responding to billing error notices and claims of unauthorised use, would require consumers to file a fraud affidavit, representing, under penalty of perjury, to agree to appear as a witness in court and to testify to the facts stated in the affidavit. Where a consumer failed to comply with the affidavit requirement, the claim was, in many instances, immediately denied. Second, the bureau found that the institution consistently failed to refund all charges, including finance charges and fees, when it resolved billing error notices and claims of unauthorised use in the consumer’s favor. According to the complaint, the errors resulted from the institution incorrectly determining the period for which the consumer was owed refunded finance charges and manually miscalculating the amount of finance charges and fees that should be refunded. Third, the bureau found that the institution did not comply with the notification requirements of the regulation when it received billing error notices. Specifically, it consistently failed to provide consumers with a written acknowledgment of the claim within 30 days of receipt and often did not send each consumer a timely notice when it determined that no billing error had occurred. The CFPB found the alleged actions above to be violations of Regulation Z. The complaint alleges one additional finding unrelated to the institution’s response to billing error notices and claims of unauthorised use. It found that, in numerous instances, when consumers called the toll-free number designated for credit counseling referrals, the institution failed to provide referrals to credit counseling services. 
Card issuers are required to send periodic statements to credit card account holders containing various information as required by Section 1026.7 of Regulation Z. One piece of required information is a toll-free number at which a consumer may obtain from the card issuer information about credit counseling services.

As part of the complaint, the CFPB seeks an injunction against the institution, remediation to impacted consumers and the imposition of civil money penalties, among other actions.

This complaint reinforces the importance of having effective and strong governance processes, establishing policies and procedures, and ensuring that employees adhere to them. The CFPB expects financial institutions to maintain appropriate policies and procedures related to the investigation and resolution of consumer billing disputes and unauthorised transactions. Additionally, this complaint highlights the vulnerability around the reliance on manual processes. Financial institutions should evaluate the risk involved in relying on manual intervention and look for opportunities to automate some of these manual processes and implement appropriate controls that ensure adherence to the regulation.

Fair Lending Implications of Targeted Internet Marketing

For many years now, financial institutions and regulatory agencies have been working to apply pre-internet regulatory requirements to the realities of the digital age. While laws and regulations have slowly adapted to the online world, until recently, the primary concerns have related to the delivery of written disclosures electronically. However, as technology continues to advance, new opportunities and compliance risks are evolving and, at the same time, getting more complex. An article in the most recent edition of the Federal Reserve Board’s Consumer Compliance Outlook highlights an evolving risk pertaining to fair lending.
The article, “From Catalogs to Clicks: Fair Lending Implications of Targeted Internet Marketing,” explores the advances in targeted internet marketing and the corresponding fair lending risk that can result. It explains how advances in targeted marketing techniques have allowed online businesses to gather a wealth of information on potential customers through tools such as cross-site tracking, lead generators and e-scores. This technology allows businesses, including creditors, to compile detailed information on prospective customers such as their habits, preferences and financial patterns. While effective for marketing purposes, access to such information also presents the risk that its use could create the potential for discrimination in the form of digital steering or redlining. The article provides an example of this concern by highlighting Facebook’s March 2019 settlement with the U.S. Department of Housing and Urban Development (HUD) regarding potentially discriminatory practices. Facebook’s platform effectively allowed advertisers to show advertisements to certain users while excluding others based on sex or age, or on interests, behaviors, demographics or geography that related to or were associated with race, national origin, sex, age or family status. The HUD charges demonstrated that there is risk in relying on decision-making processes based on ML models alone without appropriate controls in place. Financial institutions that rely on targeted marketing practices can address the risks of redlining and steering by understanding how they are deploying their marketing and whether any vendors are using such marketing on their behalf. Additionally, financial institutions should take appropriate steps to ensure that they monitor the terms used for any filters, as well as any reports they receive documenting the audience(s) reached by their advertising. 
Clarified CTR Filing Instructions

In February 2020, the Financial Crimes Enforcement Network (FinCEN) issued a new administrative ruling to clarify currency transaction report (CTR) FinCEN Form 112 filing obligations when reporting transactions involving sole proprietorships and legal entities operating under a doing business as (DBA) name. The FinCEN ruling, FIN-2020-R001, is intended to help improve the CTR filing process by making it more efficient and comprehensive. The new ruling replaces and rescinds two prior rulings: FIN-2006-R003 and FIN 2008-R001, which were based on FinCEN Form 104.

The new ruling addresses filing CTRs on sole proprietorships when the sole proprietor is operating under his or her own name or under one or more DBAs. The ruling also addresses similar issues related to CTR filings for legal entities. Summarised below are the key updates to the FinCEN CTR Form 112 filing requirements.

As defined by the new ruling, a sole proprietorship is a business in which one person, operating in his or her own personal capacity, owns all the business’s assets and is responsible for all the business’s liabilities. When preparing a CTR on a sole proprietorship, a financial institution should be aware of the following key instructions:

- Within Part I, complete Items 4 through 7 and Item 17 relating to name, gender and date of birth.
- Ensure that Part I reflects the business owner’s information, when the individual owner is doing business in his or her own name.
- When the business owner is operating with a DBA name, ensure that the DBA name appears in Item 8 and that the rest of Part I (other than Items 4–6, 7 and 17, which identify the individual owner) is completed with reference to the DBA name.
- If the individual owner operates under several DBAs, a separate Part I section should be completed for each DBA involved in the transactions.
- The Cash In and Cash Out amounts and account number(s) relevant to Items 21 and 22, respectively, should be reflective of the location for the reported transaction.

A legal entity is defined as an entity (e.g., a partnership, incorporated business or limited liability company) that owns the assets of the business and is responsible for its liabilities. When preparing a CTR on a legal entity, a financial institution should be aware of the following key instructions:

- Within Part I, supply information related to the home office of the legal entity, including address, telephone number and identification number.
- Prepare a separate Part I section when more than one legal entity location is involved in an aggregated CTR.
- Ensure that the information provided in Item 21 and Item 22, “Cash In” and “Cash Out,” respectively, reflects the amount and account number(s) associated with the specific location.
- Ensure that the initial Part I section on the entity home office/headquarters reflects the total amount and all account numbers supplied in Item 21 or 22.
- Leave Item 8, “Alternate name,” blank in the entity home office Part I section when multiple DBA names are involved in the transactions.
- Complete only a single home office Part I section when the entity home office address is the same as the transaction location.

The new filing is effective April 6, 2020, and September 1, 2020, for BSA E-filing batch filers. The current FinCEN CTR electronic filing user guide is located here.

Financial institutions should ensure that all lines of defense are aware of and familiar with these updated filing requirements. Targeted training should be developed and deployed to help ensure compliance and effectiveness of meeting obligations when filing CTR Form 112.