Compliance Insights - August 2020 Download Your monthly compliance news roundup CFPB Issues Interim Final Rule to Amend Regulation X Offering Relief to Consumers In light of the ongoing COVID-19 pandemic, the Consumer Financial Protection Bureau (CFPB) has issued an interim rule permitting mortgage servicers to offer new loss mitigation options following the evaluation of an incomplete loss mitigation application. In March 2020, Congress passed the CARES Act, which required that borrowers with federally backed mortgage loans have access to payment forbearance plans. The new interim rule, which became effective July 1, 2020, creates an exception to the existing Regulation X (RESPA) requirements that would now allow loan servicers to offer loss mitigation options to borrowers affected by COVID-19, without taking a complete loss mitigation application. Download Under the new rule, servicers may accept and review incomplete applications only if the borrowers have received a forbearance payment plan due directly or indirectly to the COVID-19 pandemic, or have principal and interest payments that are due and unpaid due directly or indirectly to the COVID-19 pandemic. For borrowers to be eligible under this amendment to Regulation X, the loss mitigation option offered by a servicer must satisfy the following three conditions, which are intended to ensure that borrowers are properly protected, even without the servicer evaluation of a complete loss mitigation application: The loss mitigation option must permit the borrower to delay paying certain amounts until the mortgage loan is refinanced, the mortgaged property is sold, the term of the mortgage loan ends, or, for a mortgage insured by FHA, the mortgage insurance terminates. Any amounts that the borrower may delay paying through the loss mitigation option do not accrue interest; the servicer does not charge any fee in connection with the loss mitigation option; and the servicer waives all existing late charges, penalties, stop payment fees, or similar charges promptly upon the borrower’s acceptance of the loss mitigation option. The borrower’s acceptance of the loss mitigation offer must resolve any prior delinquency. Should a borrower accept a loss mitigation option offered that complies with the three conditions outlined above, the servicer will not be required to continue its reasonable due diligence efforts and will be exempt from sending the acknowledgement required under § 1024.41(b)(2) review of loss mitigation application submission. Summary Financial institutions impacted by this interim rule should adjust their loss mitigation procedures to account for the ability to review and accept incomplete loss mitigation applications. Servicers should also be aware of borrower and plan eligibility requirements and adjust their internal processes accordingly. Institutions aware of these requirements should make efforts to begin reviewing incomplete loss mitigation applications for applicability. With this interim final rule, the CFPB has signaled its support for payment deferral programmes and banks working with borrowers to alleviate the hardship they are experiencing as a result of COVID-19. Credit Builder Loans: Offering Consumers an Alternative Product to Establish and Build Credit To provide consumers an opportunity to establish a credit record and build a positive repayment history, financial institutions have generated new credit products such as Credit Builder Loans (CBLs). CBLs are designed to help consumers who are new to credit to establish a credit score and improve their repayment history if they have lower scores. This product would allow consumers to gain access to credit or qualify for lower interest rates. How do CBLs work? The terms of a CBL may vary across financial institutions, however, the main and central feature of the loan is the requirement that the borrower makes payments before receiving the loan funds. These loans are typically in the amounts of $300 to $1,000, divided in installments of 6 months to 24 months. Interest rate and fees will vary depending on the financial institution and the amount of the loan. For example, for a CBL in the amount of $600, the lender moves $600 of its own funds into a locked savings account. The borrower is then required to make 12 monthly payments of $50 plus interest and any applicable fees (generally about $4 per month). After each payment of $50, the lender releases $50 to the borrower’s regular savings account. The lender reports the borrower’s repayment history, as positive (<30 days late) or negative (>=30 days late), as a standard installment to the major credit reporting companies: Experian, Equifax, and TransUnion. Recently, the CFPB conducted a study to determine the real impact of CBLs on consumers’ credit score and help both consumers and financial institutions decide which products are most suitable for individual consumers. According to the study, consumers who participated in the study without a credit score or those with no existing debt found CBLs beneficial. These participants were significantly more likely to have a credit score established or have their credit score improved by the end of the study. Participants who joined the study with existing debt or credit score had a lower likelihood of increasing their credit score using a CBL. Key findings from the CFPB study and the overall impact that CBLs had on consumers’ credit are highlighted in the table below. Outcome Results Likelihood of having a credit score For participants without existing loans, opening a CBL increased their likelihood of having a credit score by 24%. Almost all participants with existing debt already had a credit score, therefore, the CBL had a minimal effect on their likelihood of having a score. Credit score Participants without existing debt saw their credit scores increase by 60 points compared to participants with existing debt. Per the study, the CBL appeared to cause a decrease in scores for participants with existing debt. Late payments on the CBL 39% of participants who opened a CBL made at least one late CBL payment. Late payments on non-CBL loans The CBL is associated with increases in late payments on non-CBL loans, particularly for those who entered the study with existing loans. Savings balances Average savings increased by $253, but this finding is less conclusive than other studies. Source: Targeting Credit Builder Loans; CFPB The CFPB study reported that of the approximately 26 million participants examined, one out of 10 lack a credit record and are “credit invisible,” meaning, the participants lack a credit score and have no credit record with the credit reporting agencies. Another 19 million participants have a credit record, but no established credit score because their credit history is too new or out-of-date. Without an established credit score, consumers may find it difficult to access credit or obtain favorable loan terms, such as a low interest rate. The CBLs’ structure, terms and conditions limit the risk to lenders as the loan is fully secured by the customer prepaying the loan amount. Consumers are protected from a cycle of debt as these loans will not result in an outstanding balance. However, failure to repay CBLs on time could decrease credit score, similar to any other loan reported to the credit bureau. The study results came from one single lender offering. Other results may vary based on the financial institution as each serves a unique customer base, and the structure of CBLs may differ from one institution to another. Of the 26 million participants in the study, 82% had a credit score. Among the participants with a credit score, the average credit score was 560 (below the national average just under 700). Sixty percent of the participants had an annual income under $30,000 and the majority were female. Ninety percent were African- American, the average age was 43, and one out of four had a college degree. Opportunities for Lenders, Financial Capability Practitioners and Consumers For lenders considering adding CBLs to their product and service offering, this opportunity provides an alternative to serve consumers looking to build their credit. Lenders may consider pairing this product offering with existing financial counseling services. When developing the product offering, lenders should clearly explain how CBLs function, including how to manage a CBL repayment obligation and the pros and cons of withdrawing versus saving the funds that are deposited into the borrower’s accounts after each payment. Practitioners of financial capability should counsel consumers on how CBLs can help them based on their current credit profile and build partnerships with financial institutions to provide wrap-around services such as financial and credit education to help consumers manage their existing credit obligations. Consumers without an established credit score or those with no existing debt may find CBLs beneficial. Consumers who have debt may want to consider paying down existing loans before choosing to open a CBL or other products and services to help them build credit. Conclusion The CBLs appear to be particularly beneficial for consumers who need to establish a credit history and credit score with the consumer credit bureaus. However, CBLs can be detrimental to the consumer if payments are made late. Before extending a CBL, financial institutions should explain all the terms associated with a CBL and the negative implications when CBL payments are late or not paid at all. For consumers with existing debt or looking to improve their credit score, the CBLs did not prove to have a positive impact on their overall credit score. With the help and guidance of a financial institution, these consumers may want to pursue other ways to improve their credit history and credit score. What to Expect from the CFPB Semi-Annual Report and Interagency Examiner Guidance In July 2020, the Consumer Financial Protection Bureau (CFPB) released its Semi-Annual Report to Congress for the period beginning September 30, 2019 and ending March 31, 2020. The report covers all major activities undertaken by the CFPB during the period and highlights upcoming initiatives. The release of the Semi-Annual Report provides an opportunity for compliance officers to review the significant rule changes during the period, reflect on their organisation’s risk monitoring programmes, and prepare for anticipated regulatory changes. According to the report, the CFPB will engage in several rulemaking to implement directives mandated in the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA), the Dodd-Frank Act, and other statutes. Details can be found on the Agency Rule List, which was released as part of the Spring 2020 Unified Agenda of Federal Regulatory and Deregulatory Actions. These rules are the regulatory matters that the CFPB anticipates having under consideration during the period from May 1, 2020, to April 30, 2021. The Unified Agenda also contains additional details on the Bureau’s Long-Term Actions List, which include consumer access to financial records, abusive acts and practices, and artificial intelligence, to name a few. Given the Unified Agenda planning process began months before publication in the Federal Register, the goals do not necessarily consider the COVID-19 pandemic. The CFPB states that it will continue to provide timely content and updates to help consumers protect and manage their finances during the coronavirus pandemic in addition to pursuing other regulatory work. The report includes a list of COVID-19 related guidance that has been issued and provides links to statements, interpretive rules, and FAQs published by the CFPB during the period. The report is a useful resource for compliance teams to reference to ensure that their processes have been adjusted for the relevant regulatory changes. This COVID-19 related guidance should be reviewed in parallel with the Interagency Examiner Guidance that was issued in June of 2020 by the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and the Federal Reserve Board (FRB). In this guidance, the agencies state that examiners will continue to assess institutions in accordance with existing agency policies and procedures and may provide supervisory feedback or downgrade an institution’s composite or component ratings when conditions deteriorate. The agencies acknowledge that numerous statements related to supervisory policy have been issued since the declaration of the national emergency and that appropriate actions taken by institutions in good faith reliance and within applicable timeframes described in such statements may not be subject to supervisory action. When assigning the composite and component ratings, examiners will review management’s assessment of risk presented by the pandemic considering the institution’s size, complexity, and risk profile. The agencies will focus on whether an institution’s management has appropriately planned for financial resiliency and continuity of operations, implemented prudent policies, and is pursuing a realistic resolution for any issues confronting the institution. Operational risk and audit were highlighted as main factors for rating management and institutions will be assessed on their risk identification and reporting processes given the level of information available. The agencies identify increasing fraud and cyber threats resulting from rapid changes in operational processes as a risk. Examiners will be reviewing the steps management has taken to assess and implement effective controls for new and modified operational processes. Examiners will also evaluate how management has assessed institutions’ third party (vendor management) performance and controls. Holistically, examiners will review an institution’s performance capabilities post crisis. In addition, examiners will consider the impacts on the control environment from instances of imprudent cost cutting and insufficient staffing. Audit monitoring of programmes that support consumers and businesses, like PPP, mortgage deferrals, loan forbearance, and other new programmes, will also be reviewed by examiners to ensure that any credit, legal, and compliance risks are properly managed. Conclusion Issues confronting financial institutions are complex, evolving and may involve protracted resolution due to the pandemic. While examiners are expected to be mindful that the localised impact of the pandemic may be materially different from regional or national impacts, there is the potential for rating downgrades and enforcement actions if risks related to COVID-19 are not properly managed. Institutions should ensure they have robust policies and procedures in place for any operational changes resulting from the pandemic. In addition, it is critical that financial institutions have agile risk reporting that management regularly reviews, assesses, and updates as conditions change. Lastly, financial institutions should demonstrate that their internal controls and audit monitoring are operating effectively throughout the pandemic. Know Your Customer: It’s All About Risk In early 2017, Protiviti published a white paper entitled Remediate Risk, Not Files. Primarily authored by my colleague Matt Taylor, the paper proffered that one of the main reasons financial institutions have found themselves caught in an endless cycle of Know Your Customer (KYC) remediation is that their remediation efforts are focused on papering the file and not truly assessing the risk.Two recent issuances, one an update to the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence FAQs and the other a publication by The Wolfsberg Group (Wolfsberg) on Source of Wealth/Source of Funds of Private Banking Clients, reinforce the importance of developing and implementing risk-based KYC standards. The FinCEN update focuses on answering questions about information that should be gathered at account opening, requirements for risk rating customers, and KYC file refresh. Specifically, the questions are: Q1: Is it a requirement under the CDD Rule that covered financial institutions: collect information about expected activity on all customers at account opening, or on an ongoing or periodic basis; conduct media searches or screening for news articles on all customers or other related parties, such as beneficial owners, either at account opening, or on an ongoing or periodic basis; or collect information that identifies underlying transacting parties when a financial institution offers correspondent banking or omnibus accounts to other financial institutions (i.e., a customer’s customer)? Q2: Is it a requirement under the CDD Rule that covered financial institutions: use a specific method or categorisation to risk rate customers; or automatically categorise as “high risk” products and customer types that are identified in government publications as having characteristics that could potentially expose the institution to risks? Q3: Is it a requirement under the CDD Rule that financial institutions update customer information on a specific schedule? The answer to all three questions is: no requirement, it depends on the risk. To some institutions, FinCEN’s responses to these questions may provide welcome flexibility for how they manage each of these phases of KYC. To others that may prefer more prescriptive guidance, the responses introduce added uncertainty. Whichever the reaction, however, financial institutions have the undeniable responsibility to identify risk accurately and fully. While AML risk assessment methodologies have advanced significantly from the early days when geography was the major, if not only, determinant of risk, many institutions still struggle with developing sustainable risk assessment processes that appropriately balance quantitative and qualitative considerations and are dynamic enough to address rapidly evolving innovation and changing world events. Also structured as FAQs, The Wolfsberg Group publication focuses on the relevance of source of wealth (SOW) and source of funds (SOF) checks to the assessment of customer risk. The following are among the key points included in the responses: The due diligence process, when it includes SoW, involves the collection of relevant information and may include corroboration. This should not be seen as a documentary exercise and consideration should be given as to whether the customer’s SoW appears legitimate and the collected information is plausible (i.e. the information provided by the customer is reasonable) with regards to the customer’s overall wealth and other information that has been collected about the customer. SoF may relate closely to the purpose of the account and, in accordance with its risk-based approach, the FI should understand both the origin of initial deposits and, where other risk factors may be present, inquire about subsequent funding. SoF information may also be helpful for monitoring and reviewing of account activities. Consistent with Protiviti’s whitepaper, the message here is that performing customer due diligence is not a documentary exercise and should be based on reasoned assessment of the risks. The Wolfsberg paper even goes on to suggest that in certain circumstances it may be necessary to use experts who understand the unique risks of certain markets/segments and any specific considerations that may apply. The questions that AML Compliance Officers and their senior management should be asking as they consider these two publications are: Are we confident that we have the expertise in-house to assess all our AML risks? If not, what is our plan to address any gaps? Is our risk assessment methodology, and documentation of the results, reliable and defensible so that we can support our risk-based decisions? Is our risk assessment methodology applied accurately and consistently across the enterprise? Does our methodology or execution thereof result in excessive overrides or exceptions, suggesting either that the methodology is poor designed or that some people may be gaming the system which, in turn, distorts the risk profile? Has our risk assessment methodology stood the test of time or are we frequently surprised to find we have taken on risks we did not anticipate? How are we enriching our risk assessment methodology and improving our execution? Are we keeping pace with competitors that are deploying advanced digital capabilities to assess and manage risk? If we do have gaps in data or process, what is our plan for addressing these efficiently and effectively? Getting customer risk right up front and recognising promptly when the risk has changed are foundational to an effective AML compliance programme. Topics Risk Management and Regulatory Compliance Industries Financial Services