March 2017 Newsletters
FFIEC Streamlined Call Report Webinar: A Brief Review
Banks and Cyberwarfare: FinCEN’s Guidance on Cyberattacks and Reporting
If you’re looking to see what regulators are going to look for next, complaints are a good place to start. The February complaint report from the CFPB spotlights credit reporting complaints, so it may be a good time to review your FCRA policies and procedures.
The three big credit reporting agencies - Equifax, TransUnion, and Experian - have consistently topped the charts for complaints received from consumers at the CFPB. Only one financial institution, Wells Fargo, beat the credit bureaus out in the number of complaints received, likely due to a number of recent scandals at the company. To be fair, the credit bureaus are used by just about every financial institution in the country. The CRAs, by far, handle more consumer information than any other financial institution.
Incorrect information on credit reports was the number one complaint levied on the reporting agencies. Complaints related to incorrect information account for 76% of the total credit reporting complaints. Complaints related to credit reporting company investigation came in a distant second at 9%, followed by an inability to obtain a report or score, improper use of a credit report, and credit monitoring or ID protection.
Some of the more specific complaints include:
- Difficult process for disputing information.
- Consumer reporting agencies attempting to refer consumers to the data furnisher first (i.e. the creditor) instead of trying to address the complaint directly.
- Process for removing information due to ID theft was too complicated.
- Incorrect information such as false addresses and unrecognized names appearing on the consumer’s credit report – reports often include information from people with similar names or other family members.
- Complaints of unauthorized requests for credit information.
- Transparency of “factors” in credit reporting.
- Reporting accounts in bankruptcy.
As these complaints on CRAs continue to pour in, it is expected that regulators will continue putting pressure on the CRAs to fix their problems. This will inevitably roll downhill with the CRAs putting more pressure on furnishers, including financial institutions, to improve on the accuracy of the information provided. Now is a good time to go back and review how your bank handles credit information.
What can you do to get ahead of the ball?
Go over your current policies and procedures. Your bank may have grown in size, complexity, and the services you offer over the last few years. If your policies, procedures and controls haven’t kept up, then it is time to review and revamp them.
Next, look at how your bank verifies and furnishes information. Review any complaints, either direct or through a CRA, about the accuracy of information provided to the bureaus. Complaints are the best way to identify which areas need attention, and also one of the first areas where examiners will probe.
Additionally, you should also go back and check when your bank pulls credit reports, and who pulls them. The FCRA provides specific permissible purposes of when a creditor can pull a consumer report, the most common for financial institutions being: written consent, in connection with a credit transaction (i.e. an application for credit), employment purposes, in connection with buying or selling a loan to or from an investor, or to “review” a current account.
As noted above, many of the complaints received by the CFPB were in regards to creditors pulling credit without authorization. Transparency is a best practice here. Even if you have a legitimate reason to pull credit without consent, such as a credit application, best practice would dictate that you be upfront with the customer and let them know that you are pulling credit on them to avoid surprises.
On a positive note, the CFPB did mention that Equifax, TransUnion and Experian all provided timely responses to complaints and inquiries. Your bank should endeavor to do the same, though many banks are finding certain consumers are abusing the complaint process, often utilizing an attorney or “debt relief” service that sends out robo-complaints like clockwork. Unfortunately, there isn’t much a bank can do with these sorts of complaints other than to respond to each and every duplicative and frivolous claim.
The FCRA has now been around for decades and all of the requirements and complaints should be familiar. The difference now is that consumers have a direct line to the CFPB to launch complaints. Unfortunately it isn’t clear how or if the CFPB actually vets these complaints. Many of the complaints are no doubt legitimate, however it is difficult to determine how many complaints are actually true. The CFPB does little to investigate the veracity of such claims. Indeed, a consumer who’s denied a loan is more likely to take their frustration out on creditors than a happy customer. Perhaps the CFPB should solicit remarks from satisfied customers as well, that way the industry would at least know what it was doing well.
On December 30, 2016, the Federal Financial Institutions Examination Council (FFIEC) announced a new “streamlined” call report — the FFIEC 051 Call Report — in an effort to reduce the reporting burden on certain small institutions. Those “eligible small institutions” are generally banks that only have domestic offices and total assets of less than $1 billion.
On Wednesday of last week, the FFIEC conducted a webinar to introduce the new 051 Call Report and how it differs from the existing 041 Call Report. Most importantly, the webinar featured a live question and answer session to address many concerns.
One of the first points of clarification was that although the FFIEC 051 is set to be effective on March 31, 2017, the Office of Management and Budget (OMB) technically must approve the revisions before they can actually be implemented. One participant asked whether banks and their vendors should proceed with making programming and operational changes prior to final approval. While the FFIEC recognized that the OMB tends to wait “until the last minute” to approve, it also pointed out that the OMB has not declined to approve changes like this in decades and generally advised that banks operate under the assumption that the new call report will be approved.
The FFIEC also clarified that even if a bank is allowed to file the 051, it is never required to do so. In fact, a bank may choose to file the 051 one year, and then switch back to the 041 the next year. The speaker did note that the filings should at least remain consistent within any given reporting year, so if the 051 were chosen for March 2018, for example, the bank wouldn’t be able to switch back to the 041 until March 2019.
The exception to this rule, however, is during the initial implementation year — 2017. Institutions are allowed to continue filing the 041 if their systems have not yet been adapted to the new changes, but may then switch to the 051 as of June 30, 2017, or in a subsequent quarter of 2017.
Banks that may want to consider not switching to the more streamlined 051 are those who are approaching the $1 billion mark within the next year or two. Although the 051 will likely eventually be less burdensome, the hassle of readapting to a new call report only to have to switch back to the 041 in a year could prove to be inefficient.
The FFIEC also offered that it is planning to create a table that would show the relationship between the FFIEC 041 and FFIEC 051 by comparing what has stayed the same, what has been eliminated and what has changed. The speaker also confirmed that although many line items will be deleted or changed, the line numbers themselves would not be changing, which is intended to cut down on the learning curve a bit.
The recording of the webinar has yet to be published, but the presentation materials can be found here. Slides 23 and 24 list various valuable resources and the whole webinar is worth listening to once it has been uploaded to the FFIEC’s website.
By Elizabeth K. Madlem, Associate General Counsel
Cyberattacks – despite sounding like a concept out of a science fiction novel – have become a growing battleground with far-reaching security and privacy implications.
Ransomware attacks, high-stakes wire transfer fraud and other incidents are constant threats with damaging results to banks. No longer wanting to be victims, banks have begun to take proactive steps to get ahead of a cyber breach before it happens and the practice of thinking like a criminal is now more common within a bank’s IT and risk departments. In many financial institutions, management has specifically-formulated plans and assigned responsibilities, implemented chains of command, developed policies and procedures, and allocated adequate resources to perform the monitoring for cyber security. These tools ensure the bank is better prepared for a cyber-attack. Being proactive in cyberwarfare better protects customers as well as the bank.
Last October, FinCEN issued an advisory to financial institutions on cyber events and cyber-enabled crime. Cybercriminals are targeting financial systems with more force, attempting to defraud these institutions as well as their customers. Advisory FIN-2016-A005 attempts to aid financial institutions in understanding their Bank Secrecy Act (BSA) reporting obligations of cyber events and cyber-enabled crime. Though the advisory does not change existing regulatory expectations, it does provide insight into several areas:
- Guidance is now provided on how to file a SAR to report cyber events, including the proper completion of SARs as well as examples of potential events that would lead to SAR reporting;
- Communication and collaboration are key components to defeating a cyber threat – BSA, fraud prevention, cybersecurity and other areas of an institution must work together to conduct a more comprehensive threat assessment to identify, report and mitigate cyber-events; and
- Lastly, to aid in communication, FinCEN is seeking to promote information sharing between financial institutions and the safe harbor under Section 314(b) of the USA PATRIOT Act.
SAR reporting of cyber events is mandatory – the FinCEN Advisory does provide several non-exclusive examples of this type of cause of action. First, if a cybercriminal gains access to a bank’s systems and information through malware intrusion, the bank must determine the amount implicated (with $5,000 in funds or assets being the minimum), and denote all relevant SAR information of the suspicious activity. Additionally, even if the amount did not meet the $5,000 required minimum to trigger a mandatory cyber-reporting event, FinCEN is adamant that voluntary reporting will play a crucial role in preempting an attack. FinCEN is seeking an active commitment from financial institutions to voluntarily provide SAR reporting, as well as work closely with BSA/AML and cybersecurity units, on top of sharing with other financial institutions.
For further information regarding Advisory FIN-2016-A005 and its Frequently Asked Questions, please refer to the following hyperlinks: FinCEN Advisory and FAQs.