May 2016 Newsletters

Private Flood Insurance Reform Has Finally Begun

This past Thursday, the U.S. House of Representatives voted unanimously in favor of a bill that’s designed to open the floodgates, if you will, to private flood insurance in the market. The Flood Insurance Market Parity and Modernization Act (H.R. 2901) passed by a 419-0 vote and is intended to make it easier for private flood insurance policies to meet the mandatory purchase of flood insurance requirements for designated loans.
Prior to this, private flood insurance could already be obtained and, in fact, was required to be accepted if it satisfied certain criteria. Despite this, there continues to be a huge bias in favor of policies issued by the National Flood Insurance Program (NFIP) and, indeed, the government program currently underwrites the vast majority of commercial and consumer policies.
The main reason is probably that, because private insurance policies have been required to meet such stringent criteria to qualify, there has been little incentive for private competitors to enter the market. The Biggert-Waters Flood Insurance Reform Act mandated acceptance of private flood insurance policies if the policy met certain standards, which essentially amounted to being “at least as broad as” an NFIP policy.
The new bill intends to loosen these prohibitive restrictions on private flood insurance and open up the market to competition from private insurers. State insurance regulators will now be given the authority to determine the criteria for acceptable private flood insurance policies, rather than having uniform standards apply nationwide.
Another unique part of the bill is that it truly gives the borrower the freedom to shop for the best coverage—whether it be from a private insurer or from the NFIP. A borrower won’t have to choose permanently between the two providers from the outset, but rather, will be allowed to try a private flood insurance policy and then move back to an NFIP policy if it better suits her needs. Further, the borrower’s policy rate will remain grandfathered as long as she doesn’t allow coverage to lapse.  
Flood insurance will never cease to be a complex regulatory requirement and an onerous one to many. Most will agree, however, that this new bill is probably as close to a win-win-win situation as you can get. Private flood insurers will finally find it profitable enough to seriously enter the market, consumers will benefit from reduced costs as a result of increased competition, and to be honest, the debt-ridden NFIP will likely be thankful that some of its load will be lifted. There’s a host of other potential benefits that should not be overlooked either, like more comprehensive coverage and new types of insurance that hadn’t been available previously through the NFIP.
The bill will move to the Senate next, but is expected to pass given the overwhelming support it got in the House. Read more about the Flood Insurance Market Parity and Modernization Act here:

Heightened Cybersecurity Standards for Payment Data Security Introduced

On April 28, 2016, the PCI Security Standards Council announced new standards for payment data security. These will require anyone accessing cardholder information to use multiple methods of authenticating the identity of those who are able to access systems that hold said data. The PCI Data Security Standard version 3.1 is scheduled to expire on October 31, 2016 and this version, 3.2, will replace that version in an attempt to stem the ongoing threat of security breaches related to customer payment information. The PCI Security Standards Council strongly suggests beginning to follow these practices as soon as possible instead of waiting for the deadline. The hope is that these standards will help find, prevent and react to cyberattacks on payment information.  

What are multi-factor authentication standards?

The current PCI standards require a two-factor authentication process that calls for two validation methods for any one request to access a system. As PCI notes, authentication identifiers revolve around three basic points: 1) Something you know (like your password); 2) Something you have (like a card or a fob); and 3) Something you are (like a fingerprint or biometric ID). For example, when you purchase something at a store you physically have the card and, in addition, you have a PIN. Another example is when you need to create a new account or verify an existing account by entering your password, but then get a text message with a code to enter or a security question to answer. Those are examples of two-factor authentication. Multi-factor, of course, indicates that combinations of at least three or more factors are to be utilized.
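To make the factor categories concrete, here is an added example (not from the newsletter or the PCI Council) of how a system holding cardholder data might gate administrative access: a knowledge factor (password) plus a possession factor (a time-based one-time code from a device), with a policy check that counts distinct categories rather than credentials. The factor-to-category mapping, the admin record and the salt are constructed for the example.

```python
import hashlib
import hmac
import struct

# Factor categories as the PCI Council describes them (assumed mapping for this example).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",          # one-time code from a device the person holds
    "fingerprint": "inherence",
}

def factor_categories(factor_names):
    """Return the set of distinct categories covered by the given factor names."""
    return {FACTOR_CATEGORY[f] for f in factor_names if f in FACTOR_CATEGORY}

def meets_mfa_policy(factor_names):
    """Policy check: factors must span at least two distinct categories.
    A password plus a security question is two credentials but one category."""
    return len(factor_categories(factor_names)) >= 2

def totp_code(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed admin record: salted PBKDF2 password hash plus a TOTP seed.
SALT = b"constructed-salt"
ADMIN = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector seed
}

def verify_admin_access(password, otp, unix_time, record=ADMIN):
    """Grant access only if both the knowledge factor (password) and the possession
    factor (TOTP) verify; both are evaluated so a failure does not reveal which one."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000), record["pw_hash"])
    # Accept the current time step and the previous one to tolerate small clock skew.
    otp_ok = any(hmac.compare_digest(totp_code(record["totp_secret"], t), otp)
                 for t in (unix_time, unix_time - 30))
    return pw_ok and otp_ok and meets_mfa_policy({"password", "totp"})
```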

What is the PCI and do we have to follow their standards?

The PCI Security Standards Council is a global council that works to set and improve standards for payment account security. Payment account systems include card brand networks. Visa, MasterCard, Discover, JCB International and American Express were all founding members and incorporate the Data Security Standards as part of the requirements for their compliance program. It’s really important to note that these standards are discussing access to systems that have cardholder data and do not, for example, require quadruple authentication for customers to use their debit card. So, do financial institutions have to be concerned with PCI? Most likely - if your bank distributes/issues/uses those types of branded cards, it is almost certainly part of your agreement with the card brand. So whether your cybersecurity is dealt with mostly in house or by a vendor or both, it’s imperative to ensure these updated requirements are understood and complied with. It’s also crucial to note that even if the actual procedures related to accessing systems with card data are mandated or handled by a vendor, financial institutions should ensure that the standards being followed are those required by regulatory guidance and also, contractual requirements set forth by business relationships. As such, it may be time for your information systems or cybersecurity team and/or vendors to look into updating systems or policies, as needed, to move towards multi-factor authentication.

You can find more information about the new standards, the PCI Security Standards Council and Authentication standards here:

Agencies Release Guidance on Deposit Reconciliation Practices

On May 18, 2016, the FRB, CFPB, FDIC, NCUA and OCC issued guidance on regulators’ expectations regarding deposit reconciliation practices. Deposit reconciliation relates to discrepancies between what a customer indicates they are depositing versus the actual check amount. These issues can be customer-based (incorrectly filling out the deposit slip or indicating the wrong amount during an ATM or RDC deposit) or technology-based (system errors or illegible deposit capture).

This guidance relates to the fact that many banks have had a de minimis practice related to resolving these discrepancies set at various amounts. As you may remember, a CFPB Consent Order was entered against RBS Citizens Group, Inc., which had a system in place wherein, if the amount of a discrepancy was below a certain threshold, the bank would not verify the discrepancies between the deposit slip and the item. The bank’s general ledger was then credited or debited with the difference between the amounts, to the tune of $12.3 million in total. Additionally, the bank’s advertising and account agreements were found to have either explicitly stated or implied that every deposit would be verified when it wasn’t. Citizens had its thresholds set quite high ($25 to $50), whereas many banks use much lower thresholds, for example one to five dollars. As such, since last summer, banks have wondered what this consent order really meant for their deposit reconciliation practices, which the agencies have now clarified. Most importantly, the Agencies did not use this guidance to set any sort of de minimis threshold, not even for amounts under one dollar. The expectation from this guidance is that technological processes allow full reconciliation of discrepancies (except, of course, where the item is completely damaged or illegible).

In addition to the expectation of full reconciliation, the agencies have indicated that deposit reconciliation programs could lead to Regulation CC violations and issues, since the full amount of the customer’s deposit isn’t being made available within the regulatory time frames. The Agencies have also indicated that not providing the customer the full amount of their deposit may lead to violations of the FTC Act’s and Dodd-Frank’s prohibitions against unfair or deceptive acts or practices. While many banks have discussed the manpower issues involved in reconciling every penny, the Agencies’ bottom line relates to banks adding to the general ledger, even penny by penny, unearned funds that result from not fully reconciling amounts. The general supervisory expectation is to look at procedures and policies that allow banks to avoid reconciling to the detriment of their customers.

Therefore, if your bank does have a threshold amount for deposit verifications, now would be a good time to ensure that the appropriate checks are in place to avoid under-crediting your customers, and to improve the accuracy of crediting customer deposits wherever there is room to do so. In addition, it’s critical to ensure disclosures and advertising are accurate as to deposit verification. As with any change or update in regulation, guidance or bank policy, employee training on this matter is important as well. Given that there has been guidance AND a consent order on this issue, this is a red flag item that may come up on your next exam.

It's Not Easy Being Small: One General Concept, Many Regulations

Wouldn’t it be wonderful if there were just one standard by which banks could qualify as “small banks” and therefore be exempt from, or be subject to less exacting standards under, certain federal regulations? Alas, in an industry regulated at the federal level by four distinct agencies overseeing a myriad of different laws, this is far from the case. As a potentially small creditor or servicer, it’s helpful to have a handy roadmap that can guide you in the right direction in this regard, so we’ll cover the steps needed to constitute a “small” institution in four key areas: examinations; the Community Reinvestment Act (CRA); the RESPA servicing and Truth in Lending Act (TILA) billing statement provisions; and the rest of TILA.

Regarding examinations, just this past December, the FAST Act changed the threshold for an 18-month safety and soundness exam cycle from assets of less than $500 million to assets of less than $1 billion. Accordingly, if your assets are under $1 billion, you now will only be subjected to a safety and soundness exam from your federal regulator once every 18 months. This change has been reflected in the most recent version of 12 CFR §337.12(b), and was made effective in the Federal Register on February 2. See 81 FR 10069, found here. (As an additional wrinkle, note the prior regulation containing the examination frequency, 12 CFR § 390.351, was removed for redundancy.)

For the CRA, the “small bank” standard is adjusted annually, based on the current average in the Consumer Price Index for Urban Wage Earners and Clerical Workers (CPI-W). Currently, that threshold sits at assets of less than $1.216 billion. Within that subset of “small bank,” the “intermediate small bank” category, which requires an additional community development test for CRA performance standards, is any institution with assets between $304 million and $1.216 billion.

RESPA and the billing statement requirement in TILA both have identical requirements for smaller institutions. To be exempt from most of the RESPA servicing provisions and also the TILA periodic statement requirements as a “small servicer,” an institution must be currently servicing 5,000 or fewer mortgage loans as either the main servicer, an affiliate of the main servicer, or an assignee of the loans. This exemption does not get you out of all the RESPA servicing provisions—for example, you still must wait 120 days from delinquency in order to bring a foreclosure action. Nevertheless, being a small servicer does relieve you of most of the loss mitigation and billing requirements.

For the Higher-Priced Mortgage Loan (HPML), Ability to Repay/Qualified Mortgage (ATR/QM) and Home Ownership and Equity Protection Act (HOEPA) provisions of TILA, which apply to “small creditors” rather than “small servicers,” the standard is different.  It’s less than $2,060,000,000 (2.06 billion) in assets, and no more than 2,000 closed-end, consumer-purpose and dwelling-secured transactions originated in the last year, excluding loans held in portfolio. Keep in mind that HPML, HOEPA and QM Balloon loan exemptions carry the additional requirement of “rural or underserved”—as of March 31st, 2016, the creditor must make at least one loan in a “rural” or “underserved” area as defined by the regulation within the last two calendar years in order to be exempt under those provisions.

Is your head spinning yet? Let’s recap: for federal safety and soundness examinations of an 18-month cycle, a “small institution” has $1 billion or less in assets. For CRA, a “small bank” has less than $1.216 billion in assets (“intermediate small bank” has between $304 million and $1.216 billion). For RESPA Servicing and TILA Monthly Billing, a “small servicer” has less than 5,000 serviced mortgages. And for the rest of TILA, a “small creditor” has less than $2.06 billion in assets and less than 2,000 non-portfolio Regulation Z loans originated in the past year, with the possible kicker of needing one loan in a “rural” or “underserved” area within the past two years. Whew! The federal agencies have stated numerous times that they both recognize the added regulatory burden on small institutions and wish to alleviate it, but based on a tangled web like this, it sure doesn’t seem like it. Hopefully there will be an attempt in Congress to streamline all of these exemptions into one single, easy-to-reference rule or regulation soon—until then, the best course of action is simply to keep track of all these separate requirements, stay alert for any changes or threshold updates, and contact Compliance Alliance if you have any concerns.