Staying On Top of Vendor Risk Management News: Week of August 20

An update on the OCC fintech charter, the latest in regtech, Merrill Lynch pays $8.9 million fine in SEC action with major third party implications, ECOA on third parties and more! Read below for this week's most important third party risk related news.

Industry News for the Week of August 20

Please be sure to do your own due diligence on GooglePay – not saying there’s a problem but responsible due diligence is a requirement of third party risk management: Read here

No applications yet for the OCC fintech charter: Read here

How to start a bank – what it’s really like: Read here

The headline of this article is something I say all of the time! Read here

States trying to serve as “mini CFPBs” – With CFPB dialing back, state AG’s and agencies lining up to step in: Read here

The challenge of compliance and the role of regtech – article asserts a bank must comply with 160 regulations (I actually think it’s much more): Read here

The challenges of creating a culture of compliance: Read here

Merrill Lynch pays $8.9 million fine in SEC action with major third party implications: Read here

Regulatory reform has not led to relaxed enforcement: Read here

Follow the money – the importance of SARs: Read here

I applaud the airport’s business continuity preparation using the "old school” greaseboard: Read here

Third Parties

Here’s the scenario: Blue Sky Credit Union has an indirect lending agreement with Bob’s Cars. John finds a car he likes at Bob’s and applies for financing. Blue Sky CU is among three financial institutions that receives John’s application from Bob’s. After reviewing the application, Blue Sky CU determines not to offer credit to John. Does Blue Sky CU have to send John an adverse action notice?

Section 1002.9(g) provides a special notice rule for applications received through third parties, such as through an indirect lending agreement. Where a third party sends an application to multiple creditors, no notice is required if the applicant accepts or uses one of the offers. If the applicant does not accept any credit, then notice may be sent directly to the applicant or through the third party.

If one of the other institutions offers John credit and he accepts it, then Blue Sky CU does not have to send him an adverse action notice. If John does not accept any credit offered by the three institutions or if all three institutions deny his application, then each one must send an adverse action notice. Bob’s may send the notices to John on behalf of the creditors. As Blue Sky CU may not know whether John accepted another offer, this scenario often requires creditors to rely on the third party to determine whether an adverse action notice is required. This is usually addressed in the indirect lending agreement.

The commentary explains that when notice comes from a third party, the third party may provide a notice for each creditor or may provide a combined notice that identifies each creditor. A creditor is not liable for any violation of the rule made by the third party as long as the creditor provides the third party with the information necessary for the notification and maintains reasonable procedures to avoid violations.

In each of the two scenario’s above, while an adverse action notice may not be required under Regulation B, one may still be required under the FCRA. If a consumer report was used as part of the decision to deny the application, the credit union will want to ensure it also reviews the adverse action notice rules under the FCRA. This article from the Minneapolis Federal Reserve provides a good overview of the rules under both Regulation B and the FCRA: Adverse Action Notice Requirements Under the ECOA and the FCRA.

You’ll notice that many of the bulleted issues listed in this article could have third party implications:

One of the sessions during the 12th Annual Mid-Atlantic Anti-Money Laundering (AML) Conference that I recently attended was on current compliance topics. Panelists from the FDIC, OCC, FINRA, FinCEN and the Federal Reserve Board discussed some of the issues they had noted during financial institution examinations for Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance. Under the current landscape, as institutions merge, they obviously grow but also get more complex. An institution’s risks therefore increase and make internal controls even more important. This increases the importance of independent testing performed by a qualified entity. 

The panelists indicated some financial institutions had been cited for lax review procedures. These included:

• Insufficient reviews of accounts;
• Conclusions inadequately supported;
• Inappropriate risk rating of accounts and customers;
• Inadequate screening for OFAC; and
• Inadequate testing and monitoring systems;
• Missing or ignoring risks;
• Insufficient monitoring of suspicious activity; and
• AML program not evolving with an institution’s business and/or risks.

The regulators also discussed what they consider makes for strong governance and oversight for BSA/AML compliance. An institution should have:

• A strong risk assessment;
• Good board reporting (not just a data dump); and
• Good policies/plans on what actions to take to ensure BSA/AML compliance.

Several of the banking agencies are reviewing the way they examine for BSA with a goal to more efficiency and effectiveness, burden reduction and clarity with risk-based management of BSA/AML compliance. The panelists also indicated a zero tolerance policy when it comes to BSA/AML non-compliance.

Also of interest, FinCEN recognizes BSA is decades old and that it’s time for a review of the regulations. Its end goal is to support law enforcement investigations, protect the U.S. financial system and gain insight into illicit schemes. Any comments on current regulations should state not just how a change would ease regulatory burden but also how it would continue to protect the system. Credit unions with any such comments can forward them to NAFCU’s Regulatory Affairs division, care of Ann Kossachev at akosschev@nafcu.org.

Here at Venminder, we stress the importance of regulatory compliance – but did you know that it's equally as important to make sure that your vendors are in compliance with their regulations as well? Their regulatory compliance impacts you, too! Download our infographic to learn more about managing and mitigating third party compliance risk.