Regulatory Compliance: 8 Issues of Impact in '09
Safety & Soundness, Consumer Protection are Dominant Priorities of Regulators
A look at federal regulators' enforcement actions from the first half of 2009 (as compiled by Sai Huda, Chairman and CEO of Compliance Coach, a risk management service provider) shows that Safety and Soundness exam actions top the list at 54 percent of all enforcement actions taken; Flood Disaster Protection Act actions account for 22 percent; the Bank Secrecy Act, 12 percent; Real Estate Appraisal Rules, 4 percent; Regulation W (transactions with affiliates), 3 percent; HMDA, 3 percent; and Regulation O (insider lending), 2 percent.
The majority of enforcement actions were taken by the Federal Deposit Insurance Corporation (FDIC), at 44 percent; the Federal Reserve Board accounted for 25 percent; the Office of Thrift Supervision (OTS), 16 percent; and the Office of the Comptroller of the Currency (OCC), 14 percent.
Following is an overview of the top regulatory priorities so far -- and going forward -- in 2009.
1. Safety and Soundness
Given the global economic turmoil that culminated last fall with the failure of Lehman Brothers and the near collapse of the financial sector, regulators have been asking fundamentally "Is the institution operating in a safe and sound manner?" Diving a little deeper, Huda says, regulators are evaluating institutions in terms of: Are they well capitalized? Are they liquid? Are they complying with the FFIEC Safety and Soundness Standards? Are they making safe and sound loans and complying with related rules such as Real Estate Appraisal Rules, Regulation W, and Regulation O among others? This extra scrutiny will continue as the industry pulls itself out of recession.
2. ID Theft Red Flags
Other areas that have to be on the radar screen for institutions include ID Theft Red Flags, says Tom Wills, Senior Analyst, Security, Fraud & Compliance at Javelin Research. "Unless the Federal Trade Commission doesn't start enforcing it," Wills says. The ID Theft Red Flags rules were issued jointly by the OCC, FRB, FDIC, OTS, NCUA and the FTC in 2007. These final rules and guidelines require financial institutions or creditors to develop and implement a written identity theft prevention program to detect, prevent, and mitigate identity theft in connection with covered accounts, and to establish policies and procedures to assess the validity of a change of address. The FTC so far has granted two extensions for non-banking institutions, delaying its enforcement from Nov. 1 of last year until this August 1. Banks and credit unions have been examined on this rule since last Nov. 1 and have encountered significant issues in meeting full compliance.
3. PCI-DSS
The Payment Card Industry Data Security Standard, also known as PCI-DSS, while not a banking regulation, should be a focus for institutions, Wills notes. "The Heartland breach that was disclosed earlier this year has called the effectiveness of PCI-DSS into question, because Heartland had been certified as PCI compliant when the breach took place."
With banking institutions reeling from the costs and labor spent recovering from Heartland, both the private and public sectors are scrutinizing PCI-DSS and asking "Is it enough?"
Rebecca Herold, a privacy and information security expert, says PCI-DSS will continue to have an impact on financial institutions. "They will especially be interested in seeing what happens in the Merrick Bank vs. Savvis case." [The CardSystems Solutions data breach resulted in a 2008 lawsuit brought by Merrick Bank, a merchant bank, against CardSystems' security assessment company, Savvis. Merrick Bank's suit alleges that Savvis negligently certified CardSystems' security as compliant with Visa's Cardholder Information Security Program (CISP), the precursor to the Payment Card Industry Data Security Standard (PCI-DSS), and negligently represented that the payment processor was compliant.] "I do not see that lawsuit being judged in favor of the bank," Herold says.
4. The Bank Secrecy Act and Anti-Money Laundering
Money laundering concerns aren't going away -- and, in fact, are exacerbated by the bad economy and the heightened insider threat. Recent sanctions by Japan's Financial Services Agency against Citigroup over lax money-laundering controls, and the demand that the bank suspend some of its retail business operations, are an example of this trend. "It has (also) been interesting that the regulators' focus has not shifted away from BSA/AML to cover credit-crisis issues," notes Debra Geister, Director of Fraud Prevention & Compliance Solutions at Lexis-Nexis, an Alexandria, VA-based risk management consulting company. "Instead, the aperture is opened for deep dives into multiple areas," she observes. Suspicious Activity Reports (SARs) continue to be an important issue. She has heard concern at institutions over "What is adequate for my risk -- and whether the regulator agrees with my adequacy," Geister notes.
5. Vendor Governance Reviews
One of the regulatory areas that continues to have a significant impact on financial institutions is vendor management, especially because a number of regulatory requirements include vendor governance reviews, among them ID Theft Red Flags and the recent Remote Deposit Capture guidance, notes Herold. Third-party vendor and vendor business associate security program reviews will also be affected by the American Recovery and Reinvestment Act of 2009, she adds.
6. Consumer Protection
The focus on safety and soundness now extends beyond financial institutions to their customers. "The regulators will continue to check out safety and soundness," says Huda. "However, given the current thinking in Congress that consumers need more protection against unfair and deceptive practices by banks (and non-banking financial organizations), regulators will start to focus more on consumer protection laws in the second half of 2009."
The call for an additional consumer watchdog for financial services and products by President Barack Obama is one sign. Plus, several significant consumer protection laws become effective in the second half, including:
- Truth in Lending Act / Regulation Z Early Disclosure Rule: This kicks in on July 30, 2009. Now on all mortgage loans (purchase, refinance, home equity) a lender must provide an early disclosure within three days of receiving an application and must wait seven days before closing the loan. If the disclosure becomes inaccurate, it must provide corrected disclosures and wait three days after the consumer receives it before it can close the loan.
- Truth in Lending Act / Regulation Z Higher Priced Loans Rule: This kicks in October 1, 2009. It affects loans that fall between prime and sub-prime and requires new disclosures and waiting periods before loan closing. Unfair or deceptive advertising is also outlawed.
- Real Estate Settlement Procedures Act / Regulation X: This kicks in January 1, 2010. Now on all mortgage loans, a lender must provide a new Good Faith Estimate (GFE) disclosure within three days of receiving an application. The GFE form has been completely changed, and all lenders must use this uniform disclosure. The definition of an application has been changed. Certain fees have no tolerance for errors, and some have a 10% tolerance. Also, a new HUD-1 disclosure must be provided at settlement.
7. Fair and Responsible Lending Program
There are sleeper regulatory risk issues that banks must proactively manage in the second half of 2009. Regulators will be taking a very close look at an institution's compliance with Fair Lending laws, notes Huda. "The regulators are under pressure from Congress to make sure that banks lend in their communities to eliminate the current credit crunch, but also that they lend fairly and do not discriminate."
In particular, the regulators' expectation is that an institution will have implemented a "Fair and Responsible Lending Program." They will look to see whether lending policies and practices are not only non-discriminatory and compliant with ECOA and FHA, but also compliant with Unfair and Deceptive Acts and Practices (UDAP) laws. A big focus will also be on loan pricing. Another point to remember -- an institution's CRA rating will be downgraded for Fair and Responsible Lending issues, he says.
8. Federal and State Data Breach Laws
The pending federal data breach legislation, although it may not pass before the end of 2009, will also be on the radar for financial institutions, says Javelin's Wills. Consideration should also be given to the number of state data breach laws, such as the one passed in Massachusetts and Nevada's new PCI mandate, notes Herold. (Nevada passed a law mandating PCI compliance for companies that do business in the state, making it the first state to mandate PCI.) "Institutions should look at implementing encryption and need to know where to encrypt to meet compliance with growing numbers of laws that require this, such as the Massachusetts and Nevada laws." She expects more states to pass similar legislation requiring that comprehensive information security programs be implemented at businesses and entities that hold personal data on their citizens.
The impact of Massachusetts' data breach law is something that the banking industry in particular should consider, says Larry Ponemon, President of the Ponemon Institute, a privacy research firm. "It is very strict and prescriptive in nature and, using the example of California's landmark data breach law SB1386, it is highly plausible that the law could have national implications," he says. The law, which goes into effect January 1, 2010, outlines various security measures that must be employed to safeguard consumer data and, even though banks should already be following these provisions, it also dictates how organizations that experience a breach must notify their customers. "Failure to comply may result in stiff fines, so any bank with customers in Massachusetts needs to understand and prepare for this law," Ponemon advises.