Categories
Financial Institutions and Banking

Get Ready for General Qualified Mortgage Final Rule

In April 2021, the Consumer Financial Protection Bureau (CFPB) delayed the deadline for compliance with its revised general qualified mortgage (QM) rule to October 1, 2022. But it’s a good idea for banks to start reviewing the requirements now and determine how they’ll need to update their procedures to incorporate the new rule. QMs — which avoid certain risky features and meet other requirements designed to make them safer and easier for borrowers to understand — are presumed to comply with ability-to-repay rules.

Currently, for a loan to be a QM, the borrower must have a total monthly debt-to-income ratio (including mortgage payments) of 43% or less. The revised rule greatly simplifies the definition of a QM by discarding the debt-to-income limit in favor of a price-based model. For loan applications received on or after March 1, 2021, but before October 1, 2022, lenders have the option of complying with either the current or the revised general QM loan definition. (Note: Separate rules apply to “seasoned” QMs.)

New lease accounting rules back on banks’ radar

After several delays — including a one-year postponement due to COVID-19 — the new lease accounting standard is scheduled to take effect for private companies for fiscal years beginning after December 15, 2021, and interim periods within fiscal years beginning after December 15, 2022. If your compliance efforts have been on hold, it’s time to ramp them up again. The upcoming transition to the new rules may influence current negotiations between banks and their loan customers, and banks that lease their facilities, equipment or other fixed assets should prepare for the rules’ potential impact on their balance sheets and regulatory capital. Plus, the standard’s transition approach may require banks to implement certain changes before the rules take effect.

Guide to conducting due diligence on FinTech companies

Community banks are under increasing pressure to provide their customers with digital products and services, and many banks are partnering with financial technology (FinTech) companies as a strategy for developing innovative, customized, cost-effective solutions. These partnerships can be complex ventures that involve a variety of risks, so thorough due diligence is critical. To assist banks with these efforts, federal banking agencies have published “Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks.”

The due diligence practices described in the guide are voluntary and don’t establish any new risk-management requirements. But they provide valuable guidance on what community banks should be looking for when they evaluate potential FinTech providers in six areas: 1) business experience and qualifications, 2) financial condition, 3) legal and regulatory compliance, 4) risk management and controls, 5) information security, and 6) operational resilience.

For more guidance regarding your bank’s compliance, contact Jack Matthis at jmatthis@atacpa.net.

© 2022

What’s Your Bank’s Plan to Counter Ransomware Attacks?

Cybersecurity continues to be a key risk that businesses face today, and banking is among the industries most affected by cyberattacks. Some experts estimate that around a quarter of all malware attacks target financial institutions. Of particular concern are ransomware attacks, which have increased dramatically in the past couple of years.

The threat of ransomware is so serious that the National Institute of Standards and Technology (NIST) — developer of a widely used cybersecurity framework — recently published a draft Cybersecurity Framework Profile for Ransomware Risk Management (the Ransomware Profile).

Ransomware and risk management

Ransomware is a type of malware that encrypts an organization’s data. Once malware has infected a system, the attackers demand payment in exchange for the encryption key that unlocks the data. In some cases, they may also steal an organization’s information and demand additional payment to avoid disclosure of that information to authorities, competitors or the public.

The Ransomware Profile outlines several basic preventive steps organizations can take to protect themselves against the ransomware threat, including:

  • Use antivirus software at all times,
  • Keep computers updated with the latest security patches,
  • Segment internal networks to prevent malware from proliferating among potential target systems,
  • Continuously monitor for indicators of compromise or active attack,
  • Block access to potentially malicious web resources,
  • Allow only authorized apps, and avoid use of personal apps — such as email, chat and social media — on work computers,
  • Use standard user accounts, rather than accounts with administrative privileges, whenever possible,
  • Restrict personally owned devices on work networks,
  • Educate employees about social engineering (for example, to not open files or click on links from unknown sources without scanning for viruses or taking other precautions), and
  • Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has only the appropriate access.

Organizations also should take steps that will help them recover from future ransomware events, including developing and implementing rigorous backup and incident recovery plans.

Backup strategies and incident response plans

Simply keeping backups of data isn’t enough. Any significant gaps in recoverable data or delays in restoring systems can be devastating for banks. So, they must back up data daily and periodically test and validate the backups. Also, banks should store backups offline so that a ransomware attack can’t reach them.

A well-designed backup strategy is worthless, however, without a solid incident response plan. This critical step helps banks restore systems quickly and minimize downtime in the event of a ransomware or other attack. A cyberattack is highly stressful. So, to avoid a paralyzing panic, your response plan should provide step-by-step instructions on who does what and when. The plan also should be kept offline to ensure that it’s accessible if your systems aren’t.

Be prepared

All banks should have a comprehensive cybersecurity plan to prevent ransomware and other cyberattacks and to minimize damages should an attack occur. If your bank doesn’t have a plan or you’re unsure whether your plan provides the protection you need, contact one of our industry leaders about conducting a cybersecurity risk assessment with ATA Secure.

© 2022

Keeping Branch Banking Profitable in the Digital Age

The COVID-19 pandemic has led to an increase in online banking; however, the transition to virtual banking was already well underway. As community banks look to the future, they need to re-imagine branch banking for the digital age. This means strengthening what’s working and getting rid of what isn’t. Direct banking at branches can still be vital to community banks’ financial health as long as they measure branch performance and correct as necessary.

Customer location

A significant challenge in measuring branch performance is assigning customers to particular locations. Traditional measures (such as new accounts opened or teller activity) no longer suffice. Just because a customer opened an account at a branch doesn’t necessarily mean that account should count toward the branch’s performance.

What if the customer relocated? What if he or she uses more than one branch? What if the customer does everything online and doesn’t visit branches at all? There are no easy answers to these questions. To get an accurate picture of branch performance, banks need to develop models that better reflect a branch’s interactions with customers and its contribution to the bank’s overall performance.

Measurement strategies

Some banks are developing point systems to measure the value of products sold, customer service and retention. For example, core accounts like checking accounts generally are more valuable than CDs, which often constitute “hot money” — that is, funds frequently transferred between financial institutions in an attempt to maximize returns. The analysis might be different, however, if a checking account has a small average monthly balance or if a CD has a relatively long term.

For services, one set of point values might be assigned to transaction processing — such as cashing checks or accepting deposits — with higher values assigned to loans or consultative services.

According to financial services technology provider Fiserv, customers with one banking product stay with a bank around 18 months on average. The average relationship increases to four years for customers with two products and to almost seven years for customers with three products. So, branches with more customers purchasing multiple products tend to contribute more value, and transfers of funds among branches affect branch profitability.

Differences in markets

Too often, banks’ business development plans fail to reflect the differences among their branches’ local markets, which can be dramatic. Many simply allocate their budgets uniformly among locations and demand that each branch achieve similar profitability and growth goals.

There are two problems with this approach. First, it establishes unachievable goals for branches in some markets, while allowing other locations to coast. Second, it may cause a bank to miss opportunities to enhance branch performance.

A better approach is to benchmark the bank’s performance against that of its peers. After identifying areas in which performance is falling short, the bank can examine individual branches, analyze their local markets and develop strategies for enhancing performance.

It’s important to analyze each branch’s current customer base as well as the various commercial and consumer segments that make up its local market. Armed with this information, you can develop marketing strategies that make the most of each location’s unique profitability and growth opportunities.

For example, a branch in an area with a lot of high-income consumers might target those consumers and also focus on cross-selling to existing customers. (Of course, it’s important to keep in mind fair lending exposure and Community Reinvestment Act considerations.) As noted above, providing multiple products to customers improves retention rates. On the commercial side, analyzing local markets may reveal opportunities to serve previously untapped commercial sectors or business niches.

Analysis and measurement are key

Your community bank will thrive if its branches thrive. Understanding your local customers and their banking preferences has never been more challenging — or more important. Closing branches if they’re no longer profitable is one solution, but developing them in ways that make them more useful to customers might be the best strategy over the long run.

© 2022

CFPB Issues Guidance on Unauthorized EFTs

The Consumer Financial Protection Bureau (CFPB) has issued guidance — in the form of answers to FAQs — on unauthorized electronic fund transfers (EFTs). Here are some of the highlights:

  • Unauthorized EFTs include situations in which a third party fraudulently induces a consumer into sharing account access information that’s used to initiate an EFT from the consumer’s account. And subsequent EFTs initiated using that information are not excluded from the definition of unauthorized EFTs as transfers initiated by “a person who was furnished the access device to the consumer’s account by the consumer.”
  • Banks can’t consider a consumer’s negligence when determining liability for unauthorized EFTs under Regulation E.
  • In determining whether an EFT was unauthorized and whether any liability protections apply, a bank can’t rely on a consumer agreement that “includes a provision that modifies or waives certain protections granted by Regulation E, such as waiving Regulation E liability protections if a consumer has shared account information with a third party.”

You can find the complete FAQs by visiting consumerfinance.gov and typing “EFT FAQs” in the search box.

Federal Reserve tool simplifies CECL implementation

For most community banks, the current expected credit loss (CECL) accounting standard will take effect in 2023, and many banks are concerned about the complexity involved in complying with the updated standard. In an effort to simplify the process, the Federal Reserve in July unveiled its Scaled CECL Allowance for Losses Estimator (SCALE), a spreadsheet-based tool that “draws on publicly available regulatory and industry data to aid community banks with assets of less than $1 billion in calculating their CECL allowances.”

Your advisors can help you determine whether the SCALE is appropriate for your institution. For more information, visit supervisionoutreach.org/cecl.

OCC will rescind 2020 CRA rule

In July, the OCC announced its intent to rescind its May 2020 final rule, which was designed to modernize and strengthen the regulatory framework for implementing the Community Reinvestment Act (CRA). Notably, neither the Federal Reserve nor the FDIC joined the OCC in advancing the final rule. In a statement, acting comptroller Michael Hsu said: “To ensure fairness in the face of persistent and rising inequality and changes in banking, the CRA must be strengthened and modernized.” He went on to observe that “the disproportionate impacts of the pandemic on low- and moderate-income communities, the comments provided on the [Fed’s] Advanced Notice of Proposed Rulemaking, and our experience with implementation of the 2020 rule have highlighted the criticality of strengthening the CRA jointly with the [Fed] and FDIC.”

©2021

Maintaining Internal Controls in a Post-Pandemic Environment

Internal controls are the lifeblood of a bank’s risk management system. Weak or ineffective controls can lead to operational losses and expose a bank to a higher risk of fraud. As we continue to recover from the COVID-19 pandemic, banks need to assess the pandemic’s impact on their internal control systems and make appropriate adjustments.

Many banks continue to rely on remote workers, and it’s likely that many employees will continue to work remotely long after the pandemic is behind us. In addition, some banks are operating with reduced workforces. In this environment, maintaining key internal controls — segregation of duties, in particular — can be a challenge. In addition, as workers’ duties are adjusted to accommodate remote work and leaner staffs, these changes can inadvertently render some controls ineffective.

Evaluate the impact on segregation of duties

Segregation of duties is a simple yet powerful control that substantially reduces the risks of fraud and error. By assigning different people responsibility for authorizing or reviewing transactions, recording transactions and maintaining custody of assets, a bank makes it virtually impossible for a single employee to perpetrate a fraud or make an error and conceal it. If workforce changes reduce segregation of duties, they can significantly weaken a bank’s internal controls.

Consider this example: ABC Bank has been operating with a reduced staff since early in the pandemic. As lending activity has increased, its staff has struggled to keep up with the growing volume of loan applications. To avoid falling behind, the bank provides Jane Doe, its vice president for loan servicing, with the ability to record transactions on the bank’s loan system. Because Jane is also responsible for reviewing loan file maintenance changes, she now lacks independence with respect to her review of loan file maintenance reports. In other words, the duties associated with recording and reviewing transactions are no longer segregated.

How can your bank avoid this situation? When employees’ operational responsibilities change, it’s important to evaluate any potential conflicts of interest with employees’ existing review responsibilities.

Digital approvals: Handle with care

A byproduct of the remote work environment is that reviewers may sign off on transactions via email or by typing their initials on an electronic document. This can be risky, as virtually anyone can enter the reviewer’s initials.

One solution is to use a digital signature platform, which requires the reviewer to enter a username and password. It also incorporates other protections to verify the signer’s identity and otherwise ensure the integrity of the approval process.

Review your controls

These are just a few examples of how a changing work environment can affect a bank’s internal control systems. The consequences aren’t always obvious, so be sure to review your internal control policies and procedures and conduct a risk assessment to anticipate the full impact of contemplated changes. Also consider implementing or strengthening other types of controls — such as surprise audits, management or director oversight, mandatory vacations, job rotation, employee support programs and fraud training — to help compensate for a lack of segregation of duties and other internal control weaknesses.

©2021

Keep Your Customers Satisfied

Over the past few years, community banking has withstood rapid technological changes, unprecedented economic challenges during a pandemic and new demands from its customer base. To maintain profitability amidst all this turmoil, you need to ensure that your bank retains its existing customers. After all, studies show that attracting a new customer typically costs five times more than retaining an existing one.

Here are three fundamental questions to help improve customer satisfaction and, ultimately, retention.

  1. What’s your core deposit base?

A good first step is to identify your core deposits and develop an understanding of customer behaviors. Differentiate loyal, long-term customers from those motivated primarily by interest rates. A core deposit study can help you distinguish between the two types of depositors and predict the impact of fluctuating interest rates on customer retention. Banking regulators strongly encourage banks to conduct these studies as part of their overall asset-liability management efforts.

Core deposit studies assess how much of your bank’s deposit base is interest-rate-sensitive by examining past depositor behavior. They also look at factors that tend to predict depositor longevity. For example, customers may be less likely to switch banks if they have higher average deposit balances and use multiple banking products (such as checking and savings accounts, mortgages and auto loans).

  2. How can you get to know your customers better?

To build customer loyalty, it’s critical to ensure that customers are engaged. According to research by Gallup, engaged customers are more loyal, and they’re more likely to recommend the bank to family and friends. They also represent a bigger “share of wallet” (that is, the percentage of a customer’s banking business captured by the bank).

Recent retail banking studies show that fewer than half of customers at community banks and small regional banks (less than $40 billion in deposits) are actively engaged. The percentages are even smaller at large regional banks (over $90 billion in deposits) and nationwide banks (over $500 billion in deposits). That’s the good news. The bad news is that 50% of customers at online-only banks are fully engaged.

So, how can community banks do a better job of engaging their customers to compete with online banks? The answer lies in leveraging their “local touch” by knowing their customers, delivering superior service, and providing customized solutions and advice. To do that, banks must ensure that their front-line employees — tellers, loan officers, branch managers and call center representatives — are fully engaged in their jobs.

Encouraging employees to engage with customers has little to do with competitive salaries and benefits. Rather, it means providing employees with opportunities for challenging work, responsibility, recognition and personal growth.

  3. How can you develop your online presence?

An increasing number of customers — younger people in particular — use multiple channels and devices to interact with their banks. These include online banking, mobile banking applications and two-way texting.

To build loyalty, banks should enable customers to use their preferred channels and ensure that their experiences across channels are seamless. And don’t overlook the importance of social media platforms. Younger customers are more likely to use these platforms to recommend your bank to their friends and families.

Ask the right questions

Your customer retention strategies shouldn’t be based on guesswork. Consider periodically engaging with customers concerning their level of satisfaction with your current systems and processes. Ask what they’d like to see improved. A brief survey, or even a short conversation, can provide valuable input on ways to keep your customers satisfied with your bank’s services over the long term.

©2021

Is Your Bank in Compliance?

The Dodd-Frank Act gives the Consumer Financial Protection Bureau (CFPB) broad authority to prosecute unfair, deceptive or abusive acts or practices (UDAAP) by banks and other financial providers. Early last year, the CFPB announced a new policy that gave institutions a reprieve from UDAAP enforcement actions. But in March 2021, it rescinded this policy, signaling a return to more aggressive enforcement.

UDAAP refresher

During the COVID-19 pandemic, many banks have changed the way they do business — for example, by reducing lobby hours, closing branches, and relying more on mobile banking apps and online transactions — and many of these changes may be here to stay. So, given the CFPB’s more aggressive enforcement stance, it’s a good idea for banks to review their UDAAP compliance policies and update them to reflect current business practices.

One reason UDAAP might be problematic is that its restrictions are quite broad and, in some cases, vague. Generally, an act or practice is unfair if it causes, or is likely to cause, substantial injury to consumers and such injury isn’t reasonably avoidable. Deceptive acts or practices are those that mislead or are likely to mislead consumers, provided the consumer’s interpretation is reasonable under the circumstances and the act or practice is material.

An act or practice is abusive if it materially interferes with a consumer’s ability to understand a product or service’s terms or conditions. Alternatively, abusive acts or practices may take unreasonable advantage of consumers’ 1) lack of understanding, 2) inability to protect their interests, or 3) reasonable reliance on banks to act in their interests.

CFPB guidance provides a nonexhaustive list of examples of conduct that may, depending on the facts and circumstances, constitute UDAAPs. They include:

  • Collecting or assessing a debt or additional amounts in connection with a debt (for example, interest, fees or charges) not expressly authorized by the agreement or permitted by law,
  • Failing to credit a consumer’s account with timely submitted payments and then imposing late fees,
  • Taking possession of property without the legal right to do so,
  • Revealing the consumer’s debt, without consent, to the consumer’s employer or coworkers,
  • Falsely representing the character, amount or legal status of the debt, and
  • Threatening any action that isn’t intended or authorized, including false threats of lawsuits, arrest, prosecution or imprisonment for nonpayment of debt.

Certain misrepresentations also may qualify as UDAAPs. For instance, a bank can’t falsely claim that a debt collection communication is from an attorney or government-affiliated source. Banks also can’t lie about whether information about a payment or nonpayment would be furnished to a credit reporting agency — or falsely promise to waive or forgive debts if consumers accept a settlement offer.

COVID-related updates

The COVID-19 pandemic has caused most businesses, including banks, to change the way they do things — so now’s a good time for a review. For example, have you permitted borrowers to skip loan payments under certain circumstances? Will that policy continue even after the pandemic ends? If so, you need to ensure that your policy is designed and communicated in a manner that isn’t unfair, deceptive or abusive to your customers.

During the pandemic, many banks have relied more heavily on electronic transactions in light of social distancing guidelines, a practice that may continue post-pandemic. If your bank permits customers to receive disclosures and other documents electronically, be sure that your policies and practices are fair, clearly communicated and don’t negatively impact customers without access to the necessary technology.

Even physical access and security practices may raise UDAAP concerns. For example, could reducing branch hours be perceived as unfair or abusive to specific customers? And what about masks or other face coverings? Ordinarily, banks prohibit them. But by necessity, exceptions have been made pursuant to mask mandates during the pandemic. In the absence of a mandate, what will your bank’s policy be going forward? Will you require customers to remove their masks, even if they’re at higher risk or simply feel more comfortable wearing one? Whatever your policy, it should be carefully designed and communicated to avoid UDAAP issues.

Training is key

Any time a bank changes its business practices or establishes new ones, it’s important to evaluate whether those changes raise UDAAP concerns. Even if your policies are fair on paper, they can still trigger UDAAP liability if they’re not put into practice properly. So be sure that bank staff or other representatives are adequately trained.

To ensure that your bank is still compliant after all of the recent changes, contact one of our financial institution experts today.

 

CFPB renews focus on UDAAP enforcement

In January 2020, the Consumer Financial Protection Bureau (CFPB) issued a policy statement providing some relief to banks for unfair, deceptive, or abusive acts or practices (UDAAP). Pursuant to the statement, the CFPB said it wouldn’t challenge conduct as abusive unless the harm to consumers outweighed the benefits. It also pledged to end “dual pleading” — that is, charging a bank with both abusiveness and unfairness or deception based on the same conduct — and to refrain from seeking monetary relief when a bank made a good-faith effort to comply with the law.

In March 2021, the CFPB rescinded the policy statement, finding it inconsistent with the CFPB’s mission. Going forward, it will exercise the “full scope” of its enforcement authority, although it will consider good faith and other relevant factors in using its prosecutorial discretion.

©2021

ALTA Best Practices Certification Services

Banks and mortgage lenders are under increased pressure by regulators to protect their customers’ non-public personal information (NPI)—especially within the context of their relationships with third-party vendors, including title companies and attorneys. This pressure has resulted in lenders conducting due diligence on title companies and attorneys. The means of approaching due diligence has been inconsistent within the industry, with some lenders asking vendors to complete questionnaires, others asking vendors to submit their policies and procedures and still others conducting interviews and on-site visits. Lenders have struggled to find the “right” solution to conduct this due diligence.

The American Land Title Association (ALTA) responded to this industry concern by developing a Best Practices Framework (ALTA Best Practices or the Best Practices). By choosing to pursue ALTA Best Practices, a title company or attorney can demonstrate to its mortgage lenders, underwriters and customers that it is following the industry’s established practices. This demonstration extends beyond just the protection of NPI. As lenders have learned about the Best Practices, this guidance has quickly become their preferred method of conducting CFPB due diligence.

The Best Practices include seven areas of guidance known as pillars:

  • Licensing
  • Escrow Accounting Procedures
  • Privacy & Information Security
  • Settlement Procedures
  • Title Policy Production & Delivery
  • Professional Liability Insurance Coverage
  • Consumer Complaints

When a company elects to pursue Best Practices, it must first develop policies and procedures to address each of the seven pillars. Once an organization has fully implemented its ALTA-compliant policies and procedures, it can then elect to work toward becoming certified. The certification must be performed by a qualified, independent third party that evaluates the title company’s compliance with its Best Practices policies and procedures.

ATA assists clients with:

  • The development of policies and procedures consistent with ALTA Best Practices.
  • Evaluation of previously prepared policies and procedures for compliance with the seven pillars of the Best Practices Framework.
  • Certification by providing an independent assessment of your organization’s operational processes, written policies, & procedures.

 

Contact partner and financial institutions expert Jack Matthis, CPA, CBA today at jmatthis@atacpa.net or by calling (731) 686-8371.

Bank Wire

CAA provides COVID-19 relief for banks

The Consolidated Appropriations Act (CAA), passed in late December 2020, contains a variety of COVID-19 relief provisions, including a second round of stimulus payments to individuals, enhanced unemployment benefits, and expansion of the Paycheck Protection Program (PPP). The act also offers some bank-specific relief. For example, it:

  • Delays the compliance deadline for the current expected credit loss (CECL) accounting standard until the earlier of 1) the first day of the bank’s fiscal year that begins after termination of the COVID-19 public health emergency, or 2) January 1, 2022; and
  • Extends the time during which banks may elect to temporarily suspend troubled debt restructuring (TDR) accounting for certain COVID-19-related loan modifications until the earlier of 1) 60 days after the public health emergency ends, or 2) January 1, 2022.

It also establishes a $9 billion fund to provide low-cost, long-term capital investments to qualifying banks. To qualify, they need to be community development financial institutions or minority depository institutions.

SBA guidance on PPP loans

After the CAA authorized “second-draw” forgivable PPP loans, the Small Business Administration (SBA) and Treasury Department issued rules for these loans. Among other things, the rules clarify that: the SBA will guarantee 100% of second-draw loans; no collateral or personal guarantees will be required; the interest rate will be 1%, calculated on a noncompounding, nonadjustable basis; maturity will be five years; and all loans will be processed by lenders under delegated authority.

A lender may rely on borrower certifications to determine the borrower’s eligibility and use of loan proceeds. (Note: The borrower must substantiate compliance with eligibility requirements by the time they submit a forgiveness application.)

Simplified PPP forgiveness application

The CAA simplifies the forgiveness application for businesses that borrow less than $150,000. These borrowers will submit a one-page application that includes the total loan value, the estimated portion of the loan spent on payroll, and the number of employees retained as a result.

Fintech partnership guide

Community banks are increasingly partnering with “fintech” companies to offer their customers access to the latest banking technology tools. But these partnerships are fraught with practical and regulatory compliance challenges. Recently, a member of the Federal Reserve Board announced that the Fed would work with other banking agencies to develop a fintech vendor due diligence guide for community banks as well as enhanced interagency guidance for third-party risk management. This guidance is expected to “eliminate the need for community banks to navigate multiple supervisory guidance documents on the same issue” and “enhance clarity on supervisory expectations for community bank partnerships with fintech companies.”

 

©2021

Online Account Opening: Managing the Risk

In recent years, banking customers have increasingly relied on electronic banking tools to open accounts, make deposits, transfer funds and otherwise manage their money — and the COVID-19 pandemic has accelerated this trend. All of these activities increase an institution’s Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance risks, particularly the opening of online accounts. So, while offering these conveniences can be attractive to current and prospective customers, you’ll need to implement policies, procedures and controls to mitigate the risk.

Recognizing risk factors

In its BSA/AML Manual, the Federal Financial Institutions Examination Council (FFIEC) emphasizes that accounts opened online — that is, without face-to-face contact — pose a greater risk for money laundering and terrorist financing because:

  • It’s more difficult to positively verify the applicant’s identity,
  • The customer may be outside the bank’s targeted geographic area or country,
  • Customers — particularly those with ill intent — may view online transactions as less transparent,
  • Transactions are instantaneous, and
  • Online accounts may be used by a “front” company or unknown third party.

In light of this enhanced risk, the FFIEC cautions banks to consider how an account was opened as a factor in determining the appropriate level of account monitoring.

Minimizing risks

To reduce the risks associated with online account opening, banks should develop an effective customer identification program (CIP) and ongoing customer due diligence (CDD) processes as part of a robust, risk-based BSA/AML compliance strategy.

To comply with CIP requirements, an individual opening an account must provide, at a minimum, his or her name, date of birth, address and taxpayer identification number (or other acceptable identification number for non-U.S. persons). In addition, if an account is opened for a legal entity — such as a corporation, partnership or LLC — the bank must verify the identities of the entity’s beneficial owners.

Verifying applicants’ identities

A significant challenge in electronic banking is verifying the identity of someone opening an account online (including a person opening an account on behalf of a legal entity). For in-person transactions, bank personnel often examine identification documents, such as driver’s licenses or passports, but this may not be possible for accounts opened online.

For online transactions, banks should develop reliable nondocumentary methods of verifying an individual’s identity. These may include comparing the information provided at account opening with information from a credit reporting agency, public database or other source. They also may include contacting the person (for example, calling them at work or sending them a piece of mail they must respond to), checking references with other financial institutions, obtaining a financial statement, or asking “out of wallet” questions, such as previous addresses, former employers or mortgage loan amounts.

The bank should develop alternate or backup verification methods for situations in which one of these methods fails. For example, if there’s an identification mismatch, the applicant may be required to bring identification in person to a bank branch.

In addition, as with accounts opened in person, the bank should check the person’s name against lists of known or suspected terrorists or terrorist organizations maintained by the Office of Foreign Assets Control. It’s also a good idea, for ongoing monitoring and CDD purposes, to collect information about the purpose of the account, the occupations of the account owners and the source of funds.

Due diligence

After an account is opened online and the applicant’s identity is verified, you’ll want to conduct ongoing customer due diligence. That means, among other things, monitoring account activity for unusual or suspicious activities.
