Our bank's website has been “spoofed” by a foreign website. The foreign website has a different but very similar URL and content almost identical to our site. Do you have any tips on what steps we should take?
In addition to following your regular BSA/AML policies and procedures, we recommend contacting your federal regulator, and your state's cybercrimes unit or Attorney General as soon as possible. We also recommend adding a “pop-up” or greeting page on your own website that explains the issue to your online visitors, and keeping it up until the fake site is removed. Furthermore, consider sending out a warning e-mail to at least all your online banking customers--if not all your customers--notifying them of the issue.
For the beneficial ownership verification portion, does the bank need a copy of the drivers licenses for each identified beneficial owner?
No, the bank does not specifically need a DL for verification purposes. This is not saying that the bank does not have to verify using CIP procedures, but there is just not a specific requirement for the bank to get a DL. The bank can, for instance, verify through non-documentary methods.
(b) Identification and verification. With respect to legal entity customers, the covered financial institution's customer due diligence procedures shall enable the institution to:
(2) Verify the identity of each beneficial owner identified to the covered financial institution, according to risk-based procedures to the extent reasonable and practicable. At a minimum, these procedures must contain the elements required for verifying the identity of customers that are individuals under § 1020.220(a)(2) of this chapter (for banks); § 1023.220(a)(2) of this chapter (for brokers or dealers in securities); § 1024.220(a)(2) of this chapter (for mutual funds); or § 1026.220(a)(2) of this chapter (for futures commission merchants or introducing brokers in commodities); provided, that in the case of documentary verification, the financial institution may use photocopies or other reproductions of the documents listed in paragraph (a)(2)(ii)(A)(1) of § 1020.220 of this chapter (for banks); § 1023.220 of this chapter (for brokers or dealers in securities); § 1024.220 of this chapter (for mutual funds); or § 1026.220 of this chapter (for futures commission merchants or introducing brokers in commodities). A covered financial institution may rely on the information supplied by the legal entity customer regarding the identity of its beneficial owner or owners, provided that it has no knowledge of facts that would reasonably call into question the reliability of such information.
12 CFR § 1010.230(b)(2): https://www.fdic.gov/regulations/laws/rules/8000-1400.html#fdic8000fra1010.230
The CIP must contain risk-based procedures for verifying the identity of the customer within a reasonable period of time after the account is opened. The verification procedures must use "the information obtained in accordance with [31 CFR 1020.220] paragraph (a)(2)(i)," namely the identifying information obtained by the bank. A bank need not establish the accuracy of every element of identifying information obtained, but it must verify enough information to form a reasonable belief that it knows the true identity of the customer. The bank’s procedures must describe when it will use documents, nondocumentary methods, or a combination of both.
FFIEC, CIP-Overview: https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_011.htm
If we have four key factors already listed on an adverse action notice, but also took into account the number of inquiries, can we add that as a fifth factor? And, with this factor, do we have to list the number of inquiries?
Yes, you may add the number of inquiries as a fifth factor. Generally, you would only list four key factors for FCRA purposes, but there is an exception that expressly gives the bank the permission to tack this factor on. As to the actual number of inquiries, there is no requirement to list the actual number—just the factor, itself, is required.
For reference, see:
15 USC § 1681g(f)(9):
“Use of enquiries as a key factor. If a key factor that adversely affects the credit score of a consumer consists of the number of enquiries made with respect to a consumer report, that factor shall be included in the disclosure pursuant to paragraph (1)(C) without regard to the numerical limitation in such paragraph.”
When is the new TRID amendment regarding the black hole issue effective? And can we follow it before the rule is in effect?
The new rule is effective 30 days after publication in the Federal Register, which still hasn't happened (as of writing on 04/30/2018). Unfortunately, there’s not an allowance for optional early adoption as there was with the general 2017 TRID amendments which were issued last year:
"The amendments in the final rule will become effective 30 days after publication in the Federal Register. The Bureau believes the changes should enable industry to implement the provisions set forth in the TILA-RESPA Rule more cost-effectively and that industry should be able to implement these changes relatively quickly. Regarding some commenters’ requests for a later effective date, an optional early compliance period, or an effective date that distinguishes among transactions based on when a loan application was received, the Bureau declines to adopt such approaches because the final rule does not impose any new burdens on creditors. Once the final rule becomes effective, the ability to reset tolerances prior to consummation for a given transaction will not be limited by when the application was received. The Bureau declines to make this final rule retroactive, as retroactive rulemaking is disfavored by the courts and the commenter has not established why it would be appropriate here."
Does the bank need to expand our assessment area for CRA purposes when Loan Production Offices (LPOs) are opened in new counties or MSAs?
No, the bank does not need to automatically expand its CRA assessment area, because LPOs are not deposit-taking facilities. However, when LPOs are outside of the bank's current assessment area, loan production can affect the bank's inside/outside ratio. If the ratio of loans outside of the bank's assessment area exceeds the loans inside the assessment area, then the bank should consider whether it should open a branch and adjust the assessment area.
Are we allowed to charge for periodic mortgage statements if we are a “small servicer” for mortgage servicing purposes, per Regulations X and Z?
Possibly, but we wouldn’t recommend it.
12 CFR §1024.12 of Regulation X (RESPA) states, “No fee shall be imposed or charge made upon any other person, as a part of settlement costs or otherwise, by a [mortgage] lender . . . or by a servicer . . . for or on account of the preparation and distribution of the HUD-1 or HUD-1A settlement statement, escrow account statements required pursuant to section 10 of RESPA (12 U.S.C. 2609), or statements required by the Truth in Lending Act (15 U.S.C. 1601 et seq.) [emphasis added].” Regulation Z does have a small servicer exemption from the periodic statement requirement (12 CFR §1026.41(e)(4))—accordingly, periodic statements are not a required statement for small servicers under TILA. Nevertheless, charging for periodic mortgage statements raises UDAAP concerns, and may draw the unwanted attention of bank auditors or examiners. Mortgage statement fees should only be assessed, if at all, by small servicers that can demonstrate the fees are necessary to compensate the bank for an unusual cost or burden.
I am trying to research a few things for beneficial ownership. Our current new account process includes a pre-qualification piece for credit cards and lines of credit. This "soft hit" on credit is included in the customer verification process. Are we out of compliance for soft pulls on credit for beneficial owners who are not signers on an account?
Technically, beneficial owners are not owners/signers of the account. In order to pull credit, you'd need permission (written) from the beneficial owner. FCRA outlines permissible purposes to pull credit reports. FCRA 604(a)(3)(A) "...intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer..." https://www.consumer.ftc.gov/articles/pdf-0111-fair-credit-reporting-act.pdf
Are we allowed to provide a copy of the determination we have completed that is provided by our third party, if the borrower asks for it? And if so, do we have to get a signature saying it was received?
Yes—it’s not a statutory requirement, but the bank is allowed to provide a copy of the determination to the borrower. This may be used to provide it to the insurance agent so as to minimize discrepancies between the determination and the borrower’s policy. The bank would also need to make the determination available to the borrower in case of a special flood hazard determination review, which has to be requested jointly by the bank and the borrower.
If the bank does provide the determination form to the borrower, there’s not a specific signature requirement in the rules.
How does UDAAP relate to other laws?
An unfair, deceptive, or abusive act or practice may also violate other federal or state laws. For example, under TILA, you must “clearly and conspicuously” disclose the costs and terms of credit. An act or practice that does not comply with these requirements of TILA may also be unfair, deceptive, or abusive. On the other hand, a transaction that is technically in compliance with other federal or state laws may nevertheless be in violation of UDAAP. For example, an advertisement may comply with TILA, but contain additional statements that are untrue or misleading. So just complying with TILA’s disclosure requirements does not insulate the rest of the advertisement from the possibility of being deceptive under UDAAP.
For purposes of MLA safe harbor check, does the bank have to determine the covered borrower status exactly at application or 30 days before?
No. The bank may qualify for the safe harbor if it timely checks the status at the time the consumer either initiates the transaction or submits an application to establish an account, or anytime during a 30-day period of time prior to either of these. The check may not be done earlier than this 30-day window, however. See Question #20 from the amended interpretive rule, here: https://www.federalregister.gov/d/2017-26974/p-28
Compliance Alliance offers a comprehensive suite of compliance management solutions.