Triangle Background
The November 2022 WBA Compliance Journal is now available. In this edition, WBA Legal summarizes FinCEN’s final beneficial ownership information reporting rule and provides a highlight of recently released CFPB guidance documents. The “Regulatory Spotlight” section provides a summary of rules, proposals, and notices issued by federal agencies, and the “Compliance Notes” section reports on other important compliance-related updates for bankers. For Wisconsin lawyers needing to report Continued Legal Education (CLE) credits, the November edition also includes a listing of 2021 and 2022 WBA webinars and programs which received CLE credit from the Wisconsin Board of Bar Examiners. This month’s edition also includes a special section, “Insights of a Wisconsin Compliance Officer” which includes thoughts from Bev Downing, VP-Compliance, Royal Bank. Bev recently retired after 39 years in the industry.

The October 2022 WBA Compliance Journal is now available. In this edition, WBA Legal covers Part 2 of a two-part series regarding contracting with minors. In this second part, readers will find guidance on what banks should consider when banking minors, including the doctrine of incapacity. The publication also includes an article about a recent court action that overturned closed-end loan HMDA reporting thresholds for exempt institutions, a summary of recently published agency rules and notices and other important compliance-related updates for bankers.

The September 2022 WBA Compliance Journal is now available. In this edition, WBA Legal covers Part 1 of a two-part series regarding contracting with minors. In this first part, readers will find a series of Q&As regarding WUTMA accounts and a new reference chart. The publication also includes a summary of recently published agency rules and notices and other important compliance-related updates for bankers.    

Triangle Background

By WBA Legal

In late August, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued a new resource titled, Conducting Due Diligence on Financial Technology Companies, A Guide for Community Banks (Guide), which was intended to help community banks in conducting due diligence when considering relationships with fintech companies.

Use of the Guide is voluntary, and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the Guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company.

While the Guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance; which, for FRB-regulated banks is SR Letter 13-19, for FDIC-regulated banks is FIL-44-2008, and for OCC banks is Bulletin-2013-29.

During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.

The Guide focuses on six key due diligence topics, including relevant considerations and a list of potential sources of information. The following is a summary of the key due diligence topics within the Guide.

Business Experience and Qualifications

The agencies have identified that by evaluating a fintech company’s business experience, strategic goals, and overall qualifications, a community bank can better consider a fintech company’s experience in conducting the activity and its ability to meet the bank’s needs. Review of operational history will provide insight into a fintech company’s ability to meet a community bank’s needs, including, for example, the ability to adequately provide the activities being considered in a manner that enables a community bank to comply with regulatory requirements and meet customer needs.

Review of client references and complaints about a fintech company may provide useful information when considering, among other things, whether a fintech company has adequate experience and expertise to meet a community bank’s needs and resolve issues, including experience with other community banking clients. Review of legal or regulatory actions against a fintech company can be indicators of the company’s track record in providing activities.

When a community bank is considering a third-party relationship, discussing a fintech company’s strategic plans can provide insight on key decisions it is considering, such as plans to launch new products or pursue new arrangements (such as acquisitions, joint ventures, or joint marketing initiatives). A community bank may subsequently consider whether the fintech company’s strategies or any planned initiatives would affect the prospective activity. Further, inquiring about a fintech company’s strategies and management style may help a community bank assess whether a fintech company’s culture, values, and business style fit those of the community bank.

The agencies further instruct that understanding the background and expertise of a fintech company’s directors and executive leadership may provide a community bank useful information on the fintech company’s board and management knowledge and experience related to the activity sought by the community bank. A community bank may also consider whether the company has sufficient management and staff with appropriate expertise to handle the prospective activity.

For example, imagine that a fintech company, its directors, or its management have varying levels of expertise conducting activities similar to what a community bank is seeking. A fintech company’s historical experience also may not include engaging in relationships with community banks. As part of due diligence, a community bank may therefore consider how a fintech company’s particular experiences could affect the success of the proposed activity and overall relationship. Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives. When evaluating the potential relationship, a community bank may consider a fintech company’s willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations.

Financial Condition

Another step the agencies identified is for a bank to evaluate a fintech company’s financial condition to help the bank assess the company’s ability to remain in business and fulfill any obligations created by the relationship. Review of financial reports provide useful information when evaluating a fintech company’s capacity to provide the activity under consideration, remain a going concern, and fulfill any of its obligations, including its obligations to the community bank. Understanding funding sources provide useful information in assessing a fintech company’s financial condition. A fintech company may be able to fund operations and growth through cash flow and profitability or it may rely on other sources, such as loans, capital injections, venture capital, or planned public offerings.

Additionally, information about a fintech company’s competitive environment may provide additional insight on the company’s viability. Review of information on a fintech company’s client base can shed insight into any reliance a fintech company may have on a few significant clients. A few critical clients may provide key sources of operating cash flow and support growth but may also demand much of a fintech company’s resources. Loss of a critical client may negatively affect revenue and hinder a fintech company’s ability to fulfill its obligations with a community bank. A community bank may also consider a fintech company’s susceptibility to external risks, such as geopolitical events that may affect the company’s financial condition.

For example, some fintech companies, such as those in an early or expansion stage, have yet to achieve profitability or may not possess financial stability comparable to more established companies. Some newer fintech companies may also be unable to provide several years of financial reporting, which may impact a community bank’s ability to apply its traditional financial analysis processes. When audited financial statements are not available, a community bank may want to seek other financial information to gain confidence that a fintech company can continue to operate, provide the activity satisfactorily, and fulfill its obligations. For example, a community bank may consider a fintech company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech company’s overall financial performance.

Legal and Regulatory Compliance

The Guide further outlines how in evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements applicable to the proposed activity, and its experience working within the legal and regulatory framework, better enables a community bank to verify a fintech company’s ability to comply with applicable laws and regulations.

A bank may want to consider reviewing organizational documents and business licenses, charters, and registrations as such documentation provides information on where a fintech company is domiciled and authorized to operate (for example, domestically or internationally) and legally permissible activities under governing laws and regulations. Reviewing the nature of the proposed relationship, including roles and responsibilities of each party involved, may also help a community bank identify legal considerations. Assessing any outstanding legal or regulatory issues may provide insight into a fintech company’s management, its operating environment, and its ability to provide certain activities.

A bank could also consider reviewing a fintech company’s risk and compliance processes to help assess the fintech company’s ability to support the community bank’s legal and regulatory requirements, including privacy, consumer protection, fair lending, anti-money-laundering, and other matters. A fintech company’s experience working with other community banks may provide insight into the fintech company’s familiarity with the community bank’s regulatory environment. Reviewing information surrounding any consumer-facing applications, delivery channels, disclosures, and marketing materials for community bank customers can assist a community bank to anticipate and address potential consumer compliance issues. Considering industry ratings (for example, Better Business Bureau) and the nature of any complaints against a fintech company may provide insight into potential customer service and compliance issues or other consumer protection matters.

For example, some fintech companies may have limited experience working within the legal and regulatory framework in which a community bank operates. To protect its interests, community banks may consider including contract terms requiring (a) compliance with relevant legal and regulatory requirements, including federal consumer protection laws and regulations, as applicable; (b) authorization for a community bank and the bank’s primary supervisory agency to access a fintech company’s records; or (c) authorization for a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms. Other approaches could include (1) instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity), or (2) periodically reviewing customer complaints, if available, related to the activity.

Risk Management and Controls

The agencies have also identified that by banks evaluating the effectiveness of a fintech company’s risk management policies, processes, and controls, such review helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.

Banks should consider reviewing a fintech company’s policies and procedures governing the applicable activity as it will provide insight into how the fintech company outlines risk management responsibilities and reporting processes, and how the fintech company’s employees are responsible for complying with policies and procedures. A community bank may also use the information to assess whether a fintech company’s processes are in line with its own risk appetite, policies, and procedures. Information about the nature, scope, and frequency of control reviews, especially those related to the prospective activity, provides a community bank with insight into the quality of the fintech company’s risk management and control environment. A community bank may also want to consider the relative independence and qualifications of those involved in testing. A fintech company may employ an audit function (either in-house or outsourced). In these cases, evaluating the scope and results of relevant audit work may help a community bank determine how a fintech company ensures that its risk management and internal control processes are effective.

Banks should also consider the findings, conclusions, and any related action plans from recent control reviews and audits as the information may provide insight into the effectiveness of a fintech company’s program and the appropriateness and timeliness of any related action plans. Evaluating a fintech company’s reporting helps a community bank to consider how the fintech company monitors key risk, performance, and control indicators; how those indicators relate to the community bank’s desired service-level agreements; and how the fintech company’s reporting processes identify and escalate risk issues and control testing results. A community bank may also consider how it would incorporate such reporting into the bank’s own issue management processes. Review of information on a fintech company’s staffing and expertise, including for risk and compliance, provide a means to assess the overall adequacy of the fintech company’s risk and control processes for the proposed activity.

Information on a fintech company’s training program also assists in considering how the fintech company ensures that its staff remains knowledgeable about regulatory requirements, risks, technology, and other factors that may affect the quality of the activities provided to a community bank.

For example, a fintech company’s audit, risk, and compliance functions will vary with the maturity of the company and the nature and complexity of activities offered. As a result, a fintech company may not have supporting information that responds in full to a community bank’s typical due diligence questionnaires. In other cases, a fintech company may be hesitant to provide certain information that is considered proprietary or a trade secret (for example, their development methodology or model components). In these situations, a community bank may take other steps to identify and manage risks in the third-party relationship and gain confidence that the fintech company can provide the activity satisfactorily.

For example, a community bank may consider on-site visits to help evaluate a fintech company’s operations and control environment, or a community bank’s auditors (or another independent party) may evaluate a fintech company’s operations as part of due diligence. Other approaches could include (a) accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the community bank’s normal processes, commensurate with the criticality of the arrangement and in line with the bank’s risk appetite and applicable third-party risk management procedures; (b) incorporating contract provisions that establish the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified; (c) establishing a community bank’s right to terminate a third-party relationship, based on a fintech company’s failure to meet specified technical and operational requirements or performance standards. Contract provisions may also provide for a smooth transition to another party (for example, ownership of records and data by the community bank and reasonable termination fees); or (d) outlining risk and performance expectations and related metrics within the contract to address a community bank’s requirements

Information Security

In understanding a fintech company’s operations infrastructure and the security measures for managing operational risk, a community bank may better evaluate whether the measures are appropriate for the prospective activity. A community bank may evaluate whether the proposed activity can be performed using existing systems, or if additional IT investment would be needed at the community bank or at the fintech company to successfully perform the activity. For example, a community bank may evaluate whether the fintech company’s systems can support the bank’s business, customers, and transaction volumes (current and projected). A fintech company’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software, will provide a community bank with information on the prospective third party’s potential security and business impacts to the community bank.

For example, fintech companies’ information security processes may vary, particularly for fintech companies in an early or expansion stage. Community banks may evaluate whether a fintech company’s information security processes are appropriate and commensurate with the risk of the proposed activity. Depending on the activity provided, community banks may also seek to understand a fintech company’s oversight of its subcontractors, including data and information security risks and controls.

For a fintech company that provides transaction processing or that accesses customer data, for example, community banks may request information about how the fintech company restricts access to its systems and data, identifies and corrects vulnerabilities, and updates and replaces hardware or software. The bank may also consider risks and related controls pertaining to its customers’ data, in the event of the fintech company’s security failure. Also, contractual terms that authorize a community bank to access fintech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.

Operational Resilience

A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events. It is important that third-party continuity and resilience planning be commensurate with the nature and criticality of activities performed for the bank.

Evaluating a fintech company’s business continuity plan, incident response plan, disaster recovery plan and related testing can help a community bank determine the fintech company’s ability to continue operations in the event of a disruption. Also, evaluating a fintech company’s recovery objectives, such as any established recovery time objectives and recovery point objectives, helps to ascertain whether the company’s tolerances for downtime and data loss align with a community bank’s expectations. A community bank that contemplates how a fintech company considers changing operational resilience processes to account for changing conditions, threats, or incidents, as well as how the company handles threat detection (both in-house and outsourced) may provide a community bank with additional information on incident preparation. Discussions with a fintech company, as well as online research, could provide insights into how the company responded to any actual cyber events or operational outages and any impact they had on other clients or customers.

Understanding where a fintech company’s data centers are or will reside, domestically or internationally, helps a community bank to consider which laws or regulations would apply to the community bank’s business and customer data. Another matter for a community bank to consider is whether a fintech company has appropriate insurance policies (for example, hazard insurance or cyber insurance) and whether the fintech company has the financial ability to make the community bank whole in the event of loss.

Service level agreements between a community bank and a fintech company set forth the rights and responsibilities of each party with regard to expected activities and functions. A community bank may consider the reasonableness of the proposed service level agreement and incorporate performance standards to ensure key obligations are met, including activity uptime. A community bank may also consider whether to define default triggers and recourse in the event that a fintech company fails to meet performance standards.

A fintech company’s monitoring of its subcontractors (if used) may offer insight into the company’s own operational resilience. For example, a community bank may inquire as to whether the fintech company depends on a small number of subcontractors for operations, what activities they provide, and how the fintech company will address a subcontractors’ inability to perform. A community bank may assess a fintech company’s processes for conducting background checks on subcontractors, particularly if subcontractors have access to critical systems related to the proposed activity.

For example, as with previous due diligence scenarios, fintech companies may exhibit a range of resiliency and continuity processes, depending on the activities offered. Community banks may evaluate whether a fintech company’s planning and related processes are commensurate with the nature and criticality of activities performed for the bank. For example, community banks may evaluate a fintech company’s ability to meet the community bank’s recovery expectations and identify any subcontractors the fintech company relies upon for recovery operations. A fintech company may have recovery time objectives for the proposed activity that exceed the desired recovery time objectives of a community bank. If a fintech company can meet the community bank’s desired recovery time objectives, the bank may consider including related contractual terms, such as a contract stipulation that the community bank can participate in business continuity testing exercises and that provides appropriate recourse if the recovery time objective is missed in the event of an actual service disruption.

A community bank may also consider appropriate contingency plans, such as the availability of substitutable service providers, in case the fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities. In addition to potential contractual clauses and requirements, a community bank’s management may also consider how it would wind down or transfer the activity in the event the fintech company fails to recover in a timely manner.


The agencies have outlined a number of relevant considerations, non-exhaustive lists of potential sources of information, and illustrative examples to assist community banks with identifying strengths and potential risks when considering relationships with fintech companies. The voluntary Guide helps provide a starting point for banks with their due diligence efforts. The Guide may be viewed here.

Highlighted Special Focus From the October 2021 Compliance Journal

The long awaited proposed rule regarding the collection and reporting of small business lending data as required by Section 1071 of the Dodd-Frank Act has finally been released by the Bureau of Consumer Financial Protection (CFPB). Unfortunately, the proposed rule is as broad and onerous as the industry expected it to be as it will be costly to train, implement, and monitor. The proposal would revise Regulation B, which implements the Equal Credit Opportunity Act (ECOA), to require the collection and reporting to CFPB certain data on applications for credit by small businesses. The proposal is substantial; however, below is a brief summary of the proposed rule.

Who Must Collect Data

The first step of analysis for any proposal is to identify whether it will apply to the bank. In this case, the proposal is broad and will very likely apply to all banks in Wisconsin. As proposed, if a bank originates at least 25 credit transactions that are considered “covered credit transactions” to “small businesses” in each of the two preceding years, the proposed rule will apply to the bank. Generally, a “small business” under the proposal is a business that had $5 million or less in gross annual revenue for its preceding fiscal year.

What CFPB has proposed be considered a “covered credit transaction” is a bit trickier an analysis but is generally the same as what is considered an application under the existing Regulation B definition of “application.” The proposed term does; however, exclude reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts; also excluded is an inquiry or prequalification request.

What Data is to be Collected

Next, the data to be collected. Dodd-Frank Act Section 1071 identified certain data that must be collected by CFPB; the law also gave CFPB discretion to collect additional data. CFPB has incorporated all Dodd-Frank Act required data and several discretional data into its proposal. In particular, banks must collect a unique identifier of each application, application date, application method, application recipient, action taken by bank on the application, date action taken, denial reasons, amount applied for, amount originated or approved, and pricing information including interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties.

Banks must also collect credit type, credit purpose, information related to the applicant’s business such as census tract, NAICS code and gross annual revenue for applicant’s preceding fiscal year, number of applicant’s non-owner workers, applicant’s time in business, and number of applicant’s principal owners.

There is also demographic information about the applicant’s principal owners to collect. These data points include minority- and women-owned business status, and the ethnicity, race, and sex of the applicant’s principal owners. The proposal also requires banks to maintain procedures to collect applicant-provided data at a time and in a manner that is reasonably designed to obtain a response, addresses how banks are to report certain data if data are not obtainable from an applicant, when banks are permitted to rely on statements made by an applicant, when banks must verify applicant’s responses to certain data collected, and when banks may reuse certain data collected in certain circumstances such as when data was collected within the same calendar year as a current covered application and when the bank has no reason to believe the data are inaccurate.

When and How Data Must be Reported

Banks would be required to collect data on a calendar-year basis and report the data to CFPB by June 1 of the following year. CFPB has proposed to provide technical instructions for the submission of data in a Filing Instructions Guide and related materials.

The submitted data is also to be made available to the public on an annual basis. Banks would be required to make the reported data available on their website, or otherwise upon request, or must provide a statement that the bank’s small business lending application register is available on CFPB’s website. Model language for such statement has been proposed by CFPB.

Limit of Certain Bank Personnel’s Access to Certain Data

The proposed rule implements a requirement under Section 1071 that banks limit certain employees’ and officers’ access to certain data. CFPB refers to this as the “firewall.” Pursuant to the proposed rule, an employee or officer of a bank or bank’s affiliate who are involved in making any determination concerning the applicant’s covered application would be prohibited from accessing an applicant’s responses to inquiries that the bank made regarding whether the applicant is a minority- or woman-owned business. Such employees are also restricted from information about an applicant’s ethnicity, race, and sex of the applicant’s principal owners.

There are exceptions to the requirement if it is not feasible to limit such access, as that factor is further set forth in the proposal. If an exception is permissible under the proposal, notice must be given to the application regarding such access. Again, CFPB has created model language for such notice.

Recordkeeping and Enforcement

The proposal establishes certain recordkeeping requirements, including a three year retention period for small business lending application registers. The proposal also includes a requirement to maintain an applicant’s responses to Section 1071 inquiries regarding whether an applicant is a minority- or women-owned business, and responses regarding the ethnicity, race, and sex of the applicant’s principal owners, separate from the rest of the application and accompanying information.

The proposal does include enforcement for violations of the new rules, addresses bona fide errors, and provides for a safe harbor.

Learn More and Get Involved

The proposal and additional information, including a chart of the proposed data collection points, may be viewed at:

WBA will comment on the proposal and will create a template letter for bankers to use in providing their own comments to CFPB regarding the impact the proposal will have on the bank. Comments are due 90 days from publication of the proposed rule in the Federal Register. At time of publication of the article, the proposal had not yet been published. CFPB has proposed mandatory compliance of a final rule be eighteen months after its effective date. WBA Legal is creating a working group to collect data and concerns from Wisconsin’s bankers on the proposal. If you wish to be part of the working group, please contact WBA Legal at

This article originally ran in the September 2021 edition of the WBA Compliance Journal, to view the entire publication, click here.

The Wisconsin Supreme Court (Court) recently decided two cases to allow the Wisconsin Department of Natural Resources (DNR) to place permit restrictions on large livestock farms and high-capacity wells as a way to protect Wisconsin’s water. The issue in both cases is whether DNR had the authority under Wisconsin law to issue permits with conditions. 

In both cases, the Court looked to language used in Sec. 227.10(2m) Wis. Stats. and determined that (1) agencies’ actions under administrative law need be supported by explicit, not specific, statutory or regulatory authority; and (2) that explicit authority can be broad in scope. As a result of the two decisions, DNR was given broader authority than many believed was permissible since enactment of 2011 Wisconsin Act 21 (Act 21) because the agency actions authorized by the Court are not specifically stated in the statute sections in question. The following is a summary of the two cases.   

Kinnard Farms  

In the first case, Kinnard operates a large, concentrated animal feeding operation (CAFO). Kinnard wanted to expand its dairy operations by building a second site and adding 3,000 dairy cows. The expansion required Kinnard to apply to DNR for reissuance of its Wisconsin Pollutant Discharge Elimination System (WPDES) permit to include both the original site and the proposed expansion. DNR approved the application and reissued Kinnard’s WPDES permit.  

Persons (petitioners) living near the CAFO sought review of the reissued WPDES permit because of their proximity to the farm, had private drinking wells, and were concerned the proposed expansion would exacerbate current groundwater contamination issues. The petitioners alleged that the reissued WPDES permit was inadequate because, among other things, it did not set a “maximum number of animal units” or “require monitoring to evaluate impacts to groundwater.”  

DNR granted the petitioners a contested case hearing and the matters were referred to an administrative law judge (ALJ). Kinnard filed for summary judgment alleging DNR lacked statutory authority to impose the conditions, citing Act 21. The ALJ denied the motion and conducted a four-day evidentiary hearing during which community members who lived or worked near the CAFO testified about contamination of well water and the impact the contamination had on their businesses, homes, and daily lives. Based upon evidence presented by residents and experts, the ALJ determined that DNR had “clear regulatory authority” to impose the two conditions disputed upon Kinnard’s reissued WPDES permit.  

Ultimately the matter was argued to the Court. The issue in the case involved sec. 227.10(2m), Wis. Stats., which dictates that “[n]o agency may implement or enforce any standard, requirement, or threshold…unless that standard, requirement, or threshold is explicitly required or explicitly permitted by statute or by a rule that has been promulgated in accordance with this subchapter.” (emphasis added). The parties disputed the meaning of “explicitly required or explicitly permitted” in the context of DNR imposing conditions upon Kinnard’s reissued WPDES permit.  

Kinnard asserted that explicit means specific, and that in the absence of statutory or administrative authority, DNR must first promulgate a rule in order to impose the conditions upon its reissued WPDES permit. The DNR and petitioners counter that such a reading of “explicitly required or explicitly permitted” was too narrow, and that Kinnard had overlooked the explicit, but broad, authority given to DNR in Secs. 283.31(3) – (5) Wis. Stats. to prescribe such conditions.  

The Court first looked to dictionary definitions of the term “explicit” and revised Sec. 227.10(2m) in context and determined explicit authority can be broad in scope. The court next examined the text of Secs. 283.31(3) – (5), and related regulations, to determine whether DNR had explicit authority to impose an animal unit maximum and off-site groundwater monitoring conditions upon Kinnard’s reissued WPDES permit. The Court held that while the statute sections do not specifically state an animal unit limit or off-site ground water monitoring, DNR did have explicit authority to prescribe both conditions when it reissues the WPDES permit.  

The Court determined that (1) agencies’ actions under administrative law need be supported by explicit, not specific, statutory or regulatory authority; and (2) that explicit authority can be broad in scope.   

High-Capacity Wells 

In a second case, the Court also reviewed whether Sec. 227.10(2m) Wis. Stats. allowed for DNR to consider the potential environmental effects of proposed high-capacity wells when such consideration is not required under Sec. 281.34(4) Wis. Stats.  

For some types of wells, DNR is required to follow a specific process in its environmental review of a well application. For other types of wells, a specific process is not required; however, DNR often still considers the potential environmental impact of a proposed well when considering a well application. Eight well applications in dispute in the case where the type that no specific environmental review was required. DNR did have information that the wells would negatively impact the environment. DNR approved the eight applications knowing of the wells impact having concluded it did not have the authority to consider the proposed wells’ environmental impact. 

Clean Wisconsin and the Pleasant Lake Management District (collectively, Clean Wisconsin) appealed DNR’s action arguing DNR’s decision was contrary to the Court’s decision in the Lake Beulah Management District v. DNR (2011 WI 54, 335 Wis. 2d 47, 799 N.W.2d 73) case. In Lake Beulah, the Court held that DNR had the authority and discretion to consider the environmental effects of all proposed high-capacity wells under the public trust doctrine when it determined that a proposed well would harm other waters in Wisconsin.  

DNR argued the Lake Beulah court case was no longer good law because Act 21 had since become law and the law limits an agency’s action to only those “explicitly required or explicitly permitted to state or by a rule.” The eight well applications were for the type of wells for which there was no formal environmental review under Sec. 281.34 Wis. Stats. DNR had also relied on a past Attorney General opinion which stated the agency could not rely on the public-trust authority and could not rely upon the Lake Beulah case as that would not withstand the requirements under Wis. Stats. Sec. 227.10(2m) (OAG-01-16).   

With respect to the high-capacity well applications, the Court ruled in favor of Clean Wisconsin having determined DNR has explicit authority, based upon its broad public trust authority under Secs. 281.11 and 281.22 Wis. Stats., to determine the environmental impact of high-capacity wells despite the fact that Sec. 281.34 does not specifically state such requirement. The Court’s finding reaffirmed the Court’s Lake Beulah decision despite enactment of Act 21.  

Take Away from Cases 

The interesting and concerning parts of the decisions is that after the passage of Act 21, many took the revised language of Sec. 227.10(2m) Wis. Stats. to mean that for an agency to act, the action had to be specifically stated or provided for within statutory language or administrative rule. If the action was not within such language, the agency would first have to promulgate a rule or otherwise change statutory language for the agency to take the actions desired.  

However, given how the Court has interpreted “explicit” in the two cases, that may not be the case. It is possible that because of the two Court decisions, an agency make act regardless of the action not being stated within statutory language or administrative rule. Instead, it is possible an agency may rely on its broader authority for action.  

Financial institutions should keep the decisions of the two Court cases in mind when considering whether an agency has the authority to act in a particular manner. Financial institutions should be cautious that just because an action is not specifically found within statute or rule, the action may still be authorized under a broader, explicit authority. Despite the passage of Act 21, agency action could be broad.  

As is often the case, one should read the dissenting opinions of both cases. The dissenting opinions outline the concerns of many regarding how broad an agency may act despite Act 21, despite the fact the agency’s actions were not specifically stated within statute or administrative rule in connection with reissuing an WPDES permit or when approving the type of well applications involved in the high-capacity well case, and despite the Court’s previous decision under Tetra Tech EC Inc. v. Wisconsin Dep’t of Revenue, 2018 WI 75, 373 Wis.2d 2387, 890 N.W.2d. 598. The decisions appear to give back to agencies potentially broad authority.  


In both cases, the Court looked to language used in Wis. Stats. Sec. 227.10(2m) and determined that (1) agencies’ actions under administrative law need be supported by explicit, not specific, statutory or regulatory authority; and (2) that explicit authority can be broad in scope. As a result of the two decisions, DNR was given broader authority than many believed was permissible since enactment of Act 21 and Tetra Tech. Financial institutions need be aware of the Court decisions and be cautious that just because an action is not specifically found within statute or rule, the action may still be authorized under an agency’s broader, explicit authority. 

Clean Wisconsin et. Al v. Wis. Dep’t of Natural Resources, 2021 WI 71 (Kinnard Farm) decision may be viewed at:  

Clean Wisconsin and Pleasant Lake Mgmt. Dist. v. Wis. Dep’t of Natural Resources, 2021 WI 72 (High-Capacity Wells) decision may be viewed at:  

By, Ally Bates

This was the Special Focus section for the May 2020 Compliance Journal, click here to view the entire edition.

Title II, Subpart B of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) consists of provisions that affect retirement account distributions, charitable contributions, and employer payments on student loans. The following is a summary of the provision affecting retirement accounts. 

Several sections of Subpart B effect distributions from retirement accounts including: temporary treatment for coronavirus-related distributions, limited repayment and income tax treatments for qualified individuals, and waivers from required minimum distributions.

Coronavirus-related Distributions  

The new law allows for temporary treatment for distributions referred to as “coronavirus-related distributions” (CRDs). For a distribution to be considered a CRD, the distribution need be:  

  1. Made on or after January 1, 2020 and before December 31, 2020; and 
  2. Made to an individual:   
    • Who is diagnosed with the virus SARS-CoV-2 or with coronavirus disease 2019 (COVID-19) by a test approved by the Centers for Disease Control and Prevention;  
    • Whose spouse or dependent (as defined in section 152 of the Internal Revenue Code) is diagnosed with such virus or disease by such a test; or 
    • Who experiences adverse financial consequences as a result of being: 
      • Quarantined;  
      • Furloughed or laid off or having work hours reduced due to such virus or disease; or 
      • Unable to work due to lack of childcare due to such virus or disease, closing or reducing hours of a business owned or operated by the individual due to such virus or disease, or other factors as determined by the Secretary of the Treasury. 

CRDs are permitted for up to $100,000 (in the aggregate) from eligible retirement accounts and are not subject to the standard 10% withholding tax penalty that would otherwise apply to a distribution taken before the participant was 59½. Eligible retirement accounts include qualified defined contribution retirement plans, including 401(k), 403(b), 457(b), and IRAs.  

The new law does allow for retirement plan administrators to rely upon an employee certification that he/she meets the CARES Act conditions to make a CRD. There is no further detail in the CARES Act regarding what specific certification should be made for reliance there upon.  

CRDs will automatically be included as qualified individual taxable income ratably over a 3-taxable year period beginning with the year withdrawn. The participant may voluntarily elect income treatment differently—such as including CRDs as qualified taxable income all in one tax year.  

The CARES Act also allows participants to repay CRDs back to eligible retirement plans and IRAs for which they are beneficiaries and for which a rollover contribution of such distributions can be made. The repayment period is three years from date the distribution was received. Repayments will be treated as satisfying general 60-day rollover requirements and will generally require the participant to file an amended tax return.  

Loans from Qualified Retirement Plans 

Separate from options available for CRDs, the CARES Act increases the amount qualified individuals may borrow from a qualified retirement plan. From the date of enactment until 180 days thereafter, qualified individuals may borrow up to 100% of the individual’s vested account balance or $100,000, whichever is less. This is an increase from current thresholds of 50% and $50,000. A qualified individual is someone that meets the criteria listed in item 2. above. Not all retirement plans allow for participant loans; plan participants should discuss loan options with retirement plan administrators.  

In the case of a qualified individual with an outstanding loan from a qualified retirement plan on or after the date of enactment of the CARES Act (March 27, 2020), if the due date for any repayment of the outstanding loan occurs during the period beginning March 27, 2020 and ending December 31, 2020, such due date is delayed for one year. In determining the traditional 5-year period for when a loan from a qualified retirement plan must be repaid, the traditional time period disregards the delayed period.   

Waiver of Required Minimum Distribution for 2020 

The rules for required minimum distributions (RMDs) for defined contribution plans (such as 403(b) and certain 457(b) accounts) and IRAs have also been impacted by the CARES Act. Under section 2203 of the Act, RMDs are waived for 2020. Due to the changes, an accountholder who was otherwise required to take an RMD in 2020 is no longer required to take the RMD. Additionally, an accountholder who turned 70½ in 2019 but had not yet taken the first RMD by April 1, 2020, is not required to take the first RMD; nor is that accountholder required to take a 2020 RMD.  

The RMD changes also impact inherited IRA-holders. If an accountholder inherited an IRA from a person who died before January 1, 2020, the accountholder is not required to take a 2020 RMD. If the accountholder inherited an IRA as a designated beneficiary, the accountholder is generally required have the IRA funds distributed to him/her within a ten-year time period. Under the CARES Act, if the death occurred after December 2019, the ten-year period does not start until 2021—skipping 2020. A non-designated beneficiary (i.e., estate, charity) normally is required to receive the inherited IRA funds over a 5-year period. Under the CARES Act, 2020 is skipped giving the non-designated beneficiary six years to have the IRA funds fully distributed.  

A change made by the CARES Act is independent of the Setting Every Community up for Retirement Enhancement Act (SECURE Act). The CARES Act made no changes to the new timing rules of the SECURE Act. Thus, under the SECURE Act, it remains that if an IRA-holder reached 70½ prior to January 1, 2020, or if the IRA-holder is not yet 70½, once the IRA-holder reaches 72 after December 31, 2019, he/she must take an RMD.  

Bank Considerations 

Given the new distribution flexibilities for retirement accounts, banks should consider whether further tracking of withdrawals should be implemented for distributions made pursuant to the CARES Act. For example, is the bank be able to track the amount of CRDs taken by a qualified individual from an IRA to help ensure the customer did not exceed the $100,000 threshold. Or whether the bank should track CRDs to then anticipate repayments thereof and perhaps monitor both the timing and amount of repayment.   

Bank should also consider whether any type of automatic RMD activity need be ceased before an otherwise pre-arranged RMD is disbursed to the customer. Banks should be in contact with those IRA customers in distribution regarding the changes made to RMDs. IRA customers may still decide to voluntarily receive an RMD even though the CARES Act waives the distribution requirement for 2020. 

Banks should also become familiar with the frequently asked questions released by the Internal Revenue Service (IRS) regarding the changes made by the CARES Act. In the guidance, IRS references past guidance issued after Hurricane Katrina. It is expected IRS will use the practices implemented in that past disaster in its implementation of the CARES Act changes. IRS needs to issue further guidance for some of the changes made by the CARES Act; banks should keep an eye on the IRS website for that further guidance. The IRS guidance may be viewed at:  


Title II, Subpart B of CARES Act affect retirement account distributions, charitable contributions, and employer payments on student loans. The changes made to retirement accounts include CRDs, limited repayment and income tax treatments for certain withdrawals made by qualified individuals, and waivers from RMDs for 2020. 

Banks should be familiar with guidance issued by the IRS, including a series of frequently asked questions and should consider how the changes may impact IRA operations. Bank should also consider reaching out to IRA customers currently in distribution regarding the opportunity to waive RMDs for 2020.

By, Ally Bates

This was the Special Focus section for the May 2020 Compliance Journal, click here to view the entire edition.

On Tuesday, April 28, 2020, the Board of Governors of the Federal Reserve System (FRB) issued an interim final rule to amend Regulation D to delete the numeric limits on certain kinds of transfers and withdrawals that may be made each month from “savings deposits” (interim final rule or IFR). The interim final rule is effective immediately. 


The Federal Reserve Act authorizes FRB to impose reserve requirements on certain types of deposits of depository institutions. Regulation D distinguishes between reservable “transaction accounts” and non-reservable “savings deposits” based on the ease with which the depositor may make transfers or withdrawals from the account. Prior to the interim final rule, Regulation D defined the term “savings deposit” to require, under the terms of the deposit contract or by practice of the depository institution, that the depositor be permitted to make no more than six transfers or withdrawals (in any combination) per calendar month or statement cycle of at least four weeks (six transfer limit).

In January 2019, the Federal Open Market Committee (FOMC) announced its intention to implement monetary policy in an ample reserves regime. Considering that shift, on March 15, 2020, FRB reduced reserve requirement ratios to zero percent effective March 26, 2020, eliminating reserve requirements for all depository institutions. Because of the elimination of reserve requirements on all transaction accounts, the regulatory distinction between reservable “transaction accounts” and non-reservable “savings deposits” is no longer necessary. Thus, FRB issued the IFR to delete the six transfer limit from the definition of “savings deposit.”

Impact of the Change and Considerations for Banks 

The IFR allows depository institutions to immediately suspend enforcement of the six transfer limit, but does not require any mandatory changes. Because the six transfer limit was deleted, financial institutions may, but are not required to, permit their customers to make an unlimited number of convenient transfers and withdrawals from their savings deposits. 

Many financial institutions have questioned whether the deletion of the six transfer limit is permanent. FRB has stated that, as discussed above, the underlying reason enabling the changes in Regulation D is the FOMC’s choice of monetary policy framework of an ample reserve regime. In such a regime, reserve requirements are not needed. Thus, the distinction made by the transfer limit between reservable and non-reservable accounts is also not necessary. The FOMC’s choice of a monetary policy framework is not a short-term choice. FRB does not have plans to re-impose transfer limits but may make adjustments to the definition of savings accounts in response to comments received on its interim final rule and, in the future, if conditions warrant. 

In short, based upon the IFR, and FRB’s clarifying statements above, the deletion of the six transfer limit is indefinite. The interim final rule amends Regulation D with no time limitations. FRB could later re-implement the six transfer limit, but would be required to issue a new rule. As discussed above, FRB currently has no plans to re-implement the six transfer limit. 

FRB has answered additional frequently asked questions. Some of the more common questions and answers are provided below: 

  1. May depository institutions continue to report accounts as “savings deposits” on their FR 2900 reports even after they suspend enforcement of the six-transfer limit on those accounts? 
    Yes. Depository institutions may continue to report these accounts as “savings deposits” on their FR 2900 reports after they suspend enforcement of the six-transfer limit on those accounts. 
  2. If a depository institution suspends enforcement of the six-transfer limit on a “savings deposit,” may the depository institution report the account as a “transaction account” rather than as a “savings deposit”? 
    Yes. If a depository institution suspends enforcement of the six-transfer limit on a “savings deposit,” the depository institution may report that account as a “transaction account” on its FR 2900 reports. A depository institution may instead, if it chooses, continue to report the account as a “savings deposit.” 
  3. May depository institutions suspend enforcement of the six-transfer limit on a temporary basis, such as for six months? 
  4. How did the recent amendments to Reg D impact Reg CC? 
    Regulation CC provides that an “account” subject to Regulation CC includes accounts described in 12 CFR 204.2(e) (transaction accounts) but excludes accounts described in 12 CFR 204.2(d)(2) (savings deposits). Because Regulation CC continues to exclude accounts described in 12 CFR 204.2(d)(2) from the Reg CC “account” definition, the recent amendments to Regulation D did not result in savings deposits or accounts described in 12 CFR 204.2(d)(2) now being covered by Regulation CC. 

In its FAQs, FRB states that the IFR does not specify the manner in which depository institutions that choose to amend their account agreements may do so. Meaning, the IFR, and Regulation D in general, does not require or prescribe how a financial institution must modify its account agreements with respect to the six transaction limitation. However, WBA reminds financial institutions to consider Regulation DD, which implements the Truth in Savings Act.  

Regulation DD requires a depository institution to give its consumers 30 calendar days advance notice of any change in a term if the change may reduce the annual percentage yield or adversely affect the consumer. The notice shall include the effective date of the change. If a financial institution decides to remove the six transaction limitation, such a change is positive to the customer and would not require advance notice. Financial institutions might still decide to provide notice of the change from a customer service standpoint, however. 

There are other situations that might necessitate advanced notice of a change in terms under Regulation DD. As discussed above, the deletion of the six-month transaction limitation is indefinite. However, financial institutions have the flexibility to choose how to act on that change. Financial institutions could choose to maintain their current policies, procedures, and account agreements, or modify them, and could do so on a temporary basis. For example, a financial institution might decide to permit its customers to make unlimited transactions for a period of six months. At the end of the six-month period, if the financial institution decides to re-implement the six transaction limitation, 30 days advance notice would be required as the change would be adverse to the customer. 


FRB’s interim final rule deletes the six transaction limit from Regulation D without further limitation. The amendments are intended to allow depository institution customers more convenient access to their funds and to simplify account administration for depository institutions. The IFR permits, but does not require, depository institutions to suspend enforcement of the six transfer limit. Thus, financial institutions have the flexibility to determine whether, and how, to act upon the deletion of the six transfer limit. 

Additional Resources 

FRB’s Interim Final Rule 
FRB’s Monetary Policy and Reduction of Reserve Requirements 
FRB’s FAQ on Reserves 
FRB’s FAQ on Savings Deposits 
FRB on Reporting Changes

By, Ally Bates