WBA Legal has prepared a new toolkit to help senior management, commercial lenders, loan processors, compliance officers, and others involved with small business lending to better understand the impact of CFPB’s recently proposed small business rule on the bank. Once finalized, the requirement to collect and report certain data about small business credit applicants will have a dramatic impact on current application and processing operations and record retention.  

A PowerPoint summarizing CFPB’s proposed rule has been created for use by staff who seek to present the main components of the proposal to lending and processing staff. The PowerPoint provides a background, proposed compliance dates, information regarding covered financial institutions, definition of small business, minority-owned and women-owned business, definition of covered application and covered credit transaction, what data must be collected, and reporting information.  

In addition to the PowerPoint, the toolkit also includes a complete outline of the proposed rule, including the proposed commentary and several appendices. CFPB’s proposed rule summary and a data point chart are also included.  

CFPB is accepting comments regarding its proposal. WBA hopes each bank will take into consideration the information provided in this toolkit, assess the proposal’s impact on the bank, and provide comment to CFPB regarding such impact.  

WBA Legal will be creating a draft comment letter for use by members to reply to CFPB regarding concerns and impact of the proposal on banks. WBA encourages each bank to consider submitting its own letter reflecting bank-specific information.  

Feel free to contact WBA Legal at wbalegal@wisbank.com regarding CFPB’s proposal.

The White House has just released the Occupational Safety and Health Administration’s (OSHA’s) emergency temporary standard (ETS) meant to protect unvaccinated employees of large employers (100 or more employees) from the risk of contracting COVID-19 by strongly encouraging vaccination. Under the ETS, covered employers must develop, implement, and enforce a mandatory COVID-19 vaccination policy, with an exception for employers that instead adopt a policy requiring employees to either get vaccinated or elect to undergo regular COVID-19 testing and wear a face covering at work in lieu of vaccination.

Under the ETS, employees of covered employers must receive the vaccine or be required to produce a negative test on “at least a weekly basis.” Employers “must remove from the workplace any employee who receives a positive COVID-19 test or is diagnosed with COVID-19 by a licensed healthcare provider.”

Highlights from the ETS:

Explanation of Who is Included in the 100-Employee Threshold:  

The applicability of the ETS is based on the size of an employer, in terms of number of employees, rather than on the type or number of workplaces. Part-time employees do count towards the company total, but independent contractors do not. For a single corporate entity with multiple locations, all employees at all locations are counted for purposes of the 100-employee threshold for coverage under the ETS. The determination as to whether a particular employer is covered by the standard should be made separately from whether individual employees are covered by the standard’s requirements. For example,

  • If an employer has 75 part-time employees and 25 full-time employees, the employer would be within the scope of the ETS because it has 100 employees.
  • If an employer has 150 employees, 100 of whom work from their homes full-time and 50 of whom work in the office at least part of the time, the employer would be within the scope of the ETS because it has more than 100 employees. (NOTE: See the information below regarding mandatory vaccination not being applicable to some employees.)
  • If an employer has 102 employees and only 3 ever report to an office location, that employer would be covered.

January 4 Deadline to Begin Weekly Testing of Unvaccinated Employees:

Employees of covered employers have until January 4 to become fully vaccinated (either two doses of Pfizer or Moderna, or one dose of Johnson & Johnson). After that date, employers must ensure that any employees who have not received the necessary shots begin producing a verified negative test to their employer on at least a weekly basis. Therefore, employers with unvaccinated workers need to have a testing regime in place by January 4, unless the ETS is enjoined.

Paid Time Off to Get Vaccinated:

Covered employers must provide four hours of paid time off for employees to get vaccinated.

Unvaccinated Employees Must be Masked: 

Unvaccinated employees of covered employers must wear a face mask while in the workplace.

Proof of Vaccination Status and Record Retention:

Covered employers must require employees to provide proof of vaccination status, which can take the form of an immunization record, COVID-19 vaccination record card, or other official medical record documenting the vaccine. The employer must maintain a “record” of that vaccination and a roster of each employee’s vaccination status. There is no suggestion that the employer must copy the vaccination document presented by the employee to show proof of vaccination.

Mandatory Vaccination Not Applicable to Certain Employees: 

Employers are not required to mandate vaccination by employees for whom a vaccine is medically contraindicated, for whom medical necessity requires a delay in vaccination (e.g., the vaccine is in conflict with other medical treatment received by the employee), or those legally entitled to a reasonable accommodation under the Americans with Disabilities Act or other federal civil rights law because the employee has a disability or sincerely-held religious belief, practice, or observance that conflicts with the vaccination requirement.

The vaccination requirement also does not apply to employees who do not report to a workplace where other individuals (such as coworkers or customers) are present, employees while they are working from home, or employees who work exclusively outdoors. An employee who switches back and forth from teleworking from home to working from the office is covered by the ETS.

ETS Not Applicable to Workplaces Subject to E.O. 14042:

The ETS does not apply to workplaces covered by Executive Order 14042, which requires federal contractors to have employees whose work relates to a federal contract be vaccinated against COVID-19. (This provision differs from the administration’s prior suggestion that employers subject to both the ETS and executive order would need to comply with both actions.)

The requirement to test unvaccinated employees weekly begins on January 4. Compliance with all other requirements of the ETS is required by December 5. It is WBA’s understanding that several state attorneys general and private entities are expected to file lawsuits in the coming days that seek to enjoin the ETS from taking effect.

View the full ETS here.

By WBA Legal

In late August, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued a new resource titled, Conducting Due Diligence on Financial Technology Companies, A Guide for Community Banks (Guide), which was intended to help community banks in conducting due diligence when considering relationships with fintech companies.

Use of the Guide is voluntary, and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the Guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company.

While the Guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance, which for FRB-regulated banks is SR Letter 13-19, for FDIC-regulated banks is FIL-44-2008, and for OCC banks is Bulletin-2013-29.

During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.

The Guide focuses on six key due diligence topics, including relevant considerations and a list of potential sources of information. The following is a summary of the key due diligence topics within the Guide.

Business Experience and Qualifications

The agencies have identified that by evaluating a fintech company’s business experience, strategic goals, and overall qualifications, a community bank can better consider a fintech company’s experience in conducting the activity and its ability to meet the bank’s needs. Review of operational history will provide insight into a fintech company’s ability to meet a community bank’s needs, including, for example, the ability to adequately provide the activities being considered in a manner that enables a community bank to comply with regulatory requirements and meet customer needs.

Review of client references and complaints about a fintech company may provide useful information when considering, among other things, whether a fintech company has adequate experience and expertise to meet a community bank’s needs and resolve issues, including experience with other community banking clients. Review of legal or regulatory actions against a fintech company can be indicators of the company’s track record in providing activities.

When a community bank is considering a third-party relationship, discussing a fintech company’s strategic plans can provide insight on key decisions it is considering, such as plans to launch new products or pursue new arrangements (such as acquisitions, joint ventures, or joint marketing initiatives). A community bank may subsequently consider whether the fintech company’s strategies or any planned initiatives would affect the prospective activity. Further, inquiring about a fintech company’s strategies and management style may help a community bank assess whether a fintech company’s culture, values, and business style fit those of the community bank.

The agencies further instruct that understanding the background and expertise of a fintech company’s directors and executive leadership may provide a community bank useful information on the fintech company’s board and management knowledge and experience related to the activity sought by the community bank. A community bank may also consider whether the company has sufficient management and staff with appropriate expertise to handle the prospective activity.

For example, imagine that a fintech company, its directors, or its management have varying levels of expertise conducting activities similar to what a community bank is seeking. A fintech company’s historical experience also may not include engaging in relationships with community banks. As part of due diligence, a community bank may therefore consider how a fintech company’s particular experiences could affect the success of the proposed activity and overall relationship. Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives. When evaluating the potential relationship, a community bank may consider a fintech company’s willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations.

Financial Condition

Another step the agencies identified is for a bank to evaluate a fintech company’s financial condition to help the bank assess the company’s ability to remain in business and fulfill any obligations created by the relationship. Review of financial reports provides useful information when evaluating a fintech company’s capacity to provide the activity under consideration, remain a going concern, and fulfill any of its obligations, including its obligations to the community bank. Understanding funding sources provides useful information in assessing a fintech company’s financial condition. A fintech company may be able to fund operations and growth through cash flow and profitability or it may rely on other sources, such as loans, capital injections, venture capital, or planned public offerings.

Additionally, information about a fintech company’s competitive environment may provide additional insight on the company’s viability. Review of information on a fintech company’s client base can shed insight into any reliance a fintech company may have on a few significant clients. A few critical clients may provide key sources of operating cash flow and support growth but may also demand much of a fintech company’s resources. Loss of a critical client may negatively affect revenue and hinder a fintech company’s ability to fulfill its obligations with a community bank. A community bank may also consider a fintech company’s susceptibility to external risks, such as geopolitical events that may affect the company’s financial condition.

For example, some fintech companies, such as those in an early or expansion stage, have yet to achieve profitability or may not possess financial stability comparable to more established companies. Some newer fintech companies may also be unable to provide several years of financial reporting, which may impact a community bank’s ability to apply its traditional financial analysis processes. When audited financial statements are not available, a community bank may want to seek other financial information to gain confidence that a fintech company can continue to operate, provide the activity satisfactorily, and fulfill its obligations. For example, a community bank may consider a fintech company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech company’s overall financial performance.

Legal and Regulatory Compliance

The Guide further outlines how evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements applicable to the proposed activity, and its experience working within the legal and regulatory framework better enables a community bank to verify a fintech company’s ability to comply with applicable laws and regulations.

A bank may want to consider reviewing organizational documents and business licenses, charters, and registrations as such documentation provides information on where a fintech company is domiciled and authorized to operate (for example, domestically or internationally) and legally permissible activities under governing laws and regulations. Reviewing the nature of the proposed relationship, including roles and responsibilities of each party involved, may also help a community bank identify legal considerations. Assessing any outstanding legal or regulatory issues may provide insight into a fintech company’s management, its operating environment, and its ability to provide certain activities.

A bank could also consider reviewing a fintech company’s risk and compliance processes to help assess the fintech company’s ability to support the community bank’s legal and regulatory requirements, including privacy, consumer protection, fair lending, anti-money-laundering, and other matters. A fintech company’s experience working with other community banks may provide insight into the fintech company’s familiarity with the community bank’s regulatory environment. Reviewing information surrounding any consumer-facing applications, delivery channels, disclosures, and marketing materials for community bank customers can assist a community bank to anticipate and address potential consumer compliance issues. Considering industry ratings (for example, Better Business Bureau) and the nature of any complaints against a fintech company may provide insight into potential customer service and compliance issues or other consumer protection matters.

For example, some fintech companies may have limited experience working within the legal and regulatory framework in which a community bank operates. To protect its interests, community banks may consider including contract terms requiring (a) compliance with relevant legal and regulatory requirements, including federal consumer protection laws and regulations, as applicable; (b) authorization for a community bank and the bank’s primary supervisory agency to access a fintech company’s records; or (c) authorization for a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms. Other approaches could include (1) instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity), or (2) periodically reviewing customer complaints, if available, related to the activity.

Risk Management and Controls

The agencies have also identified that evaluating the effectiveness of a fintech company’s risk management policies, processes, and controls helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.

Banks should consider reviewing a fintech company’s policies and procedures governing the applicable activity as it will provide insight into how the fintech company outlines risk management responsibilities and reporting processes, and how the fintech company’s employees are responsible for complying with policies and procedures. A community bank may also use the information to assess whether a fintech company’s processes are in line with its own risk appetite, policies, and procedures. Information about the nature, scope, and frequency of control reviews, especially those related to the prospective activity, provides a community bank with insight into the quality of the fintech company’s risk management and control environment. A community bank may also want to consider the relative independence and qualifications of those involved in testing. A fintech company may employ an audit function (either in-house or outsourced). In these cases, evaluating the scope and results of relevant audit work may help a community bank determine how a fintech company ensures that its risk management and internal control processes are effective.

Banks should also consider the findings, conclusions, and any related action plans from recent control reviews and audits as the information may provide insight into the effectiveness of a fintech company’s program and the appropriateness and timeliness of any related action plans. Evaluating a fintech company’s reporting helps a community bank to consider how the fintech company monitors key risk, performance, and control indicators; how those indicators relate to the community bank’s desired service-level agreements; and how the fintech company’s reporting processes identify and escalate risk issues and control testing results. A community bank may also consider how it would incorporate such reporting into the bank’s own issue management processes. Review of information on a fintech company’s staffing and expertise, including for risk and compliance, provides a means to assess the overall adequacy of the fintech company’s risk and control processes for the proposed activity.

Information on a fintech company’s training program also assists in considering how the fintech company ensures that its staff remains knowledgeable about regulatory requirements, risks, technology, and other factors that may affect the quality of the activities provided to a community bank.

For example, a fintech company’s audit, risk, and compliance functions will vary with the maturity of the company and the nature and complexity of activities offered. As a result, a fintech company may not have supporting information that responds in full to a community bank’s typical due diligence questionnaires. In other cases, a fintech company may be hesitant to provide certain information that is considered proprietary or a trade secret (for example, their development methodology or model components). In these situations, a community bank may take other steps to identify and manage risks in the third-party relationship and gain confidence that the fintech company can provide the activity satisfactorily.

For example, a community bank may consider on-site visits to help evaluate a fintech company’s operations and control environment, or a community bank’s auditors (or another independent party) may evaluate a fintech company’s operations as part of due diligence. Other approaches could include (a) accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the community bank’s normal processes, commensurate with the criticality of the arrangement and in line with the bank’s risk appetite and applicable third-party risk management procedures; (b) incorporating contract provisions that establish the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified; (c) establishing a community bank’s right to terminate a third-party relationship, based on a fintech company’s failure to meet specified technical and operational requirements or performance standards (contract provisions may also provide for a smooth transition to another party, for example, ownership of records and data by the community bank and reasonable termination fees); or (d) outlining risk and performance expectations and related metrics within the contract to address a community bank’s requirements.

Information Security

In understanding a fintech company’s operations infrastructure and the security measures for managing operational risk, a community bank may better evaluate whether the measures are appropriate for the prospective activity. A community bank may evaluate whether the proposed activity can be performed using existing systems, or if additional IT investment would be needed at the community bank or at the fintech company to successfully perform the activity. For example, a community bank may evaluate whether the fintech company’s systems can support the bank’s business, customers, and transaction volumes (current and projected). A fintech company’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software, will provide a community bank with information on the prospective third party’s potential security and business impacts to the community bank.

For example, fintech companies’ information security processes may vary, particularly for fintech companies in an early or expansion stage. Community banks may evaluate whether a fintech company’s information security processes are appropriate and commensurate with the risk of the proposed activity. Depending on the activity provided, community banks may also seek to understand a fintech company’s oversight of its subcontractors, including data and information security risks and controls.

For a fintech company that provides transaction processing or that accesses customer data, for example, community banks may request information about how the fintech company restricts access to its systems and data, identifies and corrects vulnerabilities, and updates and replaces hardware or software. The bank may also consider risks and related controls pertaining to its customers’ data, in the event of the fintech company’s security failure. Also, contractual terms that authorize a community bank to access fintech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.

Operational Resilience

A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events. It is important that third-party continuity and resilience planning be commensurate with the nature and criticality of activities performed for the bank.

Evaluating a fintech company’s business continuity plan, incident response plan, disaster recovery plan and related testing can help a community bank determine the fintech company’s ability to continue operations in the event of a disruption. Also, evaluating a fintech company’s recovery objectives, such as any established recovery time objectives and recovery point objectives, helps to ascertain whether the company’s tolerances for downtime and data loss align with a community bank’s expectations. Contemplating how a fintech company considers changing operational resilience processes to account for changing conditions, threats, or incidents, as well as how the company handles threat detection (both in-house and outsourced), may provide a community bank with additional information on incident preparation. Discussions with a fintech company, as well as online research, could provide insights into how the company responded to any actual cyber events or operational outages and any impact they had on other clients or customers.

Understanding where a fintech company’s data centers are or will reside, domestically or internationally, helps a community bank to consider which laws or regulations would apply to the community bank’s business and customer data. Another matter for a community bank to consider is whether a fintech company has appropriate insurance policies (for example, hazard insurance or cyber insurance) and whether the fintech company has the financial ability to make the community bank whole in the event of loss.

Service level agreements between a community bank and a fintech company set forth the rights and responsibilities of each party with regard to expected activities and functions. A community bank may consider the reasonableness of the proposed service level agreement and incorporate performance standards to ensure key obligations are met, including activity uptime. A community bank may also consider whether to define default triggers and recourse in the event that a fintech company fails to meet performance standards.

A fintech company’s monitoring of its subcontractors (if used) may offer insight into the company’s own operational resilience. For example, a community bank may inquire as to whether the fintech company depends on a small number of subcontractors for operations, what activities they provide, and how the fintech company will address a subcontractor’s inability to perform. A community bank may assess a fintech company’s processes for conducting background checks on subcontractors, particularly if subcontractors have access to critical systems related to the proposed activity.

For example, as with previous due diligence scenarios, fintech companies may exhibit a range of resiliency and continuity processes, depending on the activities offered. Community banks may evaluate whether a fintech company’s planning and related processes are commensurate with the nature and criticality of activities performed for the bank. For example, community banks may evaluate a fintech company’s ability to meet the community bank’s recovery expectations and identify any subcontractors the fintech company relies upon for recovery operations. A fintech company may have recovery time objectives for the proposed activity that exceed the desired recovery time objectives of a community bank. If a fintech company can meet the community bank’s desired recovery time objectives, the bank may consider including related contractual terms, such as a contract stipulation that the community bank can participate in business continuity testing exercises and that provides appropriate recourse if the recovery time objective is missed in the event of an actual service disruption.

A community bank may also consider appropriate contingency plans, such as the availability of substitutable service providers, in case the fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities. In addition to potential contractual clauses and requirements, a community bank’s management may also consider how it would wind down or transfer the activity in the event the fintech company fails to recover in a timely manner.

Conclusion

The agencies have outlined a number of relevant considerations, non-exhaustive lists of potential sources of information, and illustrative examples to assist community banks with identifying strengths and potential risks when considering relationships with fintech companies. The voluntary Guide helps provide a starting point for banks with their due diligence efforts. The Guide may be viewed here.

Highlighted Special Focus From the October 2021 Compliance Journal

By Scott Birrenkott

WBA filed comments this week with FRB, FDIC, and OCC (agencies) on their proposed guidance on managing risks associated with third-party relationships (proposal).

Over the years, the agencies have issued guidance on third-party management for their respective supervised institutions. The agencies have issued the proposal in an effort to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management. The proposal is based on the OCC’s existing third-party risk management guidance from 2013.

WBA commented that the proposal presents a welcome opportunity to consolidate and update each agency’s individual existing guidance, and generally supported the effort. In addition to general comments reflecting member experiences in third-party management, WBA did recommend that the agencies consider specific examination procedures in accordance with the guidance, and provide banks with sufficient time to adapt to any final guidance.

Click here to view the letter.

By Scott Birrenkott

Q: Does RESPA Prohibit Kickbacks for Referrals Related to Settlement Services?

A: Yes. WBA has received a few inquiries recently regarding the Real Estate Settlement Procedures Act’s prohibition against kickbacks and unearned fees, and has created this summary as a quick refresher.

RESPA Section 8 prohibits certain actions related to federally related mortgage loans, including a prohibition against giving or accepting a fee, kickback, or thing of value pursuant to an agreement or understanding (oral or otherwise), for referrals of business incident to or part of a settlement service involving a federally related mortgage loan. There are definitions within that prohibition which help determine what might be covered.

“Thing of value” is defined broadly and can include a number of arrangements. “Settlement service” is also defined broadly and includes any service provided in connection with a real estate settlement. Referrals include oral or written action directed to a person that has the effect of affirmatively influencing a person’s selection of a provider of a settlement service or business incident to or part of a settlement service. For example, if a settlement service provider gives referral sources tickets to attend professional sporting events in exchange for referrals as part of an agreement or understanding, such conduct violates RESPA Section 8.

Certain arrangements, such as affiliated business arrangements and marketing services agreements are not violations of RESPA Section 8. Such determinations are fact-specific, however, and may require discussion with a bank’s legal counsel.

Further resources are available in CFPB’s helpful Real Estate Settlement Procedures Act FAQs.

If you have any questions on this topic or other matters of compliance, contact WBA’s legal call program at 608-441-1200 or wbalegal@wisbank.com.

Note: The above information is not intended to provide legal advice; rather, it is intended to provide general information about banking issues. Consult your institution’s attorney for special legal advice or assistance. 

By Jennifer Mirus, Boardman Clark, a WBA Gold Associate Member

On September 24, 2021, the Biden Administration released guidance regarding the scope of Executive Order 14042, which mandates that employees of covered federal contractors demonstrate proof of full vaccination against COVID-19 by December 8, 2021. That guidance is available here.

The guidance lists several categories which, if applicable to an employer, will trigger its obligation to ensure its employees have been fully vaccinated. The guidance defines “contract” broadly to include: “all contracts and any subcontracts of any tier thereunder, whether negotiated or advertised, including any procurement actions, lease agreements, cooperative agreements, provider agreements, intergovernmental service agreements, service agreements, licenses, permits, or any other type of agreement, regardless of nomenclature, type, or particular form, and whether entered into verbally or in writing.” 

This broad guidance left certain questions unanswered regarding which entities qualify as a covered federal contractor. Notably, it is unclear whether banks are considered federal contractors due to their FDIC relationship with the federal government. Because the guidance is written in broad terms, it could be construed to mean that banks are considered federal contractors because they obtain a “service” from the federal government in the form of FDIC insurance and thus have a “service agreement” for the purposes of the vaccination requirement. However, this is a very literal reading of the guidance which may not be how the Executive Order and guidance are intended to be interpreted. Additionally, an earlier executive order regarding minimum wage used a similar definition of “contract,” and there is no clear guidance or rulings that banks were subject to that order.  

Thus, at this time, it is a reasonable conclusion that banking institutions are not covered federal contractors that must comply with the vaccination mandate. More guidance and clarification will be needed before it is clear whether banks are considered federal contractors under the Executive Order.  Banks that have explicit contracts with the federal government likely do qualify as federal contractors, even if they are not federal contractors by virtue of FDIC programs.  

Banks with 100 or more employees might be subject to the anticipated emergency temporary standard under the Occupational Safety and Health Administration (OSHA) that will require COVID-19 testing or vaccination. Details on OSHA’s standard are anticipated in the near future.

The long-awaited proposed rule regarding the collection and reporting of small business lending data as required by Section 1071 of the Dodd-Frank Act has finally been released by the Bureau of Consumer Financial Protection (CFPB). Unfortunately, the proposed rule is as broad and onerous as the industry expected it to be, as it will be costly to train, implement, and monitor. The proposal would revise Regulation B, which implements the Equal Credit Opportunity Act (ECOA), to require the collection and reporting to CFPB of certain data on applications for credit by small businesses. The proposal is substantial; however, below is a brief summary of the proposed rule.

Who Must Collect Data

The first step of analysis for any proposal is to identify whether it will apply to the bank. In this case, the proposal is broad and will very likely apply to all banks in Wisconsin. As proposed, if a bank originates at least 25 credit transactions that are considered “covered credit transactions” to “small businesses” in each of the two preceding years, the proposed rule will apply to the bank. Generally, a “small business” under the proposal is a business that had $5 million or less in gross annual revenue for its preceding fiscal year.

What CFPB has proposed be considered a “covered credit transaction” requires a trickier analysis but is generally the same as what is considered an application under the existing Regulation B definition of “application.” The proposed term does, however, exclude reevaluation requests, extension requests, or renewal requests on an existing business credit account, unless the request seeks additional credit amounts; also excluded is an inquiry or prequalification request.

What Data is to be Collected

Next, the data to be collected. Dodd-Frank Act Section 1071 identified certain data that must be collected by CFPB; the law also gave CFPB discretion to collect additional data. CFPB has incorporated all Dodd-Frank Act required data and several discretionary data points into its proposal. In particular, banks must collect a unique identifier of each application, application date, application method, application recipient, action taken by bank on the application, date action taken, denial reasons, amount applied for, amount originated or approved, and pricing information including interest rate, total origination charges, broker fees, initial annual charges, additional cost for merchant cash advances or other sales-based financing, and prepayment penalties.

Banks must also collect credit type, credit purpose, information related to the applicant’s business such as census tract, NAICS code and gross annual revenue for applicant’s preceding fiscal year, number of applicant’s non-owner workers, applicant’s time in business, and number of applicant’s principal owners.

There is also demographic information about the applicant’s principal owners to collect. These data points include minority- and women-owned business status, and the ethnicity, race, and sex of the applicant’s principal owners. The proposal also requires banks to maintain procedures to collect applicant-provided data at a time and in a manner that is reasonably designed to obtain a response, addresses how banks are to report certain data if data are not obtainable from an applicant, when banks are permitted to rely on statements made by an applicant, when banks must verify applicant’s responses to certain data collected, and when banks may reuse certain data collected in certain circumstances such as when data was collected within the same calendar year as a current covered application and when the bank has no reason to believe the data are inaccurate.

When and How Data Must be Reported

Banks would be required to collect data on a calendar-year basis and report the data to CFPB by June 1 of the following year. CFPB has proposed to provide technical instructions for the submission of data in a Filing Instructions Guide and related materials.

The submitted data is also to be made available to the public on an annual basis. Banks would be required to make the reported data available on their website, or otherwise upon request, or must provide a statement that the bank’s small business lending application register is available on CFPB’s website. Model language for such statement has been proposed by CFPB.

Limit of Certain Bank Personnel’s Access to Certain Data

The proposed rule implements a requirement under Section 1071 that banks limit certain employees’ and officers’ access to certain data. CFPB refers to this as the “firewall.” Pursuant to the proposed rule, an employee or officer of a bank or bank’s affiliate who is involved in making any determination concerning the applicant’s covered application would be prohibited from accessing an applicant’s responses to inquiries that the bank made regarding whether the applicant is a minority- or woman-owned business. Such employees are also restricted from accessing information about the ethnicity, race, and sex of the applicant’s principal owners.

There are exceptions to the requirement if it is not feasible to limit such access, as that factor is further set forth in the proposal. If an exception is permissible under the proposal, notice must be given to the applicant regarding such access. Again, CFPB has created model language for such notice.

Recordkeeping and Enforcement

The proposal establishes certain recordkeeping requirements, including a three-year retention period for small business lending application registers. The proposal also includes a requirement to maintain an applicant’s responses to Section 1071 inquiries regarding whether an applicant is a minority- or women-owned business, and responses regarding the ethnicity, race, and sex of the applicant’s principal owners, separate from the rest of the application and accompanying information.

The proposal does include enforcement for violations of the new rules, addresses bona fide errors, and provides for a safe harbor.

Learn More and Get Involved

The proposal and additional information, including a chart of the proposed data collection points, may be viewed at: https://www.consumerfinance.gov/rules-policy/rules-under-development/small-businesslending-data-collection-under-equal-credit-opportunity-act-regulation-b/

WBA will comment on the proposal and will create a template letter for bankers to use in providing their own comments to CFPB regarding the impact the proposal will have on the bank. Comments are due 90 days from publication of the proposed rule in the Federal Register. At time of publication of the article, the proposal had not yet been published. CFPB has proposed mandatory compliance of a final rule be eighteen months after its effective date. WBA Legal is creating a working group to collect data and concerns from Wisconsin’s bankers on the proposal. If you wish to be part of the working group, please contact WBA Legal at wbalegal@wisbank.com.

This article originally ran in the September 2021 edition of the WBA Compliance Journal. To view the entire publication, click here.

As was first reported in the September 10 WBA Wisconsin Banker Daily, President Biden released a plan on September 9 meant to reduce the number of unvaccinated Americans.

By way of background, to implement the plan, Department of Labor’s Occupational Safety and Health Administration (OSHA) is developing a rule that will require all employers with 100 or more employees to ensure their workforce is fully vaccinated or require any workers who remain unvaccinated to produce a negative test result on at least a weekly basis before coming to work. OSHA will issue an Emergency Temporary Standard (ETS) to implement the requirement.

OSHA is also developing a rule that will require employers with more than 100 employees to provide paid time off for the time it takes for workers to get vaccinated or to recover if they are under the weather post-vaccination. This requirement will also be implemented through an ETS.

President Biden executed a second order to take similar steps to require vaccinations for all federal workers and federal contractors that do business with the federal government. The Safer Federal Workforce Task Force had until this past Friday to describe new safety protocols, per the order.

Guidance was released last Friday; however, it unfortunately did not clarify whether banks are considered federal contractors under the vaccine mandate. WBA will continue to closely monitor the developing law and update the membership once coverage of the order is clarified.

Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors

Path Out of the Pandemic Order

Order of COVID Safety for Federal Contractors

 

By Heather MacKinnon

By Scott Birrenkott

Q: Are Banks Required To Provide Notice When Changing Lobby Hours?

A: Not by rule or law, but some form of notification is recommended.

There exists no specific requirement for a bank to notify its customers, or its regulators, when changing its hours of operation. This includes branch hours, lobby hours, drive up hours, or other times of access, such as whether a location is open on a Saturday.

However, specific requirements do exist for closure of branch banks, requiring notice in writing to the Wisconsin Department of Financial Institutions (DFI) at least 30 days in advance of the closure, along with notices in the bank’s lobby which is to be closed. While such notice is not required for a change of hours, a bank might consider following that procedure as a matter of courtesy and update to DFI, even though it is not closing a branch.

Additionally, while no specific notice requirement to customers exists, some form of communication would be prudent. For example: a posting in lobbies, through mail, or online via the bank’s website, social media, or other applications, would likely be beneficial and appreciated by those customers who use the affected lobbies, drive-ups, deposit box, etc.

Lastly, the bank should also consider the implications of its change of hours. While there might not be specific notice requirements related to the shift in hours alone, if the shift in hours affects other areas, additional requirements may apply. For example, if cutoff times are changing, or funds availability, stop payment, or other time-sensitive matters are changing, the bank may need to update its disclosures and any associated deposit account rules.

If you have any questions on this topic or other matters of compliance, contact WBA’s legal call program at 608-441-1200 or wbalegal@wisbank.com.

Note: The above information is not intended to provide legal advice; rather, it is intended to provide general information about banking issues. Consult your institution’s attorney for special legal advice or assistance. 

The Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) jointly issued a new guide created with the intention to help community banks conduct due diligence on financial technology companies (a/k/a fintechs). Use of the guide is voluntary and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activities offered by the fintech company. While the guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships.

Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective third-party, vendor guidance. During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements.  

The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight. The guide focuses on six key due diligence topics, including relevant considerations, potential sources of information and illustrative examples. There may be other topics, considerations, and sources of information to consider, depending on the unique relationship and the role of the fintech company.

Access the Guide on the Fed's website.

By Cassie Krause

Events

OSHA released its Emergency Temporary Standard on November 4, which includes significant obligations for banks with 100 or more employees. The Administration also clarified the scope and timing of mandated vaccinations under the Biden COVID Executive Order, which could apply more broadly. The required weekly COVID testing and the required vaccination status generally become effective on January 4, 2022. However, the other obligations in the OSHA Standard become effective on December 5. The OSHA Standard includes requirements for a specific policy, response procedures, vaccination status surveys, and employee communications. These items were not suggested in information supplied by the administration or OSHA up to this point.

In this session, we will focus very specifically on how these duties apply to the banking industry, with the most up-to-date information. We will also provide model forms and documents, corresponding to the requirements detailed on November 4. This session will also include time for questions to address specific areas of interest.

Highlights
New Obligations effective December 5, 2021 explained
New Obligations effective January 4, 2022 explained
Discuss and review model Bank COVID-19 vaccination policy
Discuss and review Vaccination Status Survey form
Discuss and review COVID-19 Posting for Employees
Record Retention Obligations
Sample Employee Communication

Who Should Attend?
HR, senior leaders, compliance, audit and bank counsel.

Presenter
Steve Greene specializes in employment litigation, employee benefit issues and compensation matters for community banks. Steve founded Employment Law Compliance twenty years ago to support community banks. He regularly speaks to employment lawyers and human resources professionals in the banking industry. During the past 35 years, Steve has assisted financial institutions in evaluating compliance obligations and has managed federal and state regulatory investigations and litigation across the country. His work has also included working with the American Bankers Association and other industry associations to influence the DOL and Congress.

Registration Options
Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

The Commercial Loan Documentation checklist typically lists “Evidence of Insurance”. Don’t check that off your list without making sure you have reviewed the Certificate of Insurance and assessed your borrower’s coverage. This fast-paced program will discuss the many different types of insurance coverage for commercial businesses including those which can be included in the general terms “comprehensive” and “general liability” as well as specialized types of coverage based on the business sector in which your borrower operates. Collateral protection insurance, including valuation of a loss claim, co-insurance requirements and contractual provisions addressing the lender’s right to proceeds will be covered. Issues such as deductibles and self-insurance will be discussed. The methods for obtaining and perfecting liens on insurance policies and insurance proceeds, including key person life insurance, will also be reviewed.

What You Will Learn
Reasons for Requiring Insurance
Governmental Insurance Requirements
Commercial Property Insurance: Claims and Common Exclusions
Deductibles
The Lender’s Security Interest in Policies and Proceeds
Claim of Lender as Lender’s Loss Payee or Co-Loss Payee
Co-Insurance Issues and Reductions
Green Insurance
Flood Insurance
Lease Insurance: Residual Value and Enhancement
Self-Insurance
Commercial General Liability (CGL): Coverage A, B and C
Business Interruption Insurance
Professional Liability Insurance
Errors and Omissions Policies
Coverage for Officers & Directors
Employment Practices Liability Insurance (EPLI)
Data Breach & Cyber Liability Insurance
Coverage for Business Autos
Examples of Optimum Coverage for Various Types of Commercial Businesses
Certificates of Insurance and Borrower Reporting Requirements
Key Person Life Insurance

Who Should Attend?
This program will benefit commercial loan officers, as well as compliance and loan documentation team members.

Presenter
Robin Russell has practiced law for 30 years and is licensed in Texas, New York and Massachusetts. She is a fellow in the American College of Bankruptcy and of the American Law Institute. She combines a depth of experience in bankruptcy restructuring and litigation with financial transactions. She has represented corporate debtors, independent directors, liquidating trustees, bondholders, unsecured creditors’ committees, bank groups, private equity funds, landlords, trade creditors and bidders for estate assets in Chapter 11 and Chapter 7 bankruptcy proceedings. She has also represented banks, institutional lenders and corporate borrowers in commercial loan transactions and debt restructurings.

Robin is the principal author of Thomson Reuters’ Texas Practice Guides for both Creditors’ Rights and Financial Transactions and the Texas Bankers Association’s Texas Secured Lending Guide, Texas Problem Loan Guide, Texas Real Estate Lending Guide and Texas Account Documentation Guide. She is a frequent speaker on banking, bankruptcy and financial restructuring related topics and has served as a Chapter 7 Trustee. Robin received her LL.M. in Banking Law from Boston University and her J.D. from Baylor University where she was Editor-in-Chief of the Baylor Law Review and the highest ranking graduate in her class. She clerked for the Texas Supreme Court before beginning her legal career.

For 27 years, Anthony Cole Training Group has been helping banks and other financial service organizations close their sales opportunity gap by helping them sell better, coach better and hire better. Our Mission: Grow People, Grow Organizations.

Registration Options
Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

The past few years have seen significant developments in real estate appraisals and evaluation rules and regulations. Revised Interagency Guidelines and new rules under Reg Z have been issued, and we’ve seen additional requirements finalized recently due to Dodd-Frank. Just in the last year we’ve seen significant proposed and final regulations changing some thresholds and proposing some additional exceptions from the requirement. In some cases (called “flipping transactions”), lenders will even have to obtain two appraisals on the same property for one loan.

Because breakdowns in appraisal practices have been partly blamed for the mortgage crisis, regulators raised their expectations; lenders’ appraisal and evaluation programs must include more elements than ever before. Some themes now emphasized by the agencies are independence of the appraiser and evaluator, reviews, and qualifications.

There are also restrictions against using AVMs (automated valuation models), BPOs (broker price opinions), and tax valuations that have upset many in the industry.

Do you know the requirements? We’ll provide in-depth details of the appraisal and valuation process, from both the lender and appraiser side of the game, to provide a thorough understanding of what is required and what you need.

The “Dealing with Appraisals: Regulations and Requirements” webinar has been approved for 2.5 CRCM credits. This statement is not an endorsement of this program or its sponsor. Credits are redeemable for Live attendance only. Certification holders must report these credits at https://aba.csod.com.

Covered Topics
New rules and proposals around exemptions, threshold amounts, and appraisals in rural areas
CFPB mortgage regulations under Reg Z – additional requirements for certain loan types
Regulations and Interagency Guidelines – requirements for lenders and brokers
Clarified independence requirements and their importance to examiners
The many forms of appraisals and evaluations – what can you use and when? AVMs and BPOs aren’t what they used to be
Can you accept a previous appraisal? Dealing with “readdressed” and “transferred” appraisals
USPAP rules and standards – how do appraiser rules influence what lenders must do?
How to achieve appraiser independence – you’ve got to prove it
Anti-coercion and undue influence provisions of Reg Z – what can you NOT do (or say)?

Who Should Attend?
Real estate lenders, compliance officers, auditors, underwriters, appraisers (in-house or external), closing agents, management, and anyone else involved in the real estate or residential lending process with a need to understand the current state of appraisal regulation and requirements.

Presenter
Carl Pry is a Certified Regulatory Compliance Manager (CRCM) and Certified Risk Professional (CRP) who is a Managing Director for Treliant Risk Advisors in Washington, DC. Through his working career, as well as through his experience as a banking attorney and officer, he has provided a variety of regulatory compliance and financial performance services to financial institutions and other clients throughout the country. He has written extensively regarding consumer and commercial compliance, tax, audit, and financial institution legal issues, and is a frequent contributor to and currently serves on the Editorial Advisory Board for the ABA Bank Compliance magazine. He has spoken at scores of banking, compliance, and state bar associations, and has conducted training sessions for financial institutions across the country.

Registration Options
Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

This webinar will take a deep dive into the proposal that will implement the small business data collection and reporting requirements found in Section 1071 of the Dodd-Frank Act. This rule will have a major impact within the commercial lending areas of most financial institutions. Start planning today!

This proposal requires covered institutions to collect and report certain data for small business credit applications. This includes information specific to the credit request, such as the purpose and amount; information specific to the business, such as the number of workers and time in business; and information on the demographics of the principal owners or ownership status. This data would need to be reported annually to the CFPB.

While this is still a proposal, it will happen. Now is the time to learn what you can about the proposed requirements and what the potential impact will be to your institution.

What You Will Learn

Does the Rule Apply to Your Financial Institution?
Covered Applications, Transactions & Exclusions in Detail
What is a Small Business?
Detailed Breakdown of the Required Data
Recommendations for Your CMS, Change Management & Action Plan
Proposed Effective Dates & Mandatory Compliance Dates
Your Questions, Plain English Answers & Much More

Who Should Attend?

This webinar is designed for the management, compliance officers, auditors, loan officers, loan processors and other loan operations personnel.

Presenter

Jerod Moyer is the leader of Banker’s Compliance Consulting’s training productions. He is a nationally recognized speaker. Whether it’s a conference, seminar, school, webinar or luncheon, it’s easy to stay engaged when he presents due to the amount of passion and energy he brings to each and every compliance topic. Jerod has spoken on behalf of the American Bankers Association, BankersOnline, many state banking associations, private compliance groups and financial institutions. He is a Certified Regulatory Compliance Manager (CRCM) and BankersOnline Guru.

Jerod likes to spend his time (between reading regulations and producing compliance training!) relaxing at the lake with his wife and three children, following their activities or engaged in something sports related!

Registration Options

Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

The Fair Credit Reporting Act (FCRA), like many consumer protection statutes, represents a unique challenge for creditors and other data furnishers of consumer credit information. Although the language of the FCRA has not substantially changed over the years, the interpretation and enforcement of it has drastically changed in the last 10 years and navigating through those changes can be daunting.

During this informative ninety (90) minute webinar the basics of proper credit reporting will be discussed along with a more in-depth conversation regarding specific pitfalls and challenges that creditors and other data furnishers encounter. You will learn how to navigate these challenges by ensuring that proper policies and procedures are in place to ensure compliance with current CFPB directives in addition to recent changes instituted as a result of the Covid-19 legislation.

Covered Topics

  • FCRA Definitions and Key Terms
  • Reporting Requirements of the FCRA
  • Types of credit reporting disputes
  • Responding to disputes through e-Oscar and Metro 2
  • Responding to Direct Consumer Disputes
  • The Role of the CFPB in Credit Reporting
  • Recent CFPB Rulings and Interpretations
  • Recent FCRA case law
  • Impacts of Covid-19 on credit reporting
  • Compliance tips

Who Should Attend?
Anyone who is involved in day to day credit reporting along with decision makers tasked with ensuring rigorous policies and procedures are in place and being complied with.

Presenter
Matthew D. Urban is a Shareholder who manages the Pittsburgh Local Law Office and oversees credit union work across Pennsylvania. In addition, he practices in the area of Consumer Collections, focusing on a wide variety of collection and compliance matters. Matt regularly speaks on issues such as FCRA compliance and the proper handling of writs of executions. Matt earned a B.A. magna cum laude in History from West Virginia University in 2000, and a J.D. from Duquesne University School of Law in 2003. He is licensed in Pennsylvania and is admitted to practice before the U.S. District Court for the Western and Middle Districts of Pennsylvania. He serves on the Board of Directors for the Pennsylvania Creditors’ Bar Association.

Registration Options
Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

Fintech companies are dramatically changing the financial services industry. Many community banks are entering into business relationships with fintech companies to provide innovative products to enhance customer satisfaction, increase the bank’s efficiency, and reduce costs. Due diligence and risk evaluation have always been important components in a bank’s third-party risk management process, and this is especially important when “partnering” with fintech companies. This webinar will detail the specific items that bank regulators require you to consider when conducting due diligence and evaluating a fintech company. You’ll also learn the practical business issues to address when entering into such a relationship.

Attendance certificate provided to self-report CE credits.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
Understand the regulatory and legal requirements of partnering with a fintech company
Explain both the bank and the fintech company’s roles and responsibilities in their relationship
Conduct the required regulatory due diligence
Properly evaluate the risks and benefits before entering into a relationship
Create the best relationship structure with a fintech company
Negotiate with a fintech company to obtain favorable contract terms

WHO SHOULD ATTEND?
This informative session will benefit bank management, loan and deposit operations personnel, technology staff, new product staff, vendor management personnel, compliance officers, auditors, attorneys, and others involved in the strategic planning, due diligence, and evaluation processes.

TAKE-AWAY TOOLKIT
Guide for community banks (published by the FDIC, OCC, and Federal Reserve) titled Conducting Due Diligence on Financial Technology Companies – A Guide for Community Banks
Due diligence checklist specifically designed to evaluate fintech companies
Employee training log
Interactive quiz

NOTE: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your financial institution is prohibited. Print materials may be copied for eligible participants only.

MEET THE PRESENTER
Elizabeth Fast, JD & CPA, Spencer Fane LLP

Elizabeth Fast is a partner with Spencer Fane Britt & Browne LLP where she specializes in the representation of financial institutions. Elizabeth is the head of the firm’s training division. She received her law degree from the University of Kansas and her undergraduate degree from Pittsburg State University. In addition, she has a Master of Business Administration degree and she is a Certified Public Accountant. Before joining Spencer Fane, she was General Counsel, Senior Vice President, and Corporate Secretary of a $9 billion bank with more than 130 branches, where she managed all legal, regulatory, and compliance functions.

REGISTRATION OPTIONS

Live Webinar Access – $245
On-Demand Access + Digital Download – $245
Both Live & On-Demand Access + Digital Download – $350

Outsourced Third Party (Vendor) Risk Management is a top priority with the regulators. Ensuring that your Program is not only effective but also meets their expectations therefore needs to be a priority for financial institutions. When you outsource, you are placing your confidential customer information, along with the availability and security of that information, in someone else’s hands, but you still retain the responsibility for ensuring the integrity, confidentiality, availability and security of the information. That makes this Program a crucial part of your overall Information and Cyber Security Program.

Demonstrating the importance of this Program, the OCC and the FRB both issued updated guidance relating to third party relationships in October and December of 2013, respectively, while the FDIC reissued its Technology Outsourcing Informational Tools in April of 2014. Then on February 6, 2015, the FFIEC released an update to the Business Continuity Planning Handbook adding Appendix J: Strengthening the Resilience of Outsourced Technology Services. On November 14, 2019, a revised Business Continuity Planning handbook was released that addresses: Third Party Management, Third Party Capacity, Testing with Third-Party Technology Service Providers, and Cyber Resilience. The FFIEC Cybersecurity Assessment Tool (CAT) also includes declarative statements relating to Outsourced Third Party Risk Management practices. Susan Orr has assisted numerous institutions with developing their Outsourced Third Party Risk Management Program and will share her insights into developing an effective program in this webinar.

What You Will Learn
FFIEC agencies’ expectations for your Program
The latest guidance:
  • November 2019 BCP Handbook
  • Appendix D of the FFIEC Outsourced Technology Services Handbook
  • FFIEC Supervision of Technology Service Providers, September 2012
  • FDIC April 2014 Tools to Manage Technology Providers Informational Brochures
  • OCC October 2013 Third Party Relationships
  • FRB December 2013 Guidance on Managing Outsourcing Risk
Classification and Risk Rating criteria
Required Program elements and essentials
Responsibilities
Needs Assessment
Due Diligence/Selection
Contracting
Risk Assessing
Oversight

Who Should Attend?
Senior Management, Information Security Officers, Compliance Officers, Risk Managers, IT Managers, Operations Managers.

Presenter
Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.

As an auditor and consultant, Susan is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her expertise as an auditor and former examiner provides her the knowledge and expertise to conduct comprehensive IT general control and data security reviews and assist banks in developing and updating policies and procedures and risk assessments, performing third party risk management, and facilitating testing and training. Susan is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC).

Registration Options
Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395

Financial institutions are required to file Form 1099-A and/or Form 1099-C when foreclosing or repossessing collateral and when forgiving or cancelling debt. For example, Form 1099-A must be filed when foreclosing on collateral (but there are many exceptions that you need to know), and Form 1099-C must be filed when cancelling a debt. And these rules apply even though your institution hasn’t actually forgiven the debt. Join us to learn how, when, and what to report on Form 1099-A and Form 1099-C – line by line.

Attendance certificate provided to self-report CE credits.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
Properly complete Form 1099-A: Acquisition or Abandonment of Secured Property and Form 1099-C: Cancellation of Debt
Understand which forms must be filed when foreclosing on real property versus repossessing personal property – and the exclusions
Explain the process if the property isn’t acquired at a foreclosure sale
Distinguish what constitutes cancellation of debt for purposes of Form 1099-C
Handle debtors who file bankruptcy

WHO SHOULD ATTEND?
This informative session will be useful for all loan operations personnel, accounting clerks, tax personnel, accountants, management, compliance officers, auditors, and attorneys.

TAKE-AWAY TOOLKIT
IRS General Instructions for Certain Information Returns
IRS Instructions for Forms 1099-A and 1099-C
Employee training log
Interactive quiz

PRESENTER – Elizabeth Fast, JD & CPA, Spencer Fane LLP
Elizabeth Fast is a partner with Spencer Fane Britt & Browne LLP where she specializes in the representation of financial institutions. Elizabeth is the head of the firm’s training division. She received her law degree from the University of Kansas and her undergraduate degree from Pittsburg State University. In addition, she has a Master of Business Administration degree and she is a Certified Public Accountant. Before joining Spencer Fane, she was General Counsel, Senior Vice President, and Corporate Secretary of a $9 billion bank with more than 130 branches, where she managed all legal, regulatory, and compliance functions.

REGISTRATION OPTIONS
Live Webinar Access – $245
On-Demand Access + Digital Download – $245
Both Live & On-Demand Access + Digital Download – $350

Whether you file one suspicious activity report (SAR) or hundreds of them, proper completion and timely submission are critically important to the protection of the US (and global) financial system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial transactions. SAR reports provide crucial information about persons and activities to law enforcement, agencies, and analysts that pursue criminal, tax, and regulatory investigations, and provide useful evidence for prosecuting money laundering and other financial crimes.

Attendance certificate provided to self-report CE credits.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
Use the User Guide information for proper form completion
Define the various SAR-related parties – filing institution, branch location, subject, victim, and others
Explain the proper use of the file attachment for supporting data/transactions
Distinguish between required fields and other fields to be completed if the information is available
Understand the importance of a well-written SAR narrative

WHO SHOULD ATTEND?
This informative session is directed to BSA officers and departments, compliance officers, fraud and risk managers, auditors, and other employees who contribute to completing SARs, such as branch managers and wire, EFT, or plastic card departments.

TAKE-AWAY TOOLKIT
User guide summary
SAR narrative guidance
FinCEN filing note listing
Employee training log
Interactive quiz

PRESENTER – Mary-Lou Heighes, Compliance Plus, Inc.
Mary-Lou Heighes is President and founder of Compliance Plus, Inc., which has assisted financial institutions with the development of compliance programs since 2000. She provides compliance training for trade associations and financial institutions. Mary-Lou has been an instructor at regulatory compliance schools, conducts dozens of webinars, and speaks at numerous conferences throughout the country.

Involved with financial institutions since 1989, Mary-Lou has over 25 years’ compliance experience. Before starting Compliance Plus in 2000, she spent five years working as a loan officer, marketer, and collector. She also worked at a state trade association for seven years providing compliance assistance and advising on state and federal legislative issues that affect financial institutions.

REGISTRATION OPTIONS
Live Webinar Access – $245
On-Demand Access + Digital Download – $245
Both Live & On-Demand Access + Digital Download – $350

Risk assessments are an essential element of overall risk management and provide the basis for many of your policies, plans, and programs, such as your information security program, audit program, and business continuity plan. The basis for the risk assessment mandated by GLBA in 2000 was initially thought to be oriented to IT, thus the requirement for an IT Risk Assessment; after all, it is the IT examiners who are evaluating it. However, today the focus has shifted to an enterprise-wide information security risk assessment that encompasses the entire organization, where IT is a key component. Even today, the content of this risk assessment continues to cause some confusion, and because the regulators do not prescribe any specific format, only content, many organizations are finding their assessments criticized during their exams and audits. Then add the requirement for a cyber security risk assessment to the mix! How can anyone keep it all straight?

Performing risk assessments is a prominent requirement with just about everything you do today. A properly structured enterprise-wide information security risk assessment will not only help you focus your resources and budget dollars where they are needed, but also provide the basis for your information security program and IT audit program. The right approach will also get you off to a running start on all those other risk assessments you need to complete. This presentation will provide an approach for developing an enterprise-wide information security risk assessment and a framework that can be adapted to the other numerous risk assessments now required.

What You Will Learn
What is meant by enterprise-wide?
Where do I start?
Can I outsource the risk assessment?
Is there an approved format or template?
Understanding the difference between IT and enterprise-wide risk assessments
Simplifying the approach
Developing a matrix

Who Should Attend?
Anyone responsible for developing a risk assessment or leading a risk assessment team.

Presenter
Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.

As an auditor and consultant, Susan is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her expertise as an auditor and former examiner provides her the knowledge and expertise to conduct comprehensive IT general control and data security reviews and assist banks in developing and updating policies and procedures and risk assessments, performing third party risk management, and facilitating testing and training. Susan is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC).

You may contact Susan by phone or email: 630.248.7788 or susan@susanorrconsulting.com

Registration Options

Live Plus Five (days) – $265
OnDemand Recording – $295
CD-ROM – $345
Live Plus Six (months) – $365
Premier Package – $395