Tag Archive for: Compliance

Posts

,

SBA Releases New Procedure for SBA Loan Review of Partial Approval Forgiveness Decisions

On January 28, SBA released Procedural Notice 5000-827666 regarding SBA loan reviews of PPP Lender partial approval forgiveness decisions. The notice outlines a new process to allow PPP Borrowers to request an SBA loan review of partial approval forgiveness decisions issued by their PPP Lenders. The procedures in the notice apply to loan forgiveness decisions submitted by Lenders to SBA through both the regular forgiveness process as well as the Direct Borrower Forgiveness process. The notice is effective January 27, 2022.

The notice reiterates the process for a partial approval forgiveness decision and the steps that need to be taken by the Lender when it receives a forgiveness application from a Borrower. The notice also outlines a new process for borrower requests of SBA loan review of a partial approval forgiveness decision.

Starting from the effective date of the notice, when a Lender receives a forgiveness remittance from SBA on a partial approval decision, including where the Lender required the borrower to apply for forgiveness in an amount less than the full amount of the loan, the Lender’s post-forgiveness remittance notification must inform the borrower that the borrower has 30 calendar days from receipt of the notification to seek, through the Lender, an SBA loan review of the Lender’s partial approval decision. Within five calendar days of a Lender’s receipt of a borrower’s timely request for an SBA loan review, the Lender must notify SBA through the Platform. The Lender’s notice to SBA of the borrower’s timely request for review must include a copy of the Lender’s notice to the borrower of the reason(s) for the Lender’s partial approval decision. SBA reserves the right to review the Lender’s decision at its sole discretion.

Additionally, within 30 calendar days of the date of the notice, Lenders must notify all of their borrowers on loans that previously received a partial forgiveness remittance from SBA as a result of Lender partial approval decisions, including where the Lender required the borrower to apply for forgiveness in an amount less than the full amount of the PPP loan, that the borrower has 30 calendar days from receipt of the Lender notification to seek, through the Lender, an SBA loan review of the Lender’s partial approval decision. Within five calendar days of the Lender’s receipt of a borrower’s timely request for an SBA loan review, the Lender must notify SBA through the Platform. The Lender’s notice to SBA of the borrower’s timely request for review must include a copy of the Lender’s prior notice to the borrower of the reason(s) for the Lender’s partial approval decision. Again, SBA reserves the right to review the Lender’s partial approval decision at its sole discretion.

In either circumstance, if SBA selects the loan for an SBA loan review as a result of the borrower’s request, the borrower must continue to make payments on the remaining balance of the loan, and the loan is not deferred.

If SBA determines, as a result of the SBA loan review, that the borrower is entitled to forgiveness in an amount greater than the Lender’s partial approval decision and SBA has previously remitted a partial forgiveness payment to the Lender, SBA will remit an additional forgiveness payment to the Lender to make up the difference. SBA will issue an additional Notice of Paycheck Protection Program Forgiveness Payment (Payment Notice) to the Lender.

If the SBA loan review results in a higher forgiveness amount, but less than full forgiveness, SBA will also issue a final SBA loan review decision to the Lender. The Lender must provide a copy of the Payment Notice and, if applicable, the final SBA loan review decision, to the borrower within 5 business days of the remittance and comply with applicable requirements of the Lender Responsibilities Notice. If a borrower has begun making payments on their loan and the SBA loan review results in full forgiveness, the Lender must refund all payments made by the borrower.

If the SBA loan review results in a higher forgiveness amount, but less than full forgiveness, the lender must re-amortize the PPP loan and refund any excess payments made by the borrower.

Note: PPP Borrowers that have received full denial forgiveness decisions from their Lenders should continue to follow the process outlined in the Interim Final Rule on Loan Forgiveness Requirements and Loan Review Procedures as amended by the Economic Aid Act (86 FR 8283, February 5, 2021), as amended.

Lenders may call the Lender Hotline at (833) 572-0502 for live assistance regarding PPP access and support, policy questions and procedures, and Capital Access Financial System (CAFS) and SBA’s Electronic Transmission (E-Tran) systems support. Questions concerning the notice may be directed to the Lender Relations Specialist in the local SBA Field Office.

Notice 5000-827666 is posted on the WBA website.

/by
,

Executive Letter: WI Supreme Court Finds Garage is Part of Residence Used by Consumer as Dwelling under WCA

By Rose Oswald Poels

In a four-three opinion filed late last week, the Wisconsin Supreme Court concluded that a “dwelling used by the customer as a residence” under the Wisconsin Consumer Act (WCA) includes a garage attached to the residential building in which the customer lives for purposes of rules that need be followed when creditors proceed with nonjudicial repossession.

On behalf of the membership, WBA participated as an amicus curie in the case of Duncan v Asset Recovery Specialists, Inc. as the case involved the interpretation of statutory language used within the repossession rules of the WCA.

The facts of the case were undisputed by the parties and include that Duncan purchased a vehicle from a dealership; she financed the purchase with a loan. Duncan failed to make payments that came due and eventually was in default. The vehicle served as collateral for the loan, and the bank followed the procedure allowed under Wisconsin law for a “nonjudicial” repossession under Wis. Stat. §425.206(1)(d). The bank met all statutory requirements to proceed with nonjudicial repossession and ultimately retained Asset Recovery Specialists to repossess Duncan’s vehicle. At the time, Duncan rented an apartment unit in a multi-story apartment building. The ground floor of the building consisted entirely of a private parking garage for tenants, and Duncan sometimes kept her vehicle in it.

The central dispute between the parties is whether Asset Recovery Specialists violated Wis. Stat. §425.206(2)(b) when they entered the garage shared by residents in Duncan’s apartment building to repossess her vehicle. The court reviewed language within §425.206(2) which provides in full: In taking possession of collateral or leased goods, no merchant may do any of the following: (a) Commit a breach of the peace. (b) Enter a dwelling used by the customer as a residence except at the voluntary request of a customer. The court focused its review on the statutory language in italics.

Although “dwelling” is undefined in the WCA, the court looked to the word’s ordinary, dictionary definition, and to the use of the word in other sections of the WCA and its Administrative Code. In taking that approach, the court concluded a “dwelling” means, at minimum, a building in which at least one person lives. In proceeding in this manner, the court concluded that “dwelling used by the customer as a residence” in Wis. Stat. §425.206(2)(b) includes a garage attached to the residential building in which the customer lives. In making its conclusion, Asset Recovery Specialists was found to have violated §425.206(2)(b) when they repossessed Duncan’s car from the parking garage of her apartment building without her consent.

While I am disappointed in the court’s opinion, I do not regret WBA’s involvement in the case as an amicus on behalf of the membership as the court’s opinion does offer clarity of the term “dwelling.” This in turn helps members further fine-tune any nonjudicial repossession procedures. Fortunately, Wisconsin’s banks are not heavily engaged in nonjudicial repossession of vehicles, so the impact of the court’s decision in this context I believe is likely minimum. That said, as the effect of the court’s decision broadens the plain language of Wis. Stat. §425.206(2)(b), banks need be aware of the court’s new interpretation to ensure there is no violation of the WCA when repossessing vehicles in a similar setting.

The Wisconsin Supreme Court opinion may be viewed here.

/by
, ,

Time to Gear Up for First-Quarter Reporting Requirements

By Jodie Norquist, CIP, CHSP; Ascensus, a WBA Associate Member 

If your financial organization administers IRAs, health savings accounts (HSAs), and Coverdell education savings accounts (ESAs), you are likely aware of the many reporting deadlines looming in the first quarter of the coming year. Performing these annual administrative tasks can be stressful. After all, compliance errors or missed deadlines can lead to costly financial penalties.

Here’s a rundown of the impending due dates, along with a brief description of the financial organization’s requirements. Please note that if any of these deadlines fall on a Saturday, Sunday, or legal holiday, the deadline is extended to the following business day.

January 31

Fair Market Value Statement

Financial organizations must provide an annual fair market value (FMV) statement to IRA owners and beneficiaries by January 31. These statements must be provided to Traditional, Roth, and SIMPLE IRA owners. They must also be provided to Traditional IRA owners that have received simplified employee pension (SEP) plan contributions. FMV statements are required for both IR accounts and IR annuities, including those that have been annuitized.

NOTE: FMV statements are not required but are recommended for HSAs.

The FMV statement must

  • show the IRA’s FMV as of December 31 of the previous year;

  • be presented in any type of written format;

  • be provided to IRA owners even if no contributions were made to the IRA for that year; and

  • contain a legend designating which information is being furnished to the IRS on Form 5498, IRA Contribution Information.

Required Minimum Distribution (RMD) Statement

If an IRA owner is age 72 or older and is required to take a distribution from an IRA for the year, the financial organization holding the IRA on December 31 of the prior year must provide an RMD statement to the IRA owner by January 31. RMD statements are not required for beneficiaries or for Roth IRA owners. This statement may be combined with the FMV statement.

The RMD statement must

  • inform the IRA owner that an RMD is due for the calendar year,

  • notify the IRA owner of the date by which the RMD must be taken,

  • include an offer to provide a calculation of the RMD amount, upon request, and

  • communicate what information is being reported to the IRS for the year.

This requirement may also be satisfied if a Form 5498 is sent to the IRA owner by January 31. If a financial organization opts to use Form 5498 to satisfy the RMD statement, then the date by which the RMD must be distributed should be entered in Box 12a, RMD date, and the RMD amount in Box 12b, RMD amount. However, keep in mind that if an IRA owner must take an RMD for the year, the financial organization is not required to report any RMD information to the IRS on Form 5498, other than the fact that an RMD is due.

SIMPLE IRA Account Statement

Financial organizations must provide SIMPLE IRA owners with an account statement by January 31. Although the IRS hasn’t provided any specific guidance on the form that the account statement must take, the SIMPLE IRA account statement must include

  • the SIMPLE IRA’s account balance as of the end of the previous calendar year;

  • a summary of the account activity throughout the previous calendar year; along with

  • any distributions taken or fees charged against the account, as well as all contributions.

Coverdell ESA Year-End Statement

While year-end statements for Coverdell ESAs are not required, they are recommended. Before 2003, the FMV of an ESA—originally known as an Education IRA—was reported on Form 5498, IRA Contribution Information, which suggests reporting ESA FMVs as a “best practice.” The recommended deadline for providing a year-end statement to the designated beneficiary is January 31. This statement should show

  • the ESA’s FMV as of December 31 of the previous year, and

  • contribution activity for the calendar year.

IRS Form 1099-R

Financial organizations must report Traditional, Roth, and SIMPLE IRA distributions made during the calendar year on Form 1099-R, Distributions from Pensions, Annuities, Retirement or Profit-Sharing Plans, IRAs, Insurance Contracts, etc., to IRA owners and beneficiaries by January 31.

Distributions reported on Form 1099-R include

  • rollovers,

  • recharacterizations, and

  • conversions.

IRS Form 1099-SA

HSA and medical savings account (MSA) owners must be sent a Form 1099-SA, Distributions from HSA, Archer MSA, or Medicare Advantage MSA, by January 31, which reports their distributions for the previous year.

IRS Form 1099-Q

ESA distributions that were taken during the previous calendar year are reported on IRS Form 1099-Q, Payments From Qualified Education Programs, which is due to recipients by January 31.

IRS Form 945 and 945-A

Financial organizations must report amounts withheld by payers to the IRS on Form 945, Annual Return of Withheld Federal Income Tax. Form 945 is due to the IRS by January 31 of the year following the year the taxes are withheld.

NOTE: If withholding deposits are made on time and in full, the due date for filing Forms 945 and 945-A is February 10, rather than January 31. 

Some payers are required to file Form 945-A, Annual Record of Federal Tax Liability, in addition to Form 945, depending upon the payer’s withholding depositor status. Monthly depositors file only Form 945, which lists the amount of nonpayroll withholding collected for each month. Semiweekly depositors, however, file Form 945-A with Form 945 to report nonpayroll withholding. Form 945-A reports the amount of nonpayroll withholding collected each day. The IRS uses Form 945-A to match the tax liability to deposits to determine whether the withholding tax liabilities have been timely deposited.

Employer SEP Contribution Notice

Employers that make SEP plan contributions for employees must notify employees of all discretionary contributions by the later of

  • January 31 of the year following the year for which the contribution is made, or

  • 30 days after the contribution is made (potentially as late as the SEP plan sponsor’s tax return due date, including extensions).

February 28

IRS Forms 1099-R, 1099-Q, and 1099-SA

Forms to report distributions are due to the IRS by February 28 if filing on paper. The paper form must be filed with a Form 1096, Annual Summary and Transmittal of U.S. Information Returns.

March 15

IRS Forms 1099-R, 1099-Q, and 1099-SA

Forms 1042 and 1042-Srm 1042, Annual Withholding Tax Return for U.S. Source Income of Foreign Persons, is filed to report tax withheld by the payor on certain payments (including IRA distributions) to foreign persons, including nonresident aliens. Form 1042 must be filed with recipients’ Forms 1042-S, Foreign Person’s U.S. Source Income Subject to Withholding, by March 15 of the year following the year of distribution.

March 31

IRS Forms 1099-R, 1099-Q, and 1099-SA

These forms used to report distributions from IRAs, Coverdell ESAs, HSAs, and MSAs are due to the IRS by March 31 if filing electronically. Financial organizations must file electronically if there are 250 or more returns of any one type.

/by
, ,

WBA Programs Receive Continuing Legal Education Designation

Wisconsin Bank AttorneyThe Board of Bar Examiners of the Supreme Court of Wisconsin has approved the following completed WBA educational programs for use toward the Wisconsin mandatory Continuing Legal Education (CLE) requirement for attorneys. None of the activities listed below include Ethics and Professional Responsibility (EPR) hours or qualify for GAL education.  

WBA Compliance Forum, February 2020
3.0 CLE Hours

February 18, 2020 – Stevens Point
February 19, 2020 – Wisconsin Dells
February 20, 2020 – Pewaukee

WBA Compliance ForumJune 2020
3.0 CLE Hours

June 23, 2020 – live webcast

WBA Compliance ForumOctober 2020
1.5 CLE Hours

October 28, 2020 – live webcast 

WBA Compliance Forum, June 2021
3.0 CLE Hours

June 22, 2021 – Stevens Point
June 23, 2021 – Madison

WBA Trust Conference, May 2021
5.5 CLE Hours
May 18, 2021 – live webcast

WBA Compliance Forum, November 2021
4.0 CLE Hours

November 9, 2021 – Wausau 
November 10, 2021 – Madison

WBA In-House Legal Counsel Webinar Series  

September 2021: Mergers and Acquisitions, Pre and Post M/A Issues to Consider
2.0 CLE Hours 

October 2021: Troubled Business Borrowers, Deal with Real and Personal Property in a Defaulted Loan
2.0 CLE Hours 

 

 

 

/by
, ,

Draft Comment Letter Coming Soon: Section 1071 Dodd-Frank Act Proposal

Earlier this year the CFPB issued its long-awaited proposal for implementing Section 1071 of the Dodd-Frank Act, which requires collection of credit application data for small businesses, including women-owned and minority-owned small businesses. Comments on the proposal are due January 6, 2022. WBA will be creating a draft comment letter for use by members to reply to CFPB regarding concerns and impact of the proposal on banks. WBA encourages each bank to consider submitting its own letter reflecting bank-specific information. In preparation for these comments, WBA has prepared the following considerations regarding the rule.

What specific burdens will your institution face as a result the proposal? Some examples might include:

  • Costs, technology, training, staffing, customer-facing educational information needs.
  • Review of application process (based upon the rule’s definition of application).
  • Is the proposed “firewall” process workable for the bank?
  • What sort of implementation period will be necessary?

More specifically you might consider:

  • Will bank need to hire new staff (compliance, processor, etc.)?
  • Technology costs, such as a new platform, or 1071 data software.
  • Costs associated with updating existing systems, testing, applications, training, development of new policies and procedures, legal consultation, review of implementation, etc.
  • New annual costs related to collection such as customer service, data management, resolution of errors, exam prep, etc.

In preparation for filing comments, banks should plan to provide specific estimates where possible. For example, if bank predicts new software will be necessary to capture the data, be prepared to provide CFPB with a specific cost if possible.

As mentioned above, WBA will be creating a draft comment letter for use by members to reply to CFPB. The letter will be released shortly to allow banks time to personalize their letter with bank-specific information. For more information about CFPB’s Section 1071 proposal, please see the WBA Toolkit and PowerPoint materials.

/by
,

Year-end Frequently Asked Escrow Questions

While there has not been a recent significant change to escrow requirements, it is WBA’s understanding that many banks pay taxes from escrow by December 20 every year. Around this time, many questions arise as to State and Federal requirements regarding escrow accounts. Furthermore, given the lingering impacts of the COVID-19 pandemic, many borrowers may have been, or currently are, in deferral or forbearance, resulting in insufficient escrow balances. This article presents several questions and answers to refresh banks on relevant requirements, and important considerations, regarding escrow accounts both with respect to the pandemic, and more generally.

Q1: Does Wisconsin have rules regarding disbursements from tax escrows?

A1: Yes. Wis. Stat. section 138.052(5m) governs escrow accounts required to be maintained to pay taxes or insurance in connection with consumer-purpose loans secured by a first lien real estate mortgage or equivalent security interest in the borrower’s principal dwelling. For example, the requirement applies to covered purchase money, refinance, and home equity transactions but does not apply to loans that are business or agricultural purpose, or manufactured home transactions. It also does not apply to voluntary escrow accounts. If a bank maintains a voluntary escrow account, it should ensure it has adequate documentation to evidence that fact. 

For covered loans, banks must provide an escrow notice before closing giving the borrower options regarding how the bank will make payments from the amount escrowed: 

Escrow agent sends a check by December 20 to the borrower for the amount held in escrow for the payment of property taxes made payable to the borrower or to the borrower and the taxing authority. 

  1. Escrow agent pays the property taxes by December 31 if the escrow agent has received a tax statement for the property by December 20.  
  1. Escrow agent pays the property taxes when due.  

This notice is not required under section 138.052(5m) if the escrow agent’s practice is to pay the borrower the amount held in escrow for the payment of property taxes by December 20, or to send a check in the amount of the funds held in escrow for the payment of property taxes, made payable to the borrower and taxing authority. 

Regardless of whether a notice under state law may not be required, banks are reminded that a voluntary agreement is still required under the Real Estate Settlement Procedures Act (RESPA) to pay property taxes annually as permitted under Wis. Stat. section 138.052(5m). See the discussion below regarding the interconnection between state and federal law.  

Q2: Does RESPA have rules regarding disbursements from tax escrows? 

A2: Yes. RESPA section 1024.17(k) prescribes rules that apply to escrow accounts established in connection with RESPA-covered loans to pay taxes, insurance, or other charges. If the terms of the loan require the borrower to make payments to an escrow account, the bank must make disbursements in a timely manner. A timely manner means payment by the disbursement date, so long as the loan account is not more than 30 days overdue. 

If a taxing authority offers a bank a choice between annual and installment disbursements, RESPA includes additional requirements. Generally, disbursements must be made on an installment basis depending on whether the taxing authority offers a discount, or charges additional fees, for installment disbursements.  In Wisconsin, where taxes may be paid in annual or installment payments, and the taxing authority does not offer a discount for payments on an annual basis nor does it impose any additional charge or fee for installment payments, the bank must make disbursements on an installment basis, unless the bank and borrower agree to another disbursement alternative. 

Most property taxes in Wisconsin may be payable in two installments. If the first installment is paid by January 31, the second installment may be paid by July 31. Because no discount is available for making annual payments, and no penalty is imposed for making installment payments, RESPA requires property taxes payable in this manner to be disbursed on an installment basis, unless the borrower voluntarily agrees, in writing, to an annual disbursement.

Q3: How do the requirements under Wis. Stat section 138.052(5m) and RESPA section 1024.17 work together?

A3: RESPA preempts State law only to the extent of any inconsistency. Generally, escrows governed by section 138.052(5m) must also comply with RESPA, and banks must disburse tax escrows in installments, or as otherwise agreed to by the borrower. Thus, banks will want to consider their written agreement as to the borrower’s choice of disbursement methods, and as discussed in Q1 above, a bank may pay by December 20 by check.  

As RESPA requires taxes to be disbursed in installments, and State law allows more flexibility in how taxes are paid, in order for bank to disburse money from a required escrow account, annually under the section 138.052(5m) December 20 method, RESPA requires the customer’s voluntary agreement of that option. And, while notice under section 138.052(5m) may not be required, RESPA still requires the customer’s voluntary agreement to pay by December 20; see the discussion in Q2. FIPCO’s WBA Tax Escrow Option Election form meets the requirements under Wis. Stat. 138.052(5m) and also serves as the voluntary agreement to disburse property taxes out of escrow in any method other than installments to comply with RESPA.  

Q4: What if a deficiency occurs before disbursement?

A4: As discussed in Q2, RESPA generally requires the bank to disburse funds in a timely manner. If a deficiency exists, the bank must still cover the amount due. Upon advancing the funds, the bank may seek repayment from the borrower after performing an escrow account analysis.  

If the deficiency is less than one month’s escrow account payment, then the bank: 

  1. May allow the deficiency to exist and do nothing to change it; 
  1. May require the borrower to repay the deficiency within 30 days; or 
  1. May require the borrower to repay the deficiency in 2 or more equal monthly payments. 

If the deficiency is greater than or equal to 1 month’s escrow payment, the bank may allow the deficiency to exist and do nothing to change it or may require the borrower to repay the deficiency in two or more equal monthly payments. 

If the borrower is not current, then the bank may recover the deficiency pursuant to the terms of the mortgage loan documents. For example, language within the WBA 428 Real Estate Mortgage states that if the escrowed funds held by bank are not sufficient to pay the escrow account items when due, bank may notify consumer in writing, and consumer shall pay bank the amount necessary to make up the deficiency in a manner described by bank or as otherwise required by applicable law.  

Furthermore, for loans that are not covered by RESPA (i.e., the escrow account is not required), the bank will need to determine how the deficiency will be covered, either by the borrower, or the bank, pursuant to the terms of its agreement. 

Q5: How does a payment deferral or forbearance affect escrow considerations? 

A5: As a result of the pandemic, bank may have deferred or forborne payments for some of its borrowers. Bank should consider its deferral and forbearance agreements to confirm whether this deferral or forbearance included escrow payments. Even if it did not, financial distress caused by the pandemic may have resulted in more escrow shortages and deficiencies than typical. Banks should consider how they are monitoring loans for payments, and accounting for expected, and unexpected shortages. Specific attention may need to be paid to escrow balances for loans in deferral, forbearance, or modification. Banks should identify loans that will be short, and determine how the deficiency will be handled, with the above considerations in mind.

Q6: What is the escrow rate for 2022, as set by 138.052? 

A6: At time of this release, the Wisconsin Department of Financial Institutions, Division of Banking, has not yet released the 2022 interest rate required to be paid on escrow accounts for residential mortgage loans subject to Wisconsin Statute Section 138.052(5). WBA will continue to monitor and will report the 2022 rate once released. Once set, the 2022 interest rate shall remain in effect through December 31, 2022.

Q7: Does 138.052 require Wisconsin banks to pay interest on escrow accounts?  

A7: Not for loans originated after April 18, 2018. 2017 Wisconsin Act 340 eliminated the requirement that a financial institution pay interest on escrow accounts for residential mortgage loans originated on or after the effective date of the Act. Thus, a Wisconsin financial institution is not required by law to pay interest on any escrow account maintained in association with a loan originated on or after April 18, 2018. 

Wisconsin Section 138.052 previously required financial institutions to pay interest on the balance on any required escrow accounts. As discussed above, 138.052 applies to consumer-purpose loans secured by a first lien or first lien equivalent in a 1-4 family dwelling that is used as the borrower’s principal residence. Banks must continue to pay interest on escrow accounts they required prior to the effective date of Act 340. However, for any escrow account associated with a loan originated after the effective date of Act 340, 138.052 no longer requires payment of interest. A bank should also consider the terms of its contract as to whether any payment of interest is part of the agreement.

Q8: Bank is closing loan in December for which bank will require escrow for the payment of taxes. The first mortgage payment will be February. Can bank escrow for 2020 taxes to be paid in 2021? 

A8. No. RESPA’s escrow collection rules are prospective in nature. Bank should only collect for 2021 taxes to be paid either in December 2021 in a lump sum (with borrower’s permission as outlined above) or in installments. Bank should not collect for anything between December 1 and 31 because nothing is owing during that time as the bank should only be collecting for 2021 taxes. Bank should not be collecting for 2020 taxes for payment in 2021. Borrower should be on his/her own to pay 2020 taxes.  

/by
, ,

WBA Creates New Toolkit and PowerPoint to Help Explain CFPB’s Proposed Small Business Data Collection Rule

WBA Legal has prepared a new toolkit to help senior management, commercial lenders, loan processors, compliance officers, and others involved with small business lending to better understand the impact of CFPB’s recently proposed small business rule on the bank. Once finalized, the requirement to collect and report certain data about small business credit applicants will have a dramatic impact on current application and processing operations and record retention.  

A PowerPoint summarizing CFPB’s proposed rule has been created for use by staff who seek to present the main components of the proposal to lending and processing staff. The PowerPoint provides a background, proposed compliance dates, information regarding covered financial institutions, definition of small business, minority-owned and women-owned business, definition of covered application and covered credit transaction, what data must be collected, and reporting information.  

In addition to the PowerPoint, the toolkit also includes a complete outline of the proposed rule, including the proposed commentary and several appendices. CFPB’s proposed rule summary and a data point chart are also included.  

CFPB is accepting comments regarding its proposal. WBA hopes each bank will take into consideration the information provided in this toolkit, assess the proposal’s impact on the bank, and provide comment to CFPB regarding such impact.  

WBA Legal will be creating a draft comment letter for use by members to reply to CFPB regarding concerns and impact of the proposal on banks. WBA encourages each bank to consider submitting its own letter reflecting bank-specific information.  

Feel free to contact WBA Legal at wbalegal@wisbank.com regarding CFPB’s proposal.

/by
,

OSHA COVID-19 Vaccination and Testing: Emergency Temporary Standard Released

The White House has just released the Occupational Safety and Health Administration’s (OSHA’s) emergency temporary standard (ETS) meant to protect unvaccinated employees of large employers (100 or more employees) from the risk of contracting COVID-19 by strongly encouraging vaccination. Under the ETS, covered employers must develop, implement, and enforce a mandatory COVID-19 vaccination policy, with an exception for employers that instead adopt a policy requiring employees to either get vaccinated or elect to undergo regular COVID-19 testing and wear a face covering at work in lieu of vaccination.

Under the ETS, employees of covered employers must receive the vaccine or be required to produce a negative test on “at least a weekly basis.” Employers “must remove from the workplace any employee who receives a positive COVID-19 test or is diagnosed with COVID-19 by a licensed healthcare provider.”

Highlights from the ETS:

Explanation of Who is Included in the 100-Employee Threshold:  

The applicability of the ETS is based on the size of an employer, in terms of number of employees, rather than on the type or number of workplaces. Part-time employees do count towards the company total, but independent contractors do not. For a single corporate entity with multiple locations, all employees at all locations are counted for purposes of the 100-employee threshold for coverage under the ETS. The determination as to whether a particular employer is covered by the standard should be made separately from whether individual employees are covered by the standard’s requirements. For example,

  • If an employer has 75 part-time employees and 25 full-time employees, the employer would be within the scope of the ETS because it has 100 employees.
  • If an employer has 150 employees,100 of whom work from their homes full-time and  50 of whom work in the office at least part of the time, the employer would be within the scope of the ETS because it has more than 100 employees. (NOTE: See the  information below regarding mandatory vaccination not being applicable to some employees.)
  • If an employer has 102 employees and only 3 ever report to an office location, that employer would be covered.

January4 Deadline to Begin Weekly Testing of Unvaccinated Employees: 

Employees of covered employers have until January 4 to become fully vaccinated (either two doses of Pfizer or Moderna, or one dose of Johnson & Johnson). After that date, employers must ensure that any employees who have not received the necessary shots begin producing a verified negative test to their employer on at least a weekly basis. Therefore, employers with unvaccinated workers need to have a testing regime in place by January 4, unless the ETS is enjoined.

Paid Time Off to Get Vaccinated:

Covered employers must provide four hours of paid time off for employees to get vaccinated.

Unvaccinated Employees Must be Masked: 

Unvaccinated employees of covered employers must wear a face mask while in the workplace.

Proof of Vaccination Status and Record Retention:

Covered employers must require employees to provide proof of vaccination status, which can take the form of immunization record, COVID-19 vaccination record card, or other official medical record documenting the vaccine. The employer must maintain a “record” of that  vaccination and a roster of each employee’s vaccination status. There is no suggestion that the employer must copy the vaccination document presented by the employee to show proof of vaccination.

Mandatory Vaccination Not Applicable to Certain Employees: 

Employers are not required to mandate vaccination by employees for whom a vaccine is  medically contraindicated, for whom medical necessity requires a delay in vaccination (e.g., the  vaccine is in conflict with other medical treatment received by the employee), or those legally entitled to a reasonable accommodation under the Americans with Disabilities Act or other federal civil rights law because the employee has a disability or sincerely-held religious belief, practice, or observance that conflicts with the vaccination requirement.

The vaccination requirement also does not apply to employees who do not report to a workplace where other individuals (such as coworkers or customers) are present, employees while they are working from home, or employees who work exclusively outdoors. An employee who switches back and forth from teleworking from home to working from the office is covered by the ETS.

ETS Not Applicable to Workplaces Subject to E.O. 14042:

The ETS does not apply to workplaces covered by Executive Order 14042, which requires federal  contractors to have employees whose work relates to a federal contract be vaccinated against COVID-19. (This provision differs from the administration’s prior suggestion that employers subject to both the ETS and executive order would need to comply with both actions.)

The requirement to test unvaccinated employees weekly begins on January 4. Compliance with all other requirements of the ETS is required by December 5. It is WBA’s understanding that several state attorneys general and private entities are expected to file lawsuits in the coming days that seek to enjoin the ETS from taking effect.

View the full ETS here.

/by
Businesswoman interacting with various holographic displays
,

Due Diligence Resource for Community Banks to Consider When Partnering with Fintech Companies

By WBA Legal

In late August, the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued a new resource titled, Conducting Due Diligence on Financial Technology Companies, A Guide for Community Banks (Guide), which was intended to help community banks in conducting due diligence when considering relationships with fintech companies.

Use of the Guide is voluntary, and it does not anticipate all types of third-party relationships and risks. Therefore, a community bank can tailor how it uses relevant information in the Guide, based on its specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity (herein, activities) offered by the fintech company.

While the Guide is written from a community bank perspective, the fundamental concepts may be useful for banks of varying size and for other types of third-party relationships. Due diligence is an important component of an effective third-party risk management process, as highlighted in the federal banking agencies’ respective guidance; which, for FRB-regulated banks is SR Letter 13-19, for FDIC-regulated banks is FIL-44-2008, and for OCC banks is Bulletin-2013-29.

During due diligence, a community bank collects and analyzes information to determine whether third-party relationships would support its strategic and financial goals and whether the relationship can be implemented in a safe and sound manner, consistent with applicable legal and regulatory requirements. The scope and depth of due diligence performed by a community bank will depend on the risk to the bank from the nature and criticality of the prospective activity. Banks may also choose to supplement or augment their due diligence efforts with other resources as appropriate, such as use of industry utilities or consortiums that focus on third-party oversight.

The Guide focuses on six key due diligence topics, including relevant considerations and a list of potential sources of information. The following is a summary of the key due diligence topics within the Guide.

Business Experience and Qualifications

The agencies have identified that by evaluating a fintech company’s business experience, strategic goals, and overall qualifications, a community bank can better consider a fintech company’s experience in conducting the activity and its ability to meet the bank’s needs. Review of operational history will provide insight into a fintech company’s ability to meet a community bank’s needs, including, for example, the ability to adequately provide the activities being considered in a manner that enables a community bank to comply with regulatory requirements and meet customer needs.

Review of client references and complaints about a fintech company may provide useful information when considering, among other things, whether a fintech company has adequate experience and expertise to meet a community bank’s needs and resolve issues, including experience with other community banking clients. Review of legal or regulatory actions against a fintech company can be indicators of the company’s track record in providing activities.

When a community bank is considering a third-party relationship, discussing a fintech company’s strategic plans can provide insight on key decisions it is considering, such as plans to launch new products or pursue new arrangements (such as acquisitions, joint ventures, or joint marketing initiatives). A community bank may subsequently consider whether the fintech company’s strategies or any planned initiatives would affect the prospective activity. Further, inquiring about a fintech company’s strategies and management style may help a community bank assess whether a fintech company’s culture, values, and business style fit those of the community bank.

The agencies further instruct that understanding the background and expertise of a fintech company’s directors and executive leadership may provide a community bank useful information on the fintech company’s board and management knowledge and experience related to the activity sought by the community bank. A community bank may also consider whether the company has sufficient management and staff with appropriate expertise to handle the prospective activity.

For example, imagine that a fintech company, its directors, or its management have varying levels of expertise conducting activities similar to what a community bank is seeking. A fintech company’s historical experience also may not include engaging in relationships with community banks. As part of due diligence, a community bank may therefore consider how a fintech company’s particular experiences could affect the success of the proposed activity and overall relationship. Understanding a fintech company’s qualifications and strategic direction will help a community bank assess the fintech company’s ability to meet the community bank’s expectations and support a community bank’s objectives. When evaluating the potential relationship, a community bank may consider a fintech company’s willingness and ability to align the proposed activity with the community bank’s needs, its plans to adapt activities for the community bank’s regulatory environment, and whether there is a need to address any integration challenges with community bank systems and operations.

Financial Condition

Another step the agencies identified is for a bank to evaluate a fintech company’s financial condition to help the bank assess the company’s ability to remain in business and fulfill any obligations created by the relationship. Review of financial reports provide useful information when evaluating a fintech company’s capacity to provide the activity under consideration, remain a going concern, and fulfill any of its obligations, including its obligations to the community bank. Understanding funding sources provide useful information in assessing a fintech company’s financial condition. A fintech company may be able to fund operations and growth through cash flow and profitability or it may rely on other sources, such as loans, capital injections, venture capital, or planned public offerings.

Additionally, information about a fintech company’s competitive environment may provide additional insight on the company’s viability. Review of information on a fintech company’s client base can shed insight into any reliance a fintech company may have on a few significant clients. A few critical clients may provide key sources of operating cash flow and support growth but may also demand much of a fintech company’s resources. Loss of a critical client may negatively affect revenue and hinder a fintech company’s ability to fulfill its obligations with a community bank. A community bank may also consider a fintech company’s susceptibility to external risks, such as geopolitical events that may affect the company’s financial condition.

For example, some fintech companies, such as those in an early or expansion stage, have yet to achieve profitability or may not possess financial stability comparable to more established companies. Some newer fintech companies may also be unable to provide several years of financial reporting, which may impact a community bank’s ability to apply its traditional financial analysis processes. When audited financial statements are not available, a community bank may want to seek other financial information to gain confidence that a fintech company can continue to operate, provide the activity satisfactorily, and fulfill its obligations. For example, a community bank may consider a fintech company’s access to funds, its funding sources, earnings, net cash flow, expected growth, projected borrowing capacity, and other factors that may affect a fintech company’s overall financial performance.

Legal and Regulatory Compliance

The Guide further outlines how in evaluating a fintech company’s legal standing, its knowledge about legal and regulatory requirements applicable to the proposed activity, and its experience working within the legal and regulatory framework, better enables a community bank to verify a fintech company’s ability to comply with applicable laws and regulations.

A bank may want to consider reviewing organizational documents and business licenses, charters, and registrations as such documentation provides information on where a fintech company is domiciled and authorized to operate (for example, domestically or internationally) and legally permissible activities under governing laws and regulations. Reviewing the nature of the proposed relationship, including roles and responsibilities of each party involved, may also help a community bank identify legal considerations. Assessing any outstanding legal or regulatory issues may provide insight into a fintech company’s management, its operating environment, and its ability to provide certain activities.

A bank could also consider reviewing a fintech company’s risk and compliance processes to help assess the fintech company’s ability to support the community bank’s legal and regulatory requirements, including privacy, consumer protection, fair lending, anti-money-laundering, and other matters. A fintech company’s experience working with other community banks may provide insight into the fintech company’s familiarity with the community bank’s regulatory environment. Reviewing information surrounding any consumer-facing applications, delivery channels, disclosures, and marketing materials for community bank customers can assist a community bank to anticipate and address potential consumer compliance issues. Considering industry ratings (for example, Better Business Bureau) and the nature of any complaints against a fintech company may provide insight into potential customer service and compliance issues or other consumer protection matters.

For example, some fintech companies may have limited experience working within the legal and regulatory framework in which a community bank operates. To protect its interests, community banks may consider including contract terms requiring (a) compliance with relevant legal and regulatory requirements, including federal consumer protection laws and regulations, as applicable; (b) authorization for a community bank and the bank’s primary supervisory agency to access a fintech company’s records; or (c) authorization for a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms. Other approaches could include (1) instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity), or (2) periodically reviewing customer complaints, if available, related to the activity.

Risk Management and Controls

The agencies have also identified that by banks evaluating the effectiveness of a fintech company’s risk management policies, processes, and controls, such review helps a community bank to assess the company’s ability to conduct the activity in a safe and sound manner, consistent with the community bank’s risk appetite and in compliance with relevant legal and regulatory requirements.

Banks should consider reviewing a fintech company’s policies and procedures governing the applicable activity as it will provide insight into how the fintech company outlines risk management responsibilities and reporting processes, and how the fintech company’s employees are responsible for complying with policies and procedures. A community bank may also use the information to assess whether a fintech company’s processes are in line with its own risk appetite, policies, and procedures. Information about the nature, scope, and frequency of control reviews, especially those related to the prospective activity, provides a community bank with insight into the quality of the fintech company’s risk management and control environment. A community bank may also want to consider the relative independence and qualifications of those involved in testing. A fintech company may employ an audit function (either in-house or outsourced). In these cases, evaluating the scope and results of relevant audit work may help a community bank determine how a fintech company ensures that its risk management and internal control processes are effective.

Banks should also consider the findings, conclusions, and any related action plans from recent control reviews and audits as the information may provide insight into the effectiveness of a fintech company’s program and the appropriateness and timeliness of any related action plans. Evaluating a fintech company’s reporting helps a community bank to consider how the fintech company monitors key risk, performance, and control indicators; how those indicators relate to the community bank’s desired service-level agreements; and how the fintech company’s reporting processes identify and escalate risk issues and control testing results. A community bank may also consider how it would incorporate such reporting into the bank’s own issue management processes. Review of information on a fintech company’s staffing and expertise, including for risk and compliance, provide a means to assess the overall adequacy of the fintech company’s risk and control processes for the proposed activity.

Information on a fintech company’s training program also assists in considering how the fintech company ensures that its staff remains knowledgeable about regulatory requirements, risks, technology, and other factors that may affect the quality of the activities provided to a community bank.

For example, a fintech company’s audit, risk, and compliance functions will vary with the maturity of the company and the nature and complexity of activities offered. As a result, a fintech company may not have supporting information that responds in full to a community bank’s typical due diligence questionnaires. In other cases, a fintech company may be hesitant to provide certain information that is considered proprietary or a trade secret (for example, their development methodology or model components). In these situations, a community bank may take other steps to identify and manage risks in the third-party relationship and gain confidence that the fintech company can provide the activity satisfactorily.

For example, a community bank may consider on-site visits to help evaluate a fintech company’s operations and control environment, or a community bank’s auditors (or another independent party) may evaluate a fintech company’s operations as part of due diligence. Other approaches could include (a) accepting due diligence limitations, with any necessary approvals and/or exception reporting, compared to the community bank’s normal processes, commensurate with the criticality of the arrangement and in line with the bank’s risk appetite and applicable third-party risk management procedures; (b) incorporating contract provisions that establish the right to audit, conduct on-site visits, monitor performance, and require remediation when issues are identified; (c) establishing a community bank’s right to terminate a third-party relationship, based on a fintech company’s failure to meet specified technical and operational requirements or performance standards. Contract provisions may also provide for a smooth transition to another party (for example, ownership of records and data by the community bank and reasonable termination fees); or (d) outlining risk and performance expectations and related metrics within the contract to address a community bank’s requirements

Information Security

In understanding a fintech company’s operations infrastructure and the security measures for managing operational risk, a community bank may better evaluate whether the measures are appropriate for the prospective activity. A community bank may evaluate whether the proposed activity can be performed using existing systems, or if additional IT investment would be needed at the community bank or at the fintech company to successfully perform the activity. For example, a community bank may evaluate whether the fintech company’s systems can support the bank’s business, customers, and transaction volumes (current and projected). A fintech company’s procedures for deploying new hardware or software, and its policy toward patching and using unsupported (end-of-life) hardware or software, will provide a community bank with information on the prospective third party’s potential security and business impacts to the community bank.

For example, fintech companies’ information security processes may vary, particularly for fintech companies in an early or expansion stage. Community banks may evaluate whether a fintech company’s information security processes are appropriate and commensurate with the risk of the proposed activity. Depending on the activity provided, community banks may also seek to understand a fintech company’s oversight of its subcontractors, including data and information security risks and controls.

For a fintech company that provides transaction processing or that accesses customer data, for example, community banks may request information about how the fintech company restricts access to its systems and data, identifies and corrects vulnerabilities, and updates and replaces hardware or software. The bank may also consider risks and related controls pertaining to its customers’ data, in the event of the fintech company’s security failure. Also, contractual terms that authorize a community bank to access fintech company records can better enable the bank to validate compliance with the laws and regulations related to information security and customer privacy.

Operational Resilience

A community bank may evaluate a fintech company’s ability to continue operations through a disruption. Depending on the activity, a community bank may look to the fintech company’s processes to identify, respond to, and protect itself and customers from threats and potential failures, as well as recover and learn from disruptive events. It is important that third-party continuity and resilience planning be commensurate with the nature and criticality of activities performed for the bank.

Evaluating a fintech company’s business continuity plan, incident response plan, disaster recovery plan and related testing can help a community bank determine the fintech company’s ability to continue operations in the event of a disruption. Also, evaluating a fintech company’s recovery objectives, such as any established recovery time objectives and recovery point objectives, helps to ascertain whether the company’s tolerances for downtime and data loss align with a community bank’s expectations. A community bank that contemplates how a fintech company considers changing operational resilience processes to account for changing conditions, threats, or incidents, as well as how the company handles threat detection (both in-house and outsourced) may provide a community bank with additional information on incident preparation. Discussions with a fintech company, as well as online research, could provide insights into how the company responded to any actual cyber events or operational outages and any impact they had on other clients or customers.

Understanding where a fintech company’s data centers are or will reside, domestically or internationally, helps a community bank to consider which laws or regulations would apply to the community bank’s business and customer data. Another matter for a community bank to consider is whether a fintech company has appropriate insurance policies (for example, hazard insurance or cyber insurance) and whether the fintech company has the financial ability to make the community bank whole in the event of loss.

Service level agreements between a community bank and a fintech company set forth the rights and responsibilities of each party with regard to expected activities and functions. A community bank may consider the reasonableness of the proposed service level agreement and incorporate performance standards to ensure key obligations are met, including activity uptime. A community bank may also consider whether to define default triggers and recourse in the event that a fintech company fails to meet performance standards.

A fintech company’s monitoring of its subcontractors (if used) may offer insight into the company’s own operational resilience. For example, a community bank may inquire as to whether the fintech company depends on a small number of subcontractors for operations, what activities they provide, and how the fintech company will address a subcontractors’ inability to perform. A community bank may assess a fintech company’s processes for conducting background checks on subcontractors, particularly if subcontractors have access to critical systems related to the proposed activity.

For example, as with previous due diligence scenarios, fintech companies may exhibit a range of resiliency and continuity processes, depending on the activities offered. Community banks may evaluate whether a fintech company’s planning and related processes are commensurate with the nature and criticality of activities performed for the bank. For example, community banks may evaluate a fintech company’s ability to meet the community bank’s recovery expectations and identify any subcontractors the fintech company relies upon for recovery operations. A fintech company may have recovery time objectives for the proposed activity that exceed the desired recovery time objectives of a community bank. If a fintech company can meet the community bank’s desired recovery time objectives, the bank may consider including related contractual terms, such as a contract stipulation that the community bank can participate in business continuity testing exercises and that provides appropriate recourse if the recovery time objective is missed in the event of an actual service disruption.

A community bank may also consider appropriate contingency plans, such as the availability of substitutable service providers, in case the fintech company experiences a business interruption, fails, or declares bankruptcy and is unable to perform the agreed-upon activities. In addition to potential contractual clauses and requirements, a community bank’s management may also consider how it would wind down or transfer the activity in the event the fintech company fails to recover in a timely manner.

Conclusion

The agencies have outlined a number of relevant considerations, non-exhaustive lists of potential sources of information, and illustrative examples to assist community banks with identifying strengths and potential risks when considering relationships with fintech companies. The voluntary Guide helps provide a starting point for banks with their due diligence efforts. The Guide may be viewed here.

Highlighted Special Focus From the October 2021 Compliance Journal

/by
,

WBA Comments on Proposed Interagency Guidance on Third-Party Relationships

By Scott Birrenkott

WBA filed comments this week with FRB, FDIC, and OCC (agencies) on their proposed guidance on managing risks associated with third-party relationships (proposal).

Over the years, the agencies have issued guidance on third-party management for their respective supervised institutions. The agencies have issued the proposal in an effort to promote consistency in their third-party risk management guidance and to clearly articulate risk-based principles on third-party risk management. The proposal is based on the OCC’s existing third-party risk management guidance from 2013.

WBA commented that the proposal presents a welcome opportunity to consolidate and update each agency’s individual existing guidance, and generally supported the effort. In addition to general comments reflecting member experiences in third-party management, WBA did recommend that the agencies consider specific examination procedures in accordance with the guidance, and provide banks with sufficient time to adapt to any final guidance.

Click here to view the letter.

/by
Wisconsin Bankers Association logo

questions@wisbank.com

608-441-1200

4721 S Biltmore Ln.
Madison, WI 53718

Get our Newsletter!
Subscribe