Computer Services : 6 Compliance Themes That Will Impact 2017

Understanding the Unpredictable, Preparing for the Predictable

As a contentious 2016 fills our rearview mirror, 2017 is shaping up to be a year unlike any other. When businessman-turned-politician Donald Trump takes office as the 45th president of the United States, his administration is predicted to be as unprecedented as his campaign.

Mr. Trump appears poised to shake up the regulatory environment, but that isn't the only thing looming on the 2017 compliance radar. While financial institutions should keep an eye on potential legislation changes, several other themes are sure to be top-of-mind for regulators, no matter what changes the new administration sets in motion. Is your institution ready for 2017?

Trump's First 100 Days: What Will It Reveal?

President-elect Trump advocates reducing regulatory burdens to boost the economy. In his Transition 2017 video outlining the plan for his first 100 days in office, he announced that he 'will formulate a rule which says that for every one new regulation, two old regulations must be eliminated.'

One of those regulations could be the Dodd-Frank Act, which he has referred to as 'a sprawling and complex piece of legislation that has unleashed hundreds of new rules and several new bureaucratic agencies,' resulting in the growth of big banks and the decline of community banks. To combat this trend, he has stated that, 'The Financial Services Policy Implementation team will be working to dismantle the Dodd-Frank Act and replace it with new policies to encourage economic growth and job creation.'

Will Mr. Trump fully repeal Dodd-Frank during his first 100 days in office? An analysis by NPR doubts that possibility: 'Repealing the entire law probably would take more time and attention than Congress could muster in a 100-day rush.' Rather, the analysis anticipates a scenario in which the Republican-controlled Congress would be eager to approve big revisions to the act. U.S. Rep. Blaine Luetkemeyer, R-MO, has already proposed one such bill to weaken Dodd-Frank, which successfully passed the House in December, providing existing momentum for further revision efforts.

As Trump's first 100 days begin, financial institutions, especially community banks, will be watching intently for any regulatory changes to Dodd-Frank.

HMDA Final Rule: What Is Required?

Unless otherwise changed by the new administration, starting in 2018, the uniform volume thresholds set by the CFPB's Home Mortgage Disclosure Act (HMDA) Final Rule go into effect. Institutions that meet all other criteria (i.e., asset size, Metropolitan Statistical Area, etc.) and originated at least 25 closed-end mortgage loans or 100 open-end lines of credit in each of the two preceding years will be responsible for collecting 48 HMDA data points on those types of transactions starting on Jan. 1, 2018.

Automated HMDA compliance systems will need to be updated to account for the 25 new and 14 modified HMDA data fields by the start of 2018. They will also need to be programmed to adjust to the rule's extended integration timeline:

• 2017 Data: Collect and report per current rule and submit to the Fed in 2018.
• 2018 Data: Collect and report per new rule and submit per current rule to the CFPB in 2019.
• 2019 Data: Collect and report under new rule and submit it under new rule to the CFPB.

HMDA processes and procedures will also need to be updated and staff fully trained on the new requirements before the end of this year.

FinCEN Enhanced CDD Rule: Is Your Institution Prepared?

On May 11, 2018, financial institutions will need expanded Bank Secrecy Act (BSA) policies, procedures and practices in place that 1) identify and verify beneficial owners of covered legal entities, and 2) allow a more complete understanding of customer relationships-what the rule calls the fifth pillar of anti-money laundering (AML) programs. But financial institutions cannot wait until 2018 to prepare for this.

Ring in 2017 by assessing your institution's progress. Start by comparing CSI's recommended quarter-by-quarter timeline for Customer Due Diligence (CDD) Final Rule preparations to your own efforts. By now, your institution should have a project team in place that has identified and begun work on the policies, processes and systems that require changes as a result of this rule.

While preparing, keep this in mind:

• Institutions will need to identify and verify beneficial ownership for any new account opened, even if that account is for an existing customer.
• Beneficial owner covers the ownership prong (anyone with 25 percent ownership) and the control prong (someone with significant responsibility).
• Use of FinCEN's Certification Form is optional, but the identifying information it captures is not (name, date of birth, address and social security number).
• The Fifth Pillar means that institutions are now explicitly required to understand the nature and purpose of all customer relationships by creating a customer risk profile that supports ongoing monitoring and reporting of suspicious activity.

TRID and Construction Loans: Where Does Your Institution Stand?

The September 2015 Consumer Financial Protection Bureau (CFPB) 'Dodd-Frank Mortgage Rules Readiness Guide ' indicated that the CFPB would 'be sensitive to the progress made by those entities that have been squarely focused on making good-faith efforts to come into compliance with the rule on time.' We are now most likely past the initial implementation phase during which CFPB Director Richard Cordray indicated examinations would be 'corrective and diagnostic, rather than punitive.'

Unfortunately, many financial institutions are still struggling to appropriately apply the TILA-RESPA Integrated Disclosure (TRID) rule to construction loans. This challenge carries significant and costly consequences, in particular when it comes to TRID tolerance levels: the difference between the amount disclosed on the Loan Estimate and the amount paid by the customer. The rule identifies three tolerance categories:

• Zero Tolerance: No disparity is allowed for required services that cannot be shopped and are paid to either the institution or an unaffiliated third party.
• 10 Percent Tolerance: The cumulative amount of all recording fees and unaffiliated third-party fees that can be shopped must not exceed 10 percent of the quoted total.
• Unlimited Tolerance: No tolerance limit is placed on required services over which institutions have minimal control, e.g., required services that can be shopped. Prepaid interest, property insurance premiums and escrow items round out this category.

If your institution is struggling with this, review the CFPB webinar, 'Know Before You Owe Mortgage Disclosure Rule - Construction Lending,' which provides specific details on completing the Loan Estimate for construction loans, including how to calculate various payments.

Vendor Management: Who Poses a Risk and How?

In 2016, for the third year in a row, a regulatory agency issued updated guidance on vendor management. In late October, the CFPB joined the Office of the Comptroller of the Currency (OCC, updated guidance in 2014) and the Federal Financial Institutions Examination Council (FFIEC, updated guidance in 2015) in reiterating the importance of a robust vendor management program, signaling a sharp regulatory focus on the same.

The CFPB's 'Compliance Bulletin and Policy Guidance; 2016-02, Service Providers' clarifies 'that the depth and formality of the risk management program for service providers may vary depending upon the service being performed-its size, scope, complexity, importance and potential for consumer harm-and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.'

In response to the OCC and FFIEC guidance updates, CSI published 'Demystifying Vendor Management,' which closely mirrors the CFPB clarification. It noted that vendor due diligence should be based on the type and amount of risk involved in the relationship and classified vendors into three risk-based categories:

• Strategic vendors: Indispensable vendors require the most extensive due diligence.
• GLBA vendors: Those with access to your sensitive data require significant due diligence.
• General vendors: All other vendors require standard due diligence.

Use this article's detailed advice to re-evaluate your institution's vendor management program for 2017.

Cybersecurity: How Will the Industry Fight Back This Year?

Mr. Trump campaigned on a message of bolstering national security, which specifically included cybersecurity. It's safe to say that protecting our vital infrastructure and information from cyberattacks will remain a hot topic in the foreseeable future.

Financial institutions must be prepared to do their part to protect our financial system in 2017. Compare your Information Security program to the FFIEC's recent Information Security Booklet update to ensure it is elevated to the level expected by regulators and needed to protect against cyberattacks. To help you get started, CSI identified seven key takeaways from the FFIEC's updated Information Security Booklet.

Staying Compliant in 2017 … and Beyond

In order to maintain a strong compliance stance this year, financial institutions should keep a close eye on the themes discussed in this article. Of course, they don't represent the sum total of compliance obligations required or changes anticipated in 2017.

The Volker Rule takes effect in July, although some suggest it may be one of Mr. Trump's repeal targets. In 2017, institutions should also be preparing for the complex new accounting standard, Current Expected Credit Losses (CECL), which goes into effect between 2020 and 2021. Not to mention, the potential changes in the pre-rule stage (e.g., debt collection and overdraft) and in the proposed rule stage (Regulations P, CC, etc.).

For all of this and more, count on CSI to continue to monitor and report on the regulatory environment this year and beyond to assist your overall compliance efforts.

Keith Monson serves as CSI's chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI's corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.