Changing Your Outlook on Internal Audits -a Two-Part Series


Part One- A New System of Review    

Starting in 2017, the FFIEC (the organization that is comprised of the major financial institution regulators) changed the way compliance programs are rated.  Instead of a one grade for the program there is now actually a three-prong test that makes up the final rating.   The three-parts of the test are

  1. The overall compliance program including the written program, resources dedicated to the program compared to the overall risk profile of the portfolio, experience and competency of management
  2. Board and management oversight- essentially the level and quality of reporting to management.  In addition, the follow-up to problems noted and remediation implemented
  3. Harm to consumers- The violations that are discovered have varying degrees of potential for harm to consumers.  Some are very technical in nature and can be remedied by a small fix.  Other violations might require the dreaded ‘look-back” and reimbursement.

In its press release describing the new rating system, the FFIEC wrote extensively about the goals for using this approach for compliance going forward. [1] Among the goals are to make the compliance examination more risk based and to allow each institution the opportunity to develop and maintain a compliance program that is tailored to the risk profile of the institution

One of the aspects of this new rating system that is often overlooked is the focus on the “self-policing”

Opportunities Provided by These Changes

The new compliance rating represents significant changes in the ability of banks to alter their compliance destiny.   The emphasis on self- detection and self-policing allows financial institutions to perform self-evaluation and diagnose compliance issues internally.

In the new rating system, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change.  To impress the regulators that an organization is truly engaged in self-policing, there must be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be.  For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification.  This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff.   The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders.  This may seem like a reasonable response, but it is incomplete.

This response does not rise to the level of self-policing that is discussed in the FFIEC memo; a further step is necessary.  What is the follow-up from senior management?   Will senior management follow up to make sure that the classes have been attended by all commercial lending staff?  Will there be consequences for those who do not attend the classes?  The answers to these questions will greatly impact the determination of whether there is self-policing that is effective.   Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management.  The more the regulators trust the self-policing effort, the more the risk profile decreases, and the less likely enforcement action will be imposed.


At first blush self-reporting seems a lot like punching oneself in the face, but this is not the case at all!   The over-arching idea from the FFIEC guidance is that the more the institution is willing to work with the regulatory agency, the more likely that there will be consideration for reduced enforcement action.  Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust that the regulators have in the management in general and the effectiveness of the compliance program.   The key here is to report at the right time.  Once the extent of the violation and the cause of it have been determined, the time to report is imminent.  While it may seem that the best time to report is when the issue is resolved, this will generally not be the case.  The regulators may want to be involved in the correction process.  In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week).


What will your institution do to correct the problem?  Has there been research to determine the extent of the problem and how many potential customers have been affected?      How did management make sure the problem has been stopped and won’t be repeated?  What practices, policies and procedures have been changed as a result of the discovery of the problem?  These are all questions that the regulators will consider when reviewing efforts at remediation.  For example, if it turns out that loan staff has been improperly disclosing transfer taxes on the Loan Estimate, an example of strong mediation would include:

  • A determination if the problem was systemic or with a particular staff member
  • A “look back” on loan files that for the past 12 months
  • Reimbursement of any customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
  • Disciplinary action (if appropriate for affected employees)
  • A plan for follow-up to ensure that the problem is not re-occurring

Self-policing allows an institution the ability to positively impact its regulatory fortunes.   The goal under this new system is to document the effectiveness of the system of controls in place.  The effectiveness of the control environment will impact all three of these ratings.  Generally, more favorable ratings will extend the amount of time before your next examination is scheduled.

Ultimately, the new compliance ratings system highlights a financial institutions ability to establish its control environment.

In part Two we will discuss the control environment


*** James Defrantz is Principal at Virtual Compliance Management Services LLC***

***For More Information Please Feel free to contact Us at***

[1] The full press release can be found at



Why IS There a Regulation B


As anyone in compliance can attest to, there are Myriad consumer compliance regulations.  For bankers, these regulations are regarded as anything from a nuisance, to the very bane of the existence of banks.  However, the truth is, there are no bank consumer regulations that were not earned by the misbehavior of banks in the past.  Like it or not these regulations exist to prevent bad behavior and/or to encourage certain practices.   We believe that one of the keys to strengthening a compliance program is to get your staff to understand why regulations exist and what it is the regulations are designed to accomplish.  To further this cause, we have determined that we will from time to time through the year; address these questions about various banking regulations.  We call this series “Why is there….”

A Little History

The consumer credit market as we now know it grew up in the time period from World War II and the 1960’s.  It was during this time that the market for mortgages grew and developed and became the accepted means for acquiring property, financing businesses, developing wealth and upward mobility.  By the late 1960’s the consumer credit market was booming.

The Equal Credit Opportunity Act (“ECOA”) and regulation B are not nearly as old as you might think. In fact, the first attempt at regulating credit access was the Consumer Credit Protection Act of 1968.  This legislation was passed to protect consumer credit rights that up to that point been largely ignored.  The 1968 was passed as the result of a continuing growth in consumer credit its effects on the economy.  For example, in the year before the regulation was passed, consumers were paying fees and interest that equaled the government’s payments on the national debt!  One of the goals of the Consumer Credit protection Act then was to protect consumer rights and to preserve the consumer credit industry.

The Civil Rights Movement was occurring at the same time as the passage of the CCPA and in 1968, the Fair Housing act was passed by Congress.  The FHA was designed to assist communities that that had been excluded from credit markets obtain access to credit.  We will discuss the Fair Housing Act in more detail next month.

One of the things that the CCPA did was to empanel a commission of congress called the National Commission on Consumer Finance.  This commission was directed to hold hearings about the structure and operation of the consumer credit industry.  These hearings were conducted throughout 197.  The commission made its report and disbanded.

Unintended Consequences

While performing the duties they were assigned,   the members of the National Commission on Consumer Finance conducted several hearings about the credit approval process for consumer loans.  The stories and anecdotes from these hearings raised a tremendous public outcry about the behavior of banks and financial institutions that were in the business of granting credit.   One of the common themes of the testimonies given was that women and minorities were being left behind when it came to the growth of the consumer credit market.  Public pressure forced additional hearings on the consumer credit market, and the evidence showed that women in particular and minorities in general were being given unfair and unequal treatment by banks.


What was Going On? 

So what was it that bans were doing that was causing a concern?    There were several practices that had become normal and regular for banks when the applicant for consumer credit was a woman or a member of a racial minority group.

Women had more difficulty than men in obtaining or maintaining credit, more frequently were asked embarrassing questions when applying for credit, and more frequently were required to have cosigners or extra collateral. [1]  When a divorced or single woman applied for credit she was immediately asked questions about her life choices, sexual habits, and various other personal information that was both irrelevant to the credit decision and not asked of men.

Racial minorities had difficulty even obtaining credit applications let alone credit approvals.  In cases, where members of minority groups attempted to get a loan applicant, there were either told that the bank was not making consumer loans,  or that the area that the person lived was outside of the lending area of the bank.

For applicants that receive public assistance, child support of alimony, banks would not consider these as sources of income under the theory that they were temporary and might disappear.

Despite being subjected to embarrassing or incorrect information, in the cases where women and minorities persisted and completed a credit applications, banks would drag out the process for interminable time periods and would engage in strong efforts to discourage the applicant from going forward.

In many cases, when a person lived in a neighborhood that was predominately comprised of minorities, the borrower was told that the collateral did not have enough value without further explanation.


Though these stories created a great deal of interest, the CCPA was not amended until 1974 when the first Equal Credit Opportunity Act was passed.  This Act prevented discrimination in credit on the basis of sex and marital status.

In 1976, the ECOA was amended to prohibit credit discrimination on the basis of


  1. Race, color, religion, national origin, sex, marital status or age
  2. When all or part of the applicant’s income derives from public assistance
  3. If the applicant had filed a former claim of discrimination


The 1976 amendment also added the requirement that the financial institution had to notify the applicant of the reasons for a decline.   Regulation B establishes the rules that implement the ECOA.  .    These include the following:

  1. Limitations on the types of information that can be requested in a credit application.
  2. Limitations on the characteristics that can be considered about an applicant.
  3. Rules on when an applicant’s spouse can be requested to sign a loan applicant
  4. Rules on the time limits for when a credit decision can be made.
  5. Copy of Appraisals An applicant on a real estate secured loan now must receive a copy of the appraisal or evaluation used to establish the value of the collateral
  6. Collection of Government Monitoring Information- In cases of loan requests for the purchase or refinancing of a primary residence, government monitoring information (race, sex, and ethnicity) must be obtained.


What is Regulation B designed to do?

There are two main goals of the ECOA and its implementing regulation, Regulation B.


  • Enhanced Credit Opportunities for women and minorities


  • Greater consumer education


Credit Opportunities

One of the complaints about consumer banking regulation that is often raised is that it promotes bad loans.  However, for the inception of these regulations, Congress made clear that these laws apply only to credit worthy individuals.  It has never been the case that Congress or the regulators want banks to make bad loans.  The problem was and is that people who are truly creditworthy were being overlooked and excluded based on factors that were outside of their control.

The law then is designed to prevent discrimination on an   illegal basis.  Even today, a great deal of disagreement over what discrimination might mean.  Of course, each and even decision to make or not make a loan is a form of discrimination.  That is part of the natural process of decision making.  Instead here what is prevented is discriminating on an illegal basis; making the adverse action based on who the applicant is rather than their credit worthiness.

There are two tests for illegal discrimination. The first is the effects test.  Under this test, if the overall effect of a credit policy results in an uneven or disproportionate negative result, it may be in violation of the regulation.   Suppose for example, a bank decided that it would not include temporary work income as income for credit applications.  In this case, the decision to do so would be applied across all lines and to all borrowers.  However, the effect of this decision would impact women and minorities in greater numbers because temporary workers are way more likely to be women and minorities in the assessment area of the bank.  This would be an effects test violation of regulation B.

The second test is the intent test.  This test is pretty straight forward.  This would be cases where a lender intended to treat applicants differently based on who they are and in fact did so.  While this area was largely in evidence in the 1960’s when these laws were first enacted, the number of cases of intentional discrimination has significantly reduced over the years.

Borrower Education

The borrower education portion of the ECOA and Reg. B is typified by the notice requirements.  In an effort to make banks inform the applicant about the decision that was made, the regulations require a quick and concise decision process.  The notice requirement is designed to let the applicant know the specific reasons why their credit application was declined so that they can address the problem. If there are problems with the credit report, then the borrower needs to know what the problems are and who is reporting them.  In this manner the borrower is informed and the bank is kept “honest” about its decisions.

The reasons that the examiners test adverse actions for timing and accuracy is that borrowers should have the ability to know exactly what is wrong and have an opportunity to fix it.  This is the reasoning behind requiring a copy of an appraisal report.

Why are there a Regulation B and the ECOA?

The development of the consumer credit market brought with it a series of bad behaviors that directly and negatively impacted the ability of women and minorities to obtain credit.   These behaviors included asking women to check with their husbands before getting a loan, denying a single woman credit, discouraging minorities from applying for credit and outright refusal to grant credit.

The law and regulation are designed to open up credit to all who are worthy by limiting practices that unfairly exclude groups of people and by making sure that applicants are fairly informed of the reasons for a denial.

Embrace your inner compliance officer by knowing that this regulation is well earned, well intended and provides a good outcome for people who would otherwise not be able to obtain credit through no fault of their own.


[1] Gates, Margaret J., “Credit Discrimination Against WomenCauses and Solution,” Vanderbilt Law.

Why Don’t examiners Like MSB’s




For many thousands of workers in the United States, the end of the week renews a weekly ritual; payday.  For those workers who are expatriates, payday renews another ritual, the trip to the local money transmitter also known as Money Service Businesses.  Money Services businesses are defined by FinCEN as follows:

The term “money services business” includes any person doing business, whether on a regular basis or as an organized business concern, in one or more of the following capacities:

  • Currency dealer or exchanger.
    (2) Check casher.
    (3) Issuer of traveler’s checks, money orders or stored value.
    (4) Seller or redeemer of traveler’s checks, money orders or stored value.
    (5) Money transmitter.
    (6) U.S. Postal Service.


For many years MSB’s have served the needs of the expatriate workers who are sending money home.  The remittance market is a multi-billion-dollar business serving a large population of the people who tend to be underbanked or unbanked.

Storm Clouds

In 2013 the US Department of Justice initiated Operation Chokepoint.  This initiative was described in a 2013;

Operation Choke Point was a 2013 initiative of the United States Department of Justice, which would investigate banks in the United States and the business they do with firearm dealers, payday lenders, and other companies believed to be at higher risk for fraud and money laundering.[1]

The Justice Department’s decision to focus on the activities of MSB’s directly impacted their treatment by banks.  Soon, MSB’s became persona non-grata; the major theme was that these organizations have high potential for money laundering and therefore had to be given scrutiny.   There was a second theme that was less prominent; the better the monitoring the lower the risk.   Eventually the regulators were forced to cease the initiative.  Unfortunately, a great deal of the stigma associated with MSB’s remains.

Community Banking Transitions  

Today community banks are experiencing strong  competition for interest margins in traditional business lines.  Competition for C & I and CRE has become fierce, making lending in these areas more expensive.   In the meantime, the main reason for community banking- serving the underserved is still an area that has a great deal of space for growth.   In 2016, the FDIC estimated that 27% of all households were unbanked or underbanked.

The Remittance Market

Remittances are a growing market that continues to grow according to the world bank statistics $138,165,000,000 in remittances was sent from United States to other countries in 2016.  The market is expected to continue to grow in the next few years.   The average size of an individual remittance remains $200.00.   There are a number of money transfer business that have developed systems that are familiar to the customers and efficient in their delivery.  The forces created by operation chokepoint and growing remittance market are creating great opportunities.  Despite the huge demand and potential for fee income, many MSB’s are in search of a banking relationship.

Why Should a community bank consider an MSB relationship?    

Because of the history we have already discussed for many banks, the term MSB ends the discussion.  However, for those banks that are looking for ways to improve overall profitability; there are several positives to consider

o   Fee income:  Because the business model is built on small dollar transactions, there is a large volume of transaction.  Each transaction has the potential to generate fees.  The experience of banks that offer accounts to MSB’s has been a steady reliable source of fee income.

O  Small Expenditures of Capital:  The expenditure of capital that is necessary is largely dependent on the strength of your overall BSA compliance program.  At the end of the day, the financial institution must dedicate sufficient resources to monitor the activity of the MSB.

o   Extremely Low Cost:  The costs of the resources mentioned above can and often is covered by the client MSB.

o   Serving the Underserved:   As we previously noted, the vast majority of the customers using MSB’s are part of the larger underbanked and unbanked population.

o   Opportunities for new markets, projects and a whole new generation of bank customers: Today’s MSB customer can easily be tomorrow’s entrepreneur who opens a large business account at your bank.


MSB’s and Risk

For many institutions the decision has been made that the regulatory risk associated with Money Service Business is too great to justify offering the product.  Of course, most reason for this decision harkens back to the struct scrutiny of Operation Chokepoint.

The fact that so many MSB’s lost their banking relationships caused the FDIC (the main “tormentor of financial institutions in this area) to issue FIL 5-2015 which was directed at the mass “de-risking” that that banks were forcing on MSB’s.

The FDIC is aware that some institutions may be hesitant to provide certain types of banking services due to concerns that they will be unable to comply with the associated requirements of the Bank Secrecy Act (BSA). The FDIC and the other federal banking agencies recognize that as a practical matter, it is not possible for a financial institution to detect and report all potentially illicit transactions that flow through an institution.   Isolated or technical violations, which are limited instances of noncompliance with the BSA that occur within an otherwise adequate system of policies, procedures, and processes, generally do not prompt serious regulatory concern or reflect negatively on management’s supervision or commitment to BSA compliance. When an institution follows existing guidance and establishes and maintains an appropriate risk based program, the institution will be well-positioned to appropriately manage customer accounts, while generally detecting and deterring illicit financial transactions.[2]

Put another way, the regulators were noting that despite the appears otherwise the principles for managing the risks of MSB’s still applied; the better the monitoring, the lower the risk.   When considering whether to offer an MSB a bank account, your financial institutions should be able to administrate the account to keep risks low.  In addition to the guidance published by the FDIC, FinCen, the FFIEC and the other banking regulatory agencies have all published guidance making it clear that there are no absolute regulatory restrictions on banking MSB’s.


[1] Zibel, Alan; Kendall, Brent (August 8, 2013). “Probe Turns Up Heat on Banks”The Wall Street Journal

[2] FIL 5-2015