Pub 8 2020 Issue 2


Compliance Q&A – Summer 2020

Credit Practices Rule. Q: Regulation AA was rescinded some time ago, but is a Notice to Cosigner still required when we are doing a loan that has a cosigner?

A: Since the repeal of FRB Regulation AA (and similar rules by the Office of Thrift Supervision and National Credit Union Administration), there has not been an explicit requirement for banks, thrifts, and credit unions to give cosigners the Notice to Cosigner. Lenders under the enforcement authority of the Federal Trade Commission are subject to the FTC’s Credit Practices Rule, which requires such a notice (among other provisions).

However, at the time the Federal Reserve Board (and other agencies) proposed the repeal of its Regulation AA, the agencies issued Interagency Guidance Regarding Unfair or Deceptive Practices (8/22/2014). In this document is a footnote (#11) that states:

“The Agencies note that the FTC’s Credit Practices Rule requires — and the former credit practices rules applicable to banks, savings associations, and Federal credit unions required — creditors to provide a ‘Notice to Cosigner’ explaining the cosigner’s obligations and his or her liability if the borrower fails to pay. The Agencies believe that creditors have properly disclosed a cosigner’s liability if, prior to obligation, they continue to provide a ‘Notice to Cosigner.’”

So, providing the Notice to Cosigner continues to be the best way to document that the bank has properly disclosed the liability that a cosigner is taking on when signing on to someone else’s loan.

Red Flags. Q: Regarding an Identity Theft Prevention Program, what are the requirements for reporting to the bank’s board of directors?

A: There is nothing in the regulation about how you accomplish the board reporting or how often you do it. That is left up to the bank. The requirements in the rule are that the board (or appropriate committee) approves the “red flags” program initially and that they (or a designated senior management employee) be involved in the oversight, implementation and administration of the program. If the board (or committee) is involved in this latter role, periodic reporting will be needed to keep them current on what is happening in the outside world and inside the bank’s walls/systems regarding identity theft issues since things change constantly.

BSA. Q: I have filed a Suspicious Activity Report and need to report this to our board. How much should I disclose or need to disclose to them? Also, should the actual SAR filing be included in the board package?

A: There is nothing in the BSA rules that spells out what must be communicated to the board, just that the board is to be notified of a SAR filing. Of course, if a board member is the subject of the SAR, the fact that one was filed about them must not be communicated to that person (as with any other subject of a SAR).

We see a variety of how SAR filings are reported to the board (or applicable board committee). A common method seems to be to report that a SAR was filed about a person(s) structuring or regarding elder financial abuse or some other general description. Providing a copy of the actual SAR to board members is not required and is probably not a good idea, given the strict confidentiality requirements surrounding SARs — it opens up security issues, and so forth.

TILA/Flood Insurance. Q: Could we modify a current 15/1 ARM to a fixed-rate loan? They are looking to modify the note to the current rate for the rest of the 30-year term. If possible, what disclosure requirements exist?

A: Whether the bank can make such a change, and how to accomplish the modification, are questions you need to put to the bank’s legal counsel, as these issues are governed by state law. Another question for your attorney is whether this transaction would be considered under state law to satisfy/extinguish the original obligation and replace it with a new one — which is considered a “refinancing” under Regulation Z.

If the transaction is a “refinancing” and a consumer loan (for personal, family or household purposes), then full Regulation Z disclosures are required — Loan Estimate and Closing Disclosure. If there is any new money involved (it does not sound like it), then the right of rescission will also apply.

Another issue to be sure you address is the flood insurance regulation. Even a simple modification of an existing loan triggers the flood insurance rules if the loan is increased, renewed or extended. If the modification entails no increase in the loan amount, an extension of the loan maturity, or renewal of the loan (this latter issue would be defined by state law), then the flood insurance rule — hazard determination and customer notice — would not apply.

TILA. Q: We are in the process of purchasing five branches from another bank. Their HELOC statements cycle on the 1st of each month, while ours cycle on the 27th. We will be changing their schedule to match ours. What notification will be required about the cycle date, payment date and maturity date?

A: The bank is permitted by Regulation Z to make such “an insignificant change to terms” to home equity lines of credit accounts. No particular notice is mandated, but good customer service (and perhaps state contract law, check with your legal counsel) would call for some notice to affected customers, so they know what is going on.

EFTA. Q: A customer called yesterday about some charges that came out of his account from Dec. 24, 2018, through Aug. 23, 2019. The customer did not notice those transactions were coming out of his account monthly for that period of time.

He finally noticed them recently and called the car insurance company that was receiving the funds and they told him they could not find anything under his name. We did some research and found a debit card number associated with the account was marked stolen and closed, but the customer never stated at the time any charges that were not his.

The customer gave the debit card number to the insurance company and found out the money was being used to pay a guy’s insurance in Florida. They told him they could not do anything about it and that he would have to call the bank and have us refund his money back.

Due to the time frame, if we cannot get money back when disputed, would the bank be out this amount? It is over $4,000.00.

A: This customer is long past his time period to assert an EFT “error” or “unauthorized transaction.” You are not required by Regulation E to refund any money at this time.

To preserve their rights and limit their losses, customers must notify the bank of an unauthorized EFT within 60 days after the date the first periodic statement reflecting that the unauthorized EFT was sent to them (“sent” or “provided” can mean made available for pickup, for those customers who do not want statements mailed to them). In such a case, the customer’s liability is limited to those unauthorized transfers that occur after the 60-day period until notice is given to the bank. If an access device is involved, there may be other liability for transfers within the 60-day period, as discussed next.

If the alleged error involves a lost or stolen access device (such as a debit card), then there is a stepped liability structure. If the customer notifies the bank of the loss/theft within two business days after the customer discovers that the device (card) is lost/stolen, their loss is limited to no more than $50. If they fail to notify the bank within two business days after learning of the loss/theft, then their liability is limited to the lesser of $500 or the sum of $50 (or the actual amount of losses within the first two business days) plus the amount of unauthorized EFTs that occur after the first two business days up to the day they notify the bank.

BSA. Q: We have a legal entity customer that has credit cards for their employees with us. If they add another user — and authorize another card for an employee — is this considered a “triggering event” for getting a certification, etc., even though this employee is not a “beneficial owner”?

A: No. The mere addition of a new user to an existing account is not considered to be the opening of a “new account,” so no CDD/BO obligation is triggered at that time.

If the entity had changed signers on the account, that would be considered a trigger to ask if control or ownership had changed (and document that this was asked), but just adding a credit card user to the account would not necessarily be considered a trigger unless the bank has identified it as such in its own beneficial ownership policy and procedures.

By Bill Showalter, Senior Consultant, Young & Associates, Inc.

Young & Associates provides banks and thrifts with support for their compliance programs, independent reviews and in-bank training, as well as a full menu of management consulting, loan review, IT consulting and policy systems.

This story appears in Issue 2 2020 of the Community Banker Magazine.