Friday, July 28, 2017

Distinguishing between AML Compliance and OFAC Compliance

We know that you were among the first to provide anti-money laundering tests, which is required by statute. So, we think you would know the answer to our question. A banking examiner told us that our AML program needs more procedures for OFAC compliance. What is the difference between AML compliance and OFAC compliance?

We were the first to offer AML tests for non-banks and bank mortgage divisions.

This is a good question about AML and OFAC, as it highlights an important component of the AML program itself. Anti-Money Laundering (AML) compliance, often referred to as “AML compliance,” focuses on detecting and deterring money laundering and terrorist abuses in the financial system. AML programs are mandated for certain financial institutions by law under the Bank Secrecy Act (BSA). In fact, such programs are also suggested for other organizations under the Federal Sentencing Guidelines of the U.S. Sentencing Commission. [FFIEC Exam Manual]

Failure to comply with BSA requirements may result in civil monetary penalties and exposure to criminal liability. AML violations caused by non-compliance, as well as failure to implement terrorist financing laws, can result in civil and criminal penalties, imprisonment, and asset forfeiture. [18 USC §§ 981, 982, 1956, 1957, 2339A, 2339B, 2339C]

Office of Foreign Assets Control (OFAC) compliance, commonly referred to as “OFAC compliance,” is derived from rules set forth by OFAC, which is part of the U.S. Department of the Treasury. Its purpose is to administer and enforce economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to national security, foreign policy or the economy of the United States.

Under national emergency powers and specific legislation, OFAC can impose controls on transactions and freeze assets subject to the jurisdiction of the United States. OFAC administers programs against targeted foreign countries and regimes, terrorists, international narcotics traffickers, entities involved in proliferation of weapons of mass destruction, and, in effect, other threats to national security, foreign policy or the U.S. economy.

OFAC prepares and maintains a unique list, called the Specially Designated Nationals list, which is a compilation of names of persons, entities, and countries that are restricted or prohibited from transacting or dealing with U.S. persons. [U.S. Department of the Treasury, Sanctions Programs] Failure to comply with OFAC’s restrictions or prohibitions can result in substantial civil penalties and potential fines. [U.S. Department of the Treasury, Civil Penalties and Enforcement Information; also, Economic Sanctions Enforcement Guidelines, 31 CFR, Part 501, Appendix A]

Unlike BSA mandates, which require an AML compliance program, OFAC does not require an organization to maintain an OFAC compliance program. However, OFAC has indicated that should a violation of law occur, the presence of a program could be a substantial mitigating factor in determining the nature and amount, if any, of a penalty. [31 CFR, Part 501, Appendix A] Consequently, federal financial institution regulators have determined that failure to maintain an OFAC compliance program is considered an unsafe and unsound banking practice.

Although BSA and OFAC requirements are distinct, the requirements are viewed as supporting the common policy goal of national security. Therefore, financial institutions that are subject to the BSA’s AML compliance program requirement are expected to treat OFAC compliance as related, especially with respect to the need to collect and analyze certain customer information.

Jonathan Foxx
Managing Director 
Lenders Compliance Group

Thursday, July 20, 2017

Record Retention: Evidence of Compliance under TILA

We are going paperless, but we are unsure about retaining documents under the Truth in Lending Act, since we know that regulatory enforcement requirements may cause us to hold on to evidence. That goes along with our concerns about retaining paper copies, too. You may have answered a question like this one before, but we are still unsure of what evidence we need to retain to show compliance. So, we want to know what is the timeline for retaining documents beyond the required time required in case of regulatory enforcement against us? Also, must we keep paper copies as evidence of compliance?

You have asked a complicated question about regulatory enforcement parameters, with respect to record retention. Because you have framed your question in the context of the Truth in Lending Act (TILA), this response will be narrowed to Regulation Z, the implementing regulation of TILA.

Except with respect to advertising, creditors must retain evidence of compliance with Regulation Z for a period of two years after the date the disclosures are required to be made or action is required to be taken. Enforcement of TILA, however, may require the creditor to retain records for longer periods necessary to carry out enforcement responsibilities and administrative actions.

In effect, this means that administrative agencies responsible for enforcing a subject regulation may require creditors under their jurisdictions to retain records for a longer period, if necessary to perform their enforcement responsibilities. [12 CFR § 226.25(a)]

As to paper retention, in terms of adequate evidence of compliance, it is not absolutely necessary to retain actual paper copies of disclosures or other business records. Evidence may be retained on microfilm, microfiche, computer programs, or by any other method that reproduces records accurately.

As a matter of fact, the creditor needs to retain only enough information to reconstruct the required disclosures or other records. By way of example, the creditor does not need to retain each open-end, periodic statement for purposes of complying with record retention of a home-equity plan's periodic statement, as long as the specific information on each statement can be retrieved. In other words, written procedures for compliance with the disclosure requirements and a sample periodic statement represent adequate evidence of compliance. [12 CFR Supplement I to 226, Official Staff Interpretations, § 226.25(a)-2]

Jonathan Foxx 
Managing Director

Thursday, July 13, 2017

Credit Reporting Agency Investigations

We received a notice from TransUnion that our reported information is being disputed by the consumer. TransUnion has contacted us to obtain information about the disputed reference. But we are not sure what steps TransUnion is taking in its investigation. What are the procedures TransUnion follows if a consumer disputes the information? What are the procedures we should be following in response to TransUnion’s investigation?

TransUnion is one of several consumer reporting agencies (“CRA”). If you furnished information about a consumer to a CRA and the consumer disputes the accuracy or integrity of the information contained therein, the following procedures should be followed in response to the CRA’s investigation.
  1. Conduct an investigation with respect to the disputed information;
  2. Review all relevant information provided by the CRA;
  3. Report the results of the investigation to the CRA;
  4. If the investigation finds that the information is incomplete or inaccurate, report the results to all other CRAs to which you furnished the information and that compile and maintain files on consumers on a nationwide basis; and
  5. If an item of information disputed by the consumer is found to be inaccurate or incomplete or cannot be verified after any reinvestigation, for purposes of reporting to a CRA only, as appropriate, promptly:
     a. Modify the item of information;
     b. Delete the item of information; or
     c. Permanently block the reporting of the item of information. [15 USC § 1681s-2(b)(1)]

It is important to note that there is a timeline requirement. You must complete the required investigations, reviews, and reports before the expiration of the time period applicable for the CRA to complete actions required under the Fair Credit Reporting Act (FCRA) with respect to the information. [15 USC § 1681s-2(b)(2)]

This process is called a “reinvestigation,” and the timeline is incumbent on the CRA. The CRA conducts the reinvestigation free of charge in order to determine whether the disputed information is inaccurate, and it records the current status of the disputed information, or deletes the item from the file, before the end of a 30-day period beginning on the date on which the CRA receives the notice of the dispute from the consumer or reseller.

As to extensions to the reinvestigation timeline, the 30-day period may be extended for not more than 15 additional days if the CRA receives information from the consumer during the 30-day period that is relevant to the reinvestigation. This extension would not apply where, during the 30-day period, the information that is the subject of the reinvestigation is found to be inaccurate or incomplete or the CRA determines that the information cannot be verified. [15 USC § 1681i(a)(1); 15 USC § 1681i(a)(2); FCRA § 611(a)(1)]

I strongly recommend that you have policies and procedures in place that set forth your obligations regarding how best to respond to a CRA investigation regarding a consumer dispute of information contained in the credit report. If you need assistance, please let us know.

Jonathan Foxx
Managing Director

Thursday, July 6, 2017

Affiliate Marketing: Eligibility Information

One thing we have always been confused about is how we can use eligibility information from affiliates. The part about affiliate marketing that particularly confuses me is if we do not use eligibility information from an affiliate, but the affiliate uses its own eligibility information to market on our behalf. So, our question is, if we do not use eligibility information from an affiliate, but the affiliate uses its own eligibility information to market on our behalf, is the marketing that the affiliate does on our behalf covered by affiliate marketing provisions?

I know this may seem somewhat complicated, but it is more straightforward than you think. If certain conditions are satisfied, the affiliate marketing provisions would not apply. But the details, like so much else, are important to consider.

So long as a financial institution does not use eligibility information in a manner that would constitute the making of a solicitation for marketing purposes, such solicitation is not covered by the affiliate marketing provisions where:

  1. The affiliate of an institution uses its own eligibility information that the affiliate obtained in connection with a pre-existing business relationship it has or had with the consumer to market the institution’s products or services to the consumer; or,
  2. The affiliate of the institution directs its service provider to use the affiliate’s own eligibility information that the affiliate obtained in connection with a pre-existing business relationship it has or had with the consumer to market the institution’s products or services to the consumer, and the institution does not communicate directly with the service provider regarding that use of the information. [12 CFR § 334.21(b)(4); 16 CFR § 680.21(b)(4); 12 CFR § 222.21(b)(4); 12 CFR § 41.21(b)(4); 12 CFR § 717.21(b)(4)]

One observation is worth considering: the ability of a financial institution to have an affiliate use the affiliate’s own eligibility information, as described above, to market the products or services of the financial institution provides a significant alternative to certain standard notice and opt out procedures.

Affiliate marketing rules of the federal financial institutions regulators and the FTC specify additional requirements regarding the involvement of service providers in a solicitation in order to avoid having the solicitation be subject to the affiliate marketing provisions. Refer to the FTC’s affiliate marketing rules for more details. [12 CFR § 334.21(b)(5); 16 CFR § 680.21(b)(5); 12 CFR § 222.21(b)(5); 12 CFR § 41.21(b)(5); 12 CFR § 717.21(b)(5)]

Jonathan Foxx
Managing Director 
Lenders Compliance Group