Compliance Management Program: Challenges

QUESTION
Recently, we were cited by our regulator for not having an adequate Compliance Management Program document that was consistent with our “size, complexity, and risk profile.” 

We had bought a manual for a Compliance Management Program from a policy publisher and adapted it to our use. The person who purchased the policy is no longer with the company, so now we’re scrambling to put together a program that will satisfy the examiners. We don’t want to buy another off-the-shelf policy at this point. Lesson learned. 

We’ve started to compile information, but this situation is getting overwhelming, and we’re running out of time. 

Since you do reviews for the Compliance Management Program, can you give us a way to focus our research?

ANSWER
As Erma Bombeck, the inimitable American humorist, once said, “When your mother asks, ‘Do you want a piece of advice?’ it is a mere formality. It doesn’t matter if you answer yes or no. You’re going to get it anyway.” So, I am going to put on my Mother Hen hat and tell you straight-out: if your company does not have a Compliance Management Program that represents its “size, complexity, and risk profile,” a world of hurt is coming your way! Getting policies from “manual mills,” as I call these policy purveyors, is an ineffective and dangerous way to manage your policies and procedures. And, getting a Compliance Management Program from a manual mill is particularly inappropriate because this outline is the foundational basis of all compliance-related areas of interest.

We realized this years ago when we began our Compliance Tune-up® audit series. The very first Compliance Tune-up® was the CMS Tune-up®, a targeted audit that evaluates the Compliance Management System or Program. Our review is affordable, collaborative, and quick. It reports a company’s strengths and weaknesses with respect to the compliance management program - plus, it provides a risk rating. If I were in your position, I would be getting the CMS Tune-up® done as soon as possible. Then, I would use the results to ensure that the CMS is responsive to the reported findings. 

Contact me HERE to discuss this matter or request more information HERE about the CMS Tune-up®.

Regulatory compliance management of consumer laws involves implementing policies and procedures that are designed to ensure the institution understands and follows applicable laws in a manner that avoids fines, lawsuits, and reputational issues. The Dodd-Frank Wall Street Reform and Consumer Protection Act established the Consumer Financial Protection Bureau (CFPB) that centralized the monitoring and enforcement of consumer protection laws. The CFPB issues regulations that institutions use to implement the laws that Congress passes. The risk that institutions face is that these regulations will not be followed as intended. The ramifications that could result include actions by the institution’s primary regulator, as well as potential fines, lawsuits, and reputation risk.

Thus, it is essential to have a robust Compliance Management Program in place to oversee the institution’s compliance with applicable laws and regulations. I will provide some high-level guidelines for you to consider. Keep in mind that drafting and implementing a review process is only the beginning. You should also implement a risk assessment program that addresses the need to periodically review and evaluate the adequacy of the institution’s CMS efforts to protect the institution.

The following brief outline offers a cursory highlight of the areas of interest that should be included in the Compliance Manager Program. It provides some insight into an evaluation generally, while also providing some understanding of risk assessment imperatives. It would be best if you used the CMS Tune-up® to get a focused review of your overall compliance program. Since I do not know if you have completed a recent internal audit, I am going to outline some features of a risk assessment; then discuss a compliance management system policy document; then mention two caveats. Finally, I will briefly discuss risk ratings and how these apply in the context of a Compliance Management Program.

Risk Assessment Objectives
A periodic risk assessment should determine the quality of the institution’s Compliance Management Program, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations. Moreover, it should assess whether the Compliance Management Program is effective at facilitating compliance; identify potential deficiencies in the Compliance Management Program and areas of most significant risk and concern; and, determine where transaction testing is necessary.

Identify Applicable Statutes and Regulations
Determine if the Compliance Management Program adequately addresses (viz., through oversight, policies and procedures, training, monitoring, and complaint response) all areas related to the following federal consumer laws, regulations, rules, and policy statements. Depending on the institutional structure and charter, this would include the areas of lending, deposits, and many other items, such as HMDA or CRA requirements, advertisements, banking format, privacy, leasing, debt collection, interstate banking, branch activation and closings, online protections, telemarketing, CAN-SPAM, marketing, and much more.

Evaluate Management Oversight
Review the Board and committee minutes. Review of these documents should give you an indication of conditions, such as the extent of Board governance and oversight in assuring compliance with consumer protection and fair lending laws and regulations; director and senior management training; policy and procedures rationalization; negative comments on rejected loan applications during loan committee or any other meeting; consideration of new loan or deposit products and strategies for their implementation; new software or software vendors; consideration of third parties for compliance audits; branch openings and closings rationalizations; and whether the Board maintains a reporting structure that documents discussions of recommendations for policy changes, adoption of revisions, and corrective actions and testing.

Evaluate the Compliance Management Program
To evaluate the Compliance Management Program, you should review the following, at a minimum:

Policies and Procedures Review
Policies and procedures, whether written or unwritten, should cover all of the department and function areas of the financial institution. An entity may have other policies or procedures related to compliance, but not specific to compliance, and those policies need to be reviewed as well, depending on the institution’s activities and risk profile.

Training
Review your institution’s training records and have sufficient discussions with management to answer a host of review topics, such as, among other things, whether every employee receives appropriate training given his or her compliance responsibilities; how often training is conducted; the acceptable frequency of training activity; if the training program is continuously updated to incorporate accurate, complete information on new products and services, regulatory changes, emerging issues; and if the effectiveness of the training is evaluated by management through delayed testing, before-and-after work product reviews, or other means.

Monitoring
Conduct documentation reviews and have discussions with management to answer specific review topics, such as, among other things, what monitoring programs are in place for loan transactions and deposit transactions; whether every transaction is subject to monitoring, and, if not, what is the level of transactional review; if the level of monitoring is adequate; if monitoring includes a review of the performance by third-party service providers; what are the appropriate personnel conducting the monitoring (i.e., someone with daily involvement in the monitored area and who has received adequate training); how errors are identified and documented during the monitoring process. Importantly, determine whether the institution’s monitoring efforts encompass all applicable regulations.

Consumer Complaint Response
Conduct documentation reviews and discuss with management whether, among other things, your institution implements policies and procedures to handle consumer complaints; if policies and procedures are in place, do they comply with all regulatory requirements regarding complaints (maximum time limits for a response, and documentation requirements); if your company has received consumer complaints, have all complaints been resolved satisfactorily; whether you cross-referenced the complaints to all other areas of the Compliance Management Program; and if the type or quantity of complaints suggest any other areas in need of in-depth review.

Multifamily Relief and Rental Protections under the CARES Act

QUESTION
We specialize in multifamily lending and servicing. 

The CARES Act provides for mortgage and rental relief based on the type of property. 

A recent internal audit showed us that we do not have adequate procedures in place to implement the relief provision of the CARES Act. So, we are particularly interested in knowing about multifamily relief and rental protections. 

In counseling your multifamily clients, what are some of the guidelines that you recommend with respect to procedures for mortgage and rental relief?

ANSWER
In conducting internal audits for our clients, we may show a finding for weakness in CARES Act procedures for both single and multifamily properties. This is not unusual, given the many new regulatory requirements in response to the COVID-19 pandemic. If you would like us to conduct an internal audit that targets such pandemic response regulations, or a full internal audit review, please contact me HERE.

The Coronavirus Aid Relief and Economic Security Act (CARES Act) indeed contains several provisions that are addressed at mortgage and rental relief. These provisions are in addition to existing sections 1024.39 through 1024.41 of RESPA. The type of relief available depends on the type of property involved.

One-to-Four Family real estate is covered in Section 4022 (Foreclosure Moratorium and Consumer Right to Request Forbearance) of the CARES Act, where it grants forbearance rights and protection against foreclosure to borrowers with a federally backed mortgage loan. Multifamily real estate - five or more families - are addressed in section 4023 of the CARES Act.

Let’s look at the Multifamily. Then, I will discuss rental protections.

Multifamily relief provisions apply to federally backed multifamily mortgage loans. These include any loan (other than temporary financing, such as a construction loan) that:

• Is secured by a first or subordinate lien on residential multifamily real property designed principally for the occupancy of five or more families.
• Is made, in whole or in part, or insured, guaranteed, supplemented, or assisted in any way by any officer or agency of the Federal Government or under or in connection with a housing or urban development program administrated by HUD, or is purchased or securitized by Fannie Mae or Freddie Mac.

Multifamily borrowers with a federally backed multifamily mortgage loan experiencing financial hardship due, directly or indirectly, to the COVID-19 emergency may request forbearance. The loan must have been current on its payments as of February 1, 2020. The request for relief must be submitted to the borrower’s servicer, and such a request may be verbal or written.

Upon receipt of an oral or written request, the servicer must:

• Document the hardship.
• Provide forbearance for up to 30 days.
• Extend forbearance for up to two additional 30-day periods, upon the request of the borrower, provided that such request is made during the covered period (viz., the covered period begins upon enactment (March 27, 2020) and ends on December 31, 2020, or, if sooner, the termination date of the COVID-19 national emergency as declared by the President); and at least 15 days prior to the end of the original 30-day period.

The borrower can discontinue forbearance at any time.

Now, let’s discuss rental protections.

A multifamily borrower receiving forbearance may not, for the duration of the forbearance:

• Evict or initiate the eviction of a tenant from a dwelling unit within the applicable property solely for nonpayment of rent or other fees.
• Charge late fees, penalties, or other charges to such tenant on account of the late payment of rent.
• Require a tenant to vacate a dwelling unit on the applicable property on fewer than 30 days’ notice (and such notice may not be issued during the forbearance period).

A related provision of the CARES Act provides a temporary moratorium on eviction in certain properties, including those that have a federally backed multifamily mortgage loan. The moratorium imposed by this provision applies irrespective of whether the borrower has sought or is granted forbearance relief.

Under this provision, during the 120-day period beginning on March 27, 2020, the lessor may not:

• File any action to recover possession of the covered dwelling on account of non-payment of rent or other fees or charges.
• Charge the tenant for fees, penalties, or other charges related to nonpayment of rent.

Also, the lessor may not require a tenant to vacate a dwelling unit on fewer than 30 days’ notice, and such notice may not be issued during the 120-day period.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director

Lenders Compliance Group

Fair Housing Act – Advertising Violations

QUESTION
We had a Fair Housing Act examination recently by our state banking department and got hit with a citation for violations. This came as a real shock to us. 

 We have 30 days to fix the issues and also prove that we have done a thorough review of our advertising to look for potential Fair Housing violations. We only have one person in compliance – me! I have done a lot of research for this response. But this seems like an overwhelming task. 

So, I’m turning to you for some guidance. 

Are there some basic things I should be looking for in our advertising?

ANSWER
I recognize this may cause some pressure, but you’ll do fine as long as you undertake the review in a careful and procedural way. You need to produce a report that provides specimens of the advertisements (before and after revisions), the remedial actions taken with respect to those particular advertisements, and the advertising policies and procedures that your financial institution implements. 

My firm does advertising compliance reviews all the time and, if you need assistance, please contact me HERE. I’ll have your advertisements reviewed immediately by competent subject matter experts.

Keep in mind, advertising compliance draws on numerous interlocking regulations, Acts, Best Practices, rules, disclosure mandates, and so forth. A small mistake can get magnified quickly into a litigious class action issue, let alone a federal or state administrative action. So, make it your business to review each advertisement before it is published. Seek appropriate compliance support if there is a scintilla of doubt or uncertainty.

As to a consideration of things to be on the look out for, I would put the following on the list. Though it is not comprehensive, I think it serves to set the tone for further reviews on your part. 

And, as I said, contact me if you need further support. 

My comments are based on Fair Housing Act mandates.

• Advertisements must include the equal housing logo a statement that you are an equal housing lender. In printed advertising, the logo must be no smaller than:
• 1/2 page or larger ad (2 × 2 inches) 
• 1/8 page up to 1/2 page ad (1 × 1 inch)
• 4 column inches to 1/8 page ad (1/2 × 1/2 inch)
• Less than 4 column inches (Need not use the logo, but must use the legend “Equal Housing Lender”) 

• In any advertising other than printed advertising, the logo must be at least as large as any other logo used. If no other logo is used, then the fair housing logo must be clearly visible in boldface type or at least 3 percent of the advertisement should be devoted to a statement of the fair housing policy.

• For oral advertising, you may satisfy the Fair Housing Act advertising requirement by stating that you are an “equal housing lender.”

• When advertising is both verbal and visual, you should use either method (a visual logo or a spoken statement) to meet the requirement.

• Each public office should prominently post an equal housing lender poster.

• Advertising may not contain any words, symbols, models, or other forms of communication suggesting a discriminatory preference or policy of exclusion because of race, color, religion, national origin, sex, handicap, or familial status. When using models in advertising, you should use models from different racial groups.

• You should avoid the following:

• Words descriptive of a dwelling, landlord, or tenants, such as white private home, colored home, Jewish home, Hispanic residence, or adult building.

• Words indicative of a prohibited basis, such as: 

— Race: Negro, Black, Caucasian, Oriental, American Indian.

— Color: White, Black, Colored.

— Religion: Protestant, Christian, Catholic, Jew.

— National Origin: Mexican American, Puerto Rican, Philippine, Polish, Hungarian, Irish, Italian, Chicano, African, Hispanic, Chinese, Indian, Latino.

— Sex: The exclusive use of words in advertisements (such as “he” or “she”), stating or tending to imply that the loans being advertised are available to persons of only one sex and not the other.

— Age: Senior citizens.

— Handicap: Crippled, blind, deaf, mentally ill, retarded, impaired, handicapped, physically fit.

— Familial Status: Adults, children, singles, mature persons.

• Words and phrases used in a discriminatory context, such as “restricted.”

• “Red light” words. Examples of “red light” words include “sports enthusiasts,” which could discourage the handicapped, and “quiet neighborhood,” which could be a code word for “no children.” 

• Symbols or logotypes that imply or suggest race, color, religion, sex, handicap, familial status, or national origin.

• Colloquialisms used regionally or locally that suggest race, color, religion, sex, handicap, familial status, or national origin.

• You should avoid the selective use of advertising media or content, such as:

• The use of the English language alone or the exclusive use of media catering to the majority population in an area, when non-English language or other minority media also are available.

• The strategic placement of billboards, brochures distributed within a limited geographic area, or displays or announcements only available in selected branches.

• The use of human models primarily in media that cater to one racial or national origin segment of the population without a complementary advertising campaign directed at other groups.

Be sensitive to the potential discriminatory effects of your marketing practices! For example, if you often focus on contacts with real estate agents and mortgage brokers as a primary marketing strategy to generate loan applications, you should be careful to include contact with minority real estate agents and loan brokers and other real estate agents and loan brokers serving predominantly minority areas.

Like the Equal Credit Opportunity Act, creditors under the Fair Housing Act may affirmatively solicit or encourage members of traditionally disadvantaged groups to apply for credit.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director

Lenders Compliance Group

COVID-19: Imposters and Money Mules

QUESTION

I am an attorney who handles compliance for a small bank here in the southeast. A customer came into our branch and indicated that a person claiming to represent a government agency contacted her by phone, followed up with email, and asked for bank account information to process an Economic Impact Payment.

Customers have told us about unsolicited communications from supposedly trusted sources or government programs related to COVID-19, instructing readers to open embedded links or files or to provide personal or financial information, including account credentials (i.e., usernames and passwords).

We even reported a SAR on a customer who made several atypical transactions involving an overseas account. When we asked about these transactions, the customer indicated they were for a person located overseas who needs financial assistance because of the COVID-19 pandemic.

I wonder if you would provide some possible scams relating to COVID-19. What are some illicit activities and consumer fraud schemes that are associated with COVID-19?

ANSWER

Most people want to obey the law. Unfortunately, there are plenty of bad actors who spend their time cooking up ways to defraud consumers. One set of responsibilities for a bank or nonbank is to detect, prevent, and report consumer fraud and other unlawful activities. COVID-19 has brought out the best and the worst in people, especially the worst of the worst: those who would stalk consumers to connive ways to filch their hard-earned assets amid a pandemic. Let’s face it, some people are just so broken that they don’t care about anyone but themselves. But everyone has a stake in a stable economy.

There has definitely been an increase in consumer fraud relating to COVID-19. I am going to briefly outline two types of fraudulent schemes: imposter scams and money mule schemes. Both of these deceptive tactics are described in your question.

Keep in mind that crooks are very creative. As soon as their scam is exposed, they come up with another way to commit fraud. So, even as I write a response, the bandits are continuing to find new ways to manipulate consumers, doing their illegal most to exploit vulnerabilities caused by the pandemic.

Imposter scams and money mule schemes happen where actors deceive victims by impersonating federal government agencies, international organizations, or charities. FinCEN has identified the financial red flag indicators to alert financial institutions to these frauds and to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with the COVID-19 pandemic. We have broadened our Anti-Money Laundering Program testing, policies, and training to include such red flags.

For AML compliance assistance, contact us HERE.

But no single financial red flag indicator is necessarily indicative of illicit or suspicious activity. Financial institutions should consider additional contextual information and the surrounding facts and circumstances. Such context-related information includes a customer’s historical, financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple indicators. Various criteria should be considered before determining if a transaction is suspicious or otherwise indicative of potentially fraudulent COVID-19-related activities.

In other words, your review should be “risk-based,” ensuring compliance with the Bank Secrecy Act (BSA). Therefore, perform additional inquiries and investigations where appropriate. Unfortunately, some of the financial red flag indicators may apply to multiple COVID-19-related fraudulent activities. Given that many scammers are targeting customers as opposed to financial institutions directly, financial institutions should remain on the alert for potential suspicious activities when interacting with their customers,

Let’s discuss imposter scams first, and then follow with a discussion about money mule schemes. I have given you numerous footnotes to help you to train yourself, train your staff, and inform your customers. I will conclude with some guidance on completing the Suspicious Activity Report. You can always contact me if you want to discuss your compliance needs in detail. Contact me HERE.

Imposter Scams

In imposter scams, criminals impersonate organizations such as government agencies, non-profit groups, universities, or charities to offer fraudulent services or otherwise defraud victims. While imposter scams can take multiple forms, the basic methodology involves an actor who (1) contacts a target under the pretense of representing an official organization, and then (2) coerces or convinces the target to provide funds or valuable information, including engaging in behavior that causes the target’s computer to be infected with malware, or spreading disinformation.[i] In the case of schemes connected to COVID-19, imposters may pose as officials or representatives from the Internal Revenue Service (IRS),[ii] the Centers for Disease Control and Prevention (CDC),[iii] the World Health Organization (WHO), other healthcare or non-profit groups, and academic institutions.[iv]

Imposters defraud and deceive the vulnerable, including the elderly and unemployed, through the solicitation of payments (such as digital payments and virtual currency), donations, or personal information via email, robocalls, text messages,[v] or other communication methods. For instance, an imposter may contact potential victims by phone, email, or text to require that the victim must verify personal information or send payments to scammers in return for COVID-19-related stimulus payments or benefits, including Economic Impact Payments (EIP)[vi] under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.[vii]

We have provided considerable information about EIPs in our free Checklist & Workbook, Business Continuity Plan, COVID-19 Pandemic Response (now on its Update # 7, with Update # 8 to be released soon). Get it HERE.

Another instance includes imposters contacting victims and posing as government or health care representatives engaged in COVID-19 contact tracing activities, implying that a victim must share personal or financial information as part of contact tracing efforts.[viii] I could give a host of multiple examples, including phishing schemes, where imposters send communications appearing to come from legitimate sources, to collect victims’ personal and financial data while potentially infecting their devices by convincing the target to download a malicious attachment or click malicious links.[ix]

Scammers may also impersonate legitimate charities or create sham charities, taking advantage of the generosity of the public and embezzling donations intended for COVID-19 response efforts.[x]

As to other communication methods, criminals often use social media accounts, door-to-door collections, flyers, mailings, telephone and robocalls, text messages, websites, and emails mimicking legitimate charities and non-profits to defraud the public. These operations may include words like “relief,” “fund,” “donation,” and “foundation” in their titles to give the illusion that they are a legitimate organization.[xi]

Money Mule Schemes

You may not have heard this term before. It’s a pretty nasty activity. A money mule is “a person who transfers illegally acquired money on behalf of or at the direction of another.”[xii] Money mule schemes, including those associated with the COVID-19 pandemic, span the spectrum of using unwitting, witting, or complicit money mules.[xiii] An unwitting or unknowing money mule is an individual who is “unaware that he or she is part of a larger criminal scheme.”

This crook is motivated by a host of reasons, most of them not worth mentioning.[xiv] A witting money mule is an individual who “chooses to ignore obvious red flags or acts willfully blind to his or her money movement activity.” The individual is motivated by financial gain or an unwillingness to acknowledge his or her role.[xv] A complicit money mule is an individual who is “aware of his or her role as a money mule and is complicit in the larger criminal scheme.” The individual is motivated by financial gain or loyalty to a criminal group.[xvi]

During the COVID-19 pandemic, U.S. authorities have been detecting recruiters using money mule schemes, such as good-Samaritan, romance, and work-from-home schemes.[xvii] In work-from-home schemes, for instance, COVID-19 money mule recruiters, under a false charity or company label, approach targets with a seemingly legitimate offer of employment under the pretense of work-from-home jobs, often through Internet or social media advertisements, emails, or text messages. Once the target accepts the “employment,” he or she receives instructions to move funds through accounts or to set up a new account in the target’s name for the bogus “business.” The target (i.e., the money mule) earns money by taking a percentage of the funds that he or she helps to transfer per the instructions of the bogus “employer.”[xviii]

U.S. authorities also have identified criminals using money mules to exploit unemployment insurance programs during the COVID-19 pandemic.[xix]