THE MOST COMPREHENSIVE MORTGAGE COMPLIANCE SOLUTIONS IN THE UNITED STATES.

LENDERS COMPLIANCE GROUP belongs to these National Organizations:

ABA | MBA | NAMB | AARMR | MISMO | ARMCP | ALTA | IIA | ACAMS | IAPP | MERSCORP

Thursday, September 24, 2020

Ignoring Ability-to-Repay

QUESTION
We had been requested to extend credit to a borrower whom our underwriter believed did not qualify based on the ability to repay the loan. I am an underwriter, but was not involved in this loan. I hate to say it, but politics got involved, and the powers-that-be took the loan into the credit committee, and the loan was approved. 

Now it is eight months after closing. The borrower stopped paying four months ago, and all efforts to collect have been in vain. This loan is heading into foreclosure. But the situation could have been avoided in the first place. 

We underwriters got together and decided to ask you to give us a statement of support to show the credit committee, so they know not to let this happen again. 

Our question is, what happens when a lender does not comply with the Ability-to-Repay regulation?

ANSWER
I agree with you; based on your brief outline, this should not be happening. When a borrower does not have the ability to repay, it puts not only the financial institution at risk but the borrower too. In the long run, everyone fails. For a statement of support, I will provide a cursory overview of Ability-to-Repay, followed by an outline of a case that demonstrates the kind of litigation that can be engendered.

The Truth-in-Lending Act (TILA), as amended by the Dodd-Frank Act, prohibits a creditor from extending a residential mortgage loan unless the creditor makes a reasonable and good faith determination based on verified and documented information that, at the time the loan is consummated, the consumer has a reasonable ability to repay (ATR) the loan, according to its terms, along with all applicable taxes, insurance, and assessments. The applicable statute is remarkably detailed about how a lender must determine ability-to-repay. Much of these procedures stem from the challenges that arose from the 2008 financial crisis.

The statute specifies that a determination of ATR must include consideration of the consumer’s credit history, current income, expected income the consumer is reasonably assured of receiving, current obligations, debt-to-income ratio, or the residual income the consumer will have after paying non-mortgage debt and mortgage-related obligations, employment status, and financial resources other than the consumer’s equity in the property that secures the repayment of the loan. TILA also requires the creditor to determine ATR using a payment schedule that fully amortizes the loan over its term. In addition, the statute requires the creditor to verify amounts of income or assets relied on to determine ATR, including expected income or assets, by reviewing the consumer’s IRS form W-2, tax returns, payroll receipts, financial institution records, or other third-party documents that provide reasonably reliable evidence of income or assets.

The CFPB’s ATR Regulation, which is part of Regulation Z, contains even more specific requirements. For example, a lender that hopes a loan will be considered a “qualified mortgage” (QM) must ensure that the loan complies with an extensive set of criteria, including those set forth in Appendix Q to Regulation Z. A QM designation results in either a conclusive or rebuttable presumption that the lender complied with the extensive ability-to-repay requirements. I’ll discuss some observations about Appendix Q at the conclusion of this article.

Now to the case. It is a little convoluted but stick with me. I think you will benefit from an understanding of the litigation. Some of its features remind me of the situation you describe.

The U.S. Court of Appeals for the 6th Circuit recently had the opportunity to apply the ATR provisions to the circumstances of a borrower who had been an experienced real estate agent knowledgeable about mortgage products, but eventually faced some cognitive difficulties, though apparently not before negotiating the loan in question from a community bank.[i]

Husband, Elliot, submitted an application for a loan in his name alone to be secured by the home he owned with his wife, Golan. The two had been contemplating separating and had agreed to divide their real estate, with Golan relinquishing all interest in, and Elliot assuming all responsibility for, the home.

The loan application listed the amount of the loan as $315,000 to be repaid over 25 years with an interest rate of 4.875% and monthly payments of $1,818.59. The application listed Elliot's income, as follows: base employment income of $528.95 per month, spousal support of $2,300 per month, Social Security of $1,975 per month, and rental income of $1,400 per month.

To verify the spousal support income, the bank relied on representations by Elliot and Golan that they were going to sign a separation agreement requiring payment of spousal support to Elliot. The two executed a separation agreement, which provided for $2,200 per month, but not until nearly two months after Elliot's loan was consummated.

To verify rental income, the bank reviewed Elliot's tax returns. The returns showed rental income in the past, but not from the home property. 
Elliot leased a portion of the home property for $1,000 per month, but the bank did not know this. 

In November 2014, the bank’s loan committee rejected the loan application. After this rejection, Golan met with the bank’s president, explained it was important to her that Elliot be able to stay at the home property, indicated that she would enter into a separation agreement to cover Elliot's monthly mortgage payments, and said the separation agreement would require her to maintain a $250,000 life insurance policy with Elliot as beneficiary.

This is the point where I felt some similarity occurs between your loan and the loan involved in the lawsuit. Just as you claim that “politics” entered into the process even after your underwriter rejected the loan based on the ability-to-repay, so in the lawsuit the bank’s president intervened and reversed the loan committee’s rejection of the loan application.

Thus, the bank approved the loan, which involved a debt-to-income ratio of 37.367%, lower than the bank’s 40% minimum threshold, and credit scores of 652 and 663, which were near the bank’s guideline of 660.

But, after the loan closed, Golan paid spousal support for only a few months, then she stopped. According to Golan, she paid support until Elliot refused to perform the separation agreement. Elliot also was fired from his job.

The divorce court ordered Elliot to pay a substantial sum to Golan for real estate division and marital debt, which he would not have owed had he abided by the separation agreement. The divorce court ordered Golan to pay Elliot $250 per month for three years (not $2,300 as the Elliot's application had listed).

Now, this is where things turn for the worse, and the bank becomes embroiled in a huge loss mitigation issue. Elliot defaulted on the loan, and the bank sent him a notice of default. He sued the bank, alleging negligence in making the loan and a violation of TILA by making the loan without a reasonable and good faith determination that he had a reasonable ability to repay the loan and for failing to verify his stated income with documentation. The district court granted summary judgment for the bank.

The 6th Circuit reversed regarding TILA but affirmed as to the negligence claim: The bank had not complied with TILA’s ability-to-repay requirements.

The bank did not explain how it had verified Elliot's spousal support income with reliable third-party documents.[ii] Regulation Z’s specificity extends to the meaning of “third-party records,” which the regulation requires a lender to use “to provide reasonably reliable evidence of the consumer’s income or assets.”

A “third-party record” means “[a] document or other record prepared or reviewed by an appropriate person other than the consumer, the creditor, or the mortgage broker…, or an agent of the creditor or mortgage broker” or a copy of a filed tax return or a record the creditor maintains for an account of the consumer held by the creditor or if the consumer is an employee of the creditor or mortgage broker, a document or other record maintained by the creditor or mortgage broker regarding the consumer’s employment.

The bank requested a copy of the separation agreement, thereby suggesting it understood the need to verify and document the spousal support with a reliable third-party document such as an executed separation agreement. And the bank did not dispute that it had not reviewed the executed separation agreement, which it obviously could not have done because the parties did not sign the document until nearly two months after the loan closed.

Furthermore, to make matters even more egregious, the bank did not comply with Regulation Z,[iii] because it had not verified the listed rental income with any documents that established that income.

All things considered, exclusion of the spousal support and rental income would have resulted in a debt-to-income ratio of over 90% (sic), which under the bank’s own standard was too high to repay the loan.

The 6th Circuit agreed that the district court had properly granted summary judgment to the bank on the negligence claim because Elliot had not established that the bank owed him a duty. The prevailing state law provided that lenders owed no duty to prospective borrowers during negotiations about the terms and conditions of a loan. The court rejected his argument that the bank owed him a duty imposed by TILA because no state case law supported this argument.

Now, I will share a few observations.

The bank argued that it had complied with Regulation Z’s Appendix Q because, although Appendix Q generally requires a creditor to verify that spousal support payments “have been received during the last 12 months” to include those payments in an income calculation, Appendix Q authorizes a lender to

rely on “evidence that [spousal support] payments have been received” for “[p]eriods less than 12 months…, provided the creditor can adequately document the payer’s ability and willingness to make timely payments.”

Thursday, September 17, 2020

Essentials of Telemarketing Policy

QUESTION 
You recently answered a question about a company not having a Do Not Call list. The answer you gave became the basis of a meeting about how to manage our telemarketing procedures. We have updated our policies and procedures and commenced the training of our internal sales force and external telemarketing firm. I can’t thank you enough for your timely advice.

But a subject came up in our meeting that I would like to discuss. In updating our policies and procedures, we could not find a list of chapter and section titles. We want to list them and then provide our requirements in the procedures. So, we decided to send this question to you with the hope that you will provide some of the elements needed in policy and procedures on telemarketing.

Our question is, then, what are some essential elements of the telemarketing policy and procedures?

ANSWER 
I wrote about telemarketing violations last week in connection with the Do Not Call Registry and procedures as these relate to the Telemarketing Sales Rule. Given that you are currently following up on your telemarketing strategies and updating your policy document, I will offer some elements that should go into it.

You should contact us for a Telemarketing Tune-up, because a policy approach is only a foundational framework. Our audit is quick and cost-effective. It provides findings, recommendations, and a risk rating. Your telemarketing procedures should be evaluated for regulatory compliance. That is what the Telemarketing Tune-up does. If you are actively involved in telemarketing initiatives, you should get this audit done as soon as possible.

With respect to essential elements of a telemarketing policy, I would recommend that you have chapters and sections for the following subjects. My suggestions are not comprehensive because telemarketing strategies vary, and your policy should adequately reflect the variance. However, as a serviceable set of guidelines, I think you should consider these outlined elements fundamental to a solid telemarketing policy.

Permissible Hours
You should not be making telephone calls to consumers before 8 A.M. or after 9 P.M. local time at the call’s destination, unless the person being called has specifically agreed to let you call at another time.

Do Not Call Lists
This section would require on-going training and monitoring. For instance, among other things, you need to maintain a list of consumers who ask not to receive telemarketing solicitations, consumers whose names appear on the national Do Not Call list, tracking for honoring the requests of consumers who ask not to receive telemarketing solicitations, implementing a process to prevent telephone solicitations to any telephone number on your Do Not Call list or the national Do Not Call list, training, and keeping a version of the national Do Not Call Registry, obtained from the Registry no more than three months prior to the date any call is made, and maintain records documenting this process. Furthermore, you should be auditing contact with consumers to ensure you do not sell, rent, lease, purchase, or use the national Do Not Call database, or any part of it, for any purpose except compliance with the rules and to prevent telephone solicitations to telephone numbers registered on the national database.

Oral disclosures for Outbound Telephone Calls
Make it a requirement to disclose the following information truthfully, promptly, and in a clear and conspicuous manner, in any outbound telephone call to a potential new customer: your institution’s identity, the purpose of the call (viz., to originate mortgage loans), and that you originate mortgage loans. I suggest you contact us for compliance support in this area, as we are one of the few compliance firms in the country that provides Call Calibration, which is a methodology to audit and report on calls between a financial institution and consumers.

Artificial or Prerecorded Voice Calls
Be very careful in using this telemarketing strategy! You should not use artificial or prerecorded voice calls to a consumers’ homes (or business) unless you already have a business relationship with the persons being called. Be sure that any artificial or prerecorded voice message releases the line of the person being called within five seconds of notice that the called party has hung up. Your call should have a call identifier. Also, the beginning of any prerecorded message must clearly state your identity, and during or after any prerecorded message, you must state your telephone number.

Call Abandonment
You should not abandon more than 3 percent of calls answered by a person. Additionally, you must deliver a prerecorded identification message when abandoning a call.

Caller Identification
Always transmit caller identification (i.e., caller ID) information, when available, and do not block this information ever.

Facsimile Machines
Do not send unsolicited advertisements to facsimile machines. If you do send any fax, be sure to identify your institution as the sender.

Disclosures for Telephone and Direct Mail Solicitations
Yet another area that calls for Call Calibration! This is an area fraught with litigious minefields. Be sure to disclose the following information, orally or in writing, before a customer pays for any services offered in a telephone or direct mail solicitation: the total costs to receive the services offered; all conditions that must be satisfied to receive the services offered; if you have a policy of not making refunds, provide a statement of your policy; if you mention a refund policy, provide a statement of the key terms and conditions of the policy.

Misrepresentations
You should not misrepresent, directly or by implication, many forms of information, such as the total costs to receive any services offered; all conditions that must be satisfied to receive the services being offered; any features of your services; and any aspect of your refund policies. Steer away from ever saying that you are affiliated with, or endorsed by, any government or other organization. Be careful, too, about misrepresenting prize promotions, such as not disclosing any aspect of a prize promotion, not including (among other things) the odds of being able to receive a prize, misleading about the nature or value of the prize, or misstating that a purchase or payment is required to win a prize or to participate in a prize promotion. Consider Call Calibration when conducting telemarketing campaigns involved prize promotions.

Verifiable Authorization
You should obtain express verifiable authorization before submitting a check, draft, or other form of payment from a person’s account as the result of your telemarketing efforts in one of three ways: in writing; by tape-recording an oral authorization that contains references to the date of the draft or other form of payment, its amount, your name, your telephone number for consumer inquiries, and the date of the authorization; and by providing written confirmation of the transaction, including the date of the draft or other form of payment, its amount, your institution’s name and telephone number for consumer inquiries, and the date of the customer’s oral authorization

False or Misleading Statements
I would insert a separate section for this policy element, even though it includes aspects of the section on Misrepresentation outlined above. Use this section to set forth definitions of false and misleading statements and provide examples of each.

Assisting in Violations
Include a section that states how your institution will not assist anyone else in deceptive or abusive telemarketing acts or practices when you know or should know the other person is violating the FTC or FCC rules. Such an affirmation is important, and will be looked upon favorably by regulators during an audit.

Abusive Acts or Practices
This is a thorny area filled with problematic pitfalls and potential litigation. Threats, intimidation, or the use of profane or obscene language is only the start. It may seem obvious that you should not request or receive payment of any fee before a loan is originated if you have guaranteed or represented a high likelihood of success in obtaining the loan. But there is far more involved in these telemarketing hurdles. For instance, you should not initiate a telephone call, other than a call for emergency purposes or with the prior express consent of the called party, using an automatic dialing system or an artificial or recorded voice, to emergency lines, health care facilities, radio common carriers, or any number for which the called party is charged for the call. Expanding abusive acts further, you should not (1) use an automatic dialing system to make calls that simultaneously engage two or more lines of a multi-line business; (2) disconnect an unanswered telemarketing call prior to at least 15 seconds or four rings; (3) guarantee or assure customers regarding the likelihood of loan approval; (4) cause any telephone to ring or engage any person in telephone conversation repeatedly or continuously with the intent to annoy, abuse, or harass; and (5) initiate an outbound telephone call to a person when that person previously has stated he or she does not wish to receive an outbound telephone call from your institution. Use Call Calibration to monitor for abusive acts or practices.

Recordkeeping (24 Months)
Be sure to include a section on recordkeeping. All substantially different advertising materials must be kept for 24 months. Keep the name and last known address of each customer, the loan made, the date the loan was closed, and the amount paid by the customer in connection with the loan. Keep also the name, any fictitious name used, the last known home address and telephone number, and the job title(s) for all current and former employees directly involved in telephone sales. If you permit employees to use fictitious names, you must be able to trace each fictitious name to only one employee. And, maintain all verifiable authorizations required under the rules. With respect to prize offers, keep the name and last known address of each prize recipient and the prize awarded for prizes having a value of $25 or more.

Recordkeeping (60 Months)
Keep all Do Not Call requests for 60 months, including any consumer requests to not receive solicitations.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, September 10, 2020

Telemarketing Violations

QUESTION
We received today a notice from the FTC that says we are in violation of the Telemarketing Sales Rule. They cite us for not complying with the Do Not Call requirements. We do most of our loan originations online, and we use telemarketers to create business leads for us. 

One glaring problem is that we did not maintain a Do Not Call list. But there are other issues, too. 

Now we have 30 days to respond to the FTC or face penalties. We’re now scrambling to show that our telemarketing complies with the FTC’s guidelines. 

I know you get a lot of mail, but time is running out. We need your help. 

What should we be doing to comply with the Do Not Call requirement? 

Should we be monitoring the Do Not Call Registry? 

What happens if we have telemarketing procedures but still make a mistake by calling somebody on the Do Not Call list?

ANSWER
I have prioritized your question. Although we do receive a great deal of mail, some questions are more time-sensitive than others, and yours needs an immediate response. 

I urge you to contact my firm to do a Telemarketing Tune-up soon, so that (1) you get a due diligence review with a risk rating, showing strengths and weaknesses in your telemarketing program, and (2) you can show your regulator that you are taking affirmative steps toward conducting an independent review.

The Telemarketing Sales Rule (“TSR”) has a Do Not Call Safe Harbor. However, to use it, you need to comply with a set of guidelines. If you or your telemarketer can establish that, as part of its routine business practice, you meet certain requirements, you will not be subject to civil penalties or sanctions for erroneously calling a consumer who has asked not to be called, or for calling a number on the National Registry.

The following is a list of those requirements.

-You or the telemarketer has established and implemented written procedures to honor consumers’ requests that they not be called.

-You or the telemarketer has trained its personnel, and any entity assisting in its compliance, in these procedures.

-You, the telemarketer, or someone else acting on your behalf (or a charitable organization) has maintained and recorded an entity-specific Do Not Call list.

-You or the telemarketer uses and maintains records documenting a process to prevent calls to any telephone number on an entity-specific Do Not Call list or the National Do Not Call Registry, provided that the process involves using a version of the National Registry downloaded no more than 31 days before the date any call is made.

-You, the telemarketer, or someone else acting on your behalf (or a charitable organization) monitors and enforces compliance with the entity’s written Do Not Call procedures.

-The call is a result of an error. (For the meaning of “error,” see below.)

You should continually monitor the Do Not Call Registry! You should not call consumers if, among other things, they have placed their number on the National Registry, or not given written and signed permission to call, or you have no established business relationship with the consumers, or if they have asked to get no more calls from you or the telemarketer contacting them on your behalf.

If you don’t constantly monitor and comply with the National Registry, you and the telemarketer may be liable for a TSR violation. If an investigation reveals that neither you nor the telemarketer had written Do Not Call procedures in place, both of you will be liable for the TSR violation. If you had written Do Not Call procedures, but the telemarketer ignored them, the telemarketer will be liable for the TSR violation. Still, you also might be liable, unless you could demonstrate that you actively monitored and enforced Do Not Call compliance and otherwise implemented your written procedures. Ultimately, you are responsible for keeping a current entity-specific Do Not Call list, either through a telemarketing service you hire or your own efforts.

With respect to your question about what would happen if you have procedures but still make a mistake by calling somebody on the Do Not Call list, the Federal Trade Commission might view it as an “error,” if and only if you or the telemarketer has and implements written Do Not Call procedures. Generally, this action will not be liable for a TSR violation if a subsequent call is the result of an error.

But – and this is important – you may be subject to an enforcement investigation, which would focus on the effectiveness of the procedures in place, how they are implemented, and if all personnel are trained in Do Not Call procedures. If there is a high incidence of “errors,” it may be determined that the procedures are inadequate to comply with the TSR’s Do Not Call requirements, the Safe Harbor is not fulfilled, and the calls violate the TSR. On the other hand, if there is a low incidence of “errors,” there may not be a TSR violation. The determination of whether an excusable “error” occurs is based on the facts of each case.

Here’s a rule of thumb: to ensure that adequate Do Not Call procedures are implemented, test periodically for quality control and effectiveness.

Your situation is not unique. Many financial institutions regularly face the prospect of telemarketing violations. Indeed, any company that engages in telemarketing or uses a telemarketer should get the Telemarketing Tune-up done as soon as possible. 

You might also want to require your telemarketer to do the Telemarketing Tune-up as a condition for doing business with you.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, September 3, 2020

Management Oversight: Evaluation Methods

QUESTION
Our Board of Directors has asked our internal audit group to provide an evaluation of our management. Some members of our management are resisting, saying that they do not need to be bothered with oversight.

We decided to retain an independent internal audit for this purpose, and your firm’s name was mentioned. We are contacting you to discuss this matter. In the meantime, I wonder if you would share with all of us some insight into how financial institutions should evaluate management oversight from a self-assessment point of view.

We have two questions.

First, what should evaluation of management oversight consider?

And second, what questions should we ask as part of a self-assessment?

ANSWER
Quis custodiet ipsos custodes?[i]

Who will guard the guards themselves?

This Latin phrase comes from the Satires, a collection of satirical poems by the 2nd-century Roman poet Decimus Junius Juvenalis, better known as Juvenal. 

In Plato’s Republic, there is a considerable disquisition on how to control persons in positions of power whose actions may lead to abuse of authority.[ii] 

Juvenal was referring to the notion that wives cannot be trusted, so keeping them under guard is a good strategy for monitoring them. However, pessimistically, Juvenal is suggesting that keeping them under guard is not a solution because the guards themselves cannot be trusted. 

Plato was more optimistic about human nature. He thought that people in power could be trusted to behave properly and that it is "absurd" that they should require oversight. Indeed, Glaucon, Socrates’ interlocutor, states: “Yes, it would be ridiculous that a guardian should need a guard.”[iii]

There is nothing absurd about management oversight in a financial institution. Whether the initiative is undertaken as a self-assessment or an internal audit, management should receive a great deal of oversight. 

Doing an evaluation is needed, but will it be effective? It would seem that Juvenal’s view – “who will guard the guards themselves” – leads to evaluation; but Plato’s view – it is “ridiculous that a guardian should need a guard” – leads to resistance.

Management oversight is how a financial institution determines that strategic policies and objectives are being met through an evaluation of policies, plans, programs, and projects carried out by people charged with the authority to achieve expected results. These results should be accomplished in compliance with applicable policies, laws, regulations, and ethical standards. A Board stands “over” management hierarchically, and, as such, focuses its “sight” on management actions.

When Lenders Compliance Group conducts an independent internal audit, we include a review of many factors involved in management oversight. Our philosophy is that our evaluation of oversight functions are meant to look at a process, program, or project “from above,” as an independent agent (as it were) for the Board’s governance role. The Board generally is not involved in day-to-day management, but an oversight evaluation can provide mission-critical information about whether the Board’s many obligations are being duly implemented.

I am going to provide a set of factors that my firm takes into consideration when we are retained for an internal audit, which necessarily includes management oversight. 

If you only need an evaluation of management oversight, keep your costs down and use our Management Tune-up®, which is a targeted, cost-effective, mini-audit that provides an extensive report and risk rating. 

If interested, click HERE and we’ll send you information about it.

Concerning your first question about evaluating management oversight, we consider a host of factors and conditions. The following list provides a few important considerations.

- Extent of Board oversight and involvement in assuring compliance with consumer protection and fair lending laws and regulations.

- Training of directors and senior management regarding compliance and fair lending issues.

- Rationale for implementing new policies or procedures or modifying existing ones.

- Any negative comments on rejected loan applications during loan committee or any other meeting (such records must be traced to the specific loan file to assure that no unlawful disparate treatment or discrimination was involved in the denial).

- Consideration of new loan or deposit products and strategies for their implementation.

- Consideration of new software or software vendors.

- Consideration of third parties for compliance audits.

- Approval of, and rationale for, branch openings and closings.

- Whether the Board documented a review of the prior report that included, as applicable (i.e., a discussion of recommendations for policy changes, an adoption of those revisions, and a report regarding corrective action and subsequent testing for identified violations).

Your second question involves the questions you want to ask when conducting a self-assessment for management oversight. I am glad you want this information because asking the right questions is the key to getting useful answers. Keep in mind that your review should use collected materials as well as discussions with management. 

I will put these questions in the context of compliance because that is (and should be) the cornerstone of this review. Be sure you have the remit to determine if management oversight is strong, adequate, or weak. I think you should consider the following questions.

- What is the business strategy, and what is the compliance implications of that strategy (for example, elevated risk due to rapidly growing subprime lending, cutting-edge e-banking activities, and so forth)?

- What particular compliance-related area(s) does management feel are weak or in need of review?

- Have the Board and senior management worked to foster a positive climate for compliance?

- Has management allocated the appropriate level of resources to compliance?

- Does the institution have a designated compliance officer and/or compliance committee? (If not, is the absence of an officer or committee significant in light of the institution’s resources and risk profile?)

- Has management ensured that the compliance officer(s) and/or compliance committee has/have the level of authority and accountability to effectively administer the institution’s compliance management program?

- Has management responded correctly and promptly to consumer complaints?

- Has management responded deliberatively to deficiencies noted and suggestions made at previous examinations and audits?

- How does management stay abreast of changes in regulatory requirements and other compliance issues? (Is this method effective in light of the institution’s resources and risk profile?)

- How does management ensure that the institution’s staff stays abreast of changes?

- How does management ensure that compliance is considered part of new product and service development, marketing, and advertising?