THE MOST COMPREHENSIVE MORTGAGE COMPLIANCE SOLUTIONS IN THE UNITED STATES.

LENDERS COMPLIANCE GROUP belongs to these National Organizations:

ABA | MBA | NAMB | AARMR | MISMO | ARMCP | ALTA | IIA | ACAMS | IAPP | MERSCORP

Thursday, May 30, 2024

Quality Control: Anticipating Defects and Trends

QUESTION 

Our quality control reports provide defects and trendlines, but we have never been able to put together a list of which defects keep occurring. A trendline is useful; however, trends change all the time, and each quarter presents new defects to chase after and fix.  

We outsource our monthly quality control audits, and we have an in-house quality control coordinator who monitors our policies and procedures for quality control. And I’m the in-house quality control coordinator. 

For the audit method, we use a random sample. In our region, there is a huge competitor that uses discretionary samples. I wonder if they have an advantage in being able to identify defects better than we can by using the random sampling method. 

My concern is determining how to stay informed of the frequency of recurring defects. Since defects change each quarter, I want to know how to list and track them so that I can anticipate and cure them going forward. 

How can I anticipate defects and trends in quality control audits? 

COMPLIANCE SOLUTIONS 

Quality Control Audits 

QC Tune-up® 

ANSWER 

I am going to show you how you can use the audit findings of discretionary quality control audits to anticipate defects and trends in random quality control audits. 

First, I am going to provide some findings that Fannie has offered.[i] You likely have many investors, Fannie being one of them. Many of them utilize both random and discretionary analytics to determine if their relationship partners meet their quality control standards. Lenders often face many of the same challenges. Being aware of the defect trends across the industry allows for more dynamic QC, better action planning, and prevention of similar defects in your organization. 

But don’t be too caught up in an investor’s report if your defect does not appear there. If you’re not experiencing the same defects, it may mean that you already have effective origination controls in place. There is also the possibility that your auditor is not picking up on the defect. 

You should keep a list of the top defects occurring in your reports and investor reports. Keeping the list streamlines your ability to anticipate defects. Use the list to train on, too. You should be leveraging the list of defect trends to develop training opportunities for your staff, underwriters, and other participants in the loan flow process. This is a critical way to get ahead of the trending defects. Develop training to prevent these defects from occurring. 

________________________________________________________

 Quality Control Audits

 QC Tune-up

________________________________________________________

If you want to discuss your approach to quality control, please contact Brandy George, our Executive Director of LCG Quality Control. You can reach Brandy here.

My table below provides a means to anticipate defects as well as a learning tool for training. You can add more columns if you’d like. In our analyses, these are some of the defects that investors reported last year in random sampling. I will list them and add a Best Practice. The Best Practice is an essential component of your training experience. (I have left some blanks in the table to show other possibilities.)

RANDOM SAMPLE

| Defect | Description | Best Practice |
|---|---|---|
| Income and Employment | Calculation errors | - During prefunding QC, be sure to target complex income streams, especially on higher DTIs. - Assess the year-over-year trends. The variable income requires evaluation of consistency and predictability. |
| Borrower Eligibility | Borrower not employed | - Perform extra due diligence in addition to the verbal verification of employment (i.e., Internet searches; email borrower at job address as close to closing as possible; track and move the verification timeline up). - Be aware of specific volatile jobs or industries that are more susceptible to workforce disruptions. |
| Appraisal | Inadequate comparable adjustments; condition and quality rating discrepancies | - Utilize value acceptance + property data (VA+PD), when applicable, to increase certainty, better manage risk, and gain process efficiencies. |
| Assets | Insufficient | Using one-month statements when two months are appropriate. |
| Liabilities | | |
| Credit | | |
| Loan Documentation | | |
| Title/Lien | | |
| Fraud | | |

Please note that the severity of certain defects may make the loan ineligible for certain investors. For instance, a Significant Defect is an issue that makes the loan ineligible for delivery to Fannie Mae and requires remediation or could result in a potential repurchase. An Initial Significant Defect occurs when a Significant Defect has been cited, but remediation activity is still in progress.

Discretionary sampling is valuable when you want to do a comparative analysis, even if you only do random sampling. As I mentioned above, you can get discretionary (or targeted) audit results directly from many investors. 

Sometimes, the discretionary and random defects sync up. Take the category of appraisals, for example. In the random sample table above, inadequate comparables are a defect. However, Fannie reported in the fourth quarter of 2023 that their discretionary sampling listed appraisal errors amongst the highest of their defect trends.[ii] In this category example, importantly, the investor’s discretionary sample drills down into the appraisal defects to broaden out the findings, as the following table shows.

DISCRETIONARY SAMPLE

| Defect | Description |
|---|---|
| Appraisal | Inadequate Comparable Adjustment(s) |
| | Failure to Adjust Comparables |
| | Inappropriate Comparable Sale(s) Selection Due to Location |
| | Comparable Sale(s) Physical Features Reported Inaccurately - Condition / Quality of Construction |
| | Use of Physically Dissimilar Comparable Sale(s) - Gross Living Area |

A discretionary sample intentionally looks for loans with a greater likelihood of being defective or ineligible. Your random defect trendline, however, may be low in a category yet high in the investor’s trendline. That information provides a possible anticipatory impact, so you should be monitoring that category closely, even though it is currently reporting a low defect and trend.

Taking a strategic approach to comparing random to discretionary sampling can lead to the ability to anticipate defects and trends. The opportunity to use this information to enhance your sampling findings, plus ongoing training, applies to both prefunding and post-closing quality control reviews.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] See, for instance, the quarterly quality control report provided by Fannie Mae, which outlines random and discretionary audit findings, including defect and trend analyses. Freddie Mac offers a similar report. And many investors will provide information regarding their overall findings quarter-over-quarter or other calendrical intervals.

[ii] Idem

Thursday, May 23, 2024

CFPB Examination: Failure to Conduct Self-Assessments

QUESTION 

We just received an MRA from the CFPB. We are a mid-size mortgage lender licensed in 30 states. This MRA hit us like a huge shock. Yesterday, we contacted your firm and spoke to a representative. I want to set up a conference call for my management and you to discuss how to proceed. Our counsel recommended that we bring you on board to assist them in handling the MRA demands. 

Here's the situation. The CFPB found that we failed their exam in various areas, one of which was that we did not do any self-assessments, which they call "self-identifications." 

First of all, I didn't even know that we were supposed to do these self-assessments. Secondly, we have a small compliance department, and we do not know how to do self-assessments. Third, our attorneys say they can only do a few of the self-assessments, but not all of them, and their fees are ridiculous. The bottom line is that we need an outside, independent firm to do self-assessments at an affordable cost. 

There are other areas of the MRA that we need to talk to you about, especially in the areas that our counsel wants to team up with you on. However, we need to take care of the CFPB's list of self-assessments, and we want to retain your firm to do them. 

Please get in touch with me as soon as possible to set up a call. In the meantime, please give us a clue about what goes into these self-identifications or self-assessments. 

What is self-identification? 

Why does the CFPB expect self-identification? 

COMPLIANCE SOLUTION 

Compliance Tune-up® 

ANSWER 

Our firm is the first and only firm in the country to provide self-assessment audits, a series denoted by the overall term Compliance Tune-up®. We deconstructed a mortgage company from the point of sale to secondary and beyond to derive audit criteria for each element and regulation. The Compliance Tune-up® is one of our Compliance Solutions and is often in considerable demand. 

I will discuss the Compliance Tune-up® at the conclusion of this article, as it is a means to be responsive to the expectations of the Consumer Financial Protection Bureau (CFPB or Bureau). I'll drop a contact link on the way if you want more information about the Compliance Tune-up®. 

First, I want to outline how self-identifications – or self-assessments – function in the context of the CFPB examination and the evaluation of the Compliance Management System (CMS). 

The CFPB's exam focuses on risks of harm to consumers, including the risk that a supervised entity will not comply with Federal consumer financial law. To get ready for the examination, you should do pre-review planning to collect the information necessary to determine the scope, resource needs, and work plan. The information and documentation should be assembled, given that an Examiner in Charge (EIC) will notify you that the examination team plans to conduct its work offsite and onsite during the review. Timing is critical, and you must be responsive. 

The fact that you received an MRA (Matters Requiring Attention) tells me that you are quite far along in a risk rating evaluation. The CFPB's risk evaluation procedures are extensive. The Bureau uses an MRA to communicate to an institution's Board of Directors, senior management, or both, specific goals to be accomplished in order to correct violations of Federal consumer financial law, remediate harmed consumers, and address related weaknesses in the CMS that the examiners found are directly related to violations of Federal consumer financial law. MRAs include timeframes for periodic reporting of efforts taken to address these matters, as well as expected timeframes for implementation.

___________________________________________________________

 Compliance Tune-up®

 Visit Us to Request Information

 ___________________________________________________________

Let's consider some features of the CFPB examination with an emphasis on self-identification.

Prior to the examination, you will receive an Information Request. The Information Request is a list of specific information and documents that the supervised entity is asked to provide to the Bureau for offsite review or make available when the examiners arrive onsite. It may include a request for an electronic data upload. Our experience is that the pre-review planning process varies depending on the size, complexity, business model, products, systems, and risk profile of a particular supervised entity. 

Don't assume that the Bureau is only dealing with getting information from you; in fact, it gets quite a lot of information from both internal and external sources to aid in constructing the risk focus and scope of a review. The examiners gather as much information as possible from within the Bureau, other regulatory agencies, and third-party, public sources because the Bureau is required by statute to use, to the fullest extent possible, information available from other agencies or reported publicly.[i] 

The following key documents and information are relevant to understanding a supervised entity and its ability to manage its compliance responsibilities and risks to consumers. Not all documents will necessarily be available for a particular entity; however, you should anticipate that the Bureau's team will consider them. There are two categories: the Bureau's internal sources and regulatory agencies, as well as public information and third parties. 

BUREAU INTERNAL SOURCES AND OTHER REGULATORY AGENCIES 

- Monitoring information
- Any recent risk assessments, self-identifications, and self-assessments
- Prior Scope Summary, Supervision Plan, or similar document produced by state or prudential regulators
- Prior Examination Reports and Supervisory Letters, and supporting workpapers (internal and from the prudential regulator(s), state regulator(s), or other agencies)
- Information about prior supervisory actions, consumer remediation, and responses to Examination Reports and Supervisory Letters
- Information on enforcement or other public actions (if applicable)
- Correspondence from prudential or state regulator(s) and Bureau correspondence files
- State licensing information for the entity
- The CFPB Consumer Complaint database
- FTC Consumer Sentinel database
- Uniform Bank Performance Report (UBPR) and Call Reports, if applicable
- Previous years' FFIEC Home Mortgage Disclosure Act Loan Application Registers (HMDA LARs)
- Home Affordable Modification Program data
- Fair lending analyses and supporting documentation
- Office of the Comptroller of the Currency (OCC) Federal Housing Home Loan Data System (FHHLDS) report, if applicable
- Mortgage Call Report (MCR) from the Nationwide Mortgage Licensing System (NMLS)
- Registration or licensing information for mortgage originators (Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act))

PUBLIC SOURCES OF INFORMATION 

- Institution securities filings, its offered securitizations, and similar public records
- Industry publications showing credit ratings, product performance, and areas of profitability
- Newspaper articles, web postings, or blogs that raise examination-related issues
- Neighborhood Watch
- Service providers and other third-party arrangements
- Content of the supervised entity's website

RATING SYSTEM CATEGORIES AND ASSESSMENT FACTORS 

The Bureau's rating system is organized under three broad categories: 

1. Board and Management Oversight,
2. Compliance Program, and
3. Violations of Law and Consumer Harm.

I will not outline the rating system here. Suffice it to say that it is complex and is used to reflect the implementation of assessment factors considered within each category, with some cross-referencing, along with narrative descriptions of performance. The first two categories, Board and Management Oversight and Compliance Program, are used to assess the strength of an institution's CMS. Examiners evaluate the assessment factors within these two categories commensurate with the institution's size, complexity, and risk profile. 

All institutions, regardless of size, should maintain an effective CMS. The sophistication and formality of the CMS typically will increase commensurate with the size, complexity, and risk profile of the entity. 

The Bureau's compliance expectations contained within the narrative descriptions of the foregoing two categories extend to third-party relationships[ii] utilized by the financial institution. There can be certain benefits to financial institutions engaging in relationships with third parties, including gaining operational efficiencies or an ability to deliver additional products and services. Still, such arrangements may expose financial institutions to risks if they are not managed effectively.

Thursday, May 16, 2024

Regulatory Mandate: Third-Party Risk Management

QUESTION 

I am the Compliance Manager of a bank. We have a mortgage banking platform. I handle our legal and regulatory compliance. Our new Chief Risk Officer wants to review our Third-Party Risk Management policy and procedures. The problem is that we do not have such a policy and procedures. 

We have vendor management procedures, which our regulator has accepted. Like me, the CRO is an attorney, but he can’t fathom how we could have functioned for so long without this policy, irrespective of the regulator’s evaluation. I respect his view, and he has discussed case law and regulatory requirements with me. But, the fact is, we simply have never created a comprehensive policy just for third-party risk management.

I understand now that a policy for Third-Party Risk Management is an essential requirement that must be drafted and ratified by our Board. The policy must extend to other banks and nonbanks with which we do business. We need some guidance in drafting this policy. The CRO follows your articles, and he asked me to write to you. I have subscribed and encouraged our staff to subscribe. 

What are some key features of a policy focused on Third-Party Risk Management? 

COMPLIANCE SOLUTION 

TPRM Tune-up®

Third-Party Risk Management

Policy and Procedures 

ANSWER 

Thank you for subscribing, and I appreciate your Chief Risk Officer reading our articles. We have been publishing these articles for many years, and it is humbling when our subscribers express their gratitude. 

Our research of public enforcement actions shows that approximately 25% of them - that’s one in four enforcement actions! - against banks and nonbanks have specifically noted deficiencies in how the target institution managed third-party service provider risks. 

If any financial institution does not have a Third-Party Risk Management policy and procedures, it is surely courting legal and regulatory risk. Your CRO is correct!

One other point before I proceed. When a company official tells me that their regulator has never mentioned a particular regulatory violation, though it is a regulatory violation, and thus they intimate that what they’re doing must be ‘acceptable to the regulator,’ the alarms go off. If an institution wants to wait for a regulator to find its policies skimpy, defective, sketchy, inadequate, incomplete, fragmentary, insufficient, and deficient, it will find itself in the midst of a very unpleasant, belated attempt at remediation and possibly even an administrative action. 

And remember to implement the procedures and monitor the implementation. A bank examiner will not only review the policy but also determine if the procedures are implemented. 

_____________________________________________________________ 

TPRM Tune-up® 

When we conduct our TPRM Tune-up®, which is a review of a company’s third-party risk management structure, we work with a set of audit tools that help us evaluate regulatory compliance, offer recommendations, and provide a risk rating. The TPRM Tune-up® is often in demand because third-party risk management is central to safety and soundness criteria. Contact us here, and we’ll send you the presentation.  

_____________________________________________________________ 

Board and Management Responsibility 

Financial institutions are still ultimately responsible for managing their third-party service provider relationships, activities, and associated risks. They must ultimately ensure that all of their operations, in-house or outsourced, are conducted safely and soundly and in compliance with applicable legal and regulatory requirements, including consumer protection and financial crimes laws and regulations, just as if the institution were performing the activities itself. 

Regulators look to the company’s Board of Directors as ultimately responsible for providing oversight for third-party risk management and holding management accountable for its role. Management is responsible for developing and implementing third-party risk management policies, procedures, and practices commensurate with the institution’s risk appetite and the level of risk and complexity of its third-party relationships. Internal controls, independent reviews, and documentation are critical components. 

Third-Party Risk Management POLICY 

There are essential requirements for a Third-Party Risk Management policy (“TPRM Policy”). 

The TPRM Policy has four principal requirements, which I will outline below. It will be up to you to draft the policy language. Each requirement can have its own section and subsections. I will offer some guidance to help with your considerations.

The four TPRM Policy requirements can be elucidated as follows:

1. Risk Management
2. Third-Party Relationship Life Cycle
3. Governance
4. Appendix

TPRM Policy Sections 

1. Risk Management 

Not all third-party relationships present the same level of risk. Indeed, not all such relationships require the same level of oversight. However, a financial institution should apply rigorous risk management practices throughout the third-party relationship life cycle for third parties that support higher-risk activities, including critical activities. 

An institution may adjust and update its third-party risk-management practices commensurate with its size, complexity, and risk profile by periodically analyzing the risks associated with each third-party relationship. It is important to involve knowledgeable and skilled staff in each stage of the risk management life cycle. 

Therefore, your company would apply risk management practices in different stages of the third-party relationship life cycle. For instance, an important initial step is identifying third-party relationships that support higher-risk activities, including critical activities. 

Generally, to determine if an activity is higher risk, a company would assess various factors, such as if the third party has access to sensitive data (including customer data), processes transactions, or provides essential technology and business services. 

2. Third-Party Relationship Life Cycle 

Effective third-party risk management generally follows a continuous life cycle for third-party relationships. There are five stages of the TPRM life cycle, all responsive to governance in terms of Oversight and Accountability, Independent Reviews, and Documentation and Reporting.

Here is an outline of the five stages of the TPRM life cycle. 

Stage 1: Planning

Careful planning enables a community bank to consider potential risks in the proposed third-party relationship. Managing third-party relationships allows the company to evaluate the extent of risk management resources and practices for effective oversight of the proposed third-party relationship throughout the subsequent stages of the third-party relationship life cycle.

Stage 2: Due Diligence (Selecting the Third Party)

Due diligence is the process by which a company assesses, prior to entering into a third-party relationship, a particular third party’s ability to, among other things, perform the activity as expected, adhere to company policies, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner.

The guideline to develop in the policy is a clear definition of effective due diligence. We define effective due diligence as assistance with the selection of capable and reliable third parties to perform activities for, through, or on behalf of the company. If the company cannot obtain desired due diligence information from the third party, it will have to consider alternative information, details, controls, and monitoring; otherwise, it should consider abandoning the use of the third party.

 

Conducting due diligence on third parties before selecting and entering into third-party relationships is an important part of sound risk management. It provides management with the information needed about potential third parties to determine if a relationship would help achieve an organization’s strategic and financial goals. The due diligence process also provides the banking organization with the information needed to evaluate whether it can appropriately identify, monitor, and control risks associated with the particular third-party relationship. 

Stage 3: Contract Negotiation

Before entering into a contractual relationship with a third party, an institution should consider contract provisions that meet its business objectives, regulatory obligations, and risk management policies and procedures. If a company has limited negotiating power, management needs to understand any resulting limitations and consequent risks. It comes down to risk tolerance, such as whether the contract can still meet the company’s needs, whether the contract would result in increased risk to the company, and whether residual risks are acceptable.

Stage 4: Monitoring

Monitoring cannot be overemphasized when managing third-party risk. A company’s ongoing monitoring of the third party’s performance enables management to determine if the third party is performing as required for the duration of the contract. Our clients use the information derived from monitoring to adapt and refine their risk management practices.

There are three aspects of this stage in the life cycle, whereby monitoring:

1) Confirms the quality and sustainability of a third party’s controls and ability to meet contractual obligations;
2) Escalates significant issues or concerns (i.e., material or repeat audit findings, deterioration in financial condition, security breaches, data loss, service interruptions, compliance lapses, or other indicators of increased risk); and
3) Responds to such significant issues or concerns when and where identified.

Stage 5: Termination

Ending a relationship with a third party occurs for a variety of reasons, such as expiration or breach of the contract, the third party’s failure to comply with applicable laws or regulations, or a desire to seek an alternate third party, bringing the activity in-house, or discontinuing the activity. It is important for management to terminate relationships efficiently, whether the activities are transitioned to another third party, brought in-house, or discontinued.

3. Governance 

As I noted above, the life cycle is governed by tripartite activities: Oversight and Accountability, Independent Reviews, and Documentation and Reporting. Here are some tips for each activity. 


(A) Oversight and Accountability

 

The Board of Directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable. The management is responsible for developing and implementing third-party risk management policies, procedures, and practices commensurate with the company’s risk appetite and the level of risk and complexity of its third-party relationships.

 

(B) Independent Review

 

The company must conduct periodic independent reviews to assess the adequacy of its third-party risk management processes. An institution may use the results of independent reviews to determine whether and how to adjust its third-party risk management process, including its policies, reporting, resources, expertise, and controls.

 

(C) Documentation and Reporting

 

Documentation and reporting, key elements that assist those within or outside the company who conduct control activities, will vary among financial institutions depending on the risk and complexity of their third-party relationships.

4. Appendix 

Consider including an appendix that lists resources. The resources do not have to be comprehensive. Keep adding to the Appendix as you come across resources that help to manage third-party risk management. Of course, there are Acts, regulations, and rules. However, other sources of information may be available, particularly on specific topics.

The use of third parties, especially those using new technologies, may present elevated risks to a financial institution and its customers, including operational, compliance, and strategic risks. Importantly, the use of third parties does not diminish or remove the institution's responsibilities to ensure that activities are performed in a safe and sound manner and in compliance with applicable laws and regulations.

Request Information: TPRM Tune-up®.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, May 9, 2024

Online Data Collection Challenge

QUESTION 

Most of our business is from originating mortgages. Recently, we started originating Buy-Now-Pay-Later loans. I know you specialize in mortgage banking. And these are not mortgage loans. However, they are available online just like we offer our mortgages online. 

Our attorney told us that getting a customer's social security number for online Buy-Now-Pay-Later loans poses consumer privacy and information security risks. She says we could collect partial SSN information directly from the customer and then use a third party source to obtain the full SSN before opening the account. 

This is not a practical solution. As the sales manager, I am trying to find some kind of workaround. We need the SSN when the loan comes in online. Processing begins immediately and includes our CIP filters. However, if we use a third party to handle the BSA requirement, there could be a processing delay. 

Hopefully, you can shed some light on how to resolve this situation. Our attorney reads your articles and often sends them to us. So, I'm sure she will read your view on getting online SSN information. 

Can you explain why our attorney is concerned about our online CIP data collection involving Buy-Now-Pay-Later loans? 

COMPLIANCE SOLUTION 

Website Compliance Review 

Policies and Procedures

ANSWER 

Since 2006, Lenders Compliance Group has offered mortgage banking compliance. We do not provide compliance guidance for Buy-Now-Pay-Later (BNPL) loans. The BNPL loan is an installment loan that typically allows a customer to purchase something immediately with little or no initial payment and pay off the balance over four or fewer payments.[i] 

I will answer your question because you have an online origination platform that is used to originate mortgage loan products, where you have now introduced the origination of BNPL loans. 

You do not state if your company is contemplating partnering with a nonbank third-party service provider to facilitate BNPL loan originations.

Read on to find out why that information is a critical compliance element. 

I think there are more reasons for your attorney's directive than are described in your question. Given that you are marketing mortgage and non-mortgage products online, the online platform should be evaluated for its overall compliance with CIP requirements, among other things. Depending on the online consumer disclosures, product and service array, origination technology, and other factors, I think her concern is warranted.

Please ask your attorney to contact me here. We'll discuss and resolve the situation. 

Your question comes as FinCEN is evaluating, via a Request for Information (RFI), existing requirements for banks under the Customer Identification Program Rule ("CIP Rule") to collect a taxpayer identification number (TIN) from a customer before opening an account. I'll provide a bird's-eye view of the anticipated plans, which may be responsive to your attorney's concerns. 

Generally, banks and nonbanks ("financial institution(s)" or "institution(s)") must collect a full Social Security Number (SSN) from a customer who is an individual and a U.S. person. The RFI, mentioned above, is being issued in consultation with staff at the OCC, FDIC, NCUA, and the Federal Reserve System (collectively, the "Agencies"). 

FinCEN is looking for feedback to understand the potential risks, benefits, and safeguards that could be established if financial institutions were permitted to collect partial SSN information directly from the customer for U.S. individuals and subsequently use reputable third party sources to obtain the full SSN before account opening. So, FinCEN's inquiry seems to align with your attorney's suggestion. Agencies usually issue an RFI because they want certain information to evaluate practices; in this case, FinCEN wants a better understanding of current industry practices and perspectives related to the CIP Rule's TIN collection requirement, so that it can assess the potential risks and benefits of changing that requirement. 

From the start of anti-money laundering compliance, financial institutions have collected identifying information from a customer before opening an account. FinCEN, in consultation with staff at the Agencies, seeks information and comments from interested parties regarding the CIP Rule requirement for financial institutions to collect a taxpayer identification number (TIN) and other information from a customer who is a U.S. person before opening an account. 

There are minimum standards[ii] for such information collection, including, among other things, reasonable procedures[iii] for 

(1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; and 

(2) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information.  

It is, therefore, a given that, to satisfy the CIP Rule's TIN collection requirement for a U.S. individual, a financial institution must collect the full SSN from the customer before opening an account. While an institution's procedures for verifying a customer's identity may be risk-based and may vary among institutions, the CIP Rule makes clear that the collection of certain identifying information is a minimum requirement, and such information must be collected directly from the customer before opening an account, except for credit card accounts. 

In other words, outside of the credit card exception, the CIP Rule generally does not allow a financial institution to collect an individual's SSN from a person other than the customer (i.e., a third party service provider). 

When the CIP Rule was adopted, institutions were exempted from the requirement for credit card accounts to collect identifying information directly from the customer, including an identification number. Rather, financial institutions may collect the customer's identifying information, such as the SSN, for credit card accounts, from a third party source before extending credit to the customer. The agency saw at that time that without this exception, the CIP Rule would change an institution's business practices by mandating information beyond what was already obtained directly from a customer who opened a credit card account at the point of sale or by phone. 

Concerns were raised during the proposed CIP Rule's comment period that, for instance, a person applying for a credit card account would be hesitant to provide their SSN, especially through non-face-to-face means, because of consumer privacy and security concerns. 

It seems clear that FinCEN recognized that requiring a bank to collect a customer's identifying information from the customer in every case, including over the phone, would likely alter how banks do business. Consequently, credit card accounts were exempted from the CIP Rule's information collection requirements, allowing banks and nonbanks to obtain, for these purposes, a customer's identifying information from a third party source, such as a credit bureau, before an extension of credit. In its issuances, FinCEN considered this practice an efficient and effective means of extending credit with little risk that an institution did not know the borrower's identity. 

Since the CIP Rule was adopted in 2003, FinCEN has become aware that there has been significant innovation in how customers interact with financial institutions and receive financial services, and in CIP data collection and verification tools available to financial institutions. 

So, here's the crux of the matter: some banks partner with nonbank third party service providers to facilitate new financial products and services. A Buy-Now-Pay-Later loan product is an example of such a product: it is offered by a nonbank financial institution, acting as a third party service provider, that extends credit to customers at the point of sale. 

These products and services operate in a similar manner to credit cards but may be offered by nonbank financial institutions that may or may not be subject to the Bank Secrecy Act (BSA) and its implementing regulations or other comparable regulatory requirements.[iv] Even so, institutions that do not comply with the CIP Rule may face supervisory action, particularly if a nonbank with which a bank has partnered does not collect the customer's identifying information directly from the customer, as required by the CIP Rule. 

The RFI[v] will presumably inform FinCEN's understanding in this area and help the agency evaluate the risks, benefits, and potential safeguards related to certain CIP Rule requirements applicable to financial institutions. Specifically, FinCEN is seeking input from institutions and other interested parties regarding the Rule's SSN collection requirement. The results may allow financial institutions to collect partial SSN information from the customer and use a third party source to collect the full SSN. Partial SSN collection is when a bank collects a certain part of the SSN from individuals who are customers (i.e., the last four digits of an individual's SSN) and then obtains the full SSN from a reputable third party service provider. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] What is a Buy Now, Pay Later (BNPL) Loan?, Consumer Financial Protection Bureau, Issuance (Last Reviewed: December 2, 2021), https://www.consumerfinance.gov/ask-cfpb/what-is-a-buy-now-pay-later-bnpl-loan-en-2119/ 

[ii] Section 326 of the USA Patriot Act amended the BSA to require, inter alia, the Secretary to prescribe regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." 

[iii] 13 CFR Part 103, Financial Crimes Enforcement Network; Customer Identification Programs for Certain Banks (Credit Unions, Private Banks and Trust Companies) That Do Not Have a Federal Functional Regulator, Department of the Treasury

[iv] An example of a nonbank financial institution that is a third-party service provider used to facilitate new financial products and services would be one that provides BNPL loans that extend credit at the point of sale to customers.

[v] The RFI supports FinCEN's ongoing efforts to implement Section 6216 of the Anti-Money Laundering Act of 2020, which requires the agency to, inter alia, identify regulations and guidance that may be outdated, redundant, or otherwise do not promote a risk-based AML/CFT regime (CFT being the acronym for combating the financing of terrorism).