LENDERS COMPLIANCE GROUP®



Thursday, May 9, 2024

Online Data Collection Challenge

QUESTION 

Most of our business is from originating mortgages. Recently, we started originating Buy-Now-Pay-Later loans. I know you specialize in mortgage banking. And these are not mortgage loans. However, they are available online just like we offer our mortgages online. 

Our attorney told us that getting a customer's social security number for online Buy-Now-Pay-Later loans poses consumer privacy and information security risks. She says we could collect partial SSN information directly from the customer and then use a third party source to obtain the full SSN before opening the account. 

This is not a practical solution. As the sales manager, I am trying to find some kind of workaround. We need the SSN when the loan comes in online. Processing begins immediately and includes our CIP filters. However, if we use a third party to handle the BSA requirement, there could be a processing delay. 

Hopefully, you can shed some light on how to resolve this situation. Our attorney reads your articles and often sends them to us. So, I'm sure she will read your view on getting online SSN information. 

Can you explain why our attorney is concerned about our online CIP data collection involving Buy-Now-Pay-Later loans? 


ANSWER 

Since 2006, Lenders Compliance Group has offered mortgage banking compliance. We do not provide compliance guidance for Buy-Now-Pay-Later (BNPL) loans. The BNPL loan is an installment loan that typically allows a customer to purchase something immediately with little or no initial payment and pay off the balance over four or fewer payments.[i] 

I will answer your question because you have an online origination platform that is used to originate mortgage loan products, where you have now introduced the origination of BNPL loans. 

You do not state if your company is contemplating partnering with a nonbank third party service provider to facilitate BNPL loan originations. 

Read on to find out why that information is a critical compliance element. 

I think there are more reasons for your attorney's directive than is described in your question. Given that you are marketing mortgage and non-mortgage products online, the online platform should be evaluated for its overall compliance with CIP requirements, among other things. Depending on the online consumer disclosures, product and service array, origination technology, and other factors, I think her concern is warranted. 

Please ask your attorney to contact me here. We'll discuss and resolve the situation. 

Your question comes as FinCEN is evaluating, via a Request for Information (RFI), existing requirements for banks under the Customer Identification Program Rule ("CIP Rule") to collect a taxpayer identification number (TIN) from a customer before opening an account. I'll provide a bird's-eye view of the anticipated plans, which may be responsive to your attorney's concerns. 

Generally, banks and nonbanks ("financial institution(s)" or "institution(s)") must collect a full Social Security Number (SSN) from a customer who is an individual and a U.S. person. The RFI, mentioned above, is being issued in consultation with staff at the OCC, FDIC, NCUA, and the Federal Reserve System (collectively, the "Agencies"). 

FinCEN is looking for feedback to understand the potential risks, benefits, and safeguards that could be established if financial institutions were permitted to collect partial SSN information directly from the customer for U.S. individuals and subsequently use reputable third party sources to obtain the full SSN before account opening. So, FinCEN's inquiry seems to align with your attorney's suggestion. Agencies usually issue an RFI because they want certain information to evaluate practices and, in this case, a better understanding of current industry practices and perspectives related to the CIP Rule's TIN collection requirement. So, their inquiry is based on wanting to assess the potential risks and benefits associated with a change to that requirement. 

From the start of anti-money laundering compliance, financial institutions have collected identifying information from a customer before opening an account. FinCEN, in consultation with staff at the Agencies, seeks information and comments from interested parties regarding the CIP Rule requirement for financial institutions to collect a taxpayer identification number (TIN) and other information from a customer who is a U.S. person before opening an account. 

There are minimum standards[ii] for such information collection, including, among other things, reasonable procedures[iii] for 

(1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; and 

(2) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information.  

It is, therefore, a given that, to satisfy the CIP Rule's TIN collection requirement for a U.S. individual, a financial institution must collect the full SSN from the customer before opening an account. While an institution's procedures for verifying a customer's identity may be risk-based and may vary among institutions, the CIP Rule makes clear that the collection of certain identifying information is a minimum requirement, and such information must be collected directly from the customer before opening an account, except concerning credit card accounts. 

Accordingly, the CIP Rule generally does not allow a financial institution to collect an individual's SSN from someone other than the customer, such as a third party service provider. 

When the CIP Rule was adopted, institutions were exempted from the requirement for credit card accounts to collect identifying information directly from the customer, including an identification number. Rather, financial institutions may collect the customer's identifying information, such as the SSN, for credit card accounts, from a third party source before extending credit to the customer. The agency saw at that time that without this exception, the CIP Rule would change an institution's business practices by mandating information beyond what was already obtained directly from a customer who opened a credit card account at the point of sale or by phone. 

Concerns were raised during the proposed CIP Rule's comment period that, for instance, a person applying for a credit card account would be hesitant to provide their SSN, especially through non-face-to-face means, because of consumer privacy and security concerns. 

It seems clear that FinCEN saw that requiring a bank to collect a customer's identifying information from the customer in every case, including over the phone, would likely alter how banks do business. Consequently, credit card accounts were exempted from the CIP Rule's information collection requirements, allowing banks and nonbanks to obtain, for these purposes, a customer's identifying information from a third party source, such as a credit bureau, before an extension of credit. In its issuances, FinCEN considered this practice an efficient and effective means of extending credit with little risk that an institution did not know the borrower's identity. 

Since the CIP Rule was adopted in 2003, FinCEN has become aware that there has been significant innovation in how customers interact with financial institutions and receive financial services, and in CIP data collection and verification tools available to financial institutions. 

So, here's the crux of the matter: some banks partner with nonbank third party service providers to facilitate new financial products and services. A Buy-Now-Pay-Later lender is an example of such a nonbank financial institution, acting as a third party service provider, that enables these products and services by extending credit to customers at the point of sale. 

These products and services operate in a similar manner to credit cards but may be offered by nonbank financial institutions that may or may not be subject to the Bank Secrecy Act (BSA) and its implementing regulations or other comparable regulatory requirements.[iv] Even so, institutions that do not comply with the CIP Rule may face supervisory action, particularly if a nonbank with which a bank has partnered does not collect the customer's identifying information directly from the customer, as required by the CIP Rule. 

The RFI[v] will presumably inform FinCEN's understanding in this area and help the agency evaluate the risks, benefits, and potential safeguards related to certain CIP Rule requirements applicable to financial institutions. Specifically, FinCEN is seeking input from institutions and other interested parties regarding the Rule's SSN collection requirement. The results may allow financial institutions to collect partial SSN information from the customer and use a third party source to collect the full SSN. Partial SSN collection is when an institution collects only a certain part of the SSN from individual customers (for example, the last four digits) and then obtains the full SSN from a reputable third party service provider. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] What is a Buy Now, Pay Later (BNPL) Loan?, Consumer Financial Protection Bureau, Issuance (Last Reviewed: December 2, 2021), https://www.consumerfinance.gov/ask-cfpb/what-is-a-buy-now-pay-later-bnpl-loan-en-2119/ 

[ii] Section 326 of the USA Patriot Act amended the BSA to require, inter alia, the Secretary to prescribe regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." 

[iii] 13 CFR Part 103, Financial Crimes Enforcement Network; Customer Identification Programs for Certain Banks (Credit Unions, Private Banks and Trust Companies, That do not Have a Federal Functional Regulator, Department of the Treasury

[iv] An example of a nonbank financial institution that is a third-party service provider used to facilitate new financial products and services would be one that provides BNPL loans that extend credit at the point of sale to customers.

[v] The RFI supports FinCEN's ongoing efforts to implement Section 6216 of the Anti-Money Laundering Act of 2020, which requires the agency to, inter alia, identify regulations and guidance that may be outdated, redundant, or otherwise do not promote risk-based AML/CFT requirements (CFT being the acronym for combating the financing of terrorism).

Thursday, October 19, 2023

AML Examinations: Common Audit Findings

QUESTION 

We are a credit union with several branches. Our concern is that we don't believe we have a comprehensive training program for BSA/AML. We are going to have a regulatory examination soon, and I think we will be written up for having an incomplete training program and aids. But that's just one of the weaknesses. 

We need some direction here. First, our compliance manager is contacting your firm to review our written AML program. Second, we need to know the areas of weakness that regulators often find in our AML program. 

What are some areas of weakness we can anticipate being reviewed in an AML examination? 

ANSWER 

If you expect the AML examination soon, you and other subscribers can contact us here. 

We have conducted hundreds of AML risk assessments over the years, and the findings regarding BSA/AML vary depending on the financial institution's risk profile, size, complexity, and products and services. Still, there is a common grouping of weaknesses that tend to recur. 

Before listing the more salient weaknesses, I urge you to segment your responsibility matrix for those personnel involved in the Anti-Money Laundering review process. Regulators take a keen interest in evaluating whether an institution properly allocates responsibilities and authorities along the chain of command in reviewing AML data. 

Segmenting the specific responsibilities will make the written AML program easier to execute. Importantly, the regulators will be able to determine that your institution is complying in a procedurally reliable way. 

I will segment the responsibilities into four groups: (1) Frontline Staff, (2) Operations Staff, (3) Board of Directors, and (4) New Personnel. Now, consider the following brief description of each. You can take these responsibilities as a "starting point." I suggest you broaden them to reflect your institution's normative information paths.

Frontline Staff 

Responsibilities 

  • CTR reporting requirements,
  • Recognizing suspicious activity,
  • Completing a SAR,
  • Customer Identification Program due diligence, and
  • Office of Foreign Assets Control (OFAC) requirements (if applicable). 

Operations Staff 

Responsibilities 

  • Wire transfers,
  • ACH Transactions,
  • Debit, Credit, Gift Card Transactions,
  • Recognizing and reporting suspicious activity related to applicable financial products and services, and
  • OFAC requirements (if applicable). 

Board of Directors

Responsibilities 

  • Methods to enhance the importance of BSA/AML requirements,
  • Consequences and risks of noncompliance, and
  • Changes and new developments in the BSA laws and regulations. 

New Personnel 

Responsibilities

  • BSA/AML orientation overview, and
  • Employees in jobs requiring performance of BSA/AML and/or OFAC duties must receive thorough training before starting the position.

There are eight recurring weaknesses we have found through our AML risk assessments. I will list them here, with the caveat that they are by no means meant to be comprehensive. Also, keep in mind our AML test audits and risk assessments are focused on residential mortgage loan originations and servicing compliance. 

My advice is for you to review your written AML program to ensure you cover these areas with respect to policies, descriptions, and procedures. And be sure to test them! 

Some Commonly Recurring Weaknesses in Anti-Money Laundering Programs

  • Customer ID Program requirements.
  • Timely 314(a) reviews and CTR reports.
  • Independent audits must address all the issues they identify.
  • BSA policies should note both the BSA/AML officer and the backup BSA/AML officer.
  • Risk assessments must consider all new products and services.
  • Confidentiality of all SARs must be maintained at all levels of the institution.
  • BSA training is kept current and available; examiners scrutinize training records and materials.
  • Customize the BSA/AML training program to employees' specific responsibilities. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

Thursday, August 24, 2023

Personally Identifiable Information

QUESTION 

We passed our information security review by our banking department. However, they found that our description of personally identifiable information was too narrow. 

We need to revise our policies and procedures and submit them to the banking department. Hopefully, you can offer a broader understanding of this area of customer privacy. 

What is a good working description of personally identifiable information for our policy? 

ANSWER 

Most people have heard of nonpublic personal information, called “NPI.” To be precise, as it relates to financial institutions, NPI is personally identifiable information (“PII”) that:

1. The consumer provides to a financial institution;

2. Results from a transaction or service provided for the consumer; or

3. The financial institution otherwise obtains, and that is not publicly available.[i]

As a practical matter, most information that a financial institution collects from a consumer or customer is NPI. In fact, NPI also includes lists, descriptions or groupings of consumers, even if the data is publicly available, if the financial institution has derived the data from an individual’s nonpublic personal information. 

Personally identifiable information, PII, is any information a consumer or customer gives to a financial institution in connection with applying for or receiving a product or service.[ii] 

To broaden the foregoing description, PII is (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.[iii] 

Here are a few common examples of PII:

· Name: full name, maiden name, mother’s maiden name, or alias;

· Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number;

· Personal address information: street address or email address;

· Personal telephone numbers;

· Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting;

· Biometric data: retina scans, voice signatures, or facial geometry;

· Information identifying personally owned property: VIN or title number; and

· Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person.

However, there are examples that, on their own, do not constitute PII, as more than one person could share these traits. But when linked or linkable to one of the above examples, the following could be used to identify a specific person:

· Date of birth;

· Place of birth;

· Business telephone number;

· Business mailing or email address;

· Race;

· Religion;

· Geographical indicators;

· Employment information;

· Criminal history;

· Medical information;[iv]

· Education information;[v] and

· Financial information.

Thus, PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information linked or linkable to a specific individual. 

It is essential to note that the definition of PII is not anchored to any single category of information or technology.[vi] Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, the financial institution should recognize that “non-PII” – non-personally identifiable information – can become PII whenever additional information is made publicly available – in any medium and from any source – that, when combined with other available information, could be used to identify an individual. 

Indeed, there is even PII that is considered high risk, called “High Risk PII.” The Department of Energy describes High Risk PII as PII which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.[vii] Examples of High Risk PII include Social Security Numbers (SSNs), biometric records (i.e., fingerprints, DNA, etc.), health and medical information, financial information (i.e., credit card numbers, credit reports, bank account numbers, etc.), and security information (i.e., security clearance information). 

While all PII must be handled and protected appropriately, High Risk PII must be given greater protection and consideration – especially following a breach – because of the increased risk of harm to an individual if it is misused or compromised. 
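The case-by-case linkability assessment described above is easy to get wrong in practice, because a data set that looks harmless on its own becomes identifying the moment it is joined to a direct identifier. The following is an added Python example, not part of the original post: it classifies a record's populated fields into direct identifiers, linkable attributes, and High Risk PII using the lists above, and decides whether the record must be handled as PII. The field names, the `known_identity` flag, the record layout, and the sample data are this example's own assumptions.

```python
# Added example (not from the original post): a small data-classification check
# modelled on the PII description above. The category sets follow the post's
# lists; the field names, record layout and function names are assumptions.
from dataclasses import dataclass, field

# Fields that on their own distinguish or trace an individual's identity.
DIRECT_IDENTIFIERS = {
    "full_name", "maiden_name", "mothers_maiden_name", "alias",
    "ssn", "passport_number", "drivers_license", "tin", "patient_id",
    "account_number", "credit_card_number",
    "street_address", "email", "personal_phone",
    "photo", "fingerprint", "handwriting",
    "retina_scan", "voice_signature", "facial_geometry",
    "vin", "title_number", "ip_address", "mac_address",
}

# Fields that identify a person only once linked to a direct identifier.
LINKABLE_ATTRIBUTES = {
    "date_of_birth", "place_of_birth", "business_phone", "business_email",
    "race", "religion", "geo_indicator", "employment", "criminal_history",
    "medical", "education", "financial",
}

# Fields whose compromise could cause substantial harm (High Risk PII above).
HIGH_RISK = {
    "ssn", "fingerprint", "retina_scan", "voice_signature", "facial_geometry",
    "medical", "financial", "account_number", "credit_card_number",
    "security_clearance",
}


@dataclass
class Classification:
    is_pii: bool
    high_risk: bool
    direct: set = field(default_factory=set)
    linkable: set = field(default_factory=set)
    unknown: set = field(default_factory=set)


def _populated(record):
    """Keys whose values are actually present; empty fields carry no identity."""
    return {k for k, v in record.items() if v not in (None, "")}


def classify_record(record, known_identity=False):
    """Decide whether a record is PII and whether High Risk handling applies.

    known_identity=True models data that is already tied to a specific person
    by context (for instance, it is stored in that customer's file), so even
    linkable-only attributes are identifying there.
    """
    present = _populated(record)
    direct = present & DIRECT_IDENTIFIERS
    linkable = present & LINKABLE_ATTRIBUTES
    # Fields outside both lists need a case-by-case review, not silent approval.
    unknown = present - direct - linkable
    is_pii = bool(direct) or (known_identity and bool(linkable))
    # High Risk protection only matters once the data actually identifies someone.
    high_risk = is_pii and bool(present & HIGH_RISK)
    return Classification(is_pii, high_risk, direct, linkable, unknown)


def merge_records(*records):
    """Combine data sets the way a lead list or marketing join would."""
    merged = {}
    for r in records:
        merged.update({k: r[k] for k in _populated(r)})
    return merged


if __name__ == "__main__":
    # Constructed sample data, not real individuals.
    demographics = {"date_of_birth": "1980-01-01", "employment": "Acme Corp"}
    contact = {"full_name": "J. Doe", "email": "jdoe@example.com"}
    print(classify_record(demographics))                          # not PII alone
    print(classify_record(merge_records(demographics, contact)))  # PII once joined
    print(classify_record({"ssn": "000-00-0000"}))                # PII and High Risk
```

The `unknown` set is deliberate: a field the policy has not classified should surface for review rather than be treated as safe, which mirrors the post's point that the definition of PII is not anchored to a fixed category list.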


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 15 USC § 6809(4)

[ii] 16 USC § 313.3(o)(1)

[iii] Safeguarding Against and Responding to the Breach of Personally Identifiable Information, OMB Memorandum M-07-16, May 22, 2007

[iv] May be subject to HIPAA requirements

[v] May be subject to FERPA requirements

[vi] Op. cit. iii

[vii] Department of Energy Privacy Program, DOE O 206.1 Chg1 (MinChg), January 16, 2009

Thursday, March 16, 2023

Reasonable Investigation of a Direct Dispute

QUESTION 

One of the findings in our internal audit caused us some concern. The audit found that we did not follow the proper steps in conducting a “reasonable investigation” for FCRA complaints. It says our “direct dispute” procedures were flawed. 

The audit only gave us a brief overview of what should be done to fix the process but no guidance. So, we’re writing to you for some advice. We’ve done some research, but it’s not particularly helpful. We need a more precise outline of what would cause us to conduct a reasonable investigation. 

Here are our two questions:

What is a “direct dispute?” 

What are some criteria that trigger a “reasonable investigation?” 

Thank you so much for your weekly FAQs. We love them! 

ANSWER 

I appreciate your kind words. Ours is a labor of love that shows our commitment to the mortgage community. Through highs and lows, we should look after one another! 

Let’s start with a general understanding of “direct dispute.”[i] It is a term found in the Fair Credit Reporting Act (FCRA) that occurs when a dispute is submitted by a consumer directly to a furnisher (including a furnisher that is a debt collector) concerning the accuracy of any information in a consumer report and pertaining to an account or other relationship that the furnisher has or had with the consumer. 

Your policies and procedures should meet regulatory standards, and they need to be monitored periodically for implementation. In addition to periodic reviews, you should update them as necessary to ensure their continued effectiveness. 

As a furnisher, you must establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that your organization furnishes to a consumer reporting agency. The policies and procedures must be appropriate to the nature, size, complexity, and scope of your furnisher’s activities. 

There are several regulatory requirements.[ii] Subject to exceptions, a furnisher must conduct a “reasonable investigation” of a direct dispute if the dispute relates to: 

1. The consumer’s liability for a credit account or other debt with the furnisher, such as direct disputes relating to whether there is or has been identity theft or fraud against the consumer, whether there is individual or joint liability on an account, or whether the consumer is an authorized user of a credit account. 

2. The terms of a credit account or other debt with the furnisher, such as direct disputes relating to the type of account, principal balance, scheduled payment amount on an account, or the amount of the credit limit on an open-end account. 

3. The consumer’s performance or other conduct concerning an account or other relationship with the furnisher, such as direct disputes relating to the current payment status, high balance, the date a payment was made, the amount of a payment made, or the date an account was opened or closed. 

4. Any other information included in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

Exceptions

There are two exceptions to having to conduct a reasonable investigation. The obligation of a furnisher to conduct a reasonable investigation does not apply if: 

1. The direct dispute relates to:

a. The consumer’s identifying information, such as name(s), date of birth, Social Security Number, telephone number(s), or address(es). However, the exception does not apply if the direct dispute relates to a consumer’s liability for a credit account or other debt with the furnisher, such as whether there is or has been identity theft or fraud against the consumer, whether there is individual or joint liability on an account, or whether the consumer is an authorized user of a credit account;

b. The identity of past or present employers;

c. Inquiries or requests for a consumer report;

d. Information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless provided by a furnisher with an account or other relationship with the consumer); and

e. Information related to fraud alerts or active duty alerts. 

2. The furnisher has a reasonable belief that the direct dispute is submitted by, prepared on behalf of, or is submitted on a form that is supplied to the consumer by a credit repair organization[iii] or an entity that would qualify as a credit repair organization but for the exemption for nonprofit entities. 
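The triggers and exceptions above interact: an identifying-information dispute is normally exempt, yet the same dispute must be investigated when it is really a claim of identity theft, and public-record items lose their exemption when the furnisher itself supplied them. The following is an added Python example, not part of the original post, that encodes this decision for a dispute-intake queue so the exceptions cannot be applied in the wrong order. The subject labels, the `Dispute` flags, and the sample batch are this example's own assumptions.

```python
# Added example (not from the original post): a decision routine for dispute
# intake that follows the trigger categories and exceptions listed above. The
# category labels, flag names and sample disputes are assumptions.
from dataclasses import dataclass

# Subjects that require a reasonable investigation (items 1-4 above).
TRIGGERING = {"liability", "terms", "performance", "other_account_info"}

# Subjects covered by exception 1 (items 1a-1e above).
EXEMPT = {
    "identifying_info", "employer_identity", "inquiry",
    "public_record", "fraud_or_active_duty_alert",
}


@dataclass
class Dispute:
    dispute_id: str
    subject: str
    about_liability: bool = False              # e.g. claimed identity theft or fraud
    public_record_from_furnisher: bool = False  # furnisher supplied the record itself
    believed_credit_repair_org: bool = False    # reasonable belief per exception 2


def investigation_required(d):
    """Return (required, reason) for one direct dispute."""
    if d.subject not in TRIGGERING | EXEMPT:
        raise ValueError(f"unknown dispute subject: {d.subject}")
    # Exception 2 applies regardless of subject.
    if d.believed_credit_repair_org:
        return False, "submitted by or on a form from a credit repair organization"
    # Exception 1a: identifying information, unless the dispute is about liability.
    if d.subject == "identifying_info":
        if d.about_liability:
            return True, "identifying-info dispute that concerns liability"
        return False, "identifying information only"
    # Exception 1d: public-record data, unless the furnisher itself provided it.
    if d.subject == "public_record":
        if d.public_record_from_furnisher:
            return True, "public-record item furnished from an account relationship"
        return False, "information derived from public records"
    if d.subject in EXEMPT:
        return False, f"exempt subject: {d.subject}"
    return True, f"disputed {d.subject} on an account with the furnisher"


def triage(disputes):
    """Split a batch into disputes needing investigation and those that do not."""
    to_investigate, not_required = [], []
    for d in disputes:
        required, reason = investigation_required(d)
        (to_investigate if required else not_required).append((d.dispute_id, reason))
    return to_investigate, not_required


# Constructed sample batch.
SAMPLE_DISPUTES = [
    Dispute("D-1", "performance"),
    Dispute("D-2", "identifying_info"),
    Dispute("D-3", "identifying_info", about_liability=True),
    Dispute("D-4", "public_record"),
    Dispute("D-5", "terms", believed_credit_repair_org=True),
    Dispute("D-6", "inquiry"),
]

if __name__ == "__main__":
    need, skip = triage(SAMPLE_DISPUTES)
    for did, why in need:
        print(f"{did}: investigate - {why}")
    for did, why in skip:
        print(f"{did}: no investigation required - {why}")
```

Rejecting unknown subjects with an exception, rather than defaulting to "no investigation", is the safer failure mode: a mislabelled dispute then stops for review instead of silently escaping the obligation.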


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] 12 CFR § 222.41

[ii] 12 CFR § 334.43(a)

[iii] 15 USC Section 1679a(3)

Friday, July 22, 2022

Nonpublic Personal Information: Lead Generation Minefield

QUESTION

We used a lead generator. We belatedly found out the lead generation company used nonpublic personal information. Our regulator picked up on it in an examination and cited us for violations for every single one of the leads. 

Our CEO fired the lead generator, even though they are big and highly recommended. But now we’re forced to deal with the regulator doing special monitoring as well as the penalties. 

I am an associate in the compliance department. Our Compliance Manager asked me to write you for some advice on how we can go about distinguishing between a customer’s nonpublic personal information and public information. We are revising our policy for lead generators. Your feedback would be really helpful. 

How do we distinguish between nonpublic personal information and public information? 

ANSWER 

Lead generation companies can be a regulatory minefield. Over the years, we have been approached by lead generation companies to offer guidance. Many of these companies do not operate with sufficient regulatory scrutiny. They fly under the radar, grabbing customer information from many obvious and not-so-obvious sources. 

The Gramm-Leach-Bliley Act (GLBA) governs an institution’s distribution of nonpublic personal information (“NPI”) related to consumers. If the information is considered nonpublic personal information, distributing that information to third parties is subject to the GLBA. Information not deemed nonpublic personal information is not subject to GLBA and may be used without regard to the restriction. 

I published an article on this topic a few years ago, entitled The Lead Generation Company: Managing the Risks. Go ahead and download it here. The article offers quite a lot of solid information, including my Four Rules for lead generation marketing. It also provides my Three Concerns about online lead generation companies. I give tips on an institution’s policy and procedures and how to plan for a regulator’s visit. 

Also, request a presentation of our Privacy Tune-up, which evaluates GLBA compliance.

If you use a lead generation company, I suggest you contact a competent compliance professional. There are just too many pitfalls, regulatory traps, and exceedingly high compliance and legal risks to viewing lead generation as a mere marketing matter. 

Let’s start with the concept of Nonpublic Personal Information.[i] There are essentially two interlocking definitions: 

·    Personally identifiable financial information, and 

·    Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information. 

This definition does not include any publicly available information. 

I will discuss consumer lists momentarily. First, however, let’s review essential terminology. 

The term “personally identifiable financial information” is broadly interpreted.[ii] What is considered personally identifiable financial information includes information: 

·    Provided by a consumer to the institution to obtain a financial product or service from the institution when applying for a financial product or service; 

·    About a consumer resulting from transactions between the institution and the consumer involving a financial product or service; and 

·    Otherwise obtained about a consumer in connection with a financial product or service. 

For instance, the following information about a consumer is personally identifiable financial information: 

·    Information that a consumer provides on an application to obtain a loan, credit card, insurance, or other financial product or service, including, among other things, medical information; 

·    Account balance information, payment history, overdraft history, and credit or debit card purchase information; 

·    The fact that an individual is or has been a customer or has obtained a financial product or service from the institution, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records; 

·    Other information about a consumer if disclosed in a manner that indicates the individual is or has been a customer of the institution (such as a list of consumers who have loans or deposit accounts with the institution); 

·    Any information provided by a consumer or otherwise obtained by the institution or an agent of the institution in connection with collecting on a loan or servicing a loan; 

·    Any information the institution collects through an Internet cookie (an information-collecting device from a web server); and 

·    Information from a consumer report (i.e., a credit report or other report subject to the FCRA). 

In other words, virtually all the information a financial institution has about consumers with whom it does business is personally identifiable financial information under the applicable rule, including the fact that the consumer even conducts business with the institution. 

The only type of information that would not be considered personally identifiable financial information would be whatever information the institution would obtain outside the relationship involving a financial product or service. For instance, personally identifiable financial information does not include: 

·    A list of names and addresses of customers of an entity that is not a financial institution, such as a magazine subscription list, and 

·    Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers like account numbers, names, or addresses. (An example of this would be something similar to the Home Mortgage Disclosure Act (HMDA) data available to the public. The HMDA list contains a substantial amount of specific information about individual consumer mortgage loans, but it identifies individual loans by random numbers rather than by name, loan number, social security number, and so forth.)

Thursday, April 7, 2022

ECOA Self-Tests

QUESTION

Our regulator suggested that we do a self-test of our ECOA Regulation B compliance. 

We originate loans in 24 states. Also, we have a multi-billion dollar servicing portfolio. 

As the Compliance Officer and General Counsel, I believe there are legal privileges relating to the work product derived from a self-test. However, I can’t find much information about such privilege or whether it also applies to self-correction. 

We are voluntarily conducting the ECOA self-test to ensure compliance with fair lending requirements, among other things. We have done fair lending reviews previously; however, we believe that conducting ECOA self-test and self-correction reviews would provide additional legal protection. 

What is the legal privilege provided by conducting ECOA self-tests? 

ANSWER

In 1996, amendments were made to the ECOA and the Fair Housing Act (FHA) as part of the Economic Growth and Regulatory Paperwork Reduction Act of 1996. These provisions create a legal privilege for information developed by creditors through voluntary self-tests conducted to determine the level or effectiveness of their compliance with the ECOA and the FHA, provided that appropriate corrective action is taken to address any possible violations discovered. 

To elucidate further, privileged information may not be obtained or used by a government agency in an examination or investigation relating to compliance with the ECOA or the FHA, or by a government agency or credit applicant in any proceeding in which a violation of the ECOA or the FHA is alleged. The 1996 act also provides that a challenge to a creditor’s claim of privilege may be filed in any court or administrative law proceeding with appropriate jurisdiction. 

The privilege, therefore, serves as an incentive by assuring that evidence of discrimination voluntarily produced by a self-test will not be used against a creditor, provided the creditor takes appropriate corrective actions for any discrimination that is found. 

Consider using our ECOA Tune-up as a tool to review your Regulation B compliance. It will help you gain an overall readout of your ECOA implementation. 

Regulations implementing the self-test privilege were adopted under the ECOA as section 1002.15 of Regulation B,[i] and the same was done for the FHA provisions. The rules are virtually the same for both, with the primary difference being the scope of the two laws. 

Under the rules, a self-test is defined as 

any program, practice, or study designed and specifically used to determine the extent or effectiveness of a creditor’s compliance with the ECOA or the FHA, if that program, practice, or study creates data or factual information that cannot be derived from loan or application files or other records related to credit transactions. 

This definition of self-test includes, but is not limited to, the practice of using fictitious applicants for credit (i.e., testers). 

A creditor also may develop and use other methods of generating information that is not available in loan and application files, for example, by surveying mortgage loan applicants to assess whether applications were processed appropriately. 

However, there is a fundamental distinction: the definition does not include creditor reviews and evaluations of loan and application files, either with or without statistical analysis. Therefore, the self-test privilege does not protect any analysis or review of loan and application files. 

Appropriate corrective action is required for the privilege to apply when the self-test shows that it is more likely than not that a violation occurred – even though no violation has been formally adjudicated. That said, taking corrective action is not an admission that a violation occurred. 

The lender must take corrective action that is reasonably likely to remedy the cause and effect of a likely violation by:

·       Identifying the policies or practices that are the likely cause of the violation; and 

·       Assessing the extent and scope of any violation. 

Appropriate corrective action may include both prospective and remedial relief, except that to establish a privilege, the lender: 

·       Is not required to provide remedial relief to a tester used in a self-test;

·       Is only required to provide remedial relief to an applicant identified by the self-test as one whose rights were more likely than not violated; and

·       Is not required to provide remedial relief to a particular applicant if the statute of limitations applicable to the violation expired before the creditor obtained the self-test results or the applicant is otherwise ineligible for such relief. 

The report or results of a self-test are not privileged if the lender or a person with lawful access to the report or results: 

·        Voluntarily discloses any part of the report or results, or any other information privileged under this section, to an applicant, government agency, or the public;

·        Discloses any part of the report or results, or any other information privileged under the self-test rules, as a defense to charges that the creditor has violated the act or regulation; or

·        Fails or is unable to produce written or recorded information about the self-test that must be retained under the rules when the information is needed to determine whether the privilege applies. (In general, self-tests and results must be retained for 25 months after completion.)

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 12 CFR 1002.15, § 6.14 Incentives for Self-Testing and Self-Correction

Thursday, January 27, 2022

Elder Financial Abuse: Disclosure, Schemes, and “Red Flags”

QUESTION 

Elder abuse is a big issue because we serve a demographic in Florida consisting of senior citizens and the elderly. Each year, we have incidents of elder abuse. We train our employees on how to identify and report elder financial abuse. But it seems that there’s no end to it. 

We are now updating our policies relating to elder abuse. We have three questions, and we hope you will provide some guidance. We have plenty of advice from our regulator. However, we would like information based on your firm’s experience. Here are our questions. 

· What are we permitted to disclose about an incident of elder financial abuse?

· What are some of the schemes you have encountered to commit elder abuse?

· What are some indicators of elder financial exploitation you often come across?

ANSWER 

As you likely know, tellers, financial services representatives, and others who regularly interact with customers are in the best position to identify and report this type of problem. Consider them your front line! 

Abuse and exploitation of the elderly are statutorily defined at the state level. Federal guidelines have been issued not only by the federal prudential regulators but also by the CFPB, FinCEN, FHA, VA, USDA, and the GSEs. Several states impose requirements of their own, such as mandatory reporting of suspected abuse. You should consult your local bank or credit union association if you do not know your state’s laws. Be sure you are receiving ongoing guidance from compliance professionals. 

I have written extensively on elder financial exploitation. Here’s an article with downloads and links to some of my writing on this subject. 

I will take your questions one by one. 

What are we permitted to disclose about an incident of elder financial abuse? 

Various federal and state authorities either require or encourage reporting this type of information to the appropriate agency. However, many financial institutions were concerned that they might violate their privacy policy and the provisions of the Gramm-Leach-Bliley Act (GLBA) if they reported their suspicions, especially if their state law was silent on the subject. So in 2013, the federal banking agencies, the National Credit Union Administration (NCUA), and other federal financial regulators issued interagency guidance to clarify that reporting suspected financial abuse of older adults to appropriate local, state, or federal agencies does not, in general, violate the privacy provisions of the GLBA or its implementing regulations. 

In point of fact, specific privacy provisions of the GLBA and its implementing regulations permit the sharing of this type of information under appropriate circumstances without complying with the notice and opt-out requirements. The guidance set forth exceptions to the GLBA’s notice and opt-out requirements that, to the extent applicable, permit the sharing of nonpublic personal information about consumers with local, state, or federal agencies for the purpose of reporting suspected financial abuse of older adults, without the consumer’s authorization and without violating the GLBA. 

Those exceptions are: 

·    A financial institution may disclose nonpublic personal information to comply with federal, state, or local laws, rules, and other applicable legal requirements, such as state laws that require reporting by financial institutions of suspected abuse; 

·    A financial institution may disclose nonpublic personal information to respond to a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities, or to respond to judicial process or government regulatory authorities having jurisdiction for examination, compliance, or other purposes as authorized; and 

·    A financial institution may disclose nonpublic personal information to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability. For instance, this exception generally would allow a financial institution to disclose to appropriate authorities nonpublic personal information to report incidents that result in taking an older adult’s funds without actual consent or in reporting incidents of obtaining an older adult’s consent to sign over assets through misrepresentation of the intent of the transaction. 

To the extent specifically permitted or required under other provisions of law, a financial institution may also disclose nonpublic personal information to law enforcement and regulatory agencies or for an investigation on a matter related to public safety. 

What are some of the schemes you have encountered to commit elder abuse?

I could probably fill several spreadsheets with the number of schemes. We’ve come across many in our audits. It seems that the schemers continue to pop up with new ways to commit elder financial abuse. Here are a few schemes that we’ve found over the years.

Misappropriation of income or assets

Perpetrator obtains access to an elder’s social security checks, pension payments, checking or savings accounts, or credit or automated teller machine (ATM) card, or withholds portions of checks cashed for an elder.

Charging excessive rent or fees for service

Perpetrator charges an elder excessive rent or unreasonable fees for basic care services, such as transportation, food, or medicine.

Obtaining money or property by undue influence, misrepresentation, or fraud

Perpetrator coerces an elder into signing over investments, real estate, or other assets through manipulation, intimidation, or threats.

Improper or fraudulent use of the power of attorney or fiduciary authority

Perpetrator improperly or fraudulently uses the power of attorney or fiduciary authority to alter an elder’s will, borrow money using an elder’s name, or dispose of an elder’s assets or income.