The Nutter Bank Report is a monthly publication of the firm's Banking and Financial Services Group.

1. FinCEN Publishes FAQs on New Beneficial Ownership Due Diligence Requirements

FinCEN has released guidance in the form of answers to frequently asked questions (“FAQs”) about new customer due diligence (“CDD”) requirements that became effective this month. The CDD FAQs issued on July 19 clarify new requirements that banks and other covered financial institutions must obtain, verify and record the identities of the beneficial owners of legal entity customers. According to the FAQs, the CDD rule does not require that an institution’s beneficial ownership procedures for legal entity customers be identical to its customer identification program (“CIP”). The FAQs explain that the CDD rule requires that the procedures, at a minimum, contain the same elements as required for verifying the identity of customers that are individuals under the applicable CIP rule, but institutions may use photocopies or other reproductions of identification documents in the case of documentary verification. According to the FAQs, the CCD rule amends the anti-money laundering (“AML”) program requirements to explicitly require institutions to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence, which must include understanding the nature and purpose of customer relationships, and conducting ongoing monitoring to identify and report suspicious transactions and update customer information on a risk basis. Banks and other covered financial institutions have until May 11, 2018 to implement written policies and procedures to comply with the CDD rule. Click here for a copy of the FAQs.

Nutter Notes: The new CDD FAQs clarify that under the definition of “beneficial owner” — a “beneficial owner” would include an owner of 25% or more of a legal entity’s equity interests (i.e., the ownership prong) as well as a single individual with significant responsibility for controlling, managing, or directing the entity customer (i.e., the control prong) — each legal entity will have between 1 and 5 beneficial owners who are subject to the CDD requirements. According to the FAQs, a covered financial institution is not required to obtain CDD information directly from the beneficial owners of a legal entity customer. Rather, the CDD rule requires institutions to obtain beneficial ownership information from the individual seeking to open a new account on behalf of the legal entity customer. As with CIP requirements for individual customers, an institution must collect from a legal entity customer the name, date of birth, address and social security number for each beneficial owner who qualifies under the ownership prong (if any), and one beneficial owner who qualifies under the control prong. According to the FAQs, FinCEN intends that the legal entity customer identify its “ultimate beneficial owner or owners and not ‘nominees’ or ‘straw men’.”

2. FDIC Implements Updated IT Examination Procedures and Cybersecurity Assessment

The FDIC has updated its information technology and operations risk (“IT”) examination procedures to enhance identification, assessment and validation of IT in financial institutions and ensure that identified risks are effectively addressed by management. The updated program implemented on July 1, known as the Information Technology Risk Examination (InTREx) Program, also includes a cybersecurity preparedness assessment and discloses more detailed examination results using component ratings. According to the FDIC, InTREx examinations use a work program based on the Uniform Rating System for Information Technology (“URSIT”) that includes Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings. The Core Modules incorporate procedures to assess compliance with the Interagency Guidelines Establishing Information Security Standards and procedures to assess cybersecurity preparedness. Examiners will complete the InTREx Core Modules, a Cybersecurity Workpaper, and an Information Security Standards Workpaper to assess risk and to document examination procedures, findings and recommendations. FDIC examiners may also use expanded examination procedures, supplemental work-programs, and the FFIEC Information Technology Examination Handbook for banks with a higher IT profile. The results of the assessments will be included in the Risk Management Report of Examination. Click here for a copy of the InTREx Program documents.

Nutter Notes: The InTREx Program includes a revised pre-examination scoping process that focuses on emerging risks and technologies. Approximately 90 days before a scheduled IT examination, the bank will receive an Information Technology Profile (“ITP”) questionnaire through FDICconnect to be completed and returned to the FDIC. The bank’s responses to the ITP questionnaire will be used to determine the resources needed to perform the IT examination and help determine the scope of the examination. According to the FDIC, the ITP questionnaire has 65% fewer questions than the Officer’s Questionnaire used under the previous IT examination program. At least 45 days before the scheduled examination, an IT Request Letter reflecting the IT profile of the bank will be delivered through FDICconnect. After the examination, a summary of the overall condition of the IT function supporting the URSIT composite rating will be included on the Examiner Conclusions and Comments page. The Information Technology Assessment page will document URSIT component ratings, examination findings, recommendations, management’s responses, including timeframes for corrective action, and supporting comments for cybersecurity preparedness and compliance with information security standards.

3. Federal Banking Agencies Update CRA Compliance Guidance

The federal banking agencies with responsibility for Community Reinvestment Act (“CRA”) rulemaking have published final revisions to the Interagency Questions and Answers Regarding Community Reinvestment (“CRA FAQs”). The updated CRA FAQs issued on July 15 by the Federal Reserve, OCC and FDIC provide guidance on CRA questions dealing with the availability and effectiveness of retail banking services, and innovative or flexible lending practices. For example, “innovativeness” is a regulatory consideration in a variety of CRA performance tests. The updated CRA FAQs emphasize that innovative practices need to be responsive to community needs but are not required if existing products, services or delivery systems effectively address the needs of all segments of a community. The updated CRA FAQs also address community development-related issues, including economic development, community development loans and activities that revitalize or stabilize underserved nonmetropolitan middle-income geographies, and community development services. Click here for a copy of the updated CRA FAQs.

Nutter Notes: The updated CRA FAQs clarify how community development services are quantitatively and qualitatively evaluated. According to the agencies, the updates are meant to address inconsistencies in how community development services have been evaluated quantitatively and to respond to concerns that qualitative factors, such as whether community development services are effective or responsive to community needs, receive inadequate consideration. The updated CRA FAQs explicitly state that examiners will consider community development services qualitatively by assessing the degree to which those services are innovative or responsive to community needs. The updated CRA FAQs discuss how qualitative performance criteria augment the consideration given to community development services by recognizing that community development services sometimes require special expertise and effort on the part of the bank and provide benefit to the community that would not otherwise be possible. The updated CRA FAQs also clarify how examiners should evaluate the quantitative measure of community development services. The updated CRA FAQs include a list of examples of quantitative factors that examiners may assess to determine the extent to which community development services are offered and used, such as the number of low- and moderate-income individuals participating in a community development activity, the number of organizations served by a community development activity, and the number of sessions of a community development service activity.

4. CFPB Proposes Amendments to Privacy Rule Notice Requirements

The CFPB has proposed an amendment to its Regulation P, which requires, among other things, that banks and other financial institutions provide an annual notice describing their privacy policies and practices to their customers. The proposed amendment issued on July 1 would implement a December 2015 statutory amendment to the Gramm-Leach-Bliley Act (“GLBA”) that provides an exception to the annual notice requirement for institutions that meet certain conditions. On December 4, 2015, Congress amended GLBA to provide an exception under which banks and other financial institutions that meet certain conditions are not required to provide annual privacy notices to customers. To qualify for this exception, an institution must not share nonpublic personal information about customers except as described in certain statutory exceptions, and the institution must not have changed its privacy policies and practices from those that were most recently disclosed to customers. Click here for a copy of the proposed amendment.

Nutter Notes: As part of the proposal to implement the recent amendment to GLBA, the CFPB also proposed to amend Regulation P to provide timing requirements for delivery of annual privacy notices if a bank or other financial institution that qualified for the annual notice exception later changes its policies or practices in such a way that it no longer qualifies for the exception. Specifically, the CFPB proposed that an institution would be required to resume delivery of its subsequent regular annual notices pursuant to the existing timing requirements that govern delivery of annual notices generally if the institution changes its policies or practices in such a way that it no longer qualifies for the exception. The CFPB also proposed to remove the Regulation P provision that allows for use of the alternative delivery method for annual privacy notices because the CFPB believes that the alternative delivery method will no longer be used in light of the annual notice exception.

5. Other Developments: HMDA, Volcker Rule and TILA Inflation Adjustments

  • CFPB Provides Free Web Resources for HMDA Compliance

The CFPB published a web page on July 14 that includes free resources to aid banks and other financial institutions in complying with the CFPB’s October 15, 2015 Home Mortgage Disclosure Act (“HMDA”) final rule. The resources include a video that provides an overview of the HMDA final rule, and links to guidance on the new data submission process beginning with HMDA data collected by institutions in or after 2017.

Nutter Notes: The resources also include answers to frequently asked questions and other compliance guidance issued by the FFIEC and HUD for institutions required to file HMDA data. Click here for the CFPB’s HMDA compliance resources.

  • Federal Reserve Extends Compliance Deadline for Key Volcker Rule Provision

The Federal Reserve on July 7 announced that it will extend until July 21, 2017 the conformance period for banking organizations to divest ownership in certain legacy investment funds and terminate relationships with funds that are prohibited under Section 619 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), commonly known as the Volcker Rule.

Nutter Notes: The Federal Reserve announced in December 2014 that it would make this extension to provide for orderly divestitures and to prevent market disruptions. This is the final of the three one-year extensions that the Federal Reserve is authorized to grant. Click here for a copy of the order approving the extension.

  • Federal Banking Agencies Issue Proposals for TILA Annual Inflation Adjustments

The CFPB, Federal Reserve Board and OCC issued proposals on July 22 for the method that will be used to make annual inflation adjustments to the threshold for exempting small loans from higher priced mortgage loan appraisal requirements and the method that will be used to adjust the thresholds for exempting certain consumer credit and lease transactions from the Truth in Lending Act (“TILA”) and Consumer Leasing Act.

Nutter Notes: The Dodd-Frank Act amended TILA to add special appraisal requirements for higher-priced mortgage loans. The rules implementing these requirements contain an exemption for loans of $25,000 or less, which amount must be adjusted annually for inflation. The Dodd-Frank Act also requires that the exemption thresholds in TILA and the Consumer Leasing Act be adjusted annually for inflation. Click here and here for copies of the proposals.