Regulatory Hot Topics for the Financial Services Industry in 2014

A Protiviti WebinarJanuary 29, 2014

© 2014 Protiviti Inc.2

Presenters

Shaheen Dil, Managing Director, Model Risk and Capital Management, ProtivitiTim Long, Managing Director

Tim Long is a Managing Director in Protiviti’s U.S. Financial Services Industry Practice and leads our U.S. Regulatory Practice. He brings extensive knowledge of financial services regulation with hands on experience in all bank supervision and policy related matters. Tim retired from the OCC after a 31-year career in which he oversaw virtually all of the agency’s bank supervision and policy units. He has significant experience working with large complex banks, regional financial institutions and community bank organizations.

In his most recent role with the OCC, Tim served as Senior Deputy Comptroller for Bank Supervision Policy and Chief National Bank Examiner. He was a key advisor to the Comptroller, a member of the OCC’s Executive Committee, and was the Chair of the Committee on Bank Supervision for the agency.

Scott Jones, Managing Director

Scott Jones is a Managing Director with Protiviti, and the leader of our firm’s West Region Financial Services Industry (FSI) Internal Audit and Financial Advisory (IAFA) Practice. He is also a member of our Firm’s 6-member Global FSI Leadership Council. Overall, Scott has over 30 years experience with financial institutions. He was formerly with Arthur Andersen – and was a founding Managing Director with Protiviti in 2002. He is a Certified Public Accountant and an Attorney-at-Law.

© 2014 Protiviti Inc.3

Presenters

Shaheen Dil, Managing Director, Model Risk and Capital Management, ProtivitiJohn Atkinson, Director

John Atkinson is a Director with Protiviti in the firm’s Regulatory Risk Consulting practice. At Protiviti John consults with a broad array of financial institution clients on regulatory and risk management issues, including anti-money laundering and sanctions compliance, Dodd-Frank Act regulations, and FATCA implementation. John joined Protiviti in June 2008 after a 30-year career at the Federal Reserve Bank of Atlanta, where he had oversight and management responsibilities at the official level for numerous bank supervision functions. John has been a regular speaker for many years at professional conferences and events for industry, regulatory, and law enforcement groups on both a national and international basis. He holds the Certified Anti-Money Laundering Specialist (CAMS) designation.

Steven Stachowicz, Director

Steven Stachowicz is a Director and member of Protiviti’s Regulatory Risk Consulting practice in Chicago.  Steven has extensive experience advising financial services companies on risk management, with particular emphasis on compliance management systems and consumer protection legal and regulatory requirements, such as privacy, fair lending, and lending and deposits requirements.  His clients include major U.S. banks and non-bank financial services companies.  Prior to joining Protiviti, Steven worked at a top-10 U.S. bank holding company, where he implemented systemic controls, policies and training related to high cost lending and FCRA compliance, as well as created and maintained a compliance risk assessment and manage compliance reviews of various operations. Steven has written extensively, and has been a frequent speaker, on regulatory issues.

© 2014 Protiviti Inc.4

Presenters

Nicole Weber, Associate Director

Nicole Weber is an Associate Director and member of Protiviti’s Regulatory Risk Consulting practice in Minneapolis. Nicole has worked with a variety of clients in the financial services industry assisting them with the implementation of the changing regulatory compliance requirements, internal audit, and helping them design new processes to ensure ongoing compliance. She has over 15 years of experience in financial services, including a background in regulatory compliance for retail and wholesale broker-dealers, asset management companies, and hedge fund operations. Prior to joining Protiviti, Nicole worked in the compliance and legal departments for two broker-dealers and an asset management firm where she was responsible for supervision, regulatory reviews, risk assessments, training, and continuing education.

© 2014 Protiviti Inc.5

Agenda

Regulatory Environment and 2014 Overview

6

Consumer Financial Lending and Deposits Products

8

Anti-Money Laundering and Sanctions 13

Broker-Dealers and Investment Advisers 17

Impact on Compliance and Internal Audit 21

Regulatory Environment and 2014 Overview

Consumer Financial Lending and Deposits Products

Anti-Money Laundering and Sanctions

Broker-Dealers and Investment Advisers

Impact on Compliance and Internal Audit

© 2014 Protiviti Inc.7

2014 Regulatory Landscape

Consumer Protection Issues

• CFPB• UDAAP• Fair Lending• Indirect Auto and Card

BSA/AML

• Risk Assessment• System Validation and Technology• Audit

Heightened Expectations

• Governance• ERM• Internal Audit

Third Party Vendor Management

Regulatory Environment and 2014 Overview

Consumer Financial Lending and Deposits Products

Anti-Money Laundering and Sanctions

Broker-Dealers and Investment Advisers

Impact on Compliance and Internal Audit

© 2014 Protiviti Inc.9

2014 Regulatory Changes and Environment

Ability-to-Repay/QM

Mortgage Servicing Standards

LO Comp

Escrows

HOEPA/Home

OwnershipCounseling

Flood

Appraisals

Credit Insurance

Mortgage Origination Disclosures

(2015)

Payday/Deposit Advance

Remittance Transfers

Prepaid Cards

Debt Collections

Over-drafts

Student Lending

Risk Retention/Q

RM

MandatoryArbitration

Garnish-ments

© 2014 Protiviti Inc.10

Avoiding the Mortgage “Debt Trap”

• New Loan Estimate and Loan Closing disclosures (2015)

• New monthly billing statements

• Enhanced interest adjustment notifications

• New payoff statements

• Enhanced appraisal provision requirements

• New homeownership counseling requirements

• Enhanced disclosure of MLO licensing/registration information

• Retain a portion of the credit risk associated with mortgages securitized

• Cannot transfer or hedge credit risk retained

• Proposed exemption from requirements established for QMs

• Establish servicing and loss mitigation policies and procedures

• Intervene early

• Avoid “dual-tracking”

• Ensure continuity of contact

• Enhance hazard insurance force-placement processes

• Longer escrow period for higher-priced mortgages

• Requires full verification and documentation of financial information

• Borrowers’ ability to repay over full period of loan must be determined

• Enhanced lender legal protection available when originating “qualified mortgages”

Enhanced Disclosures

Creditor Risk Retention

Servicing & Loss Mitigation

Avoiding the Mortgage

“Debt Trap”

Repayment Ability

© 2014 Protiviti Inc.11

Non-Mortgage Retail Products and Services

Rulemaking & Guidance

• June 2013: Bulletin issued regarding responsible business conduct: self-policing, self-reporting remediation, and cooperation

• July 2013: Bulletin issued regarding UDAAP and debt collection

• September 2013: Bulletin issued regarding credit bureau reporting of credit card disputes under FCRA

• September 2013: Interagency guidance issued on reporting elder financial abuse and privacy

• September 2013: Bulletin issued regarding required use of payroll cards

• October 2013: Final rules regarding remittance transfers effective

• December 2013: Final rule issued regarding supervision of non-bank student loan servicers

• December 2013: Interagency guidance issued on social media

Enforcement Activity – December 2013 Only

• Health-Care Credit Cards: $34.1m restitution. CFPB raises CARD Act and UDAAP concerns related to enrollment practices

• Short-Term, Small-Dollar Loans: CFPB sues to stop collections on loans made online by a tribal lender that were void and refund payments

• Indirect Auto Lending: $80m restitution, $18 CMPs. CFPB and DOJ find fair lending violations related to Bank’s lending practices and a weak compliance program

• Credit Card “Add-On Products”: $59.5m restitution, $9.6m CMPs. CFPB notes UDAAP and FCRA concerns related to marketing, enrollment and servicing of these products

Horizon (2014+)

• Campus Financial Products: January 2013 Notice and Request for Information issued

• Payday and Deposit Advance Products: April 2013 report finds that products can be a “trap” for consumers

• Overdrafts: June 2013 report finds variances in costs and closures related to deposit account overdraft activities

• Private Student Loans: October 2013 study finds repayment problems

• Debt Collection: November 2013 ANPR issued to gather more information about debt collection practices ahead of proposing FDCPA regulations

• Mandatory Arbitration: December 2013 study finds that few customers use arbitration

© 2014 Protiviti Inc.12

Ever-Expanding Expectations

• Self-policing and self-reporting• Corrective actions and customer remediation• Regulatory cooperation

• Unfair, abusive or deceptive acts or practices‒ Product lifecycle‒ High-risk products and services

• Fair lending

• Strategic, well-documented risk management program• Increased vendor due diligence and oversight

• Prevention of elder financial exploitation and abuse• Customer interaction through social media• Servicemember protections

• Ongoing self-assessment and self-disclosure• Employment practices• Third-party vendors

Your Conduct

Your Acts and Practices

Your Vendors

Your Customers

Your Diversity

Increased Expectations to Manage…

Regulatory Environment and 2014 Overview

Consumer Financial Lending and Deposits Products

Anti-Money Laundering and Sanctions

Broker-Dealers and Investment Advisers

Impact on Compliance and Internal Audit

© 2014 Protiviti Inc.14

Anti-Money Laundering/Sanctions

Compliance issues, and AML in particular, continue to receive high-level attention from Congress and extra scrutiny from regulators. Enforcement actions and “matters requiring attention” are issued with ongoing regularity and demand improvements in AML and sanctions programs that need management time and resources. All indicators are that this Congressional and regulatory emphasis on sound identification and strong management of AML risks will continue, if not grow.

Environment:

Bank Secrecy Act (BSA) and anti–money laundering (AML) risks are increasing as BSA programs at some banks fail to evolve or incorporate appropriate controls into new products and services. In addition, changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud are increasing threats. A lack of resources and expertise devoted to BSA/AML risk management in some banks often compounds these issues.”

OCC Semiannual Risk Perspective, Fall 2013

“

”

© 2014 Protiviti Inc.15

Anti-Money Laundering/Sanctions

Hot Topics:

• Active support from the board of directors and senior management• Effective management reporting to board and senior management• Sufficient commitment of resources, with regular staffing analyses• Alignment of compensation decisions and compliance performance

Governance and Staffing

• Strong onboarding procedures followed by regular updates• Robust customer risk scoring systems• Easily accessible information for use in investigations, etc.• Holistic view of the customer across the organization and all relationships

Customer Due Diligence/Enh

anced Due Diligence

• Clear description of methodology• Quantitative analysis support• “Horizontal” assessment of higher-risk products

Risk Identification

and Assessment

© 2014 Protiviti Inc.16

Anti-Money Laundering/Sanctions

Hot Topics:

• Clear link between monitoring efforts and risk• Efficient alert management• Analysis of SAR information• Enterprise-wide coverage

Identification and Reporting of Suspicious

Activity

• Full use of system(s) functionality• Coverage of AML/Sanctions systems by model governance• Regular “tuning” of systems to match risk exposures• Periodic validation of systems

Technology Maintenance

and Validation

• Scoping consistent with risks• Testing by qualified staff/vendors• Timely and complete follow-up on previously cited deficiencies• Overall assessment of the adequacy of AML/Sanctions program

Independent Testing

• Customize training to needs of institution staff• Document new hire training and ongoing training

Training

Regulatory Environment and 2014 Overview

Consumer Financial Lending and Deposits Products

Anti-Money Laundering and Sanctions

Broker-Dealers and Investment Advisers

Impact on Compliance and Internal Audit

© 2014 Protiviti Inc.18

Data Collection and Reporting

With the implementation of regulations requiring collection and reporting of account and transaction data, regulators will soon have the ability to use the data to recognize trends, identify potential regulatory infractions, and target their exams through data analysis.

Firms should expect to incorporate the processes and procedures related to new data collection and

reporting requirements into their existing supervisory oversight and compliance

monitoring programs.

Internal identification of trends and resolution of

potential issues in a timely manner will be key, before

regulators identify the trends from their data analysis.

• SEC Rule 613• Firms will need to develop plans for complying

with CAT to provide requested data in a consistent format that will allow for timely compilation and analysis across the industry.

Consolidated Audit Trail

(CAT)

• Securities Exchange Act Rule 13h-1

• Firms should continue monitoring the evolution of the Large Trader Reporting requirements to ensure they are coordinated with CAT requirements, while also complying with current reporting requests from the SEC, when received.

Large Trader

Reporting

• FINRA Regulatory Notice 13-38

• Firms should review the FINRA requirements and ensure changes are implemented to report the new data elements to SIAC by the effective date.

Enhanced EBS

Reporting

© 2014 Protiviti Inc.19

Hedge Fund Examinations

Section 403 of Dodd-Frank requires hedge fund advisers and other private fund advisers to register with, and in certain instances provide public reports to, the SEC.

These firms are likely to face SEC exams in 2014, with a focus on marketing, portfolio management, conflicts of interest, safety of client assets, and the valuation of assets.

Before the regulators arrive, firms can prepare for a regulatory exam by:

Documenting policies and procedures to understand the business and how the hedge fund operations may differ from operations in the rest of the financial institution, especially if the hedge fund group is part of a larger organization;

Identifying risks and controls, including segregation of duties and technology controls;

Assessing the design effectiveness of existing controls, identifying gaps, and defining a remediation plan; and

Conducting a self-exam to evaluate the operational effectiveness of the processes and controls and allow employees to understand the examination process and prepare accordingly.

© 2014 Protiviti Inc.20

Compliance is in the Details…

In September 2013, the SEC approved an expansion of FINRA’s Minor Rule Violation Plan, which allows FINRA to fine firms, associated persons and registered representatives up to $2,500 for minor or technical violations of certain rules. An additional 37 rules were added to the list, including:

• Failure to comply with Regulatory Element continuing education requirements (FINRA Rule 1250(a))

• Failure to create, maintain and update a written business continuity plan and disclose the plan to customers (FINRA Rules 4370(a), (b), (c), (e), and (f))

• Failure to disclose conflicts of interest prominently (FINRA Rule 5121(a))

• Failure to report or update contact information (NASD Rule 1160)

In September 2013, FINRA proposed a change related to disclosure and reporting of recruiting compensation received by registered representatives. Approval would require:

• Disclosure of recruiting compensation of $100,000 or more that is received by a representative as a result of switching firms, prior to the transfer of any customer account and for one year after the representative joins the new firm

• Reporting to FINRA total compensation increases of 25% or $100,000 over the prior year, whichever is greater, for any representatives who transfer to the hiring firm

Proposed rule intends to provide customers with more visibility into potential conflicts of interest that may exist because the representative who is switching firms may have compensation incentives to bring his or her book of business to the new firm

Recruiting Comp and Conflicts of InterestFINRA Minor Rule Violation Plan Expansion

Although compliance with all applicable regulations is important, firms should determine if existing policies, procedures, monitoring and supervision are sufficient and whether updates might be required. Firms should utilize these rule changes as an opportunity to reinforce the importance of compliance at every level.

Regulatory Environment and 2014 Overview

Consumer Financial Lending and Deposits Products

Anti-Money Laundering and Sanctions

Broker-Dealers and Investment Advisers

Impact on Compliance and Internal Audit

© 2014 Protiviti Inc.22

Compliance and Audit Within The Three Lines of Defense

FIRST LINE OF DEFENSE

(“The Line”)Management Business Unit/System Owners

Risk Management

Internal Audit

SECOND LINE OF DEFENSE

(Support Functions)

THIRD LINE OF DEFENSE

(Independent Assurance)

Compliance Management

Legal

Human Resources

Finance

Operations

Technology

Credit Review

© 2014 Protiviti Inc.23

Regulatory Landscape

• Changes are as diverse as they are complex• Coordinated implementation of new regulation is necessary• Pre-implementation project management and post-implementation

monitoring• Compliance with technical requirements is not enough• Beware the “sleeper” requirements and regulatory guidance• More changes are still coming (examples: Mortgage origination disclosures,

Debt collections, Prepaid Cards)

Compliance and Internal Audit Considerations

Compliance Management/

Monitoring Considerations

• Organized within Compliance Management• Proactively tests for compliance, Helps set policy, Monitors for compliance

success• Begins with a risk assessment and allocation of resources to monitor risk• Challenge: FTE/Skilled Resources/Budget

Internal Audit Considerations

• Begins with a risk assessment and allocation of resources to address risk• Resources and budgets trending higher (accordingly co-source needs

trending higher)• Increased examiner scrutiny and expectation• Increased compliance skills

© 2014 Protiviti Inc.24

We believe an internal audit plan should include:

• Projects that you have to do

• Projects you should do because of significant or emerging risk

• Projects you should cycle-in,

• Projects requested by the Audit Committee, Management, or arise in the circumstances.

Risk Assessment

2014 Suggested Plan Development Philosophy

AvoidRadar

ManageRisk

Other MonitorRisk

Projects related to Significant or Emerging Risk

There are some projects that relate to significant or emerging risk areas, and should be addressed in the current year plan.

Cycled Projects

There are some projects that relate to well managed or controlled areas, which should be cycled-in to the current year plan.

Management Special Projects

There are some projects that may not create risk today, but which management requests internal audit assistance.

Annually Required Projects

There are some projects that internal audit is required to do because of legislation/law or because of regulatory examiner expectation.

© 2014 Protiviti Inc.25

Resources

Title Format Link

2014: The Year Ahead in Financial Services FS Insights Link

Protecting Your Customers – Going Above and Beyond Regulatory Expectations

POV Link

New Consumer Protections Required for International Money Transfers Flash Report Link

OCC Updates Guidance on Third-Party Relationships Flash Report Link

Views on AML Transaction Monitoring Systems – From System Selection to Effective Governance

Compilation of POV Series Link

Guide to U.S. Anti-Money Laundering Requirements, Frequently Asked Questions, Fifth Edition

Resource Guide Link

Getting to Strong – What Banking Organizations Need to Know Whitepaper Link

Top Priorities for Internal Audit in Financial Services Organizations Survey Link

Restoring Confidence: Risk Management Capabilities in the Wake of the Financial Crisis

An Economist Intelligence Unit Research Program Sponsored by Protiviti

Link

Refer to Protiviti’s website for more resources related to Regulatory Compliance, Risk Management and Internal Audit

© 2014 Protiviti Inc.26

Contacts

Phone: 212-399-8637

timothy.long@protiviti.com

Tim LongManaging Director, Global Regulatory Practice Leader

Phone: 213-3271442

scott.jones@protiviti.com

Scott JonesManaging Director, U.S. FSI Internal Audit Practice Leader

Phone: 404-926-4347

john.atkinson@protiviti.com

John AtkinsonDirector, Regulatory Practice

Phone: 312-931-8932

steven.stachowicz@protiviti.com

Steven StachowiczDirector, U.S. Regulatory Practice

Phone: 952-249-2230

nicole.weber@protiviti.com

Nicole WeberAssociate Director, Regulatory Practice

© 2014 Protiviti Inc.27