Check your to do list
By Pauli Loeffler
Let’s review some of your annual compliance chores to ensure they are tidy and cared for.
Security, Annual Report to the Board of Directors § 208.61 – The Bank Protection Act requires that your Security Officer report at least annually to the board of directors on the effectiveness of the security program. The substance of the report must be reflected in the minutes of the meeting. The regulations don’t specify if the report must be in writing, who must deliver it, or what information should be in the report. It is recommended that your report span three years and include last year’s historical data, this year’s current data and projections for the next year.
Similar to compliance reporting to the board, this may include a personal presentation, or it may not. I recommend that it does, as it is an opportunity to explain what is being done to control what has happened as well as foreseeable events, and why, which can assist you in getting the budget and assets necessary in the coming year. While the year end is not necessarily the most desirable time to make such a presentation, take whatever time you do get and use it wisely. Annual presentations such as this are better done when the directors can focus more on the message, so try to avoid quarter ends, and especially the fourth quarter.
Regulation O, Annual Resolution §§ 215.4, 215.8 – In order to comply with the lending restrictions and requirements of 215.4, you must be able to identify the “insiders.” Insider means an executive officer, director, or principal shareholder, and includes any related interest of such a person. Your insiders are defined in Reg O by title unless the Board has passed a resolution excluding certain persons. You are encouraged to check your list of who is an insider, verify that against your existing loans, and ensure there is a notification method to keep this list updated throughout the year.
Fair Credit Reporting Act – FACTA Red Flags Report – Section VI (b) (§ 334.90) of the Guidelines (contained in Appendix J) requires a report at least annually on your Red Flags Program. This can be reported to either the Board, an appropriate committee of the Board, or a designated employee at the senior management level.
This report should contain information related to your bank’s program, including the effectiveness of the policies and procedures you have addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts, as well as service provider arrangements, specifics surrounding significant incidents involving identity theft plus management’s response to these, and any recommendations for material changes to the bank’s program. Times change, customers’ habits change, and, importantly, criminals change, and each may require tweaks to the bank’s program.
Reg E § 1005.8 (b) – If your consumer customer has an account to or from which an electronic fund transfer can be made, an error resolution disclosure is required. There is a short version that you may have included with each periodic statement. If you’ve used this, you are done with this one. But if you send the longer version that is sent annually, it is time to review it for accuracy and ensure it has been sent or is scheduled to be. Electronic disclosures under E-SIGN are allowed here.
This is also a good time to review §1005.7(c) (additional electronic fund transfer services) and determine if any new services have been added and if they were disclosed as required. Think Person-to-Person transfers like Zelle, Venmo or Square. These require disclosure and inaccurate disclosures may affect your claims processing.
Annual MLO Registration § 1007.102 – Mortgage Loan Originators must go to the online Registry and renew their registration. This is done between November 1 and December 31. If this hasn’t been completed, don’t push it to the back burner and lose track during the holidays and then have to join a year-end rush to complete this task. This is also a good time to plan with management and Human Resources any MLO bonus plans. Reg Z Section 1026.36(d)(1)(iv)(B)(1) allows a 10 percent aggregate compensation limitation on total compensation which includes year-end bonuses.
BSA Annual Certifications – Your bank is permitted to rely on another financial institution to perform some or all the elements of your CIP under certain conditions. The other financial institution must certify annually to your bank that it has implemented its AML program. Also, banks must report all blockings to OFAC within ten days of the event and annually by September 30, concerning those assets blocked as of June 30.
Information Security Program part of GLBA – Your bank must report to the board or an appropriate committee at least annually. The report should describe the overall status of the information security program and the bank’s compliance with regulatory guidelines. The reports should discuss material matters related to the program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.
IRAs, IRS Notice – If a minimum distribution is required from an IRA for a calendar year and the IRA owner is alive at the beginning of the year, the trustee that held the IRA on the prior year-end must provide a statement to the IRA owner by January 31 of the calendar year regarding the required minimum distribution.
Training – An actual requirement for training to be conducted annually is rare, but annual training has become the industry standard and may even be stated in your policies. There are six areas that require training (this doesn’t mean you don’t need other training, just that these regulations have stated requirements).
– BSA (12 CFR §21.21(c)(4) and §208.63(c)(4)) Provide training for appropriate personnel.
– Bank Protection Act (12 CFR §21.3(a)(3) and §208.61(c)(1)(iii)) Provide initial & periodic training.
– Reg CC (12 CFR §229.19(f)) Provide each employee who performs duties subject to the requirements of this subpart with a statement of the procedures applicable to that employee.
– Customer Information Security, found at III(C)(2) of the Interagency Guidelines for Safeguarding Customer Information: training is required. (Many banks allow for turnover and train as needed, imposing their own requirements on frequency.)
– FCRA Red Flag (12 CFR 222.90(e)(3)) Train staff, as necessary, to effectively implement the Program.
– Overdraft protection programs your bank offers. Employees must be able to explain the programs’ features, costs, and terms, and to explain other available overdraft products offered by your institution and how to qualify for them. This is one of the “best practices” listed in the Joint Guidance on Overdraft Protection Programs issued by the OCC, Fed, FDIC and NCUA in February 2005 (70 FR 9127, 2/24/2005), and reinforced by the FDIC in its FIL 81-2010 in November 2010.
Miscellany – Some miscellaneous items you may address internally in policies and procedures include preparation for IRS year-end reporting, vendor due diligence requirements including insurance issues and renewals, documenting ORE appraisals and sales attempts, risk management reviews, records retention requirements and destruction of expired records, and a designation by the bank’s board of the next year’s holidays. And last but not least, has there been a review of those staffers who have not yet taken vacation or “away time” for the five consecutive business days per the Oklahoma Administrative Code 85:10-5-3 “Minimum control elements for bank internal control program”?
Reg Z Thresholds and Updates – These changes are effective January 1, 2025. You should ensure they are available to staff or correctly hard coded in your systems.
§ 1026.3 – Exempt transactions. There are exemptions from coverage by Reg Z under (b) of this section. One such exemption is when the loan amount exceeds the threshold set in comment 3(b)-3 for that period. Effective January 1, 2025, the amount increases from $69,500 to $71,900. This applies to loans exceeding the threshold amount that are NOT secured by real or personal property used or expected to be used as the principal dwelling of the consumer and are not private education loans as defined in § 1026.46(b)(5). There are additional requirements for exemption with regard to open-end credit. Please note that the Oklahoma Uniform Consumer Credit Code uses the same threshold as Reg Z.
§ 1026.32 – High Cost Mortgage Loans (HOEPA) – The adjusted total loan amount threshold for high-cost mortgages in 2025 will be $26,968. The adjusted points-and-fees dollar trigger will be $1,348.
For qualified mortgages (QMs) under the General QM loan definition in § 1026.43(e)(2), the threshold for the spread between the annual percentage rate (APR) and the average prime offer rate (APOR) in 2025 will be:
iv. For 2025, reflecting a 3.4 percent increase in the CPI-U that was reported on the preceding June 1, to satisfy § 1026.43(e)(2)(vi), the annual percentage rate may not exceed the average prime offer rate for a comparable transaction as of the date the interest rate is set by the following amounts:
A. For a first-lien covered transaction with a loan amount greater than or equal to $134,841, 2.25 or more percentage points;
B. For a first-lien covered transaction with a loan amount greater than or equal to $80,905 but less than $134,841, 3.5 or more percentage points;
C. For a first-lien covered transaction with a loan amount less than $80,905, 6.5 or more percentage points;
D. For a first-lien covered transaction secured by a manufactured home with a loan amount less than $134,841, 6.5 or more percentage points;
E. For a subordinate-lien covered transaction with a loan amount greater than or equal to $80,905, 3.5 or more percentage points;
F. For a subordinate-lien covered transaction with a loan amount less than $80,905, 6.5 or more percentage points.
For 2025, a covered transaction is not a qualified mortgage unless the transaction’s total points and fees do not exceed:
A. For a loan amount greater than or equal to $134,841: 3 percent of the total loan amount;
B. For a loan amount greater than or equal to $80,905 but less than $134,841: $4,005;
C. For a loan amount greater than or equal to $26,968 but less than $80,905: 5 percent of the total loan amount;
D. For a loan amount greater than or equal to $16,855 but less than $26,968: $1,305;
E. For a loan amount less than $16,855: 8 percent of the total loan amount.