Description of Change
The bank directs customers to send loan payments and other correspondence to a P.O. Box. A
Business Case
■ What prompted the change?
■ Did compliance requirements play a role?
■ What products are impacted by the change?
■ Will both consumers and commercial customers be impacted?
■ What is the proposed timing of the change?
Design
■ What, if anything, will the third party do differently than the bank did?
■ When and how will customers be notified of the change?
Regulatory Compliance
■ How will the vendor ensure the bank’s retail payments are processed as of the date received for consumer transactions? (Regulation Z)
■ How is date of receipt tracked?
■ If payments are posted on a date other than the day they are received, does the vendor backdate the payment to the date of receipt? (Regulation Z)
■ How will the vendor ensure customer correspondence and other information is handled in accordance with privacy requirements including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (for health care customers)?
Enforcement Actions
■ Have there been any enforcement actions related to lockbox processing or similar services?
Operations
■ Is there enough lead time for required notification to consumer customers of the bank and to customers of the bank’s commercial lockbox customers?
■ Have operations personnel been educated on the change and trained on how to handle customer questions regarding the change?
■ What is the process for handling payments or correspondence that comes to the bank after the implementation date? These must be processed timely and in compliance with Regulation Z.
Marketing
■ Are marketing materials offering the service compliant with applicable regulations and free from unfair, deceptive, or abusive acts or practices?
Third-party Vendor
■ Has due diligence been performed on the vendor including its knowledge and ability to comply with all relevant consumer financial regulations?
■ Have procedures been obtained from the vendor detailing the process and the compliance
■ Has an on-site visit been conducted to observe the operation?
■ Is the vendor prepared to handle anticipated transaction volumes?
■ How will delays in payment posting, if they occur, be handled?
■ Does the vendor have an adequate business continuity plan in place?
■ Are appropriate remediation actions addressed in the contract should the third party fail to meet terms outlined in the service level agreement?
■ What happens if the vendor contract is suddenly terminated?
■ Are alternate vendors identified?
Sales
■ Are there any compliance concerns regarding sales scripts that address new product features and
■ Is sales training, including compliance, planned prior to roll-out?
Systems & Testing
■ What systems adjustments will be required to facilitate the vendor’s posting of payments?
■ Has system testing been performed to verify modifications are operating properly and do not cause unintended compliance errors?
Post-Implementation
■ What monitoring has management put in place to ensure the vendor is performing according to agreed-upon service-level agreements? And are payments being applied as expected in compliance with regulatory requirements?
■ What compliance performance monitoring and reporting has the project team developed to identify issues that arise post-implementation?
■ How and when will issues be escalated to senior management?