ABA Bank Compliance - July/August 2014

MAN ICKING

■■ ■

https://ssw.asu.edu/research/stir/ exploring-sex-trafficking-and-prostitution-demand-during-the- super-bowl-2014

Modern-Day Slavery and Compliance Challenges

BY ART MIDDLEMISS AND HILLARY ROSENBERG

Contents

JULY–AUGUST 2014 | VOL. 35 | NO. 4

Model Risk Management

The joint supervisory guidance on model risk management, known as SR11-07 or OCC-2012-11, is now over three years old.

Is your bank fully compliant?

BY ANDY SPERO

The Executive’s Guide to

Your Bank’s Website and the ADA

BYMARKMILLER

From the Internet to the Courtroom

Difficulties in testing a subjective and wide-ranging topic

You’re probably getting tired of reading about UDAAP (Unfair, Deceptive, or Abusive Acts or Practices), but clearly it’s one of the most critical regulatory risks impacting banks today. One need only look at the number of enforcement actions and consent agreements that incorporate UDAAP in one form or another, and the monetary penalties can be severe. This is not just a large bank phenomenon, either; community banks are also hearing about UDAP (minus the second ‘A’ for “Abusive,” as only the CFPB has supervisory authority over UDAAP) from the prudential regulators.

Regulatory agencies expect banks to have strong risk management structures in place to proactively self-identify and mitigate regulatory risks, which in this case include acts or practices that could be considered unfair, deceptive, or abusive. A critical component of such a structure is an effective compliance management system, which includes robust testing. So how can a bank develop and implement such a program to test for UDAAP risk? The following is meant to provide some helpful ideas:

Traditional testing and audit programs
Much has been written about UDAAP (or UDAP;
for purposes of this discussion they’re interchange-
able), and how different it is from other banking
laws and regulations. Rules such as Regulations Z
(Truth in Lending) and X (RESPA) control specific
conduct: provide disclosures (1) to particular par-
ties; ( 2) at specific times; ( 3) that include mandated
information, for instance. As compliance officers,
we’re used to this. When a new rule is issued, we
barricade ourselves in our offices to go through
the Federal Register (with our reading glasses and
highlighters), develop or amend policies and proce-
dures, and then we come out and implement those
changes by a set date.

Once that’s done, we develop compliance tests and audit processes to ensure the changes have been implemented properly. Often testing processes can be developed without much hassle since the questions are straightforward: (1) Was the disclosure given to the proper party? ( 2) Was the disclosure provided timely? ( 3) Did the disclosure include the proper content? And so forth.

Develop principles-based testing

But of course UDAAP is a rule unlike any other. Broad language is found in theDodd-Frank and FTC Acts, and nowhere is there a definitive list of what’s acceptable and what’s not. This is perhaps the biggest difference between UDAAP and other banking laws and regulations. UDAAP is statute that articulates a principle and that seemingly simple concept makes testing for it extremely difficult. How do you test for a principle? Is it a simple question of “Would this practice be considered unfair, deceptive, or abusive”? If it were that easy, UDAAP testing programs and audits would be nothing more than second guessing the opinions of others in the bank.

AN IN-DEPTH LOOK

JULY–AUGUST 2014 | ABA BANK COMPLIANCE | 19 18 | ABA BANK COMPLIANCE | JULY–AUGUST 2014

Auditing for UDAAP

BYCARLPRY,CRCM,CRP

12 | Human Trafficking:

Modern-Day Slavery and Compliance Challenges

In January, President Obama asked us, in his Presidential Proclamation on National Slavery and Human Trafficking Prevention, “to recognize the vital role we can play in ending all forms of slavery.” But as more lawyers and compliance professionals recognize slavery and human trafficking, the logical question is what can we do about it? We outline the scope of human trafficking, examine legislation, and discuss some of the challenges facing companies subject to new compliance requirements.

BY ART MIDDLEMISS AND HILLARY ROSENBERG

18 | UDAAP Audit Development and Implementation

You are are probably getting tired of reading about UDAAP, but one only needs to look at the number of enforcement actions to see it’s one of the most critical regulatory risks impacting banking today. Regulatory agencies expect banks to have strong risk management structures in place to proactively self-identify and mitigate regulatory risk. So how exactly can a bank develop and implement such a program to test for UDAAP risk?

BY CARL G. PRY, CRCM, CRP

24 | Model Risk Management

In social and economic environments, such as banking, the use of models to inform decisions will always entail risk.

That risk is exacerbated when the model is conceptually unsound, poorly implemented, or misapplied. Models and their governance are under heavy scrutiny and there is no indication that will abate anytime soon. So what do we need to know to close existing gaps and to cost-effectively minimize potential adverse consequences?

BY ANDY SPERO

30 | ADA Compliance with Websites

In 1990, the Americans with Disabilities Act (ADA) was passed making it the nation’s first comprehensive civil rights law addressing the needs of people with disabilities, but in July 1990 there was little thought given to the Internet, websites, or online banking. Few imagined that banking would evolve into making deposits using the phone in your pocket. As the Department of Justice grows closer to completing the regulatory process, businesses are focusing on the accessibility of their websites. So we all must now ask, what constitutes an accessible website?