Nsight Blog | Ncontracts

Regulatory Compliance in 2023: We Answer Your Top 5 Questions

What will regulators and examiners pay the most attention to in 2023? How can we prepare for regulatory change? These are the questions that bankers asked at our annual Regulatory Expectations and Enforcements webinar.

To help you in your never-ending regulatory compliance quest, we’ve answered the top five questions our webinar attendees asked.

What are the regulatory hot topics for 2023? How to best prepare? 

Our experts looked at supervisory priorities, enforcement trends, rulemaking agendas, speeches, blogs and more to identify the top regulatory hot button issues for 2023.  

  1. Deposit accounts. Make sure you’re complying with both state and federal law and train staff on policies and procedures. This is especially true when it comes to pandemic relief funds and garnishments.
  2. Overdraft and NSF fees. Are your fees surprising customers in any way? If so, you’ve got a problem. 
  3. Credit reporting. The most common complaints the CFPB receives are about inaccurate credit report information. Even if you’re not regulated by the CFPB, it forwards complaints on to your regulator. Congress is also asking questions. Make sure you update policies and procedures that deal with the accuracy of information reported, train staff, and test credit reporting systems. Investigate and resolve consumer disputes promptly. 
  4. Loan origination and servicing. Disclosures must be accurate, including fees. Pay attention to consumer protections for loan forbearance. 
  5. Lending practices & fair lending. Update your fair lending risk assessments and analyze fair lending data. If you aren’t, know that regulators, public interest groups, and the press are, and if they suspect there is an issue, you’ll want an explanation ready to go (and to be able to show that you uncovered the problem yourself and promptly corrected it). 
  6. BSA/AML/OFAC. Regulators have gone after BSA officers and management with individual fines. Worldwide instability creates new sanctions/orders. You’ll be implementing rules, including beneficial ownership rules, for the next few years.  
  7. Third-Party Relationships. Relationships with vendors, service providers and fintech partners, including those that help you offer Banking as a Service (BaaS), are still of high interest to regulators. If a third party is responsible for breaching your data or isn’t compliant with consumer protection laws, your institution will be held accountable. 
  8. Cybersecurity. Data breaches and ransomware are an ongoing problem. Examiners are looking for incident response processes and data backup and recovery capability. 

What’s going on with 1071? 

Section 1071 of the Dodd-Frank Act is surrounded by uncertainty. With no final rule out, much of what’s written is speculation.  

We do know that the CFPB has until March 31, 2023, to issue its final rule. In the CFPB’s rulemaking agenda for 2023, it seemed to push for a final rule earlier than March, but the January final rule date the CFPB was shooting for has passed. Small business lenders will have to collect data about applicants. We can also tell you that Ncontracts’ CRA transmittal tool is being adapted to accommodate 1071 reporting and will be ready soon after the final rule becomes available. 

What data fields will be required? How will a small business be defined? Who will have to report data? What’s the timeline for implementation? Answers to these questions are simply educated guesses at this point. Ncontracts is closely tracking 1071 and will provide a thorough analysis once the final rule is issued. 

What should we do about overdraft and NSF fees? 

The regulatory agencies are looking at overdraft and NSF fees through an Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) lens of “unfair.” That means the stakes are higher. 

Your institution may not need to exit the overdraft space, but it may want to steer clear of authorized positive, settled negative and some return check fees. Put in the time to risk assess your program. Do you have practices or fees that could be viewed as unfair? Is it easy for consumers to understand your policies and fees? Are they often caught off guard? Is the fee income worth the risk? 

Use the data from the risk assessment to make adjustments to your program, if needed. You want your overdraft programs to align with your risk tolerance.  

Is fair lending still under scrutiny? 

There is tremendous regulator interest in fair lending.  

It’s not just fair lending – it’s fair and responsible banking. Regulators are applying UDAAP and alleging discrimination on all types of products and services, not just loans.  

Another area of significant interest to regulators is bias in AI. Algorithms are only as good as the data they are built on. If they are built on discriminatory information, they will discriminate, so it’s important to know what parameters a program is using for decision making.  

Appraisal bias is also getting a lot of attention. 

Make sure your institution is updating its fair lending risk assessments and analyzing fair lending data to ensure the risk is managed. 

How do you know if your vendor management program meets regulatory expectations?

Vendor management is all about mitigating the risk of working with third parties such as vendors, fintech partners, and consultants. Your vendor management program should be documented and address these key areas: 

  • Planning. Why are you thinking about outsourcing an activity? What are the risks? How can you reduce that risk? Are the risks worth the potential benefits? Will this be a critical vendor? 
  • Due diligence. Consider multiple vendors to find the best partner. Once the field is narrowed, dig into due diligence to identify red flags. 
  • Contract negotiation. Negotiate a contract with favorable pricing and terms. Contracts are your opportunity to build in controls (e.g., access to test results, audit reports, etc.) that help you monitor your vendor. 
  • Oversight and monitoring. Someone needs to be responsible for the relationship. There should be systems in place to report problems with a vendor while continuing to regularly review due diligence documents to ensure there hasn’t been a change to a vendor’s risk profile. 
  • Termination. There should be a documented plan for how to end a third-party relationship and transition to a new one. 


Want to learn more about the top 8 areas likely to draw regulatory scrutiny in 2023 and how you can prepare? Listen to our on-demand webinar Regulatory Expectations and Enforcement in 2023.