How To Ensure Your Bank Remains Compliant

November 12, 2019 | Article

It’s no secret that keeping your financial institution up to date and compliant with all laws, regulations and policies is an important piece of a successful business model.

From facing common compliance issues to deciding which documents to keep—and making sure you’re following all rules and regulations—there are many items that require close attention to ensure you remain compliant.

Common Compliance Issues
While there are many compliance issues banks must pay attention to, below are some common issues we wanted to point out. This list is not exhaustive, but it does include important items to keep in mind to keep your bank compliant.


Privately Owned ATMs
You may be wondering why you need to worry about an ATM your bank doesn’t own. However, there are risks that come with privately owned ATMs, and your bank may need to make enhancements to address these increased risk areas.

Privately owned ATMs are usually found in restaurants, bars, gas stations and similar locations. These ATMs link to an ATM transaction network that debits the customer’s account and credits the ATM owner’s account, or the Independent Sales Organization’s (ISO) account, which can be located anywhere. The reason these ATMs have been deemed higher risk is that many of them have been involved in fraudulent activity, identity theft and money laundering.

Security enhancements should be made to the bank’s systems and customer identification program (more info on that later) to manage associated risks. At a minimum, these policies, procedures and processes should include:

  • Risk-based due diligence on the ISO through a review of corporate documentation, licenses, permits, contracts or references.
  • Review of public databases to identify potential problems or concerns with the ISO or owners.
  • Understanding controls for currency servicing arrangements for privately owned ATMs, including source of replenishment currency.
  • Documentation of the locations of ATMs and determination of the ISO’s target market.
  • Expected account activity.

Before you begin your review, ask yourself the following questions:

  • Do you know if any of your customers have privately owned ATMs?
  • Do you know how your customer’s ATM is being replenished?
  • Have you completed a policy, procedures and risk assessment for privately owned ATMs?
  • Has monitoring been completed since your bank recognized any privately owned ATMs?

Consumer Identity and Prepaid Cards
The Financial Crimes Enforcement Network (FinCEN) has begun to regulate the issuance of reloadable cards issued by financial institutions via the USA PATRIOT Act.

The customer identification program, or CIP, is a provision requiring that all accounts be opened only after obtaining the customer’s name, address, date of birth and identification number. Institutions must also follow identity verification procedures similar to those for all other deposit or credit accounts, and specific account recordkeeping and notice requirements must be followed.

What Is Considered an Account?
An account is defined by the CIP rule as a “formal banking relationship established to provide or engage in services, dealings or other financial transactions, including a deposit account, transaction or asset account, a credit account or other credit extension.” So, which prepaid cards are accounts, and which are not? It all boils down to whether the card is reloadable or not. If the card is not reloadable, the transaction is considered a one-time transaction that doesn’t need an ongoing relationship. When the card is reloadable, it is considered an account and the CIP rule must be followed.

Who Is the Customer?
Reloadable cards can be issued within a branch, sold online or issued via mail. Some financial institutions that provide merchant services to small businesses also provide a gift card or reloadable card service to the business. This makes that business an agent for the bank, but each customer of that agent would still be considered the bank’s customer.

So how does the financial institution ensure the CIP rule is being followed when a business issues a reloadable card to its customers? For the smaller institution, a closed-loop non-reloadable card is usually preferred, because it removes the need to record and verify each individual customer. Another example is that of businesses that issue prepaid cards to employees or agents of that business. In the past, the business was considered the customer, whereas now each individual cardholder operating on behalf of the business must be identified under the CIP rule.

These changes help minimize many threats. The limits on reloadable prepaid cards, as well as the CIP rule, can help fight the funding of terrorism, money laundering and other financial crimes.

Consumer Compliance Rating System

The new Consumer Compliance Rating System (CC Rating System), which took effect March 31, 2017, was designed with an emphasis on evaluating a financial institution’s Compliance Management System (CMS). It creates a comprehensive, consistent framework for all member agencies to apply, focusing on consumer protection, self-identification and proactively addressing compliance issues.

The rating system is based on a five-point scale, with “1” being the highest/best rating and “5” reflecting a critically deficient program. The rating system focuses less on transactional testing and more on the financial institution’s CMS, paying particular attention to practices that may cause consumer harm.

Guiding Principles
The CC Rating System was designed based on four key principles:

  • Risk-Based: Emphasize that a CMS will vary based on size, complexity and risk profile.
  • Transparent: Create uniform rating categories to promote consistency across member agencies.
  • Actionable: Communicate areas of strength and emphasize areas for improvement.
  • Incent Compliance: Encourage institutions to establish a strong CMS that focuses on preventing consumer harm and on prompt identification and correction of weaknesses.

Categories and Assessment Factors
The CC Rating System is split into three categories and includes assessment factors in each category:

  • Board and Management Oversight: This includes oversight and commitment to the CMS, supporting change management, identifying and managing risks and correcting weaknesses. Your board should also periodically evaluate your institution’s needs to ensure resources are allocated to the compliance program.
  • Compliance Program: This should contain policies and procedures designed for your organization, a training program for staff responsibilities, monitoring aimed at identifying violations and a process for addressing consumer complaints.
  • Violations of Law and Consumer Harm: These are rated based on the root cause, the severity and impact of the consumer harm created, and the duration and severity of the violation. Identifying and correcting violations is key, but even more important is ensuring prior exam findings have been addressed.

Consumer harm, self-identification and corrective action are common themes in the CC Rating System. If you have a strong CMS that includes board and management oversight, policies and procedures, training and monitoring with corrective action, your next compliance exam should go well.

Banking Marijuana
The world of marijuana banking has been filled with compliance risks for years. While marijuana is still illegal federally, many states have legalized it for medical and recreational use. Financial institutions must weigh the pros, cons and risks of providing services to businesses that sell marijuana products.

Legal Hemp Growing
The passing of the 2018 Farm Bill provided new opportunities for financial institutions to legally serve certain marijuana-related businesses. The Farm Bill changed the classification of hemp to an agriculture product, which allows the use of hemp fiber as well as CBD oil. The legalization of these types of cannabis enables banks to provide services without fear of legal ramifications.

Each state is responsible for following guidelines for what constitutes legal growing and use of hemp when creating their regulatory framework. The framework must:

  • Record and describe land where hemp is grown
  • Have a process for testing THC levels
  • Establish procedures for disposal of noncompliant products
  • Determine how to enforce regulations

Bank Secrecy Act Compliance
The Bank Secrecy Act is a very important regulation that financial institutions must adhere to when offering services to hemp-related businesses. There are three main areas that institutions must address in their policies and procedures.

  1. Identification of hemp business. This should include identifying when a business is marijuana-related and should now include identification of hemp businesses separate from marijuana-related businesses.
  2. Verification of legal status. This should include verifying the business’s certification or license. The institution also needs to have procedures and be able to identify these businesses for existing customers.
  3. Ongoing due diligence and monitoring. Once the business has been identified, the financial institution must risk rate the customer and determine whether it needs to be added to the list of higher-risk customers. Due to its nature, a hemp business is considered higher risk and is subject to additional due diligence procedures, which include ongoing monitoring of account activity as well as reverification of the business’s legal status.

Suspicious Activity Reports
Because marijuana remains illegal federally, a financial institution that chooses to service marijuana-related businesses must file Suspicious Activity Reports (SARs) on a continual basis. After filing the initial SAR, it must conduct continuous 90-day monitoring and file each subsequent SAR within the required timeframes.

There are three types of SARs that must be filed based on the situation.

  1. Limited SAR. This will be filed when the marijuana-related business is conducting legal business according to the state and appears in compliance with all requirements.
  2. Priority SAR. This must be filed when an institution suspects or knows that the business is violating legal requirements.
  3. Termination SAR. This is what the institution will file when it has made the decision to terminate the relationship with the business.

It’s important that financial institutions implement policies and procedures to outline what the institution must do and ensure that they are compliant. It’s imperative that the institution’s employees understand the difference between true marijuana and hemp or CBD as well as the different requirements for each. With proper policies, procedures and training in place, providing services to these types of businesses may be a lucrative opportunity for financial institutions.

MERS Requirements
Any financial institution that is a member of the Mortgage Electronic Registration System, Inc. (MERS) and is named the servicer for an active mortgage identification number (MIN) must meet certain quality assurance requirements.

  • If an institution services fewer than 1,000 MIN records, a quarterly two-way validation between the institution’s records and the MERS system records must be performed and documented.
  • If an institution services 1,000 or more MIN records, a monthly two-way validation between the institution’s records and the MERS system records must be performed and documented.

Reconciliation is important to ensure the data on the MERS system matches the institution’s data. This requirement can be overlooked when an institution registers mortgages through MERS for secondary market loans without servicing them, but then has to buy back a loan. At that point the institution is servicing a mortgage with a MIN and must meet the reconciliation requirements. Depending on the type of MERS membership, an institution may also need to complete an annual report and quality assurance plan in addition to the data reconciliations.

To ensure compliance, institutions should review their membership agreement with MERS and determine if any MIN-registered mortgages are being serviced by the institution, which would require data reconciliations.

Rules & Regulations: Keeping Your Bank Up to Date
Financial institutions operate with some of the most complex rules and regulations, and keeping up with them can be challenging. Below are some common regulations and updates your financial institution should pay attention to in order to ensure your bank is protected.

UDAAP (Unfair, Deceptive and Abusive Acts or Practices) is a common term in daily conversation within the financial institution industry. But what exactly do these terms mean?

Unfair
  • The practice causes or is likely to cause substantial injury.
  • The injury cannot reasonably be avoided.
  • The injury is not outweighed by any benefits.

Deceptive
  • The practice misleads or is likely to mislead.
  • A reasonable consumer would be misled.
  • The presentation, omission or practice is material.

Abusive
  • The practice materially interferes with the consumer’s ability to understand a term or condition of a product or service.
  • The practice takes unreasonable advantage of a consumer’s lack of understanding of the risk, costs and conditions of a product or service.

Targeted Products
Any consumer product or service has the potential to be criticized for violations, but some of the most common include:

  • Overdraft programs
  • Check/debit processing order and loan payment processing
  • ATM fees
  • Loans with balloon payments
  • Credit life and disability insurance sales
  • Rewards programs
  • Gift card sales
  • Credit card programs

Managing Your UDAAP Risk
As UDAAP continues to challenge the industry, it is essential for financial institutions to evaluate their risks and do what they can to diminish the impact of violations on the organization. With careful review, you can reduce the risk of potential violations and their long-term impacts. A few proactive steps your bank can take include:

    • Regularly reviewing features of consumer products and services.
    • Reviewing revenue streams for trends that may suggest abusive practices.
    • Evaluating methods of communicating product features to customers.
    • Reviewing third-party service provider agreements to develop a clear understanding of their practices.
    • Reviewing all bank policies and procedures for practices that suggest unfair, deceptive or abusive practices.
    • Creating a consumer-friendly culture within your organization and evaluating all customer complaints for signs of serious problems.


Tax-Exempt Instruments
Financial institutions have historically been among the largest purchasers of tax-exempt debt instruments. One of the most frequent questions that arises regarding tax-exempt debt instruments is: what exactly qualifies for tax-exempt treatment?

Tax-Exempt Notes Versus Bonds
The statutory exemption provided in IRC §103 applies to interest on any state or local bond. A state or local bond is defined as an obligation of a state or a political subdivision of the state. An obligation must be documented or embodied in writing and executed by the state or political subdivision in the exercise of its borrowing power. For tax purposes, there is no distinction between tax-exempt notes and tax-exempt bonds.

Role of Sovereign Power
The first question a financial institution must answer is whether the issuer is a political subdivision of a state. A political subdivision denotes any division of a state or local governmental unit that is a municipal corporation or that has been delegated the right to exercise part of the sovereign power of the unit.

The three generally acknowledged sovereign powers of states are the power to tax, the power of eminent domain and the police power. It isn’t necessary that all three be delegated; however, possession of only an insubstantial amount of any or all sovereign powers is insufficient. All of the facts and circumstances must be taken into consideration, including the public purposes of the entity and its control by the government.

Nonprofits and Churches
One common misconception is that a loan made to a nonprofit or church would be considered tax-exempt. Loans made to these organizations are not tax-exempt, and the interest earned on them is taxable.

Impact of Discounts
Knowing if a bond or loan is tax-exempt is vital when weighing the benefits of each instrument against other options. It is also important to know the impact of discounts on municipal securities. If securities are purchased at a discount on the issue date, the difference between the purchase price and par value is accreted into income and is treated as tax-exempt income. On the other hand, if municipal securities are purchased at a discount subsequent to the issue date, the discount accretion is taxed as ordinary income.


Documentation: Why It’s Important
When it comes to documentation and record keeping for banks, it can be overwhelming to make sure your institution is including the correct information on certain documents. Form 1099-K is one of those documents that needs special attention.

1099-K Filing Requirements
Regulations require payment settlement entities to report the gross amount of merchant card payments and third-party network payments to recipients on IRS Form 1099-K. So, which entities are subject to these filing requirements? The Internal Revenue Code requires Payment Settlement Entities (PSEs) to file Form 1099-K. PSEs are defined as:

  • Banks or organizations with contractual obligations to make payments to participating payees in the settlement of payment card transactions.
  • Third-party settlement organizations with contractual obligations to make payments to unrelated participating payees of third-party network transactions.

A participating payee is defined as any domestic person/organization who accepts payments via payment cards or from third-party settlement organizations. Payment card transactions can include the use of gift cards, prepaid phone cards and various other cards. These transactions should be reviewed to determine if they are subject to Form 1099-K reporting requirements.

Third-party network transactions can include a customer’s purchase of goods from a merchant over the internet using an internet payment service provider (e.g. PayPal). As long as the internet payment service provider is unrelated to the parties of the transaction, it is considered a PSE/third-party settlement organization for Form 1099-K reporting purposes. Organizations that don’t have contractual agreements to use the payment network and that operate a network which only processes electronic payments are not subject to the Form 1099-K reporting requirements.

Every entity considered a PSE that makes one or more payments in settlement of reportable transactions must file Form 1099-K with respect to each participating payee for that calendar year. However, third-party settlement organizations are only required to file Form 1099-K with respect to each participating payee if both the gross amount of total reportable payment transactions to that payee exceeds $20,000 and the total number of reportable payment transactions exceeds 200.

The gross amount of reportable payment transactions must be reported on Form 1099-K along with the payee’s name, address and tax ID number. The following transactions are not required to be reported on Form 1099-K:

  • ATM withdrawals
  • Cash advances or loans against the cardholder’s account
  • Checks issued in connection with a payment card
  • Any transaction involving payment via payment card when the merchant or other payee is related to the issuer of the payment card.

Additionally, Form 1099-K is not required to be filed for a participating payee that has a foreign address as long as the payment settlement entity does not know or have reason to know that the payee is a U.S. person. If the payee does have a U.S. address, then the payee must provide documentation as a foreign person/entity for the payments to be excluded from the filing requirements.

Other Details to Be Aware Of
If an entity receives payments from a PSE on behalf of one or more participating payees and subsequently distributes these payments to one or more participating payees, then the entity is a participating payee with respect to the original PSE and a PSE with respect to the payees to whom the payments were subsequently distributed.


Pulling It All Together
In order to keep your bank compliant, there are many rules and regulations you need to pay attention to. Whether it’s new accounting standards, legal provisions or monitoring for deceptive acts, financial institutions have many steps to take toward compliance. But you don’t have to do it alone. A trusted advisor can help make sure your bank is in compliance with all rules and regulations.
