The Private Company Council (PCC) made considerable progress this fall in advancing several topics on its agenda to provide alternatives within U.S. generally accepted accounting principles (U.S. GAAP) for private companies. In October, the PCC finalized two proposed private company accounting standards, and in November the PCC made additional progress on these standards and other issues currently under discussion. The PCC’s efforts are of interest to privately held financial institutions and their accountants and auditors.
One of the proposed U.S. GAAP alternatives relates to accounting for certain receive-variable, pay-fixed interest rate swaps, but in its current form would not apply to financial institutions. The second proposed GAAP alternative for private companies relates to accounting for goodwill subsequent to a business combination.
The latter proposed standard would permit a private company to subsequently amortize goodwill over a period of 10 years, or less under certain circumstances, and to apply a simplified impairment model to goodwill. Goodwill is the residual asset recognized in a business combination after recognizing all other identifiable assets acquired and liabilities assumed.
The Financial Accounting Standards Board (FASB) will meet on November 25, 2013, to discuss endorsing both standards. If FASB decides to endorse the two alternatives within GAAP, they will be issued as final Accounting Standards Updates.
The PCC is responsible for determining alternatives to existing nongovernmental U.S. GAAP to address the needs of users of private company financial statements, based on criteria mutually agreed on by both the PCC and the FASB. The PCC also serves as the primary advisory body to the FASB on the impact on private companies and nonprofit organizations of accounting items under FASB’s active consideration.
Since 1973, the FASB has been the designated organization in the private sector for establishing standards of financial accounting and reporting.
The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), Farm Credit Administration, and the National Credit Union Administration (NCUA) have proposed to amend their regulations regarding loans in areas having special flood hazards to implement provisions of the Biggert-Waters Flood Insurance Reform Act of 2012.
Specifically, the proposal would establish requirements with respect to the escrow of flood insurance payments, the acceptance of private flood insurance coverage, and the force-placement of flood insurance. The proposal also would clarify the agencies’ flood insurance regulations with respect to other amendments made by the act and make technical corrections.
Comments are due on or before December 10, 2013.
The amendments cover five broad areas.
First, the agencies’ proposal generally would require regulated lending institutions, or servicers acting on their behalf, to escrow premiums and fees for flood insurance for any loans secured by residential improved real estate or a mobile home, unless the institutions qualify for the statutory exception. Except as may be required under applicable state law, a regulated lending institution is not required to escrow if it has total assets of less than $1 billion and, as of the act’s date of enactment, July 6, 2012, was not required by federal or state law to escrow taxes or insurance for the term of the loan and did not have a policy to require escrow of taxes and insurance. The agencies are proposing to implement the exception substantially as set forth in the statute.
Private Flood Insurance
Second, consistent with the act, the agencies’ proposal would require regulated lending institutions to accept private flood insurance that meets the statutory definition to satisfy the mandatory purchase requirement. The proposal also specifically requests comment on whether the agencies should use their authority under the Flood Disaster Protection Act (FDPA) to include a provision in the final rules that expressly permits regulated lending institutions to accept a flood insurance policy issued by a private insurer that does not meet the act’s definition of “private flood insurance” to satisfy the FDPA’s general mandatory purchase requirement. The agencies are also soliciting comment on what criteria the agencies might require for such a policy. Alternatively, the agencies are soliciting comment on whether it is appropriate to include a provision in the final rules that specifically requires regulated lending institutions to accept only policies issued by private insurers that meet the statutory definition, and if included, what would be the effect of such a provision on the availability of privately issued flood insurance.
Sample Notice Forms
Third, the agencies’ proposal includes new and revised sample notice forms and clauses. Specifically, the proposal amends the current Sample Form of Notice of Special Flood Hazards and Availability of Federal Disaster Relief Assistance, set forth as Appendix A in the agencies’ respective regulations, to add language concerning the availability of private flood insurance coverage (pursuant to the notice requirements under section 100239 of the act) and the escrow requirement. The proposal also adds an additional sample notice form, Notice of Requirement to Escrow for Outstanding Loans, as Appendix B to assist institutions in complying with the proposal’s requirement to inform existing borrowers about the new escrow requirement. An institution would provide this notice for existing loans when neither the Notice of Special Flood Hazards and Availability of Federal Disaster Relief Assistance nor the notice of force-placement is provided. Finally, as Appendix C, the agencies are proposing a sample clause regarding the new escrow requirement that may be included with the force-placement notice.
Fourth, the proposal would amend the force-placement of flood insurance provisions to clarify that a lender or its servicer has the authority to charge a borrower for the cost of flood insurance coverage commencing on the date on which the borrower’s coverage lapsed or became insufficient. The proposal also would stipulate the circumstances under which a lender or its servicer must terminate force-placed flood insurance coverage and refund payments to a borrower. It also sets forth the documentary evidence a lender must accept to confirm that a borrower has obtained an appropriate amount of flood insurance coverage.
Fifth, the agencies propose needed technical corrections. For example, the agencies’ current flood insurance regulations refer to the “director” of the Federal Emergency Management Agency (FEMA). The correct title for the head of that agency is “administrator.” The agencies’ proposal would correct all references to the head of FEMA.
At its best, a bank’s internal audit function reaches into all business lines and management levels to review and monitor virtually everything a bank does. The internal auditor might conduct a procedural compliance review of teller operations or consumer loans one week, and the next week evaluate whether the bank’s investment officer is properly assessing the ongoing creditworthiness of investment securities held in the bank’s portfolio.
The importance of the latter example — internal audit of a bank’s classification and appraisal of investment securities — was recently demonstrated by an enforcement action against JPMorgan Chase & Co. and its affiliate bank, JPMorgan Chase Bank, N.A., for potentially destabilizing losses in a large synthetic credit portfolio. After an investigation, the regulators pointed to internal audit deficiencies, especially in the assessment of bank internal controls, as partly responsible for the investment losses.
In light of the enforcement action, bank internal auditors should be aware of a revised uniform agreement among the federal bank regulators on the classification and appraisal of securities held by financial institutions, whether acquired for their own portfolios or on behalf of customers. The Uniform Agreement on the Classification and Appraisal of Securities Held by Financial Institutions (October 2013) updates and revises the predecessor 2004 agreement and reiterates the importance of a robust investment analysis process. Any such process would include review and monitoring by the institution’s internal auditor.
The New Agreement
Among other things, the revised uniform agreement removes all references to, or required reliance on, external credit ratings published by the nationally recognized statistical rating organizations (NRSROs). This change was mandated by Section 939A of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which directed the agencies to remove credit rating references and requirements in their regulations and guidance and replace them with alternative standards of creditworthiness that financial institutions would henceforth have to apply when analyzing the creditworthiness of a particular security.
The regulators have instructed financial institutions to use fundamental credit analysis techniques to determine the creditworthiness of investment securities as part of their pre-purchase and ongoing due diligence processes. During supervisory reviews, the bank examiners will use the revised uniform agreement to determine whether an asset should be adversely classified.
Note that the 2013 uniform agreement does not change the federal banking agencies’ longstanding asset classification definitions. The uniform agreement clarifies how the unique characteristics exhibited by investment securities should be interpreted within these established classification categories.
Longstanding Asset Classification Definitions
Substandard • The asset is inadequately protected by the current sound worth and paying capacity of the obligor or of the collateral pledged if any. Assets classified as Substandard must have a well-defined weakness or weaknesses that jeopardize the liquidation of the debt. These assets are characterized by the distinct possibility that the institution will sustain some loss if the deficiencies are not corrected.
Doubtful • The asset has all the weaknesses inherent in an asset classified as Substandard with the additional characteristic that collection or liquidation in full is highly questionable or improbable in light of currently existing facts, conditions, and values.
Loss • The asset is considered uncollectible and of such little value that its continuance as a bankable asset is not warranted. Classification as Loss does not mean that the asset has zero recovery or salvage value. Rather, it means that it is not practical or desirable to defer writing off the asset even though partial recovery could be a possibility sometime in the future. Assets classified as Loss should be promptly charged off.
Audit staff may wish to revisit an article in the August 2013 edition of Internal Auditor Alert entitled “Portfolio Credit Risk Analysis: Is It Adequate?” The article includes an audit questionnaire on investment security credit risk assessments. The use of both questionnaires will give internal auditors a comprehensive tool for evaluating the institution’s pre-purchase and ongoing due diligence procedures for investment securities.
In the aftermath of potentially destabilizing losses in a large synthetic credit portfolio during 2012, JPMorgan Chase & Co. (JPMC) paid a $200 million penalty for deficiencies in the bank holding company’s oversight, management, and controls over its chief investment office (CIO), which was responsible for the portfolio. In paying the penalty, JPMC acknowledged, among other things, deficiencies in its internal audit function’s assessment of the CIO’s internal controls.
The enforcement action had other cascading repercussions for the bank holding company and its affiliated bank, demonstrating the prominence of the internal audit function in detecting risky practices and avoiding costly liability.
The enforcement action resulted from an investigation by the Federal Reserve Bank of New York (FRBNY), begun in the second quarter of 2012, of JPMC’s processes, procedures, and controls related to the CIO’s management of a large synthetic credit portfolio and resulting losses. The FRBNY identified deficiencies in the BHC’s risk management, model governance, and internal audit functions.
Reserve Bank investigators also concluded that JPMC’s senior management failed to inform the company’s board of directors and the Federal Reserve of deficiencies in risk management that senior management itself had discovered.
Last January, JPMC signed a Federal Reserve Board (FRB) consent order under which it agreed to operate in a safe and sound manner on a firmwide basis, particularly regarding the CIO’s activities, and to implement an effective firmwide risk management program for its trading activities, commensurate with the BHC’s size, complexity, and risk profile. The consent order required improvements in oversight by the board of directors of the BHC’s risk management, internal audit, and finance functions, and the correction of deficiencies found by FRBNY investigators.
Also last January, JPMorgan Chase Bank, N.A., which is owned and controlled by JPMC, agreed to a consent order issued by the Office of the Comptroller of the Currency (OCC). The order was designed to remedy deficiencies in the bank’s board and management oversight, governance, risk management, model risk management, valuation control, and internal audit programs.
Then on September 19, 2013, the regulators issued civil money penalties to finally settle the case:
The OCC assessed a civil money penalty of $300 million against JPMorgan Chase Bank, N.A., citing unsafe and unsound practices and violations of the law arising from the bank’s trading oversight practices, including internal audit performance.
The Securities and Exchange Commission (SEC) issued an enforcement action against JPMC, including a penalty of $200 million for failing to maintain effective internal controls over financial reporting. The penalty assessment also cited the company’s failure to exercise effective disclosure controls and procedures as a result of the company’s filing of financial reports for the first quarter of 2012 that inaccurately valued the synthetic credit portfolio positions managed by the CIO.
The Financial Conduct Authority of the United Kingdom issued an enforcement action against JP Morgan Chase Bank, plus a penalty of £137.6 million, for failure of the bank’s London branch to observe applicable “Principles of Business” relating to skill, care, and diligence; management and control; proper market practice; and disclosure to regulators in connection with management of the synthetic credit portfolio.
The FRB’s civil penalty of $200 million imposed on JPMC is for (1) exercising inadequate oversight over the CIO and failing to implement sufficient internal controls to ensure the full and adequate disclosure to senior management and the JPMC board of directors of information relevant to the synthetic credit portfolio; and (2) failing to provide the examiners with sufficient and timely information about the risks arising from the synthetic credit portfolio and the valuation of portfolio positions by the CIO.
Although the synthetic credit portfolio losses did not end up triggering significant market repercussions, the incident is an illustrative one for bank internal auditors. Regardless of the context, internal auditors are expected to exercise audit oversight of bank trading practices and to implement sound internal controls capable of preventing and detecting inordinate investment losses.
Some banks sell debt to third-party debt collectors, a strategy that falls under the general bank function of debt collection. In selling its customers’ unpaid debt to third parties for collection, a bank no longer retains a legal interest in the debt. Nevertheless, in selling debt, a bank exposes its customers to the collection practices — good, bad, or ugly — of the third party and exposes the bank itself to heightened reputation and legal risks. The bank regulators expect bank internal auditors to play an important role in managing these risks.
This article focuses on the internal auditor’s role in reviewing debt sales activities as part of an effective risk management process, as articulated in supervisory suggestions and best practices identified by the Office of the Comptroller of the Currency (OCC).
Debt Sales Basics
The debt collection phase of the lending process begins after a lender charges off delinquent loans and realizes a loss. Even after charge-off, the borrower generally continues to have an obligation to repay the loan. The bank, at this point, can either try to recover the loss or decide not to pursue collection of the debt.
The lion’s share of debt charged off by financial institutions and sold to third-party debt collectors involves credit card debt. Charged-off automobile loans, home equity loans, mortgage loans, and student loans are other types of credit that are commonly sold to third-party debt buyers. The largest banking organizations are the primary sellers of debt, but midsize and smaller banks account for about one-fifth of debt sales activity.
As the economy has gradually improved during the past four or five years, retail debt charge-offs have fallen and debt sales have diminished accordingly. Nevertheless, OCC examiners have found reason to be concerned that debt sales activity at national banks and federal savings associations is not being properly managed to contain the risks. From their on-site supervisory activities, OCC examiners have also identified a number of recommended policies and procedures and best practices to control risks and protect consumers.
Although the OCC aims most of its supervisory concern at large bank debt sales, the best practices can readily be incorporated by smaller institutions as part of an effective risk management framework.
Quality Control and Audit
In a preliminary set of debt sales best practices (which may eventually become formal guidance), the OCC asserts that a strong risk management structure for bank debt sales includes a quality control function that evaluates each sales transaction prior to the sale. The quality control process should make sure that data scrubs, performed to validate credit account data, are complete and accurate and that the account data are directly updated from the system of record.
Also prior to a debt sale, quality control should ensure that account characteristics meet the specifications in the purchase and sales agreement and should investigate the reasons for any repurchases of accounts that occur after a debt sale is completed.
The internal audit function should evaluate the compliance of some or all debt sales transactions with the institution’s policies and procedures and with applicable laws and regulations. In addition, audit or quality control should ensure that credit bureau reporting is updated to reflect the sale or transfer of the debt.
Audit Review of Debt Sales Policies and Procedures
The Debt Sales Audit Checklist encompasses suggested policies and procedures and best practices that will help a financial institution control the risks inherent in debt sales activity. An internal auditor or quality control committee can use the checklist to help identify risks and review and monitor debt sales transactions.
Also note that a financial institution should perform due diligence before engaging in a sales transaction with a debt buyer. What constitutes due diligence and other aspects of an adequate vendor management process are described in new OCC guidance on managing third-party relationship risk. This guidance may be found at: http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
Banks recently received good news from bank regulators: The requirements of the Ability-to-Repay Rule and the Equal Credit Opportunity Act are compatible.
That should be a no-brainer, but given the post-crisis regulatory environment, banks have been worried that they could face liability under the disparate impact doctrine of the ECOA and Regulation B if they decide to originate only Qualified Mortgages as defined under the Consumer Financial Protection Bureau’s Ability-to-Repay and Qualified Mortgage rule.
In other words, would lenders that decide to play it safe under the ATR/QM rule by offering only QMs be taking a chance with their fair lending compliance?
Banks can rest a bit easier now. In response to industry inquiries, the Fed, CFPB, FDIC, NCUA, and OCC issued an interagency statement that clarifies that the agencies “do not anticipate that a creditor’s decision to offer only Qualified Mortgages would, absent other factors, elevate a supervised institution’s fair lending risk.”
The agencies pointed out that the ECOA and Regulation B promote creditors acting on the basis of their legitimate business needs. “[E]ven where a facially neutral practice results in a disproportionately negative impact on a protected class, a creditor is not liable provided the practice meets a legitimate business need that cannot reasonably be achieved as well by means that are less disparate in their impact,” they added.
The agencies said they recognize “that some creditors might be inclined to originate all or predominantly Qualified Mortgages, particularly when the Ability-to-Repay Rule first takes effect.”
According to the guidance, the agencies expect creditors, in selecting business models and product offerings, to “consider demonstrable factors that may include credit risk, secondary market opportunities, capital requirements, and liability risk. The Ability-to-Repay Rule does not dictate precisely how creditors should balance such factors, nor do either TILA or ECOA. As creditors assess their business models, the Agencies understand that implementation of the Ability-to-Repay Rule, other Dodd-Frank Act regulations, and other changes in economic and mortgage market conditions have real world impacts and that creditors may have a legitimate business need to fine-tune their product offerings over the next few years in response.”
The interagency guidance provides welcome assurance, but it’s no safe harbor. “Creditors should continue to evaluate fair lending risk as they would for other types of product selections, including by carefully monitoring their policies and practices and implementing effective compliance management systems,” the agencies declared. “As with any other compliance matter, individual cases will be evaluated on their own merits.”
Richard Cordray tried to push all the right “be nice to bankers” buttons in his October 21 speech at the American Bankers Association’s annual convention…with one big exception, that is. The Consumer Financial Protection Bureau director made clear that the bureau is not going to extend the compliance deadline for the “sweeping new mortgage rules” slated to take effect next January.
Just a week and a half earlier, Independent Community Bankers of America CEO and President Camden Fine strongly encouraged Cordray to extend the mandatory compliance deadline for the consumer mortgage rules. Fine suggested the CFPB “at the very minimum” allow compliance to be optional for a reasonable period of 9-12 months.
But Cordray may have a different idea about what’s reasonable.
“We believe it is critical to move forward so these rules can deliver the new protections intended for consumers and the certainty the industry has been seeking,” he said. “We understand this poses a challenge for industry, just as the writing of such a substantial set of mortgage rules by last January posed a significant challenge for our new agency. We are all in this together, and so we appreciate the urgency that is being felt and the resources that are being mobilized to prepare for the approaching effective dates.”
However, Cordray did assure bankers that the CFPB’s “oversight of the new mortgage rules in the early months will be sensitive to the progress made by institutions that have been squarely focused on making good-faith efforts to come into substantial compliance on time—a point that we have also been discussing with our fellow regulators.”
He also pointed out that things could have been a lot worse. If the CFPB hadn’t finished the rules on time, the industry would have been subject to much of Dodd-Frank’s Title XIV without the benefit of the rules’ clear safe harbor against litigation for QM loans as well as the rules’ special provisions for small creditors (those with $2 billion or less in assets and making 500 or fewer mortgages per year).
Cordray also said, “It would have been a classic governmental approach for us to say, once the mortgage rules were published, ‘Well, that’s your problem now.’ We could have said we have plenty of other things to do—which is true—and so we will not see you again until our examination teams arrive to gauge whether you are getting it right or we bring an enforcement action contending that you did not get it right. We could have left you entirely on your own.”
But the CFPB has a different approach, Cordray reminded bankers. The CFPB has engaged “directly and intensively” on regulatory implementation, published “plain language” versions of the rules, created and posted video guidance, met with all major market players (including vendors), made further tweaks to respond directly to industry input, and worked with fellow regulators to “publish inter-agency examination procedures on the new rules, a full six months before the implementation date, to familiarize you with our expectations.”
Watchful Eye on Consumer Complaints
More broadly, Cordray said the CFPB has already begun to see changes in the marketplace as a direct result of its efforts. As he put it, “Our supervision and enforcement work is driving cultural change.”
Cordray said the CFPB’s consumer response function and public complaint database are also playing a tangible role in producing a shift toward more emphasis on excellent customer service. So far, the CFPB has received over 225,000 complaints.
He applauded institutions for trying to minimize the number of complaints the CFPB receives about them. But he cautioned that institutions “also know, or should know, that our supervision and enforcement teams are keeping a watchful eye on the consumer complaints we receive; the patterns reflected in those complaints can prompt investigations or be the basis for prioritizing supervisory attention through the risk scoping of examinations.”