total training solutions - overdraft payment …ttsmedia.ttstrain.com/overdraftho1bk080416.docx ·...
TRANSCRIPT
COMPLIANCE SUPPLEMENT OVERDRAFT PROTECTION PROGRAM
1 | P a g e
Table of Contents
Overdraft Payment Programs—FDIC Compliance Handbook................................................3Controller’s Handbook “Consumer Compliance”: III. Electronic Transaction Overdraft Services Opt-In --OCC................................................................................................................27Federal Register: OCC Guidance on Deposit-Related Consumer Credit Products..............33OCC Bulletin 2015-17: Revised Deposit Related Consumer Credit.......................................38OCC: Comptroller’s Handbook - Deposit-Related Credit (March 2015)..............................39
2 | P a g e
Overdraft Payment Programs—FDIC Compliance HandbookIntroduction As highlighted by the FDIC’s November 2008 Study of Bank Overdraft Programs, institutions have expanded the types of overdraft payment programs provided to customers in recent years. Some of these programs impose substantial fees and interest and rely on third-party vendors to develop systems to maximize the amount of fee income generated. Customer complaints have increased, along with reported legal and enforcement actions. In many cases, fees are repeatedly charged and are often disproportionate to the amount originally intended to be funded. Some institutions manipulate their transaction processing order to maximize fee income. Customers have complained that they were not made aware of the existence or potential negative consequences of, or alternatives to, various types of overdraft coverage. Some customers’ financial difficulties have been exacerbated by institutions’ overdraft payment practices and programs, even though the institutions maintain alternative programs more suitable for those customers.
In an effort to assist FDIC-supervised institutions in identifying, managing, and mitigating risks regarding overdraft payment programs, the FDIC issued its November 24, 2010, Overdraft Payment Supervisory Guidance (“2010 Supervisory Guidance”) (FIL-81-2010).1 The 2010 Supervisory Guidance, which particularly focuses on the risks associated with excessive or chronic use of automated overdraft programs, is intended to serve as a comprehensive, up-to-date source of information about concerns and risks, as well as a summary of existing guidance and recent regulatory developments. In addition, the 2010 Supervisory Guidance encourages FDIC-supervised institutions to promote responsible use of overdraft payment programs through a series of specifically recommended actions institutions can take to help minimize the potential for consumer harm and regulatory or other risks. These overdraft payment program examination procedures:
• Incorporate recent changes to applicable laws and regulations;
• Integrate the supervisory expectations stated in the 2010 Supervisory Guidance; and
• Reaffirm principles contained in the 2005 interagency Joint Guidance on Overdraft Protection Programs (“Joint Guidance”) (FIL-11-2005) and the 2008 Guidance for
Managing Third-Party Risk (“Third-Party Guidance”)2 (FIL-44-2008).
The 2010 Supervisory Guidance reaffirms existing laws, regulations, and guidance and addresses concerns regarding the risks posed by automated programs and excessive use. The specific supervisory expectations set out in the 2010 Supervisory Guidance with respect to excessive or chronic users of automated overdraft programs do not apply to ad hoc overdraft practices. The Joint Guidance,3 Third-Party Guidance and range of applicable laws and regulations potentially
1 On April 1, 2011, FDIC staff published a set of Frequently Asked Questions and answers in response to questions received from supervised institutions and third-party vendors about the 2010 Supervisory Guidance, available at http://www.fdic.gov.2 See Third-Party Risk Compliance Examination Procedures issued June 1, 2010.
3 | P a g e
apply to any method of covering overdrafts, including automated programs, linked accounts and lines of credit.
Laws and Regulations
Compliance examiners should continue to reference appropriate chapters in the Compliance Examination Manual governing laws and regulations applicable to overdraft payment programs. The scope of potentially applicable statutes and regulations that may apply to overdraft payment programs includes:
• The Truth in Lending Act (TILA) and Regulation Z;
• The Truth in Savings Act (TISA) and Regulation DD;
• The Electronic Fund Transfer Act (EFTA) and Regulation E;
• Section 5 of the Federal Trade Commission Act (FTC Act) governing Unfair or Deceptive Acts or Practices (UDAPs) and Regulation AA;
• The Equal Credit Opportunity Act (ECOA) and Regulation B;
• The Expedited Funds Availability Act and Regulation CC; and
• The Community Reinvestment Act (CRA).
Compliance examiners should apply the Overdraft Payment Program Compliance Examination Procedures and relevant laws and regulations, and refer to the 2010 Supervisory Guidance, the Joint Guidance, and the Third-Party Guidance, as appropriate, to verify that institutions are adhering to applicable laws and regulations, and implementing appropriate policies, procedures, compliance management systems, and risk mitigation strategies.
Regulation E Changes
Changes to laws and regulations place additional requirements on institutions’ overdraft payment programs. Under Regulation E rules that took effect July 1, 2010, institutions must provide notice and a reasonable opportunity for customers to opt-in to the payment of automated teller machine (ATM) and one-time, point-of-sale (POS) overdrafts provided in exchange for a fee. Institutions must also inform the customer if alternatives are available.4
In complying with these requirements, institutions should not attempt to steer frequent users of fee-based overdraft products to opt-in to these programs while obscuring the availability of alternatives.
Targeting customers who may be least able to afford such products can raise safety-and-soundness concerns about potentially unsustainable customer debt. Overly aggressive marketing, advertising, and other promotional activities require particular vigilance to ensure that they are not unfair or deceptive. Steering activity with respect to credit products raises potential legal issues, including fair lending, equal credit opportunity, and concerns about UDAPs, among
3 Compliance examiners should pay particular attention to the “Best Practices” in the Joint Guidance, which cover both Marketing and Communications with Consumers and Program Features and Operation.4 See Regulation E (Electronic Fund Transfer Act) Examination Procedures. In addition, as of January 1, 2010, Regulation DD (Truth in Savings) requires institutions to disclose on periodic statements the aggregate dollar amounts charged for overdraft fees and for returned item fees, for the statement period and the year-to-date. It also requires institutions that provide account balance information through an automated system to provide a balance that does not include additional funds that may be made available to cover overdrafts. See Regulation DD Examination Procedures.
4 | P a g e
others, and will be closely scrutinized. In addition, inconsistent application of waivers of overdraft fees will be evaluated in light of all applicable fair lending statutes and regulations.
Unfair or Deceptive Acts or Practices
Section 5 of the FTC Act prohibits UDAPs in or affecting commerce.5 The FDIC enforces compliance with this important consumer protection law regarding FDIC-supervised institutions pursuant to its authority in the FTC Act and Section 8 of the Federal Deposit Insurance Act.6 The prohibition against UDAPs applies to all products and services offered by financial institutions, including overdraft services, and regardless of whether such services are offered directly or indirectly through a third party. Moreover, the prohibition applies to every stage and activity: from product development to the creation and rollout of the marketing campaign; from account maintenance and collections all the way through termination of the customer relationship.7
Community Reinvestment Act
Institutions will continue to receive favorable CRA consideration under the service or lending tests (consistent with CRA regulations and FIL-50-2007 providing details on small dollar loans8), for offering financial education and positive alternatives to overdrafts that are responsive to the needs of customers, particularly low- and moderate-income individuals, in their local communities. Examples include lower-cost transaction accounts and credit alternatives, such as a linked savings account, a small, reasonably priced line of credit consistent with safe and sound banking practices, or a safe and affordable small dollar loan.
Third-Party Arrangements
With the growth of third-party arrangements for overdraft payment programs, Compliance examiners should ensure that financial institutions are managing these relationships in accordance with the principles outlined in the Third-Party Guidance.9 In addition to general third-party oversight considerations, these third-party overdraft payment programs may raise concerns that differ from potential issues related to in-house programs. For example, some vendors have tended to promote programs that encourage generation of fee income by linking the amount or volume of overdraft fees charged to the percentage of incentive compensation paid to the vendor.10 This practice is generally inconsistent with promoting the responsible use of these programs.
Where vendor compensation is tied to a percentage of income or fees generated by the product sold, Compliance examiners should evaluate whether the third-party relationship raises the potential for compliance, operational, financial, and reputational risks to the financial institution. For example, where a third-party arrangement provides that the vendor will take a reduced percentage of compensation if the financial institution implements a transaction processing order of largest-to-smallest, this arrangement may rise to the level of a UDAP violation if the institution, at the vendor’s encouragement, is manipulating the transaction processing order
5 15 U.S.C. § 45(a).6 See 12 U.S.C. § 1818(b).7 See Unfair or Deceptive Acts or Practices Compliance Examination Procedures.8 See also Inte See FDIC Study of Bank Overdraft Programs (November 2008) at p. 50 (Section VII), available at http://www.fdic.gov.ragency Questions and Answers Regarding Community Reinvestment, 75 Fed. Reg. 11642 (Mar. 11, 2010), available at http://www.ffiec.gov.9 See footnote 2.10 See FDIC Study of Bank Overdraft Programs (November 2008) at p. 50 (Section VII), available at http://www.fdic.gov.
5 | P a g e
solely to generate fees and increase both the institution’s fee income and the vendor’s compensation. Customers may be harmed if this practice is designed exclusively to increase the amount of overdraft fees assessed without any corresponding and meaningful benefit to the consumer.
The 2010 Supervisory Guidance
The FDIC expects that supervised institutions will review their current automated overdraft payment programs, policies and procedures in light of the 2010 Supervisory Guidance. For example, as a threshold matter, Compliance examiners should determine if the institution has reviewed its existing program and determined whether the institution is going to:
• Give customers the opportunity to affirmatively choose the credit product most suitable for their financial needs, including overdraft payment products;
• Ensure that customers understand overdraft payment programs and alternative product choices;
• Appropriately monitor accounts and take meaningful and effective action to reach customers frequently using automated overdraft programs to inform them of lower-cost alternatives;
• Structure transaction clearing practices in a neutral manner not intended to maximize overdraft-related fees charged to customers; and
• Establish appropriate daily limits on fees.
Identification of Types of Overdraft Payment Programs Offered
Compliance examiners should first identify overdraft payment practices, programs and products offered and used by the financial institution at each examination, and consider the applicability of existing laws, regulations and guidance, as appropriate. In particular, examiners will need to determine whether overdraft payment decisions and programs are automated or not.
Automated overdraft payment programs typically rely on computerized decision-making and use pre-established criteria to pay or return specific items. There is little to no case-by-case review and decision-making with respect to an individual customer or item. By contrast, ad hoc programs typically involve the exercise of bank employee judgment in making a specific decision about whether to pay or return an item, as an accommodation and based on the employee’s knowledge of a particular customer. See Management and Policy-Related Examination Procedures for further explanation of automated and ad hoc programs.
Automated overdraft payment programs are the focus of the 2010 Supervisory Guidance. Ad hoc overdraft payments have been authorized by banks for years as an accommodation based on specific considerations and knowledge of a particular customer, and they have generally not been the subject of the type of product over-use concerns that can be associated with automated overdraft programs. Consequently, the specific supervisory expectations set out in the Guidance regarding customer contact for excessive or chronic users do not apply to ad hoc overdraft practices. Compliance examiners should not focus on ad hoc overdraft payments or practices when evaluating appropriate risk mitigation efforts in connection with the 2010 Supervisory Guidance; however, if significant safety and soundness or compliance risks regarding ad hoc programs and practices are identified, an examiner may consider an expanded review (See Expanded Review for Ad Hoc Programs or Practices).
Examiners should focus on identifying and mitigating the significant risks posed by automated overdraft programs, including taking a risk-based approach in scoping examinations to verify
6 | P a g e
that institutions’ automated overdraft payment programs comply with applicable laws and regulations, and that such programs are not operating in a manner that is inconsistent with expectations set out in the 2010 Supervisory Guidance, the Joint Guidance and the Third-Party Guidance. In examining for appropriate application of the 2010 Supervisory Guidance, reviews of management activities, policies and procedures, and transaction testing, including document requests, should focus on automated overdraft programs.
Supervisory Action to Mitigate Risks
Overdraft payment programs that are found to pose unacceptable safety and soundness or compliance risks will be factored into examination ratings, and corrective action will be taken where necessary. Violations should be cited on the appropriate Violation pages of the Report of Examination (ROE). Other concerns regarding practices that are inconsistent with the 2010 Supervisory Guidance, the Joint Guidance, and/or the Third-Party Guidance should be discussed in the Examiner’s Comments and Conclusions page of the ROE. Additionally, Compliance examiners should make appropriate recommendations to bank management in the ROE. These violations and concerns should be taken into consideration when assessing the institution’s Compliance Management System (CMS) and determining the overall Compliance Rating.
Appropriate corrective action will be pursued where overdraft payment practices or programs pose unacceptable safety and soundness or compliance management system risks, or result in violations of laws or regulations, including UDAPs. Depending on the circumstances, corrective action may include ratings downgrades, informal agreements, enforcement orders, customer restitution, and/or civil money penalties. Regional Offices should ensure that appropriate post-examination tracking covers instances where the ROE identifies:
• Inconsistencies with the 2010 Supervisory Guidance, the Joint Guidance and the Third-Party Guidance given an institution’s overall CMS and risk mitigation approach, and
• Other overdraft-related violations and concerns, to ensure that timely and appropriate corrective action is taken by bank management.
In addition, at the conclusion of each compliance examination, examiners are required to complete the overdraft payment program related questions in the Credit and Consumer Product/Services Survey. Finally, Compliance examiners should consult with Risk Management examiners, as appropriate, where safety and soundness concerns are identified.
Examination Procedures
Examination Objectives
These Overdraft Payment Program Compliance Examination Procedures incorporate existing and updated laws, regulations, and guidance. These procedures demonstrate a new, heightened, and detailed focus on identifying risks resulting from excessive use of automated overdraft payment programs. Specific examination objectives include the following:
1. Assess the quality of the financial institution’s compliance risk management systems and its policies and procedures governing overdraft payment practices and programs.
2. Determine the financial institution’s compliance with applicable laws and regulations.
3. Assess how and whether institutions are implementing the recommended actions contained in the 2010 Supervisory Guidance.
7 | P a g e
4. Determine the effectiveness of the financial institution’s management of third-party risks, where applicable, in accordance with the Third-Party Guidance.
5. Determine the effectiveness of the financial institution’s internal controls and procedures for monitoring overdraft payment practices and programs consistent with the Joint Guidance and the 2010 Supervisory Guidance.
6. Direct corrective action when violations of laws, rules, or unsafe and unsound practices are identified, or when the financial institution’s practices, policies or internal controls are found to be deficient.
7. Determine the level of compliance with the 2010 Regulation E opt-in notice requirements and relevant regulatory changes related to overdraft products (e.g., TISA).
Management and Policy-Related Examination Procedures
Compliance examiners should follow the Management and Policy-Related Examination Procedures identified below, as applicable, in each examination involving overdraft payment programs. If after conducting a review of an institution’s Management and Policy-Related Examination Procedures, an examiner identifies weaknesses or other areas of concern,11 examiners should conduct appropriate transaction testing consistent with the Transaction-Related Examination Procedures (See Transaction-Related Examination Procedures for Automated Programs) to determine whether the overdraft program poses unacceptable safety and soundness, compliance, or other risks.
1. Determine how the financial institution handles decisions associated with overdraft payment programs and non-sufficient funds items (NSFs), including whether the institution offers overdraft payment programs to customers, and the types and characteristics of these programs. • Identify the overdraft practices, payments, and products used by the institution.
• Identify who in management is responsible for daily oversight of NSFs and overdraft decisions.
• Determine who in management has the ability to override overdraft policies and limits.
• Determine to what extent front-line employees who interact with customers on a daily basis have been trained on the institution’s overdraft and NSF policies, procedures, and products.
• Determine the level of discretion and parameters involved in any waivers or refunds.
• Identify the extent to which the Board of Directors (Board) and management oversee and review the activities associated with overdraft payment programs, decisions, and policies.
2. Determine if the overdraft payment programs qualify as automated programs for purposes of the 2010 Supervisory Guidance.
• Automated overdraft payment programs typically include the following characteristics: o They are partially or fully computerized;
11 Consistent with existing examination protocols governing Compliance Management Systems, examiners should follow these procedures (including the Transaction-Related Examination Procedures, if warranted) in the first examination conducted after issuance of the 2010 Supervisory Guidance. The guidance states that the FDIC expects institutions to have approved, responsive compliance and risk management action plans by July 1, 2011.
8 | P a g e
o They are used by institutions to determine whether NSF transactions qualify for overdraft coverage based on pre-determined criteria; and
o The decision to pay or return specific items is pre-established and generally does not rely on bank employee decision-making with respect to any individual customer or item.
• By contrast, ad hoc programs or practices typically have the following characteristics:
o A bank employee exercises judgment in making a specific decision about whether to pay or return an item;
o Decisions are made based on specific considerations and knowledge of a particular customer; and
o They are provided as an accommodation, not on a pre-determined basis.
• Some overdraft payment programs have elements that are both automated and ad hoc. In these instances, examiners should exercise judgment in making a determination about whether the program is automated or ad hoc based on the aforementioned criteria, and consider appropriate follow-up action.
• If, after completion of the Management and Policy-Related review, examiners identify significant risks and concerns covered in the 2010 Supervisory Guidance with respect to automated overdraft payment programs, examiners should consult the Transaction-Related Examination Procedures (See Consistency with Recommendations in the 2010 Supervisory Guidance – Expanded Review for Automated Programs).
• During Management and Policy-Related reviews, the specific supervisory expectations set out in the 2010 Supervisory Guidance regarding customer contact for excessive or chronic users generally should not be applied to ad hoc overdraft practices. However, institutions that authorize overdrafts on an ad hoc basis should manage potential reputational, compliance, and litigation risks regarding certain overdraft payment practices, such as check clearing practices designed to maximize overdraft fees.
• On an exception basis, where unacceptable risks are discovered during an examination regarding ad hoc programs and practices that potentially raise legal, regulatory, or other significant compliance concerns, examiners should consider whether follow-up action should be taken (See Expanded Review for Ad Hoc Programs or Practices).
3. Review all written policies and procedures, management’s self-monitoring, customer complaints, compliance audit reports including work papers, training materials, and other reports, as appropriate based on the nature of the overdraft program. Determine whether:
• Policies and procedures are all encompassing and take into consideration, as appropriate, issues covered by the 2010 Supervisory Guidance, the Joint Guidance, and the Third-Party Guidance.
• Customer complaints are captured and handled in a timely manner, with appropriate reimbursements and adjustments.
• The scope of the audit or self-monitoring addresses, as appropriate, issues covered by the 2010 Supervisory Guidance, the Joint Guidance, and the Third-Party Guidance.
9 | P a g e
• Management has taken corrective action to follow-up on previously identified deficiencies.
• Testing includes samples covering overdraft payment practices, programs, and decision centers.
• Testing includes monitoring for risks identified in the Joint Guidance, as appropriate.
• Testing encompasses monitoring accounts for excessive or chronic customer use; meaningful and effective customer follow-up with respect to automated programs; transaction processing order; establishment of overdraft payment decision parameters that ensure continued applicability and appropriateness; and other expectations, as appropriate, and consistent with the 2010 Supervisory Guidance.12
• Testing includes review of all third-party arrangements related to overdrafts.
• The scope of the work performed is appropriate.
• The work performed is accurate.
• Significant deficiencies and their causes are included in reports to management and/or the Board.
• Management and/or the Board follow up to ensure that action is taken to correct any significant deficiencies identified.
• Review frequency is appropriate.
• The institution documents instances of accountholder excessive use of automated overdraft payment programs (e.g., more than six occasions where a fee is charged in a rolling twelve-month period).
4. Through discussions with management and review of available information, determine whether the institution’s internal controls are adequate to ensure appropriate compliance with the 2010 Supervisory Guidance, the Joint Guidance, and the Third-Party Guidance (including managing third-party arrangements related to the practices and programs under review), and applicable laws and regulations.
5. Review the following:
• Organization charts;
• Process flowcharts;
• Policies and procedures;
• Account documentation;
• Checklists;
• Computer program documentation;
• Marketing materials;
• Training materials;
• Third-party agreements; 12 See also Consistency with Recommendations in the 2010 Supervisory Guidance – Expanded Review for Automate of the Transaction-Related Examination Procedures
10 | P a g e
• Reports on the frequency of customer overdraft payment program use, overdraft accommodations, and associated fees; and
• Reports documenting efforts to monitor accountholder excessive use of automated overdraft payment programs (e.g., more than six occasions where a fee is charged in a rolling twelve-month period).
6. Through a review of the financial institution’s training materials and procedures, determine whether:
• The institution provides appropriate training to individuals responsible for compliance with, and operational responsibilities for, the institution’s overdraft payment practices and programs, e.g., customer service representatives, tellers, individuals handling complaints, audit and compliance staff, and marketing personnel.
• The training is comprehensive and covers the various aspects detailed in the 2010 Supervisory Guidance, the Third-Party Guidance, the Joint Guidance, and applicable laws and regulations.
• In addition to knowledge of the institution’s overdraft payment programs, practices and policies (including applicable laws, regulations and guidance), the training should specifically cover:
o Information on alternative and less costly products and options,
o How customers opt-in or opt-out (if the institution chooses to allow customers to opt-out) of various programs,
o How to monitor for excessive use,
o How and when to conduct meaningful and effective follow-up with customers, and
o How to respond to customer complaints.
7. Determine the extent and adequacy of the institution’s policies, procedures, and practices for ensuring compliance with safe and sound operational, financial and reputational risks and consumer protection laws and regulations. In particular, verify that:
• The institution has developed overdraft payment program policies, procedures and practices that ensure compliance with applicable laws and regulations, including:
o TILA and Regulation Z;
o TISA and Regulation DD;
o EFTA and Regulation E;
o Section 5 of the FTC Act (governing UDAPs) and Regulation AA;
o ECOA and Regulation B;
o EFA and Regulation CC; and
o CRA.
• The institution’s overdraft payment program policies, procedures and practices address, as appropriate, the supervisory expectations noted in the 2010 Supervisory Guidance,
11 | P a g e
compliance and risk management principles identified in the Third-Party Guidance, and best practices noted in the Joint Guidance.
Among other things, Compliance examiners should verify that:
• The institution has adopted appropriate procedures in accordance with Regulation E to eliminate overdraft charges related to ATM and one-time, point-of-sale (POS) transactions unless the customer has opted-in to having such fees charged.13
• The institution treats customers the same regarding the payment of other NSF items and such payment is not conditioned upon whether or not the customer has affirmatively agreed to pay overdraft fees on ATM or one-time, point-of-sale (POS) transactions.
• The institution’s marketing for an overdraft payment program is consistent with the requirements of applicable laws and regulations.
• The institution has developed practices that treat all customers equally, including ensuring that customers are not steered to more expensive products based on their use of overdraft services.14
• The institution has developed procedures and methodologies to monitor the use of overdrafts by its customers and associated fees charged.
• The institution has enacted policies and procedures that address prompt handling of requests to opt-in (and to opt-out if the institution, within its discretion, chooses to permit consumers to opt-out) of overdraft payment programs and transactions.
• The institution has developed a process that facilitates meaningful and effective follow-up with customers who have been identified as chronic or excessive users of automated overdraft payment programs. An institution’s program should be structured to provide customers with information regarding alternative credit programs or other products that would be more beneficial to their financial needs, and given a meaningful opportunity to affirmatively choose the overdraft payment product that overall best meets their needs.
o According to the 2010 Supervisory Guidance, potential excessive use can occur if a customer overdraws his or her account on more than six occasions where a fee is charged in a rolling twelve-month period.
o For ease of examination, institutions should be encouraged to incorporate excessive use monitoring triggers consistent with the 2010 Supervisory Guidance. If an institution maintains a different standard for excessive use, this standard is expected to be reasonable and designed to implement the supervisory expectation that institutions monitor and take meaningful and effective follow-up action when customers use the overdraft payment program excessively.
• The institution has developed a transaction clearing process method that is fully supported by sound banking business reasons, is neutral in its application, and not designed to maximize the cost to consumers.
• The institution has developed appropriate overdraft payment decision parameters (e.g., daily limits on fees).
13 See footnote 4.14 See FFIEC Interagency Fair Lending Examination Procedures and Regulation E Examination Procedures.
12 | P a g e
• The institution performs adequate due diligence before entering into and during the course of a third-party relationship in connection with an overdraft payment program.15
• The institution has developed policies and procedures for monitoring and responding to customer complaints.
Transaction-Related Examination Procedures for Automated Programs
Compliance examiners should conduct transaction testing using the Transaction-Related Examination Procedures if, after completing the Management and Policy-Related Examination Procedures, they discover weaknesses or other risks requiring further investigation. Examiners should use their judgment in deciding the sample size of, e.g., accounts, disclosures and advertisements. Sample sizes should be increased until confidence is achieved in reviewing various aspects of the financial institution’s automated overdraft payment programs, practices, policies and procedures.
As noted in Identification of Types of Overdraft Payment Programs Offered and Management and Policy-Related Examination Procedures, for the vast majority of examinations, Compliance examiners will not conduct transaction-related testing on ad hoc programs and practices.
Further Document Collection and Review
To the extent not already reviewed pursuant to the Management and Policy-Related Examination Procedures, examiners should obtain and review copies of the following documents for consistency with applicable laws, regulations and guidance:
• Descriptions of overdraft payment programs;
• Disclosure forms;
• Account agreements;
• Opt-in and opt-out agreements;
• Excessive use and fee reports;
• Procedures for monitoring excessive or chronic customer use and undertaking meaningful and effective follow-up action;
• Overdraft activity reports and compliance documentation (including any to management or the Board related to monitoring and follow-up, workout loans, charge-offs, fee waivers, daily limits, de minimis transactions, etc.);
• Third-party contracts for overdraft payment programs;
• Procedural manuals and written policies;
• Approval guidelines and parameters for all overdraft payment programs, including daily fee limits;
• ATM receipts, periodic statements, and ATM/POS terminal notices;
• Form letters and other correspondence used to notify customers of NSFs or overdraft items;
• Form letters and other correspondence used to notify customers of an overdrawn account status;
15 See footnote 2.
13 | P a g e
• Form letters and other correspondence used in case of errors or questions concerning an account;
• Form letters and other correspondence used to contact customers who are excessive users to inform them of alternative, less expensive products;
• Form letters and other correspondence to opt-in or opt-out of overdraft products, including Regulation E ATM and one-time, POS opt-in related materials;
• All other form letters and correspondence used relating to NSF and overdraft items or programs;
• Any agreements with third-parties allocating compliance responsibilities;
• Marketing materials and scripts, including Regulation E ATM and POS-related materials; and
• Customer complaint files.
Consistency with 2005 Joint Guidance Best Practices – Expanded Review
Further review the financial institution’s overdraft payment practices and programs to ensure that they reflect the “Best Practices” outlined in the Joint Guidance, and are consistent with the 2010 Supervisory Guidance. In addition to the safety and soundness considerations and legal risks identified, Compliance examiners should review efforts to mitigate risk and concerns raised consistent with the following 2005 Best Practices, including:
• Marketing and Communications with Consumers 1. The institution does not market the program in a manner that encourages routine or
intentional overdrafts.
2. The institution informs customers of other overdraft services and credit products, if any, that are available and the differences in each product (terms and fees), including the consequences of extensively using overdrafts to cover short-term credit needs.
3. The institution trains staff to explain overdraft payment practices, program features, costs, terms, how to opt-in (or if the institution, within its discretion, chooses to permit consumers to opt-out, how to opt-out), and availability of other products to cover overdrafts.
4. The institution makes clear when payment of overdrafts is discretionary and does not indicate that payment is guaranteed if the institution retains discretion to not pay an overdraft item.
5. The institution does not promote “free” accounts and overdraft payment programs in the same advertisement in a manner that would suggest that the program is free of charges (consistent with Regulation DD).
6. The institution clearly discloses the dollar amount of the fee for each overdraft and any interest rate or other fees that may apply, in communications about overdraft payment programs.
7. The institution informs customers that the overdraft fees, as well as the amount of the overdraft, will be subtracted from any overdraft limit disclosed (consistent with Regulation DD).
14 | P a g e
8. The institution clearly discloses, where applicable, that more than one overdraft fee may be charged against the account per day, depending on the number of checks presented or withdrawals made from the customer’s account.
9. The institution clearly explains to consumers that transactions may not be processed in the order in which they occurred, and that the order in which the transactions are received and processed can affect the total amount of overdraft fees incurred.
10. The institution clearly discloses the types of transactions that can incur an overdraft fee (e.g., ATM withdrawals, debit card transactions, preauthorized automatic debits, telephone-initiated transfers, or other electronic transfers), to avoid implying that check transactions are the only transactions covered.
• Program Features and Operations
1. The institution provides a specific notice, where feasible, to inform the customer that completing the withdrawal or fund transfer may trigger an overdraft fee and presents the notice in a manner that permits the customer to cancel the transaction after receiving the notice. If this is not feasible, the institution prominently displays notices explaining that transactions that overdraw accounts may be approved and fees may be incurred.
2. The institution does not include overdraft payment program funds when providing a single balance for an account by any means (consistent with Regulation DD).
3. The institution promptly notifies customers each time an overdraft payment program has been accessed. The notice identifies the date of the transaction, type of transaction, item amount, overdraft amount, fee imposed, amount necessary to return the account to a positive balance, amount of time the customer has to return the account to a positive balance, and the consequences of not returning the account to a positive balance within that time period. Additionally, the institution notifies customers if the institution terminates or suspends customer access to the service.
4. The institution establishes daily limits on the customer’s costs from overdraft payment programs, e.g., by limiting the dollar amount of fees or number of transactions per day.
5. The institution monitors excessive customer use of overdrafts, which would indicate a need for alternative credit arrangements or services, and informs customers of these options.
6. The institution does not report negative information to consumer reporting agencies when overdrafts are paid under the terms of the institution’s overdraft payment program.
Consistency with Recommendations in the 2010 Supervisory Guidance – Expanded Review for Automated Programs
Where transaction testing is warranted, examiners should perform a detailed review of the financial institution’s automated overdraft payment practices and programs for appropriate consistency with the “Supervisory Expectations” outlined in the 2010 Supervisory Guidance, as well as the “Regulation E Requirements” and “Examinations” discussions. Examiners should discuss with institutions which recommendations, expectations, and items are appropriate given
15 | P a g e
the institution’s overdraft payment programs and practices, customer base and use patterns, and business model, as well as other efforts by the institution to address excessive use.
In particular, for automated overdraft payment programs Compliance examiners should determine whether:
1. The institution gives customers the opportunity to affirmatively choose the overdraft payment product that best meets their needs.
• This includes, for example, a linked savings account,16 a more reasonably priced line of credit that is consistent with safe and sound banking practices, or a safe and affordable small-dollar loan.17
2. The institution’s Board provides appropriate oversight of programs consistent with its ultimate responsibility for overall compliance, and management provides oversight of program features and operations on an ongoing basis, including annual review of an overdraft payment program’s key features.
3. The institution reviews its marketing, disclosures, and implementation of such programs to minimize potential customer confusion and promote responsible use.
4. The institution trains staff to explain program features and other choices.
5. The institution prominently distinguishes account balances from any available overdraft coverage amounts (consistent with Regulation DD).
6. The institution monitors programs for excessive or chronic customer use, and undertakes meaningful and effective follow-up action.
• Meaningful and effective follow-up means that the institution has made reasonable efforts to provide the customer with information on alternatives to automated overdraft payment programs that may be better-suited to the individual’s need for short term credit, and a clear mechanism for the customer to avail him or herself of those alternatives.
o The key goal is to ensure that customers are able to make informed choices among available options to manage recurring needs for short-term credit.
o An institution should be able to demonstrate it monitors account usage, undertakes programs designed to address excessive or chronic use, and monitors its success in informing frequent users of overdraft payment programs of the high cumulative costs of the program and the availability of less costly or otherwise more appropriate alternatives.
o Although institutions are encouraged to provide responsible alternatives, and most institutions offer some form of short-term alternative, including lines of credit, fixed-term small dollar loans, and linked savings accounts, they are not required to develop new products in response to the 2010 Supervisory Guidance.
• Compliance examiners should weigh the institution’s overall approach in addressing excessive or chronic customer use and assess whether a chosen course of action demonstrates meaningful and effective follow-up.
16 See The FDIC’s Model Safe Account Pilot which provides a template for safe, low-cost transactional and savings accounts (http://www.fdic.gov.)17 See A Template for Success: The FDIC’s Small-Dollar Loan Pilot Program which provides a template for safe and affordable small dollar loans (http://www.fdic.gov).
16 | P a g e
o Steps should include assessing the institution’s level of effort to reach customers, and the ease with which customers are able to select alternative products.
Key areas of focus regarding meaningful and effective follow-up include:
• Institutions are encouraged to be proactive in contacting customers, clearly communicating available options and giving a meaningful choice among options.
• Institutions may employ a variety of techniques, based on individual customer profiles and general business practices, to contact excessive or chronic users of overdraft payment programs.
• While examples of meaningful and effective follow-up could include contacting a customer via telephone, in person, by mail, or through electronic notifications, a single action may or may not necessarily show appropriate follow-up. When evaluating meaningful and effective follow-up, examiners should consider the institution’s overall process for providing notice to excessive use customers and the circumstances at that institution. Factors to consider include whether:
o The institution has a regular program to inform excessive or chronic users of overdraft usage and cumulative costs in a prominent or conspicuous fashion;
o The institution highlights availability of alternatives to overdraft payment programs that may be lower-cost or more appropriate;
o The institution provides a clear and simple manner to contact the institution to discuss available alternatives;
o Contact with the customer was cursory;
o The customer and the institution engaged in relevant dialogue or exchanged correspondence; or
o Other information provided by the institution that documents meaningful and effective follow-up.
• Although institutions should use their judgment in determining what risk mitigation response is appropriate for their particular institution, two specific examples of ways in which an institution could demonstrate meaningful and effective follow-up regarding excessive or chronic use of automated overdraft programs are: 1) providing enhanced periodic statements; or 2) employing a targeted outreach approach.
1. Enhanced Periodic Statement Approach
o Under the enhanced periodic statement approach, an institution would augment existing, required disclosures for overdraft fees under Regulation DD (requiring disclosure of the total amounts of fees charged for overdrafts during the statement period and calendar year-to-date), by:
Prominently highlighting how excessive or chronic users of automated overdraft programs can contact the institution to discuss available alternatives, and
Encouraging meaningful and effective contact.
17 | P a g e
o If a customer incurs more than six overdrafts in a rolling twelve-month period, the institution would prominently display on the periodic statement information describing how the customer can contact the institution to discuss alternative options.
An effective method is to include the name or names of specific employee(s) who have knowledge of alternative credit products for which the customer might qualify and are able to assist the customer in determining whether he or she qualifies for them.
For example, the following statement could be used: “You have been paying multiple overdraft fees and there may be cheaper alternative products that may be better suited for your needs. Please call [name(s) of employees] at xxx-xxx-xxxx to discuss other options with a customer service representative or visit us at your local branch.”
o Under this approach, institutions should continue to send enhanced periodic statements to customers for as long as the customer continues to exhibit chronic or excessive usage.
2. Targeted Outreach Approach o A targeted outreach approach would involve contacting excessive users in person or
by telephone to discuss less costly alternatives to automated overdraft payment programs.
o An institution would initiate outreach within a reasonable time period (e.g., 30 days) when a customer incurs more than six overdrafts in a rolling twelve-month period to discuss overdraft usage and available alternatives to the overdraft payment program.
o If a customer decides to remain in the automated overdraft payment program, the institution should also engage the customer to determine the customer’s preferences regarding future contact regarding participation in the automated overdraft payment program.
o Absent an indication of customer preference regarding subsequent contact, a targeted outreach approach would involve contacting a customer whenever there is a cycle of repeated, excessive use (e.g., subsequent occurrences of more than six overdraft occasions where a fee is charged in a rolling twelve-month period).
Additional key areas of focus regarding meaningful and effective follow-up include:
• Institutions should establish a reasonable period of time in which to reach the customer to discuss less costly alternatives (e.g., 30 days).
• Institutions are not expected to suspend the availability of or limit access to overdraft coverage during the period in which they are engaging in good faith efforts to reach customers.
• Once successful contact with the customer occurs, institutions should evaluate the appropriate course of action. Before pursuing a course of action, institutions should consider the overall risks and circumstances, including whether the customer has expressed a desire to pursue alternatives or continue participating in the overdraft payment program.
18 | P a g e
• An occasion occurs when an overdraft fee is charged (e.g., a per-transaction, sustained daily, or other overdraft fee, but not an NSF fee charged where payment for an item is rejected). If three overdraft fees are charged in one day, that constitutes three occasions. If four overdrafts occur in one day but only three fees are charged for three transactions that day (e.g., if the institution waives fees after a daily limit of three is met), that similarly constitutes three occasions.
• If a financial institution posts a single $105 fee to an account for three, per-transaction overdrafts (i.e., a $35 fee is charged for each overdraft), this would still constitute three overdraft fees and, consequently, three occasions.
Is there documentation or empirical evidence that the institution’s follow-up has resulted in customers choosing more affordable alternatives?
• After meaningful and effective contact, and repeated instances of follow-up, a customer may not wish to receive follow-up contact envisioned by the 2010 Supervisory Guidance.
o Regardless of customer choice, institutions should continue to monitor account usage.
• At the same time, institutions should not attempt to steer frequent users of fee-based overdraft products towards continuing fee-based overdraft coverage while obscuring the availability of less costly alternatives. In addition, institutions should not employ inappropriate efforts, including overly aggressive advertising or other promotional activities to coerce consumers to choose to continue with fee-based overdraft coverage.
• As with all customer communications, simple and clear language is preferred. Regardless of customer choice, institutions should continue to monitor accounts for excessive use that may pose safety and soundness risks.
7. The institution has appropriate daily limits on customer costs. For example, the financial institution has done the following:
• Limited the number of transactions that will be subject to a fee (e.g., no more than three per day), or
• Provided a dollar limit on total fees that will be imposed per day.
Daily limits should be reviewed as one element of the institution’s overall overdraft payment program. Failure to institute daily limits on customer costs with respect to overdraft payment programs does not in and of itself mean that the institution is not acting in a manner that is consistent with the expectations set out in the 2010 Supervisory Guidance.
8. The institution has implemented transaction-clearing procedures that operate in a manner so as to avoid maximizing customer overdrafts and related fees through manipulation of the clearing order, and ensures that any third-party vendor has similar procedures in place.
• Determining clearing order does not in and of itself necessarily indicate whether an institution is or is not acting consistent with the expectations set out in the 2010 Supervisory Guidance. Examiners should review and consider whether the processes, practices, policies, and procedures of the financial institution and their third-party vendor provide an overall compliance management system or framework that is consistent with those expectations.
19 | P a g e
• To the extent that institutions make decisions regarding transaction processing order, transactions should be processed in a neutral order that avoids manipulating or structuring processing order to maximize customer overdraft and related fees.
• Institutions are discouraged from implementing systems that re-order transactions to clear the highest item first, as this approach will tend to increase the number of overdraft fees. In addition, although processing batches of transactions in a random order or order received is a neutral approach, institutions are discouraged from arranging the order of types of transactions (i.e., batches) cleared in order to increase the number of overdrafts and maximize fees.
• Compliance examiners should consider the overall risk-profile of the institution and the following factors or characteristics:
o Is the transaction order neutral (e.g., by order received, check number, serial number sequence, or other potentially equitable approaches)?
o Has the institution established that their transaction processing order is necessary for sound business reasons and is not manipulated so as to maximize fees?
9. The institution monitors and, where necessary, mitigates credit, litigation, reputational, safety and soundness, and other risks, as appropriate.18
10. The institution complies with Regulation E requirements requiring institutions to provide notice and a reasonable opportunity for customers to opt-in to the payment of ATM and one-time POS overdrafts for a fee and does not steer frequent users of fee-based overdraft products to opt-in to these programs while obscuring the availability of alternatives (raising safety and soundness concerns about potentially unsustainable consumer debt, as well as potential fair lending and UDAP concerns).
11. The institution is consistent in its application of overdraft fee waivers, in light of applicable fair lending statutes and regulations.
In addition, an institution in its discretion may choose or elect to implement further risk mitigation efforts. If an institution decides to implement such activities or practices, examiners should weigh these further efforts in evaluating the overall effectiveness of an institution’s compliance management system and evaluate whether an institution’s overdraft program and practices are consistent with the expectations set out in the 2010 Supervisory Guidance. Examples of additional efforts that mitigate risks include the following:
1. The institution has an appropriate process in place for eliminating overdraft fees for transactions that overdraw an account by a de minimis or very low amount.19 Examples of possible de minimis limits that could be implemented include: transaction amounts of less than $10, or an institution could decline to charge overdraft fees for transactions that overdraw an account by less than $10.
2. The institution has effectively employed cost effective, existing technology, as appropriate, to alert customers when their account balance is at risk of generating a fee for NSFs.
18 Compliance examiners should consult with Risk Management examiners, as appropriate, where safety and soundness concerns are identified.19 If a fee is charged such a fee should be reasonable and proportional to the amount of the original transaction.
20 | P a g e
3. The institution has provided information to customers about how to access free or low-cost financial education workshops or individualized counseling to learn how to more effectively manage personal finances. Small or rural institutions may want to consider using Web-based resources or referrals to reputable, non-profit organizations.
4. The institution has appropriate policies and procedures in place for allowing customers to decline overdraft coverage (i.e., opt-out) for non-electronic transactions (meaning transactions that are not subject to the Regulation E opt-in requirements), such as paper checks, automated clearing house transfers and recurring debits, and honor an opt-out request.20
o It is recommended that institutions consider occasional communications to remind customers of available options to terminate overdraft coverage.
5. The institution has appropriate policies and procedures in place for reminding their customers, especially chronic or excessive users of overdraft programs, that even if they have chosen to opt-in to the payment of ATM and one-time POS overdrafts for a fee, at any time they can still choose to opt-out of ATM and one-time, POS overdraft programs.
Expanded Review for Ad Hoc Programs or Practices
For ad hoc programs or practices, if unacceptable risks are identified on an exception basis during the Management and Policy-Related review, examiners should consider whether the institution’s ad hoc payment practices require closer review. For example:
• When weaknesses or other risks are discovered that may indicate that ad hoc programs or practices are not in compliance with existing laws and regulations; and/or
• When red flags are raised indicating potential reputation, compliance, and litigation risks regarding certain practices, such as check clearing practices designed to maximize overdraft fees, examiners should consider inquiring about:
o The nature of the red flag;
o Why the issue occurred; and
o How the institution oversees and manages such issues, including a potential review of policies and procedures.
Overdraft Payment Program Supervisory Guidance Frequently Asked Questions
FDIC staff has developed the following Frequently Asked Questions (FAQs) and answers in response to questions from supervised institutions and third-party vendors about the FDIC’s Overdraft Payment Supervisory Guidance issued in November 2010 (FIL-81-2010) (Guidance). The responses represent the views and opinions of FDIC staff regarding incorporation of the Guidance into the examination process.
I. Defining Automated and Ad Hoc Programs
1. How does an “automated” overdraft payment program differ from “ad hoc” overdraft payment practices?
20 Revised Regulation E provides consumers with an ongoing right to rescind their prior opt-in to coverage of ATM and one-time POS overdrafts.
21 | P a g e
Automated overdraft payment programs typically rely on computerized decision-making, and use pre-established criteria to pay or return specific items. There is little to no case-by-case review and decision-making with respect to an individual customer or item.
By contrast, ad hoc practices typically involve the exercise of bank employee judgment in making a specific decision about whether to pay or return an item. This is done as an accommodation and based on the employee’s knowledge of a particular customer.
2. Do the specific supervisory expectations about customer contact apply to ad hoc overdraft payments?
No. The FDIC’s November 2010 Guidance is focused on assisting institutions in identifying, managing, and mitigating the particular risks posed by automated overdraft payment programs. Ad hoc overdraft payments have been authorized by banks for years as an accommodation based on specific considerations and knowledge of a particular customer, and they have generally not been the subject of the type of product over-use concerns that can be associated with automated overdraft programs. Consequently, the specific supervisory expectations set out in the Guidance regarding customer contact for excessive or chronic users of automated overdraft payment programs do not apply to ad hoc overdraft practices.
3. Should institutions monitor and manage risks associated with ad hoc payments of overdrafts?
Yes. While the Guidance’s specific supervisory expectations relate only to automated overdraft payment programs, institutions that authorize overdrafts on an ad hoc basis should manage potential reputational, compliance, and litigation risks regarding certain overdraft payment practices, such as check clearing practices designed to maximize overdraft fees. In addition, the Guidance provides updated information on the laws, regulations, and other guidance that apply to all types of overdraft payment practices and programs.
II. Excessive Use and Meaningful Follow-Up
1. The Guidance states that FDIC-supervised institutions should monitor programs for excessive or chronic customer use, and if a customer overdraws his or her account on more than six occasions where a fee is charged in a rolling twelve-month period, undertake meaningful and effective follow-up action. What is an “occasion” where a fee is charged?
An “occasion” occurs each time an overdraft transaction generates a fee. For example, this would include a per-transaction overdraft fee or a daily fee for an outstanding overdraft status. As a result, potentially more than one “occasion” can occur per day. If three overdraft fees are charged as a result of three transactions (even if the fees are aggregated), that would constitute three occasions. If a fee itself triggers an overdraft, that event would count if a further overdraft fee is charged as a result.
By contrast, overdraft items paid where no fee is charged (for example, if a bank pays an item after a daily limit is met on overdraft items paid and the bank waives additional fees) would not be included. Thus, if four overdrafts occur in a day but the bank only charges three fees as a result of a per-day limit on fees charged, this would constitute three occasions.
2. What is meaningful and effective follow-up for chronic or excessive use and how can an institution demonstrate it has made meaningful efforts to reach chronic or excessive users of automated overdraft payment programs?
22 | P a g e
Meaningful and effective follow-up means that the institution has made reasonable efforts to provide the customer with information on alternatives to overdraft payment programs that may be better-suited to the individual’s need for short-term credit, as well as a clear mechanism for the customer to avail himself or herself of those alternatives. The key goal is to ensure that customers are able to make informed choices among available options to manage recurring needs for short-term credit. The FDIC will assess the institution’s level of effort to reach customers, the institution’s program for providing notice to customers of available alternatives, and the ease with which customers are able to select alternative products.
Institutions may employ a variety of techniques, based on individual customer profiles and general business practices, to contact excessive or chronic users of overdraft payment programs. For example, the institution’s overall approach could incorporate contacting a customer via telephone, in person, by mail, or through electronic notifications. Relevant factors include whether the institution:
• Has a regular program to inform excessive or chronic users of overdraft usage and cumulative costs in a prominent or conspicuous fashion;
• Highlights availability of alternatives to overdraft payment programs that may be lower-cost or more appropriate; and
• Provides a clear and simple manner to contact the institution to discuss available alternatives.
The institution should be able to demonstrate that it monitors account usage, undertakes programs designed to address excessive or chronic use, and monitors its success in informing frequent users of overdraft payment programs of the high cumulative costs of the program and the availability of less-costly or otherwise more appropriate alternatives.
Two examples of ways in which an institution could demonstrate meaningful and effective follow-up regarding excessive or chronic users of overdraft programs are to provide enhanced periodic statements or employ a targeted outreach approach. Specific information discussing meaningful and effective follow-up when utilizing these approaches is described in the attached Illustrations. Institutions may employ other approaches for engaging in effective and meaningful follow-up with chronic or excessive users.
III. Fee Limits and Maximizing Fees
1. What is an example of an appropriate daily limit on overdraft fees?
Daily limits can help prevent a customer’s individual lapse in financial management from triggering a cascade of overdraft fees, and will be reviewed as one possible element of the institution’s overall approach for addressing chronic or excessive use of automated overdraft payment programs. For example, some institutions have implemented limits on the number of transactions that will be subject to a fee (e.g., no more than three per day) or on total allowable fees (e.g., a specific maximum dollar amount of allowable fees per day).
2. What is an example of an appropriate de minimis overdraft amount?
Institutions should consider the use of a de minimis threshold before an overdraft fee is charged in order to reduce reputational risk related to charging fees that are disproportionate to the item being cleared. For example, some institutions have implemented de minimis limits whereby they do not charge overdraft fees for underlying transaction amounts of less than $10, while some have declined to charge overdraft fees for transactions of any amount that overdraw an account by less than $10.
23 | P a g e
3. What is a reasonable and proportional overdraft fee?
As noted in FAQ # III.2 (de minimis), institutions may increase reputational risk when overdraft fees are significantly greater than the amount of the item being cleared. Institutions should review the amount charged for the overdraft payment compared to the amount of the underlying transaction that triggered the overdraft, and assess whether the charge is reasonable and proportionate in comparison. Institutions should consider de minimis limits to reduce the reputational risk of overdraft fees that are disproportionate to the cost of the underlying transaction.
4. How can institutions and their third-party vendors work to process transactions in a manner that addresses risks identified in the Guidance?
Transactions should be processed in a neutral order that avoids manipulating or structuring processing order to maximize customer overdraft and related fees. Examples of a neutral order include order received, check number, serial number sequence, or other approaches when necessary based on sound business justification.
Re-ordering transactions to clear the highest item first is not considered neutral because this approach will tend to increase the number of overdraft fees. By contrast, processing batches of transactions in a random order or order received is a neutral approach; however, institutions should not arrange the order of types of transactions (i.e., batches) cleared in order to increase the number of overdrafts and maximize fees.
IV. Other Questions
1. Is an institution required to provide new alternatives to automated overdraft payment programs?
No. Banks are not required to develop new products in response to the Guidance. However, most banks offer some form of short-term alternative, including lines of credit, fixed-term small dollar loans, and linked savings accounts, and the FDIC encourages institutions to provide linked accounts or responsible, short-term credit products (such as those offered under the FDIC’s small dollar loan pilot). Banks are expected to inform excessive or chronic users of overdraft payment programs about alternative products that the institution has available for its customers, and to make these programs available to customers that qualify. Such products may qualify for CRA consideration under the service or lending tests.21
2. Is an institution required to terminate or suspend a customer’s access to the automated overdraft payment program if the customer engages in chronic or excessive use?
No. Institutions are expected to monitor usage and engage in meaningful and effective follow-up to inform excessive users of available alternatives. However, as discussed in the Guidance, a number of risks are associated with chronic or excessive use of automated overdraft programs, including reputational, compliance, safety-and-soundness, and litigation risks. If such risks are identified during the course of an institution’s monitoring and oversight of an automated overdraft program, institutions should take appropriate action to mitigate risks, as has been the case in the past.
21 See Affordable Small Dollar Loan Guidelines, FIL-50-2007 (June 19, 2007), available at: http://www.fdic.gov/news/news/financial/2007/ fil07050.html, and Interagency Questions and Answers Regarding Community Reinvestment, 75 Fed. Reg. 11642 (Mar. 11, 2010), available at: http://www.ffiec.gov.
24 | P a g e
3. The Guidance states that the FDIC believes institutions should allow customers to decline overdraft coverage (i.e., opt-out) for payment of overdrafts resulting from non-electronic transactions such as paper checks or automated clearing house (ACH) transfers. Can you clarify to which transactions this recommendation applies?
To promote consumer choice and awareness, institutions are encouraged to permit customers to decline overdraft coverage (i.e., opt-out) for transactions that are not subject to the Regulation E opt-in requirements, including checks, ACH transactions and recurring debits. As part of an institution’s on-going relationship with its customers, the FDIC recommends that institutions consider occasional communications to remind customers of available options to terminate overdraft coverage.
4. How can small or rural institutions provide information about financial education?
In addition to educational resources identified in the Guidance, institutions may want to consider using Web-based resources or referrals to reputable, non-profit organizations.
5. When are institutions expected to have reviewed and responded to the Guidance?
As stated in the Guidance, the FDIC expects that institutions will have approved, responsive compliance and risk management action plans, policies and procedures by July 1, 2011.
Meaningful and Effective Follow-Up Illustrations
The following information is provided to illustrate two examples of ways in which institutions may demonstrate meaningful and effective follow-up with excessive or chronic users of overdraft payment programs.
An enhanced periodic statement approach would involve augmenting existing, required disclosures for overdraft fees under Regulation DD (Truth in Savings), which requires disclosure of the total amounts of fees charged for overdrafts during the statement period and calendar year-to-date, by prominently highlighting how excessive or chronic users of automated overdraft programs could contact the institution to discuss available alternatives, and encouraging meaningful and effective contact.
A targeted outreach approach would involve contacting excessive users in person or via telephone to discuss less costly alternatives to automated overdraft payment programs.
Approach #1: Enhanced Periodic Statements
If an institution chooses to take an enhanced periodic statement approach that augments the requirements of Regulation DD for overdraft fees charged during the current statement period and calendar year-to-date, and if a customer incurs more than six overdrafts in a rolling twelve-month period, an institution could include a message on the periodic statement that describes how the customer could contact the institution to discuss alternative options. An effective approach could be to include the name or names of specific employee(s) who have knowledge of alternative credit products for which the customer might qualify and are able to assist the customer in determining whether he or she qualifies for them. For example, the following statement could be used: “You have been paying multiple overdraft fees and there may be cheaper alternative products that may be better suited for your needs. Please call [name of employee] at xxx-xxx-xxxx to discuss other options with a customer service representative or visit us at your local branch.”
25 | P a g e
Under this approach, it would be reasonable for an institution to continue to send enhanced periodic statements to a customer for as long as the customer continues chronic or excessive usage.
Approach #2: Targeted Outreach
If an institution chooses to take a targeted outreach approach, an institution would initiate outreach within a reasonable time period (e.g., 30 days) when a customer incurs more than six overdrafts in a rolling twelve-month period, to discuss overdraft usage and available alternatives to the overdraft payment program. If a customer decides to remain in the automated overdraft payment program, the institution should also engage the customer to determine the customer’s preferences for future contact regarding participation in the automated overdraft payment program. Absent an indication of customer preference regarding subsequent contact, a targeted outreach approach would involve contacting a customer whenever there is a cycle of repeated, excessive use (e.g., subsequent occurrences of more than six overdraft occasions where a fee is charged in a rolling twelve-month period).
References
FIL-81-2010: Overdraft Payment Programs and Consumer Protection: Final Overdraft Payment Supervisory Guidance
FIL-11-2005 Overdraft Protection Programs Joint Agency Guidance
FIL 44-2008 Third-Party Risk: Guidance for Managing Third-Party Risk
FDIC Industry FAQs (April 1, 2011)
26 | P a g e
Controller’s Handbook “Consumer Compliance”: III. Electronic Transaction Overdraft Services Opt-In --OCC
October 2011
Background. In recent years, overdraft protection services have been extended to cover overdrafts resulting from non-check transactions, including ATM withdrawals, debit card transactions at POS, online transactions, preauthorized transfers, and ACH transactions. Generally, institutions charge a flat fee each time an overdraft is paid, although some institutions have a tiered fee structure and charge higher fees based on the amount of the negative balance at the end of the day or as the number of overdrafts increases. Institutions commonly charge the same amount for paying check and ACH overdrafts as they would if they returned the item unpaid. Some institutions also impose a fee for each day the account remains overdrawn. For debit card overdrafts, the dollar amount of the fee and multiple assessments can exceed the dollar amount of the overdrafts.
In 2005, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation, and the National Credit Union Administration (the agencies) issued guidance concerning the marketing, disclosure, and implementation of overdraft programs. The guidance also covers safety and soundness considerations and establishes a number of best practices financial institutions should incorporate into their overdraft programs. The 2009 revisions to Regulation E supersede portions of the guidance related to ATM and one-time debit card overdraft transactions. In addition to the revised Regulation E requirements, however, institutions are again advised to incorporate the Joint Guidance on Overdraft Protection Programs (see OCC 2005--9, April 6, 2005) into their overdraft protection programs.
Section 205.17 was added in the 2009 revision to Regulation E.22 The revision provides consumers with a choice to opt into their institution’s overdraft protection program and be charged a fee for overdrafts for ATM and one-time debit card transactions. It also requires disclosure of the fees and terms associated with the institution’s overdraft service. Before an institution may assess overdraft fees, the consumer must opt in, or affirmatively consent, to the overdraft service for ATM and one-time debit
22 74 FR 59033, November 17, 2009; 75 FR 31665, June 4, 2010
27 | P a g e
card transactions, and the consumer has an ongoing right to revoke consent. Institutions may not require an opt-in for ATM and one-time debit transactions as a condition to the payment of overdrafts for checks and other transactions. The account terms, conditions and features must be the same for consumers who opt in and for those who do not.
Opt-in requirement for overdraft services. The financial institution may assess a fee for paying an ATM or one-time debit card transaction pursuant to an overdraft service only if it has met the following requirements:
• The financial institution has provided the consumer with a written (or, if the consumer agrees, electronic) notice, segregated from all other information, describing the overdraft service;
• The financial institution has provided a reasonable opportunity for the consumer to affirmatively consent (opt in) to the overdraft service for ATM and one-time debit card transactions;
• The financial institution has obtained the consumer’s affirmative consent (opt in) for ATM and one-time debit card transactions; and
• The financial institution has mailed or delivered written (or, if the consumer agrees, electronic) confirmation of the consent, including a statement informing the consumer of the right to revoke consent. An institution complies if it adopts reasonable procedures to ensure that it assesses overdraft fees only for transactions paid after mailing or delivering the confirmation to the consumer (section 205.17(b)(1); staff commentary 205.17(b)–7)).
Fee prohibitions. As a general rule, an institution may not charge overdraft fees for paying an ATM or one-time debit card transaction unless the consumer has opted in. The fee prohibition also applies to an institution that has a policy and practice of not paying an ATM or one-time debit card overdraft when it reasonably believes at the time of the authorization request that the consumer does not have sufficient funds available to pay the transaction, although the institution does not have to comply with the notice and opt-in requirements (staff commentary 205.17(b)–1(iv)).
Lack of consent does not prohibit the financial institution from paying ATM or one-time debit card overdrafts. The financial institution, however, may charge a fee only if the consumer has consented to the institution’s overdraft service for ATM and one-time debit card transactions (staff commentary 205.17(b)– 2). Conversely, the financial institution is not required to pay an ATM or onetime debit card overdraft even if the consumer has consented to
28 | P a g e
pay a fee (staff commentary 205.17(b)–3).
For a consumer who has not opted in, if a fee or charge is based on the amount of the outstanding negative balance, an institution may not charge a fee for a negative balance that is solely attributable to an ATM or one-time debit card transaction. An institution may assess a fee, however, if the negative balance is attributable in whole or in part to a check, ACH transaction, or other type of transaction not subject to the prohibition on assessing overdraft fees (staff commentary 205.17(b)–8).
For a consumer who has not opted in, the institution may not assess daily or sustained negative balance, overdraft, or similar fees for a negative balance, based solely on ATM or one-time debit card transactions. If the negative balance is attributable in part to a check, ACH transaction, or other type of transaction not subject to the prohibition on assessing overdraft fees, however, the institution may charge a daily or sustained overdraft or similar fee, even if the consumer has not opted in. The date the fee may be charged is based on the date on which the check, ACH, or other type of transaction is paid into overdraft (staff commentary 205.17(b)–9).
Contents and format of notice. The notice describing the overdraft service must be substantially similar to Model Form A–9. The notice must include all of the following items, and may not contain any other information not expressly specified or otherwise permitted:
A brief description of the overdraft service and the types of transactions for which the financial institution may charge a fee;
The dollar amount of any fee that may be charged for an ATM or one-time debit card transaction, including any daily or other overdraft fees;23
The maximum number of fees that may be charged per day, or, if applicable, that there is no limit;
An explanation of the right to affirmatively consent to the overdraft service, including the methods by which the consumer may consent;24 and
• The availability of a line of credit or a service that transfers funds from another account to cover overdrafts, if the financial institution offers
23 If the amount of the fee may vary based on the number of times the consumer has overdrawn the account, the amount of the overdraft, or other factors, the financial institution must disclose the maximum fee.24 Institutions may tailor the response portion of Model Form A–9 to the methods offered. For example, a tear-off portion of Model Form A–9 is not necessary if consumers may only opt-in by telephone or electronically (staff commentary 205.17(d)–3).
29 | P a g e
those alternatives25 (section 205.17(d)(1) through (d)(5)). The financial institution also may (but is not required to) include the following information, to the extent applicable:
Disclosure of the right to opt into, or out of, the payment of overdrafts for other types of transactions (e.g., checks, ACH transactions, or automatic bill payments) and a means for the consumer to exercise such choices;
Disclosure of the financial institution’s returned item fee, as well as the fact that merchants may charge additional fees; and
Disclosure of the right to revoke consent (section 205.17(d)(6)).
Reasonable opportunity to consent. The financial institution must provide a reasonable opportunity to consent. Reasonable methods of consent include mail, if the financial institution provides a form for the consumer to fill out and mail; telephone, if the financial institution provides a readily available telephone line that the consumer may call; electronic means, if the financial institution provides a form that can be accessed and processed at its Web site, by which means the consumer may click on a box to consent and click on a button to affirm consent; or in person, if the financial institution provides a form for the consumer to complete and present at a branch or office (staff commentary 205.17(b)–4). The financial institution may provide the opportunity to consent and require the consumer to make a choice as a step to opening an account (staff commentary 205.17(b)–5).
Affirmative consent is necessary. An important feature of the opt-in is that the consumer’s affirmative consent is necessary before the institution may charge overdraft fees for paying an ATM or one-time debit card transaction (section 205.17(b)(1)(iii)). The consent must be separate from other consents or acknowledgments (including consent to receive disclosures electronically). Check boxes are allowed, but the check box and the consumer’s signature may only apply to the consumer’s consent to opt-in. Preprinted disclosures about the overdraft service provided with a signature card or contract do not constitute affirmative consent (staff commentary 205.17(b)–6).
25 If the institution offers both a line of credit subject to the Board’s Regulation Z (12 CFR 226) and a service that transfers funds from another account of the consumer held at the institution to cover overdrafts, the institution must state in its opt-in notice that both alternative plans are offered. If the institution offers one, but not the other, it must state in its opt-in notice the alternative plan that it offers. If the institution does not offer either plan, it should omit the reference to the alternative plans. (staff commentary 205.17(d)–5). If the financial institution offers additional alternatives for paying overdrafts, it may (but is not required to) disclose those alternatives (staff commentary205.17(d)(5)).
30 | P a g e
Confirmation and consumer’s right to revoke. Not only must the consumer affirmatively consent, but the institution must also mail or deliver to the consumer a written confirmation (or electronic, if the consumer agrees) that the consumer has consented, along with a statement informing the consumer of the right to revoke the consent at any time (section 205.17(b)(1)(iv) and staff commentary 205.17(b)–7). An institution complies with the confirmation requirement if it has adopted reasonable procedures to ensure that overdraft fees are assessed only on transactions paid after the confirmation is mailed or delivered to the consumer (staff commentary 205.17(b)–7).
Assessing fees. For consumers who have not opted in, institutions are prohibited from charging overdraft fees for paying those transactions. This prohibition applies to daily or sustained overdraft, negative balance, or similar fees. The rule does not, however, prohibit an institution from assessing these fees if the negative balance is attributable, in whole or part, to a check, ACH, or other transaction not subject to the fee prohibition. If, for example, the negative balance is attributable in part to an ATM transaction, and in part to a check, a fee may be assessed based on the date when the check is paid into overdraft, not the date of the ATM or one-time debit transaction (staff commentary 205.17(b)–9).
Conditioning payment of other overdrafts. The financial institution may not condition the payment of other types of overdraft transactions on the consumer’s affirmative consent, and the financial institution may not decline to pay other types of overdraft transactions because the consumer has not affirmatively consented to the payment of ATM and one-time debit card overdrafts (section 205.17(b)(2)). In other words, the financial institution may not use different criteria for paying other types of overdraft transactions for consumers who have consented and for consumers who have not consented (staff commentary 205.17(b)(2)–1).
Same account terms, conditions, and features. The financial institution must provide to consumers who do not affirmatively consent to the same account terms, conditions, and features (except the payment of ATM and one-time debit overdrafts) that are available to consumers who do affirmatively consent (section 205.17(b)(3)). That requirement includes, but is not limited to, the following:
• Interest rates paid • Fees assessed
31 | P a g e
• The type of ATM or debit card provided to the depositor26 • Minimum balance requirements • Online bill payment services (staff commentary 205.17(b)(3)–1)
Joint accounts. Any consumer may consent, or revoke consent, for payment of ATM or one-time debit card transactions from a joint account (section 205.17(e)).
Continuing right to consent or revoke. A consumer may consent to the payment of ATM and one-time debit card overdrafts at any time. A consumer may also revoke consent at any time. The financial institution must implement a revocation as soon as reasonably practicable (section 205.17(f)). The financial institution need not waive overdraft fees assessed before it implements the consumer’s revocation (staff commentary 205.17(f)–1).
Duration of consent. Consent remains effective until the consumer revokes it, unless the financial institution terminates the overdraft service (section 205.17(g)). The financial institution may terminate the overdraft service, for example, if the consumer makes excessive use of the service (staff commentary 205.17(g)–1).
Effective date. The overdraft services rule became effective on January 19, 2010, and compliance became mandatory starting July 1, 2010. For accounts opened on or after July 1, 2010, the financial institution must obtain consent before charging a fee for payment of any ATM or one-time debit overdraft. For accounts opened before July 1, 2010, however, the financial institution may not charge a fee for paying any ATM or one-time debit overdraft on or after August 15, 2010, unless it has obtained consent. (secti
26 For example, the financial institution may not provide a PIN-only debit card to consumers who do not opt in and a debit card with both PIN and signature-debit features to consumers who do opt in.
32 | P a g e
Federal Register: OCC Guidance on Deposit-Related Consumer Credit Products(6/8/11)
33 | P a g e
34 | P a g e
35 | P a g e
36 | P a g e
37 | P a g e
OCC Bulletin 2015-17: Revised Deposit Related Consumer Credit
OCC BULLETIN 2015-17Subject: Deposit-Related Credit
Date: March 6, 2015
To: Chief Executive Officers of All National Banks and Federal Savings Associations, Department and Division Heads, All Examining Personnel, and Other Interested Parties
Description: Revised Comptroller's Handbook Booklet
Summary
The Office of the Comptroller of the Currency (OCC) issued today the "Deposit-Related Credit" booklet of the Comptroller's Handbook. This booklet replaces and clarifies the "Deposit-Related Consumer Credit" booklet issued February 11, 2015. The "Deposit-Related Credit" booklet references relevant supervisory guidance and includes examination procedures that OCC examiners use to assess a bank’s deposit-related credit products and services.
This Comptroller's Handbook booklet is intended as a summary restatement of existing laws, regulations, and policies applicable to deposit-related credit products and services. Examiners and members of the public may use this booklet as reference for obtaining an overview of the topic. Nothing in this booklet should be interpreted as changing existing OCC policy.
Note for Community Banks
The "Deposit-Related Credit" booklet is applicable to examinations of all OCC-regulated institutions that provide deposit-related credit products and services.
Highlights
The OCC's "Deposit-Related Credit" booklet addresses
check credit products and services. overdraft protection services. deposit advance products. risk management of third-party relationships involving these products and services.
For further information, please contact Robert Piepergerdes, Director for Retail Credit Risk, at (202) 649-6220.
Jennifer C. KellySenior Deputy Comptroller and Chief National Bank Examiner
Related Link
"Deposit-Related Credit" (PDF)
38 | P a g e
OCC: Comptroller’s Handbook - Deposit-Related Credit (March 2015)
39 | P a g e
40 | P a g e
Introduction
The Office of the Comptroller of the Currency’s (OCC) Comptroller’s Handbook booklet, “Deposit-Related Credit,” is prepared for use by OCC examiners in connection with their examination and supervision of national banks and federal savings associations (collectively, banks). Each bank is different and may present specific issues. Accordingly, examiners should apply the information in this booklet consistent with each bank’s individual27 circumstances. When it is necessary to distinguish between them, national banks and federal savings associations are referred to separately.
Banks may offer customers a variety of small-dollar, unsecured credit products and services that are related to their deposit accounts. These deposit-related credit (DRC) products and services generally take one of three forms: check credit (CC), overdraft protection (ODP), and deposit advance products (DAP). Examiners should be aware that laws, regulations, and supervisory guidance referenced in this booklet may not apply to all DRC products and services.
Types of Deposit-Related Credit
Check Credit
CC is defined, for purposes of this booklet, as the granting of unsecured revolving lines of credit to customers. Banks provide CC products and services by three basic methods:
Overdraft line of credit: This is the most common method. The bank automatically transfers funds from an existing line of credit to the customer’s demand deposit account when a check or payment is presented that would cause the customer’s account to be overdrawn. Transfers normally are made in stated increments, up to a bank-approved maximum line of credit, and the customer is notified that the funds have been transferred.
Cash reserve: The customer must request that the bank transfer funds from an existing line of credit to the customer’s demand deposit account. To avoid overdrawing the account, the customer must request the funds transfer before negotiating a check or payment against the demand deposit account.
Special draft: This involves the customer negotiating a special check drawn directly against an existing line of credit, such as a credit card. Demand deposit accounts are not affected because no funds enter or leave a demand deposit account.
In all three CC methods, the bank periodically provides the customer with statements of account activity. The customer’s required minimum payments are computed as a fraction of the account balance on the cycle date and are usually made by automatic charges to the demand account. Refer to the “Risk Management” section of this
27 Pursuant to Title X of the Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd– Frank), the Consumer Financial Protection Bureau (CFPB) is responsible for examining banks with assets over $10 billion for compliance with federal consumer financial laws (as that term is defined in Title X).
41 | P a g e
booklet for details.
Banks should have policies and procedures for CC products and services that include eligibility or underwriting criteria to obtain the product or service.
Overdraft Protection
Many banks offer ODP to pay customers’ checks and allow other overdrafts when there are insufficient funds in the account. Common names for ODP are automated overdraft protection, bounced check protection, and courtesy overdraft protection. These are typically automated services provided to transaction account customers as alternatives to a traditional overdraft line of credit.
In most cases, customers who meet a bank’s eligibility criteria may be enrolled in ODP. Banks generally do not underwrite ODP on an individual account basis when enrolling the customer. Most banks do review individual customer accounts periodically to determine whether the customer continues to qualify for the service and whether the amount of ODP coverage provided continues to be appropriate. Automation is typically used to apply specific bank criteria for determining whether to honor overdrafts and to set limits on the amount of ODP coverage provided. Some banks may supplement their ODP automated systems, however, by allowing individual officers or employees to approve overdrafts on a case-by- case basis. Many banks inform customers that payment of an overdraft is discretionary on the banks’ part, and deposit account agreements typically disclose that the banks have no legal obligation to pay any overdrafts.
Some banks may extend the ODP to non-check transactions including account withdrawals made at automated teller machines (ATM), purchases using a debit card, pre-authorized automatic debits from a customer’s account, automated clearing house (ACH) transactions, telephone-initiated funds transfers, or online banking transactions. Banks must provide consumers with the right to opt in, or affirmatively consent, to the bank’s ODP for ATM and one-time debit card transactions (12 CFR 1005.17(b)). Notice of the opt-in right must be provided, and the consumer’s affirmative consent obtained, before fees or charges may be assessed on the consumer’s account for paying such overdrafts.
Fees vary by bank for ODP services and are subject to change. Banks typically charge a flat fee each time an overdraft item is paid, although some banks have a tiered fee structure and charge higher fees as the number of overdrafts increases. Banks commonly charge the same amount for paying a check or an ACH overdraft as they would if they returned the item unpaid.
National banks are authorized to provide overdraft credit relating to commercial demand deposit accounts under 12 USC 24(Seventh). A federal savings association also may extend overdraft credit. All banks are subject to the lending limitations of 12 CFR 32. Overdraft credit extended by a federal savings association relating to commercial demand deposit accounts, however, is subject to the statutory limit on commercial loans, as set forth in the Home Owners’ Loan Act (12 USC 1464(c)(2)(A)) and regulations (12 CFR 160.30, endnote 19). Management and the boards of federal savings associations should be aware of any implications and limits regarding
42 | P a g e
small business loans in the calculation of the limit on commercial loans.
The interagency Joint Guidance on Overdraft Protection Programs28 and OCC Bulletin 2010-15, “Overdraft Protection: Opt-In Requirements and Related Marketing Issues,” apply to bank ODP. Laws, regulations, and supervisory guidance pertaining to ODP are subject to change, and bank management, directors, and examiners are encouraged to stay informed and up to date. Existing regulations cover a variety of topics related to overdrafts, such as disclosures concerning fees, account-opening disclosures, and advertising rules.
Deposit Advance Products
A DAP is a type of small-dollar, short-term credit product offered to customers maintaining a deposit account, reloadable prepaid card, or similar deposit-related vehicle at a bank. The bank provides a credit feature that allows the customer to take out a loan in advance of the customer’s next direct deposit. The advance is based on a history of the customer’s recurring deposits. Typically, the advance is offered as an open-end line of credit; OCC guidance on DAPs, however, applies to all such extensions of credit, whether the product is structured as 3 open- or closed-end credit.29 Specific details of DAPs vary among banks and may vary over time. Historically, DAPs incorporate some or all of the following general characteristics, a number of which have been addressed in OCC Bulletin 2013-40, “Deposit Advance Products: Final Supervisory Guidance.
Cost: The cost is based on a fee structure, rather than an interest rate. Advances are made in fixed dollar increments and a flat fee is assessed for each advance. For example, a DAP may be structured so that a customer may obtain advances in increments of $20 with a fee of $10 per every $100 advanced.
Eligibility and loan limits: A customer is eligible for a DAP if the deposit account has been open for a certain period and the customer receives recurring deposits. Banks generally require that a minimum sum be directly deposited each month for a certain period for the customer to be eligible for a DAP. The minimum deposit and time period may vary by bank. The maximum dollar amount of the DAP generally is limited to a percentage or amount of the recurring deposit.
Ability to repay: Some DAPs have been predicated solely on the amount and frequency of a customer’s deposits, rather than the customer’s ability to repay. Repayment: Repayment is required through a preauthorized electronic payment of the advance and the fee with each deposit; however, some banks have implemented alternative repayment methods, such as the customer mailing the payment or coming into the bank to make the payment. The bank is paid before any other transactions are paid. If the first deposit is insufficient to repay the advance and the fee, the repayment is obtained from subsequent deposits.
Marketing and access: Banks market DAPs as intended to assist customers with financial emergencies or to meet short-term needs. These advances are typically not included with the banks’ lists of available credit products but
28 OCC Bulletin 2005-9, “Overdraft Protection Programs: Interagency Guidance,” 70 Fed. Reg. 9127 (2005).29 OCC Bulletin 2013-40, “Deposit Advance Products: Final Supervisory Guidance.”
43 | P a g e
instead are listed as a deposit account feature.
OCC Bulletin 2013-40 sets forth the OCC’s risk management expectations for DAPs.
Other Products and Services
Some banks implement unsecured credit products and services in the form of installment loans in place of DAPs. See the Comptroller’s Handbook booklet “Installment Loans” for additional information on unsecured lending.
Risks Associated With Deposit-Related Credit
From a supervisory perspective, risk is the potential that events, expected or unexpected, will have an adverse effect on a bank’s earnings, capital, or franchise or enterprise value. The OCC has defined eight categories of risk for bank supervision purposes: credit, interest rate, liquidity, price, operational, compliance, strategic, and reputation. These categories are not mutually exclusive. Any product or service may expose a bank to multiple risks. Risks also may be interdependent and may be positively or negatively correlated. Examiners should be aware of this interdependence and assess the effect of risks in a consistent and inclusive manner. Refer to the “Bank Supervision Process” booklet of the Comptroller’s Handbook for an expanded discussion of banking risks and their definitions.
DRC can be offered in a safe and sound manner if bank management properly understands and controls its primary risks: strategic, credit, operational, and compliance. Failure to control the primary risks of DRC products and services may contribute to other risks, such as reputation and liquidity. Poorly structured DRC products and services can pose harm to customers. Accordingly, DRC products and services should be carefully designed and managed.
Strategic Risk
A bank assumes strategic risk when taking on new product lines without having the expertise and systems to properly manage and control risks associated with the line of business. In a sound DRC program, management ensures that staff has the knowledge and experience to recognize, assess, mitigate, and monitor the bank’s DRC risks. Failure to provide effective oversight of DRC activities can increase the bank’s strategic risk profile while also negatively affecting interrelated risks, such as credit and reputation risks. Factors that could raise a bank’s level of strategic risk include:
Failure to provide adequate resources for DRC products and services and related control functions.
Weaknesses in the administration of acquisitions, mergers, and alliances.
44 | P a g e
Credit Risk
DRC is generally unsecured credit, and repayment depends primarily on a customer’s capacity to repay. With regard to DAP and ODP, repayment is expected from the next deposit made to the customer’s account. By contrast, CC may only require the customer to make minimum monthly payments that are computed as a fraction of the outstanding balances. Customers may become overextended and unable to repay.
DRC products and services, particularly ODP and DAP, may exhibit higher-risk characteristics. Some customers who obtain certain ODP or DAP products or services may have cash flow difficulties or blemished or insufficient credit histories that limit other borrowing options. In addition, some DRC products and services (in particular, ODP) are not underwritten for the individual customer and may rely on other eligibility criteria rather than ability to repay. Extensions of credit that are subject to less stringent underwriting requirements and loans that exhibit subprime credit characteristics reflect higher risk. The structure of DRC products and services and the presence of higher-risk characteristics may increase the credit risk of individual DRC extensions of credit and of the overall DRC portfolio.
Numerous and repeated extensions of credit to the same customer may be substantially similar to continuous advances and can subject the bank to increased credit risk. Customers may repeatedly use DRC products and services if they are unable to fully repay the balance on prior extensions of credit. OCC Bulletin 2013-40 notes that this practice can be similar to the practice of “loan flipping,” which the OCC, the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (Board) have previously noted to be an element of predatory lending30.F
Operational Risk
On a daily basis, banks face operational risk as they process DRC for customers. Operational risk can arise for various reasons, such as a bank’s failure to process a transaction properly, inadequate controls, employee error or malfeasance, a breakdown in the bank’s computer system, or a natural catastrophe. Fraud also poses operational risk.
Products and services such as ODP and DAP, which are often highly automated and have a large transactional volume, require strong operational controls. To control operational risk, the bank should maintain effective internal controls and use comprehensive management information systems (MIS). Bank management should be aware that aggressive growth has the potential to stretch operational capacity and can cause problems in handling customer accounts.
30 OCC Bulletin 2001-6, “Subprime Lending: Expanded Guidance for Subprime Lending Programs.” This guidance was jointly signed by the OCC, the Board, the FDIC, and the Office of Thrift Supervision (OTS).
45 | P a g e
6
Compliance Risk
DRC can pose significant compliance risk if a bank’s systems of identifying, measuring, monitoring, and controlling risk are deficient. While compliance risk may occur at the bank level, this risk also can exist when DRC products, services, or systems associated with a third-party relationship are not properly reviewed for compliance or when the operations of the third-party relationship are not consistent with applicable law, regulations, supervisory guidance, or the bank’s policies and procedures31.4F
The potential for serious or frequent violations of law, or failure to meet expectations contained in pertinent guidance, is heightened when the bank’s oversight program does not include appropriate audit and control features, particularly when a third party is implementing new bank activities or expanding existing ones. Compliance risk also increases when privacy or customer records are not adequately protected, when conflicts of interest between the bank and affiliated third parties are not appropriately managed, or when the bank or its service providers have not implemented an appropriate information security program. Further, section 5 of the Federal Trade Commission Act (FTC Act), 15 USC 45, prohibits unfair or deceptive acts or practices32 (UDAP). DRC products and services may raise UDAP concerns, depending on how they are marketed and implemented. The prohibition on UDAP applies not only to the product or service, but also to every stage of the product or service life cycle and every activity, including product development, the creation and rollout of marketing campaigns, servicing, and collections. Banks should involve their compliance management function in the due diligence and monitoring process when third-party products or services are present.
Various practices may raise compliance risk and supervisory concerns. Examples include:
Steering customers toward DRC products and services when they may qualify for other, less costly forms of credit.
Failure to disclose the costs and fees of DRC products and services. Failure to monitor accounts for excessive use of DRC products and services and
the costs of those products and services. Failure to ensure adequate risk management, including appropriate internal
audits and compliance reviews. Failure to adequately disclose transaction clearing policies and failure to
disclose how those policies can affect the total amount of fees associated with DRC products and services.
Other laws and regulations that may apply to one or more types of DRC include, but
31 On supervisory expectations for managing third-party relationships, see OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” and the “Third-Party Management” section of this booklet.32 For federal savings associations, see OTS Examination Handbook section 1354, “Unfair or Deceptive Acts or Practices, Federal Trade Commission Act, Section 5” and related “Program” and “Questionnaire.” For national banks ansd federal savings associations, see OCC Advisory Letter 2002-3. “Guidance on Unfair or Deceoptive Acts or Practices” and OCC Advisory Letter 2000-7, “Abusive Lending Practices.”
46 | P a g e
1
are not limited to, the following:33
Truth in Lending Act (TILA): TILA and Regulation Z require creditors to provide cost disclosures for extensions of consumer credit.34 Different rules apply to Regulation Z disclosures depending on whether the credit is an open- or closed-end credit product.
Electronic Fund Transfer Act (EFTA): A DRC product or service that involves the use of electronic fund transfers must meet the applicable disclosure and other requirements of EFTA and Regulation E.35 EFTA requires that certain disclosures be made,36 Generally prohibits creditors from mandating that credit be repaid by “preauthorized electronic fund transfers,”37 transfers.” and allows consumers to withdraw authorization for “preauthorized fund transfers.”38
Truth in Savings Act (TISA): A program that involves a consumer’s deposit account must meet the disclosure requirements of TISA and Regulation DD.39 Under TISA, deposit account disclosures must include the amount of any fee that may be imposed in connection with the account and the conditions under which the fee may be imposed.40
Equal Credit Opportunity Act (ECOA): Under ECOA and Regulation B, creditors are prohibited from discriminating against an applicant on a prohibited basis in any aspect of a credit transaction.41 The manner in which a creditor exercises its discretion, for example, in determining the application of eligibility requirements, loss mitigation options, and fee waivers, may raise fair lending risk.
Banks involved in DRC face litigation risk, both from private lawsuits and from regulatory enforcement actions. Litigation risk is increased if DRC is not administered properly. Before implementing DRC programs, banks should have their products and services reviewed by bank counsel to ensure compliance with all applicable laws and regulations.
Examiners are reminded that laws and regulations are subject to change. Consequently, examiners should assess whether banks monitor applicable laws and regulations for revisions and ensure that the banks’ services and programs remain fully compliant with such laws and regulations.
33 The list is not intended to affect whether or when such laws or regulations may apply to a particular DRC product or service.34 15 USC 1601 et seq. TILA is implemented by Regulation Z, 12 CFR 1026.35 15 USC 1693 et seq. EFTA is implemented by Regulation E, 12 CFR 1005.36 See, e.g., 12 CFR 1005.7, 1005.8, and 1005.9.37 See 12 CFR 1005.10(e).38 See 12 CFR 1005.10(c).39 12 USC 4301 et seq. TISA is implemented by Regulation DD at 12 CFR 1030 for depository institutions, including national banks and federal savings associations.40 See 12 CFR 1030.4(b)(4).41 15 USC 1691 et seq. ECOA is implemented by Regulation B, 12 CFR 1002. ECOA prohibits discrimination on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to contract), the fact that all or part of the applicant’s income derives from a public assistance program, and the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act.
47 | P a g e
Reputation Risk
The bank should consider the possible reputation risk involved in DRC. This risk may arise from the bank’s obligations to customers and contracts with third-party providers, as well as through the outsourcing of any parts of the DRC program. Any aspect of DRC that the bank or the bank’s third-party providers conduct that is not consistent with the bank’s policies and standards, or laws and regulations, could subject the bank to reputation risk. Adverse publicity about the product may increase reputation risk. Also, publicity about adverse events involving third-party providers may increase the bank’s reputation risk. See the “Third-Party Management” section of this booklet and OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” for additional information.
Banks may be subject to negative news coverage and public scrutiny from reports of high fees and customers taking out multiple advances to cover prior advances and everyday expenses. Engaging in practices that are perceived to be unfair or detrimental to the customer can cause a bank to lose community support and business.
Liquidity Risk
Management should keep apprised of the funding requirements created by DRC products and services. Failing to do so exposes the bank to liquidity risk.
Risk Management
Each bank should identify, measure, monitor, and control risk by implementing an effective risk management system appropriate for the size and the complexity of its operations. When examiners assess the effectiveness of a bank’s risk management system, they consider the bank’s policies, processes, personnel, and control systems. Refer to the “Bank Supervision Process” booklet of the Comptroller’s Handbook for an expanded discussion of risk management.
This section focuses on the primary methods by which banks manage risk. The risk management processes and controls may vary from bank to bank and may include differences by individual products and services.
Management and Supervision
The board and management of any bank considering whether to offer DRC products and services or to maintain or expand the bank’s DRC program should be fully aware of the risks involved. Management should (1) identify the business activities’ risks, as well as the expertise and controls required to manage them; (2) determine how well the bank can keep pace with technology and competition; and (3) determine whether the bank will use third- party organizations in the activity and, if so, how much the bank will use them, for what purposes, and for what DRC products and services.
Banks should have risk management systems commensurate with an activity’s risk and
48 | P a g e
complexity. Management experience, staffing, systems, and reporting should be sufficient to enable the bank to monitor the activity knowledgeably and effectively.
Management should evaluate the risk and reward for DRC activity and ensure that the bank is not taking on an unacceptable level of risk. Banks may be subject to exposure and losses through credit transactions with customers or through fraud. Uncontrolled growth and inadequate operations by third parties may further contribute to problems for banks.
Management should consider the implications the activity may pose for capital and earnings.
A bank should maintain adequate oversight and exercise appropriate control over its DRC products and services so as to minimize exposure to potential financial loss, reputation damage, and supervisory action. The bank’s compliance management system should consider all statutes, regulations, guidance, and internal policies and procedures applicable to the products and services offered by the bank, including DRC.
A bank should adopt policies and procedures that set forth eligibility criteria for a customer to obtain the DRC product or service.
Capital
Higher capital requirements generally apply to loan portfolios that exhibit higher-risk characteristics and are subject to less stringent loan underwriting requirements. Loan portfolios that exhibit subprime credit characteristics are higher risk and may require higher levels of capital. Any higher risk posed through contractual arrangements with third-party providers for DRC activities should be considered when determining the adequacy of capital for the activities. The board and management should limit the bank’s volume of DRC relative to the bank’s capital, its risk profile, and management’s ability to monitor and control DRC risks.
Banks should ensure proper risk-based regulatory capital treatment of outstanding overdrawn balances and unused commitments. Overdraft balances should be risk weighted according to the obligor. Under the interagency risk-based capital rules,42 the capital charge on the unused portion of a commitment generally is based on an off-balance-sheet credit conversion factor and the risk weight appropriate to the obligor. In general, these rules provide that the unused portion of a commitment is subject to a 20 percent credit conversion factor if the commitment has an original maturity of one year or less or a 50 percent credit conversion factor if the commitment has an original maturity of more than one year. Also, ODP that is unconditionally cancelable by banks in accordance with applicable law qualify for a 0 percent credit conversion factor.
42 OCC Bulletin 2013-23, “Regulatory Capital Rule: Final Rulemaking.” Subject to various transition periods, the rule became effective for advanced approaches banks on January 1, 2014, and for all other banks on January 1, 2015. Other documents included with the release of the new rule include the interagency New Capital Rule, Community Bank Guide and the OCC-issued New Capital Rule Quick Reference Guide for Community Banks.
49 | P a g e
Marketing
Account materials and marketing should not mislead customers about the optional nature of a DRC product or service or otherwise promote routine use or undue reliance on the products and services. In addition, a customer should be permitted to opt out of a DRC product or service at any time, after which no future advances may be made or related fees imposed, and the customer should be provided clear notice of this option. (See OCC Advisory Letter 2000- 7, “Abusive Lending Practices,” for national banks and federal savings associations. See also OTS Examination Handbook section 1354, “Unfair or Deceptive Acts or Practices, Federal Trade Commission Act, Section 5” [including the accompanying program and questionnaire] for federal savings associations. See OCC Advisory Letter 2002-3, “Guidance on Unfair or Deceptive Acts or Practices” for national banks and federal savings associations.)
Underwriting and Account Eligibility Criteria
Underwriting and eligibility criteria for CC and DAP should be well documented in the bank’s credit policy, consistent with eligibility and underwriting criteria for other bank extensions of credit. Banks’ underwriting and eligibility criteria should prevent churning and prolonged use of products and services intended to meet short-term credit needs. Repetitive use of certain CC and DAP products and services could indicate weak underwriting, may be criticized in the Report of Examination, and may affect a bank’s CAMELS43 ratings and risk assessment.
Written underwriting policies for CC and DAP generally should include an assessment of
the length of a customer’s deposit relationship with the bank. the customer’s history with the bank on any current or prior relationships
including classified credits. the customer’s willingness and ability to repay or financial capacity. factors to be considered before increasing credit limits (i.e., prior payment
performance and the impact of the increase of the credit limit on the borrower’s willingness and ability to repay or financial capacity).
the customer’s continuing eligibility.
Prudent ODP risk management practices include establishing express account eligibility standards and well-defined and properly documented dollar limit decision criteria. In addition, there should be established procedures for the suspension of overdraft services when the account holder no longer meets the eligibility criteria (such as when the account holder has declared bankruptcy or defaulted on other credit at the bank).
Monitoring and Reporting
Management Information Systems43 CAMELS components are capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk.
50 | P a g e
Bank management should receive regular reports on the volume, trend, profitability, delinquency, and credit performance of the DRC program. These MIS reports should segment accounts by level of utilization to identify excessive product usage. Management should receive reports that describe the status and outcome of internal reviews and evaluations of accounts identified as demonstrating excessive usage.
Ongoing Monitoring and Account Management
DRC accounts should be monitored to ensure that changing customer circumstances have not adversely affected credit risk and to identify excessive usage. For ODP, banks should monitor for excessive usage, which may indicate a need for alternative credit arrangements or other services, and inform customers of available options. With respect to DAP, banks should monitor for repeated customer usage, which may indicate a need for alternative credit arrangements or other services, and inform customers of these available options when appropriate.
Banks that have extended their CC programs to small businesses have found that the practice may involve a higher than normal risk unless placed under very stringent controls. Because such advances are basically unsecured lines of credit, the examiner’s review should be based on the same factors and criteria used in the review of unsecured commercial loans. See the Comptroller’s Handbook booklet, “Commercial Loans,” for additional information regarding unsecured lending.
Regulatory and Financial Reporting
With respect to the reporting of income and loss recognition, banks must follow the instructions for the Consolidated Reports of Condition and Income (call report) and generally accepted accounting principles (GAAP). Banks should adopt rigorous loss estimation processes to ensure that fee income associated with DRC is accurately measured. Such methods may include providing loss allowances for uncollectible fees or only recognizing that portion of earned fees estimated to be collectible. The procedures for estimating an adequate allowance should be documented in accordance with OCC Bulletin 2001-37, “Policy Statement on Allowance for Loan and Lease Losses Methodologies and Documentation for Banks and Savings Institutions: ALLL Methodologies and Documentation,” and OCC Bulletin 2005-9, “Overdraft Protection Programs: Interagency Guidance.”
If a bank advises customers of the available amount of ODP, for example, when accounts are opened, or the amount is noted on customers’ account statements or ATM receipts, the bank must report the available amount of ODP coverage with legally binding commitments for call report purposes. These available amounts, therefore, must be reported as “unused commitments” in regulatory reports.
51 | P a g e
Portfolio Quality
Delinquencies
Delinquencies in CC and DAP accounts often occur when an account is at or near the maximum credit line. Accordingly, management should review frequent, comprehensive reports that reflect pertinent information about the CC or DAP product or service, including schedules of
delinquent accounts (aged). accounts for which payments are made by drawing on reserves. accounts with steady usage.
Classification and Charge-Off
An overdraft balance generally should be charged off when considered uncollectible, but no later than 60 days from the date that balance first became overdrawn. In some cases, a bank may allow a customer to cover an overdraft through an extended repayment plan if the customer is unable to bring the account to a positive balance within the required time frame. The existence of a repayment plan, however, does not change the bank’s obligation to charge off the overdraft 60 days from the date of the overdraft (or a shorter period, if warranted). Any payments received after the account is charged off (up to the amount charged off against allowance) should be reported as a recovery.
Some overdrafts may be rewritten as loan obligations in accordance with the bank’s loan policy and supported by a documented assessment of the customer’s ability to repay. In those instances, the charge-off time frames described in the Federal Financial Institutions Examination Council (FFIEC) Uniform Retail Credit Classification and Account Management Policy (Retail Classification Policy) apply.
Deposit advances that are not repaid in accordance with the account terms should be charged off. The OCC’s policy with respect to charge-off of CC advances is the same as for charge-off of credit card advances.44
The FFIEC Retail Classification Policy establishes guidelines for classifying consumer credit based on delinquency, but the policy also allows discretion to classify individual retail loans that exhibit signs of credit weakness, regardless of delinquency status. An examiner also may classify retail portfolios, or segments thereof, for which underwriting standards are weak and present unreasonable credit risk. See OCC Bulletin 2000-20, “Uniform Retail Credit Classification and Account Management Policy: Policy Implementation” for additional information.
Third-Party Management
Third-party relationships include any entity the bank contracts with to provide DRC products and services. Banks frequently outsource functions to third-party relationships to control costs. Banks can benefit from the technological expertise and capabilities of third parties without having to develop the systems and infrastructure themselves. Third-party relationships provide a wide array of services; examiners
44 OCC Bulletin 2000-20, “Uniform Retail Credit Classification and Account Management Policy: Policy Implementation.”
52 | P a g e
should understand that each bank’s list of third parties used and services outsourced is unique.
A bank’s use of a third party, including technology service providers, to provide products and services does not diminish the responsibility of the bank’s board of directors and management to ensure that the activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the bank were to perform the activities in-house.
The quality of the services provided by third-party relationships can vary widely. Banks should exercise due diligence and maintain ongoing monitoring of the third party’s activities and performance.
Banks should have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures. More comprehensive and rigorous oversight and management are appropriate for third-party relationships that involve critical activities, for example, significant bank functions (such as payments, clearing, settlements, or custody) and significant shared services (such as information technology), or other activities that
could cause a bank to face significant risk if the third party fails to meet expectations.
could have significant negative impact on customers. require significant investment in resources to implement the third-party
relationship and manage the risk. could have a major impact on bank operations if the bank has to find an alternate
third party to conduct the outsourced activity or if the outsourced activity has to be brought in- house.
Banks should conduct appropriate due diligence before selecting a third-party provider. Regardless of the type of third-party relationship, selecting a competent and qualified third- party provider is essential to managing third-party risk. The due diligence process provides the bank with an opportunity to review qualitative and quantitative aspects, both financial and operational, of a third party and to assess whether the third party can help the bank achieve its strategic goals.
Bank management should periodically arrange for on-site inspections and audits of third- party organizations. Written audit reports should be generated, and the third party’s management should be required to respond in writing to issues identified during inspections and audits. If the third party is required to have specialized audits or an attestation engagement (e.g., an attestation engagement according to the Statement on Standards for Attestation Engagement No. 16, “Reporting on Controls at a Service Organization” [SSAE 16]) or elects to have such audits or attestation, bank management should obtain and review the audits or attestation.
Examiners and bank management should refer to OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” and booklets including the “Supervision of Technology Service Providers” and “Outsourcing Technology Services” of the FFIEC Information Technology (IT) Examination Handbook for additional guidance.
53 | P a g e
The agencies’ “Administrative Guidelines—Implementation of Interagency Programs for the Supervision of Technology Service Providers” is another reference document that can be consulted.
Banks also should ensure that third-party processors and network providers have contingency plans for continuing operations. Examiners conducting reviews of this area should include IT examiners to the extent needed to review the bank’s in-house data-processing systems and the adequacy of the business continuity and contingency plan.
54 | P a g e
Examination Procedures This booklet contains expanded procedures for examining specialized activities or specific products or services that warrant extra attention beyond the core assessment contained in the “Community Bank Supervision,” “Large Bank Supervision,” and “Federal Branches and Agencies Supervision” booklets of the Comptroller’s Handbook. Examiners determine which expanded procedures to use, if any, during examination planning or after drawing preliminary conclusions during the core assessment.
Scope
These procedures are designed to help examiners tailor the examination to each bank and determine the scope of the DRC examination. This determination should consider work performed by internal and external auditors and other independent risk control functions and by other examiners on related areas. Examiners need to perform only the objectives and steps that are relevant to the scope of the examination as determined by the following objective. Examinations seldom require every objective or step of the procedures.
Objective: To determine the scope of the DRC examination and identify the objectives and activities necessary to the supervisory strategy for the bank.
1. Review the following documents to identify any issues that require follow-up. Consider
previous DRC and compliance examinations findings and management’s response to those findings; these findings may relate to CC, ODP, DAP, or other applicable products and services.
work performed by internal and external auditors, internal and external loan review, and credit examiners, including reports issued and management’s response to significant deficiencies.
supervisory strategy and the scope memorandum issued by the bank’s examiner-in- charge (EIC).
work papers from the previous examination.
2. Obtain and review management information related to the supervision of DRC activities, focusing on any significant changes or trends since the last examination. Consider
the bank’s current plans, both formal and informal, that relate to DRC products and services.
management’s analysis of capital adequacy or capital allocated for DRC risks. an organizational chart including each functional area. copies of formal job descriptions for all personnel involved with the DRC
products and services. copies of the two most recent monthly management reports provided to the
55 | P a g e
board of directors for DRC products and services. copies of all internal and external audit reports issued since the last
examination, with any response from management. copies of all loan review and ODP reports for the DRC products and services. new customer accounts reports for the applicable products for the
previous three months. a list of board and executive or senior management committees that
supervise DRC products and services, including a list of members and copies of minutes documenting those meetings since the last examination.
copies of marketing plans for the overall DRC products and services and, if applicable, for each DRC product and service.
copies of applicable policies and procedures for DRC products and services. profitability reports for the specific DRC products and services for the most
recent year-end and year to date. a list of all insiders who have DRC or receive DRC products and services. any management reports addressing credit risk posed by specific DRC
products and services, as well as reports addressing credit risk associated with customers that have those products and services.
daily fraud-monitoring reports. fraud loss and credit loss history (including information concerning ODP losses). list of third-party organizations that provide DRC-related services to the
bank, including name and address of each third-party organization, and a description of services provided by them related to the applicable product.
customer complaints filed with the bank, and other entities, in connection with applicable DRC products and services.
3. Identify, during early discussions with management,
any significant changes in policies, practices, personnel, staffing, and controls since the last DRC examination.
what DRC program(s) are offered and whether the programs were developed and administered internally or externally.
any changes in the bank’s DRC-related activities (e.g., products, services, growth, geographies, target market, marketing plan and activities, and third-party providers and vendors associated with the bank’s DRC products and services).
how management supervises product and service operations. any internal or external factors that could affect operations.
4. Using the findings derived from performing the preceding procedures and from information obtained during discussions with the bank’s EIC and other appropriate supervisors, set the examination’s scope and objectives. From the following examination procedures, internal control questions, and verification procedures, select the ones necessary to meet those objectives.
5. As examination procedures are performed, test for compliance with the bank’s established policies, procedures, internal controls, and applicable laws and regulations, and consistency with OCC issuances. Identify any area with inadequate supervision, weak internal controls, undue risk, or increasing risk
56 | P a g e
profile.
57 | P a g e
Functional Area Procedures
Overall objective: To assess the quantity and direction of risks in a bank’s DRC activity; understand management’s risk appetite; gain an understanding of products and services offered or planned; assess policies, procedures, and practices used in DRC; and assess compliance with applicable laws and regulations and consistency with OCC guidance.
This objective is achieved through completion of examination activities in some or all of the following functional areas.
Separate from these Functional Area Procedures, compliance-specific procedures may be found in the Consumer Compliance series of booklets of the Comptroller’s Handbook.Compliance-specific booklets are generally arranged according to specific regulations. A number of compliance regulations may be applicable to DRC products and services. See the Compliance Risk section in the Introduction of this booklet for additional information.
Management and Supervision
Objective: To assess the adequacy of the strategic plan, business plan, and overall planning process, including management’s methodology for setting DRC growth and profitability targets, and the processes to ensure appropriate expertise and sufficient staffing within the DRC line of business.
1. Review the bank’s strategic and business plans and determine whether management’s plans for DRC products and services are clear and represent the current direction of the bank, as well as any changes since the last examination that may not be consistent with the bank’s current strategic plan.
2. If issues identified in prior examinations, audits, or credit reviews remain uncorrected, determine whether the board or its audit committee has adopted a corrective action plan and, if so, the status of implementing corrective actions.
3. Obtain, through discussion with the manager of the DRC activities, information about the overall portfolio, MIS, and policies. Review significant changes since the last examination to understand how the changes have affected the portfolio’s risk profile.
4. Evaluate any new programs the bank is pursuing and what effect the programs may have on the DRC operation.
5. Review all aspects of the DRC programs offered by the bank, including marketing practices, advertising, and customer disclosures, to ensure that they are consistent with applicable laws, rules, regulations, and with OCC guidance.
58 | P a g e
6. Assess performance management and compensation programs. Consider whether these programs measure and reward performance that aligns with the bank’s strategic objectives and risk appetite.
If the bank offers incentive compensation programs, determine whether they are consistent with applicable rules and guidance. OCC Bulletin 2010-24, “Interagency Guidance on Sound Incentive Compensation Policies,” provides that incentive compensation arrangements should comply with the following three key principles: Provide employees with incentives that appropriately balance risk and
reward. Be compatible with effective controls and risk management. Be supported by strong corporate governance, including active and
effective oversight by the bank’s board of directors.
7. Assess management’s responsiveness to regulatory, accounting, industry, and technological changes.
8. Review the organizational chart for the department or line of business to determine what other responsibilities, if any, the DRC manager has within the bank. Determine whether the organizational structure is appropriate.
9. Determine what committees, if any, are involved in reviewing DRC products and services. Review the committee’s minutes for pertinent information about discussion of risks, changes to current products and services, and any potential new products and services being considered. Determine whether the committee structures, if any, are appropriate.
10. Determine whether current staffing levels meet the bank’s short- and long-term requirements. Determine whether
staffing levels are adequate for the number of accounts, volume of activity on the accounts, account monitoring needs, and, if applicable, the need to oversee third parties and use of outsourcing arrangements for the DRC products and services.
staffing levels are sufficient to investigate daily fraud exception reports in a timely manner.
turnover of staff for the area appears high and, if so, why.
11. Determine whether there is a separate bank policy for DRC products and services or if it is incorporated within another bank policy. If there is a separate policy, determine when it was approved by the board of directors and when it was last updated.
12. Evaluate the overall adequacy of written policies for DRC products and services by considering whether the policy
establishes clear lines of authority and responsibility.
59 | P a g e
identifies the risks the bank is willing to accept and limits the amount of those risks in relation to capital or earnings, as appropriate.
provides for adequate and knowledgeable staff. requires written contracts between all third parties associated with DRC
products and services. establishes underwriting or eligibility criteria, as appropriate, applied to
qualify customer accounts for DRC products and services, and for the acceptance of new customer accounts into DRC products and services.
requires the development of procedures to monitor the activity of customer accounts.
establishes risk-based guidelines for the periodic review of customer accounts. requires adequate MIS to keep management and the board informed of
the DRC program’s condition. requires a comprehensive procedure manual to guide officers and
employees in administering the DRC program. establishes guidelines for handling exceptions to policy (including
appropriate approval and monitoring requirements and criteria for suspending availability), and sets limits on acceptable exception volumes.
addresses criteria for paying DRC items, such as overdrafts or debit items. establishes appropriate limits for DRC items in conjunction with different
types of deposit accounts. For example, limits with overdrafts might include dollar limits for individual items and cumulative items, and item limits, such as the number of overdraft items that are allowed during a statement cycle or other specific time frame or during the life of the account.
establishes guidelines for a cooling off period for DAP products. establishes criteria for canceling participation and privileges in DRC
products and services, as well as criteria for the charge-off of an ODP balance or outstanding balances on other DRC products and services.
identifies circumstances under which features of a DRC program or product are reactivated for suspended or canceled customer accounts, if applicable.
establishes criteria for establishing a payment plan for a customer using certain DRC products and services, if the bank offers a payment plan option.
13. Determine whether DRC policies are approved and annually reviewed by the board of directors or a committee thereof. Determine whether the board, or a committee thereof, evaluates policies for changing market and business conditions at least annually and whether the policies are in line with the overall strategic plan for this activity.
14. Determine whether the bank policy addresses charge-off requirements and accounting treatment for DRC products and services and assess the policy’s appropriateness. Also, determine whether the bank uses the same charge-off time frames for all DRC products and services or whether it varies by product.
15. Determine whether the bank policy addresses the approval process for new DRC accounts, including any applicable underwriting or account eligibility
60 | P a g e
criteria for new accounts. Determine whether the policy addresses the following items:
Documentation requirements for customer files. Applicable underwriting for DAP or CC, or ODP account eligibility
criteria guidelines, for customer accounts. Guidelines for suspending DRC accounts. Termination or closing procedures for DRC accounts. Types of derogatory information acceptable on credit reports, if applicable. Handling of exceptions for DRC account approvals.
16. Determine whether the board has adopted a policy applicable to small businesses for underwriting new DRC accounts, or determining eligibility criteria for ODP. If so, determine whether the policy states that
the customer must provide the bank with financial information, the type of information, and the frequency of obtaining the information (if this occurs on a periodic basis after the account is opened).
an experienced commercial credit officer must review the periodic financial statements of the business.
the bank must review the depth and experience of the management of the business.
the bank must perform required background checks and that the checks should determine whether any business or the business’s principals have criminal records.
Underwriting and Account Eligibility Criteria
Objective: To determine whether underwriting standards (for CC and DAP) and account eligibility criteria (for ODP) are consistent with business and strategic plans, as well as risk appetite objectives, and whether appropriate controls and systems are in place. To assess the quality of new DRC accounts, identify any changes from past underwriting standards or account eligibility criteria, determine the adequacy of and adherence to DRC policies and procedures, and gain a thorough understanding of the processes employed in DRC underwriting and account eligibility criteria.
1. Evaluate the bank’s policy and process for approving new DRC accounts, including underwriting or account eligibility criteria for new accounts. Determine whether the policy addresses the following items:
Types of customer accounts for which the bank does not want to offer DRC products and services.
Documentation requirements for DRC files. Underwriting or eligibility criteria guidelines for DRC products and
services, including approval of line or limit increases for DRC products and services.
61 | P a g e
Criteria to ensure that extensions of credit and fees can be timely repaid. Termination or closing account procedures for DRC accounts and services. What types of derogatory information from credit reports may be
acceptable, if applicable. Handling of exceptions to the DRC account and service approval policy.
2. Determine what information sources the bank relies upon to evaluate a customer’s creditworthiness for CC or DAP, or account eligibility for ODP, and the extent to which the bank relies upon information solely or in conjunction with other forms of information. Evaluate whether the bank relies on
information provided by the customer through an application. information provided through a credit bureau report and whether the bank
evaluates the information from the report. a credit score. Banks may use credit scores or credit bureau information to
project the probability of future payment performance based on past experience, but are not required to do so.
a proprietary scoring model and, if so, determine what factors and information are considered in the model.
an evaluation of a customer’s account behavior based on inflows and outflows through deposit accounts.
3. Determine whether the bank’s underwriting policies and practices for a CC or DAP product or service, and its eligibility criteria for an ODP service, are commensurate with the specific risks associated with the product type and the terms and conditions under which the product will be extended. Underwriting and eligibility policies and practices among banks may vary, but should be appropriate based on the type of credit product.
Evaluate whether the bank is conducting an appropriate degree of analysis before a customer’s request for credit is approved to determine whether the customer will be able to manage and repay the credit obligations in accordance with the terms associated with the product.
Determine whether the bank’s DAP underwriting requirements evaluate whether the customer will have sufficient remaining funds after making scheduled payments to cover necessary and recurring living expenses.
Evaluate the terms of the DRC product to determine whether product features increase the probability that a customer will be able to successfully manage repayment of the obligation.
4. Evaluate the bank’s procedures for ensuring compliance with the DRC approval policy.
5. Determine how the bank documents and monitors exceptions to the DRC approval policy. Evaluate the practices for waiving documentation requirements.
6. Select a representative sample of recently approved DRC files (for example,
62 | P a g e
within the last 90 days). Review the sample of files for compliance with the bank’s underwriting policies or practices, or account eligibility criteria, and consistency with OCC guidance. See appendix B for a “Checklist for Deposit Advance Products” to aid in the sample review. Summarize the results of the DRC file review. Determine whether the level of exceptions is reasonable in view of board-approved policies.
7. Obtain the following reports, which may be used in step 8 and for sampling and testing purposes: Most recent report of overlimit and overline accounts (list of any DRC
accounts for which the bank customer has exceeded the established limit and line granted by the bank for the account).
Most recent exception reports. Most recent stagnant maximum usage report. Most recent inactive suspects report (list of accounts on which payments are
made by drawing on reserves). Most recent report of customers who have opted in/opted out of ODP
products and services. Month-end account balance and total delinquency. Trial balance of all accounts related to the DRC area. Using the trial
balance (if needed for verification purposes), agree or reconcile balances to departmental controls and general ledger. If
the totals do not agree or reconcile, it may be necessary to obtain support records for daily transactions that may have posted later and account for a difference in the totals.
review reconciling items for reasonableness.
8. Using appropriate sampling techniques, select customers with DRC products and services for review. Review the selected accounts, preparing line sheets or worksheets where appropriate, and
if the credit was granted since the preceding examination, ascertain that the- application form is on file and properly completed.- customer’s signature is on file.- credit check or review of eligibility criteria has been performed, if required
for the particular product.- established credit limit is properly authorized and in compliance with
policies. test the accuracy of the reports obtained at step 7 by
- tracing any overlimit credit for proper inclusion in the overline report. For those included, review the files to determine whether the line or limit was originally established in compliance with bank
policy. the overline or overlimit status was the result of deficiencies in
policy or procedures. action has been taken to prohibit additional advances until the
account is within the established credit line.
63 | P a g e
based upon available information, customer has the ability to repay or meets account eligibility criteria (which may vary by product).
- tracing credits with exceptions for proper inclusion in appropriate exception reports. For those included, determine whether appropriate action is being taken to resolve the situation and whether collectability is questionable.
- tracing any long-standing fully advanced credits for proper inclusion in the stagnant maximum usage report. For those included, determine whether appropriate action is being taken to resolve the situation and whether collectability is questionable.
- tracing any delinquent credit for proper inclusion in the appropriate past-due report.
review accounts selected to determine adequacy of and compliance with bank policy and procedures for- granting of extensions.- identification of outstanding balances on any DRC accounts carried
forward or rolled over to other credits, when the prior credit amount was not paid in a timely fashion.
- placing accounts on reduced payments schedule.- placing accounts on nonaccrual status.- cooling off periods, if applicable.- identification of excessive, repeated usage of products and services.
9. In evaluating the bank’s ongoing review of DRC accounts, determine
the type or size of DRC accounts included for review. what area of the bank conducts the review and the frequency of the review. the scope of the review and the bank’s documentation process for the review. if the review covers DRC accounts for business customers, whether the
review is coordinated with the commercial loan department.
Portfolio Quality
Objective: To evaluate portfolio quality and the effectiveness of charge-off processes for DRC. To ensure the bank complies with laws, rules, and regulations, and consistency with supervisory guidance.
1. Obtain the reports listed below for the DRC products and services. These reports may be used to identify credits that potentially should be charged off, to evaluate portfolio quality, or in conjunction with a review for compliance with laws and regulations and consistency with supervisory guidance and bank policy. The use of some of these reports may be more fully addressed in procedures elsewhere under this section.
Past-due credits. Overdraft report. Use of DRC products and services by major shareholders, employees,
64 | P a g e
executive officers, directors, or their related interests. Extensions of credit to officers and directors of other banks. Miscellaneous loan debit and credit suspense accounts. DRCs considered problem credits by management. Specific guidelines in the bank’s lending policy. Each officer’s current lending authority. Current interest rate structure. Any useful information obtained from the minutes of the loan and discount
committee or any similar committee for DRC products and services. Reports furnished to the loan, retail banking, or other appropriate committee. Reports furnished to the board of directors.
2. Review the overdraft report and determine whether charge-offs are taken in accordance with bank policy and consistent with supervisory guidance. Verify that management has established reasonable loss recognition guidelines. Overdrafts should generally be charged off within 60 days after the date the account first went into overdraft status. Stale items that appear on the overdraft report should be charged off.
3. If the bank does not have a periodic charge-off policy, the bank should develop and implement one. Prepare a list of stale and past-due DRC items for discussion with management and direct charge-off as appropriate. The list should include the customer name, account number, amount outstanding, loan or account identification number, and any other pertinent information.
4. Review reports for any past-due credits for the DRC area since the previous examination and investigate any significant variations.
5. If the bank uses repayment plans to allow customers longer terms to pay off overdrafts, determine whether the accounts are carried on the books beyond 60 days from the date of the advance. Those accounts should be charged off and the subsequent plan payments treated as an allowance recovery.
6. Review charge-offs and recoveries over the last year. If the bank does not have appropriate MIS to track trends, calculate the ratio on a quarterly or semiannual basis as appropriate. Evaluate any significant trends, variances, or changes.
7. Review the information for extensions of credit to officers and directors of other banks and investigate for any circumstances that may indicate preferential treatment.
8. Review information provided for DRC-related suspense accounts and discuss with management any large or stale items in the accounts. Perform additional procedures, as deemed appropriate.
9. Determine compliance with laws and regulations pertaining to specific DRC products and services, as described below.
For 12 CFR 215, 12 USC 375a, “Loans to Executive Officers of Bank,” and12 USC 375b, “Extensions of Credit to Executive Officers, Directors, and
65 | P a g e
Principal Shareholders of Member Banks.” Per 12 USC 1468(b), the aforementioned sections of 12 USC 375a and 12 USC 375b apply to all savings associations “in the same manner and to the same extent” as if the savings association were a member bank. Per 12 CFR 163.43, savings associations are subject to Regulation O.
Provide the examiner assigned to “Loan Portfolio Management” outstanding balances on DRC products and services for advances to executive officers, directors, and principal shareholders and their related interests to ensure they are included in the review for compliance with Regulation O.
Otherwise, review information received from the examiner assigned “Loan Portfolio Management,” including participations and loans sold, and- test the accuracy and completeness of the loans to executive officers,
directors, and principal shareholders and their related interests by looking to see if the information includes DRC products and services for the individuals and credits sampled.
- review credit files to determine whether required information is available.
For 12 USC 84 “Lending limits” (national banks), 12 USC 1464(u) “Limits on loans to one borrower” (federal savings associations), and 12 CFR 32 “Lending limits,” determine compliance with the lending limits for aggregate loans to customers. These laws and regulations apply to extensions of credit to all customers of the bank. 12 USC 84 is made applicable to federal savings associations by 12 USC 1464(u).
For 12 USC 1464(c)(2)(A) and 12 CFR 160.30, endnote 19 (federal savings associations), determine compliance with the statutory investment limit in commercial loans. Overdraft credit extended by a federal savings association relating to commercial demand deposit accounts is considered a commercial loan for purposes of determining the association’s percentage of assets limitation.
For 31 CFR 1010.410(a), “Records to be Made and Retained by Financial Institutions,” review operating procedures and credit file documentation and determine whether the bank retains a record of each extension of credit of more than$10,000 that specify the name and address of the customer, the amount of the credit, the nature and purpose of the credit, and the date of the credit.
10. Assess the quality, accuracy, and completeness of MIS reports and other analyses used to manage the DRC collections process.
11. Determine what system(s) the bank uses to recover DRC charged-off accounts and balances and whether they interface with the bank’s collection management system(s). If not, determine how the recovery unit gathers and uses information about prior collection activities.
12. Determine whether customer service or any department other than collections can initiate DRC collection activities. If so, determine whether appropriate monitoring
66 | P a g e
MIS are in place to monitor volumes and credit performance of accounts in collection activities initiated outside of collections.
67 | P a g e
Profitability
Objective: To assess management’s ability to accurately calculate the profitability of DRC products and services while also assessing the quantity, quality, and sustainability of earnings from DRC products and services.
1. Review profitability statements for DRC activities to evaluate major costs and fee income items in relation to overall profitability. Determine the impact of DRC losses and fraud losses on line-of-business profitability. Consider the level and trend of charge-offs and recoveries on DRC operating performance.
2. Review operating results for DRC activities for the most recent year-end and the current year to date. Determine whether there is a profit or loss and the extent to which the bank is relying on fee income generated from DRC products and services. Assess whether the bank has an over-reliance on fee income from any single DRC product. Evaluate whether the bank considers the significance of a particular product and monitors for potentially undue reliance on fees generated by that product for its revenue and earnings.
3. If the DRC operation is unprofitable, determine the bank’s appetite, plan, and rationale for continuing to offer unprofitable products and services, or assess the bank’s plans for bringing certain products and services, and the operation to a profitable status.
4. Review the budgeting process for the DRC area and investigate any significant variances between budget and actual performance. Determine whether the department is expected to meet this year’s budget and, if not, why not.
5. Evaluate the MIS used in determining the department’s profitability.
6. Determine how management determines costs—that is, whether it uses actual or estimated costs—and whether the methodology is appropriate.
7. Review the bank’s pricing policies and evaluate the bank’s pricing methods. If the bank offers reduced rates based on other existing banking relationships, evaluate the risks and rewards.
8. Determine which personnel have the authority to set pricing variables and how management monitors the pricing process.
9. If the bank relies on third parties in connection with DRC products and services, coordinate with the examiner reviewing third-party relationships and determine whether pricing programs are used and whether pricing is tied to other services.
68 | P a g e
Risk Management and Control Systems
Objective: To assess the adequacy of the bank’s processes for identifying, measuring, monitoring, and controlling risk related to DRC activity by reviewing the effectiveness of risk management and other control functions.
1. Consider whether processes are effective, adequately communicated to appropriate staff, and consistent with underlying bank policies. Review any written procedures and processes for DRC. Discuss processes with management and department heads to determine how policy requirements and changes are communicated.
2. Determine whether internal controls are in place and functioning as designed. Complete the internal control questionnaire (ICQ) for CC, if necessary. Review any special reports the bank may use for internal control purposes, and hold discussions with management, as appropriate.
3. Assess and review the scope, frequency, effectiveness, and independence of the internal and external audit of the DRC area.
Review audit reports, work papers, and management’s responses to any issues. Determine the status of corrective actions as appropriate.
Determine whether internal auditors review major services provided by third-party organizations for DRC, if applicable.
Determine whether audits address appropriate operational areas for DRC. Assess the internal or external auditor’s knowledge of the DRC area and
whether the auditor’s knowledge is adequate to perform an effective review. Determine whether audit findings and the status of responses to audit
findings are relayed to the board.
4. Determine how the bank establishes parameters for exceptions to DRC policies and procedures and the approval process for exceptions, if applicable.
5. Evaluate monitoring systems’ effectiveness in identifying, measuring, and tracking exceptions to policies and established limits.
6. Assess the adequacy of the overall MIS information by doing the following:
Review the MIS reports management routinely uses and determine whether the reports adequately inform management of the risk posed by DRC products and services.
Determine whether adequate processes exist to ensure data integrity and report accuracy.
Determine whether key management reports are clearly labeled, dated, maintained, and updated.
Determine whether reports are produced to track volume and performance by product, channel, or marketing initiative.
Determine whether reports are available to track performance trends, delinquency, and quality.
69 | P a g e
Review reports to the board and determine whether the information the directors receive is timely, accurate, and useful. At a minimum, reports should include information for each portfolio product, number of accounts and total balances, delinquency and charge-off information, fraud activity, and risk levels and trends for the DRC area.
Evaluate systems planning to determine whether MIS and reporting needs are adequately researched and developed before new products and services are rolled out. Specifically, determine whether the systems and reports are adequate to supervise and administer new products and services.
Review the adequacy of MIS reports pertaining to fraud. Determine whether the information is sufficient to monitor fraud and the effectiveness of fraud controls, including the appropriate filing of suspicious activity reports (SAR).
7. Determine whether the bank has appropriate DRC tracking and reporting systems (e.g., by product type) and whether management regularly monitors and analyzes that information, including
utilization rate of the CC and DAP as a percentage of the approved credit limit, and for ODP, as a percentage of deposit accounts.
timeliness of repayments. charges or fees per account and as a percentage of average account balance. losses as a percentage of the specific product by number of accounts and in
dollars.
8. Review the bank’s call report to ensure that the bank is treating assets and any losses associated with DRC appropriately. Specifically, confirm that
DRC assets are treated as “other consumer loans” on Schedule RC-C. if the bank advises the customer of the available amount of ODP, the
unadvanced portions (with legally binding commitments) are reported as unused commitments on Schedule RC-L.
principal losses and recoveries related to these accounts go through the allowance for loan and lease losses (ALLL) and are shown on Schedule RI-B.
losses associated with fees are reversed against the income account in which originally recognized (if in the same accounting period) or are charged against a loss allowance for uncollectible fees.
9. Determine whether the scope and frequency of fraud reviews are adequate. Assess the bank’s processes if potential fraud is uncovered.
Perform verification procedures if the reports and trial balances contain unusual information or information that cannot be readily explained.
70 | P a g e
Third-Party ManagementObjective: To determine the extent of all third-party relationships45 in DRC and evaluate the effectiveness of management’s oversight and risk management processes.
1. Determine what third-party relationships the bank uses for DRC. Identify the role the third parties play and the activities or services performed.
2. Assess the rationale behind management’s decision to use third-party providers for DRC and determine whether the bank conducted an appropriate due diligence review.
3. Evaluate whether the bank periodically reviews its third-party servicers and, if so, the frequency and content of the reviews. Information available for the review of third-party servicers may include audit reports, financial statements, third-party operational reviews, disaster contingency plans, and reports of bank regulatory agencies.
4. Review major contracts of third-party relationships to assess the following information:
Terms specifying financial compensation, payment arrangements, and price changes.
Reasonableness of the compensation agreement. If there are income-sharing provisions, determine whether the provisions are equitable to the bank and whether the third-party relationship shares not only income but also costs (e.g., participates in credit losses, receives less income).
Provisions prohibiting the third party from assigning the agreement to any other party.
Frequency and means of communications and monitoring activities of each party.
Specific work the third party performs. Whether the contract addresses compliance with the specific laws and
regulations and is consistent with supervisory guidance and self-regulatory standards applicable to the activities involved.
Whether the contract states the bank has the right to monitor on an ongoing basis the third party’s compliance with applicable laws, regulations, and policies and requires remediation if issues arise.
Whether the contract provides for the confidential treatment of records. Record-keeping requirements for each party and whether the parties have
access to each other’s records. Whether the bank or the third party is responsible for responding to customer
complaints. If the third party is responsible for customer complaints, whether the contract includes provisions that ensure the third party receives and responds timely to customer complaints and forwards a copy of each complaint and response to the bank.
Whether the contract stipulates when and how the third party should notify the
45 OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.”
71 | P a g e
bank of its intent to use a subcontractor, whether the contract specifies the activities that cannot be subcontracted or whether the bank prohibits the third party from subcontracting activities to certain locations or specific subcontractors.
Responsibility for audits and whether the bank has the right to audit the third party.
Notification requirements for system changes that could affect procedures and reports.
Whether the contract includes requirements for the regular and timely submission of the third party’s financial information and, if the third party is involved with the ongoing administration or servicing of the product, whether the contract allows the bank to audit the third party at will.
Whether the contract includes a reasonable right to cancel and whether termination clauses are one-sided in the third party’s favor.
Whether contractual penalties for terminating the contract seem reasonable. Whether the contracts contain the appropriate signatures.
5. List third-party relationships that have provided contingency plan information. Review the bank’s analysis of contingency plans to determine adequacy. If an analysis does not exist, review the reasonableness of contingency plans.
6. Determine whether third-party contingency plans are adequately considered in the bank’s overall contingency plan.
7. Determine whether the management of DRC products and services requires the third party to adopt a written action plan when results fall below the bank’s standards, are inconsistent with supervisory guidance, or violate legal standards.
8. Determine whether the bank keeps contracts on file for each third-party relationship used for the DRC program, the location of original contracts for third-party providers, and whether the bank requires that the contracts be maintained in a secure, fire-protected area.
9. Obtain a report that shows the volume of activity with each third-party relationship. Review third-party relationships that have a significant volume of activity (transactions or dollar amount).
10. Review a sample of third-party relationship files. Evaluate whether the information in the files is appropriate in light of the significance of the third party’s activities and risk posed to the bank and check for compliance with the bank’s policy.
72 | P a g e
Conclusions
Conclusion: The aggregate level of each associated risk is (low, moderate, or high).
The direction of each associated risk is (increasing, stable, or
decreasing).
Objective: To determine, document, and communicate overall findings and conclusions regarding the examination of DRC.
1. Determine preliminary examination findings and conclusions and discuss with the EIC, including
quantity of associated risks (as noted in the “Introduction” section). quality of risk management. aggregate level and direction of associated risks. overall risk in DRC. violations and other concerns.
Summary of Risks Associated With DRC
Risk category
Quantity of risk Quality of risk management
Aggregate level of risk Direction of risk
(Low, moderate, high)
(Weak, satisfactory,
strong)
(Low, moderate, high)
(Increasing, stable,
decreasing)
Credit
Liquidity
Operational
Compliance
Strategic
Reputation
2. If substantive safety and soundness concerns remain unresolved that may have a material adverse effect on the bank, further expand the scope of the examination by completing verification procedures.
3. Share substantive consumer protection concerns that are identified or remain unresolved with the EIC or lead compliance examiner for direction and appropriate course of action.
4. Discuss examination findings with bank management, including violations,
73 | P a g e
recommendations, and conclusions about risks and risk management practices. If necessary, obtain commitments for corrective action.
5. Compose conclusion comments, highlighting any issues that should be included in the report of examination (ROE). If necessary, compose a matters requiring attention comment.
6. Update the OCC’s information system and any applicable ROE schedules or tables.
7. Write a memorandum specifically setting out what the OCC should do to effectively supervise DRC in the bank, including time periods, staffing, and workdays required.
8. Update, organize, and reference work papers in accordance with OCC policy.
9. Ensure that any paper or electronic media that contain sensitive bank or customer information are appropriately disposed of or secured.
74 | P a g e
Internal Control Questionnaire for Check Credit
An ICQ helps an examiner assess a bank’s internal controls for an area. ICQs typically address standard controls that provide day-to-day protection of bank assets and financial records. The examiner decides the extent to which it is necessary to complete or update ICQs during examination planning or after reviewing the findings and conclusions of the core assessment.
Although this ICQ is specifically designed for CC, to the extent that the following questions are applicable, examiners may also apply them to DAP and ODP.
CC Policies
1. Has the board of directors, consistent with its duties and responsibilities, adopted written CC policies that establish
procedures for reviewing CC applications or eligibility where applications are not required?
standards for determining credit lines and limits? minimum standards for documentation?
2. Are CC policies reviewed at least annually to determine whether they are compatible with changing market conditions and legal requirements?
CC Records
3. Is the preparation and posting of subsidiary CC records performed or reviewed by persons who do not also
issue official checks or drafts singly? handle cash?
4. Are the subsidiary CC records reconciled daily to the appropriate general ledger accounts and are reconciling items investigated by persons who do not also handle cash?
5. Are delinquent account collection requests and past-due notices checked to the trial balances used in reconciling CC subsidiary records to general ledger accounts and are they handled only by persons who do not also handle cash?
6. Are inquiries about credit balances received and investigated by persons who do not also handle cash?
7. Are documents supporting recorded CC adjustments checked or tested subsequently by persons who do not also handle cash? (If not, briefly explain.)
8. Is a daily record maintained summarizing transaction details—e.g., credits extended, payments received, and interest or fees collected—to support applicable general ledger account entries?
75 | P a g e
9. Are frequent note and liability ledger trial balances prepared and reconciled with controlling accounts by employees who do not process or record credit transactions?
10. Are suspense accounts reviewed daily for timely disposition of all items?
11. Are authorized signatures required to effect a status change regarding individual customer accounts?
12. Is an exception report produced that encompasses extensions, renewals, and any factors that would result in a change in customer account status and is it reviewed by operating management?
13. Is an overdue-accounts report generated frequently? If so, how often?
Interest and Service Fees
14. Is the preparation and posting of interest or service fee records performed or reviewed by persons who do not also
issue official checks or drafts singly? handle cash?
15. Are any independent interest and service fee computations made and compared or tested to initial interest and service fee records by persons who do not also
issue official checks or drafts singly? handle cash?
Other
16. Are statements of balances and payments due issued at least monthly?
17. If the CC is established in conjunction with a demand account, are combined demand deposit and credit statements issued?
18. If the CC (regarding available checks to the customer) is separate from the customer’s demand account, but is paid through the demand account, are notices of transfer from the CC cash reserve to the demand account delivered on a timely basis to the customer?
19. Are all internally prepared entries affecting customer account records approved by an officer?
20. Are customers prohibited from exceeding their maximum approved lines?
If not, is the allowed overline amount a percentage of their maximum approved credit line? If so, what is the stated percentage?
21. Are the following reports prepared for internal use in the department and monitored:
Overlimit and overline balances?
76 | P a g e
Stagnant maximum usage balances? Inactive suspect accounts (accounts for which payments are made by
drawing on reserve)?
22. Are the above reports reviewed for accuracy periodically by someone independent of the CC function?
23. Are customers forbidden to make payments by drawing against a CC reserve?
If not, how many payments may be made by drawing against the CC reserve before a warning is issued to the customer?
24. Do operating procedures require that simultaneous drawing and payment postings to the same account be reported to department management?
25. Is a completed application obtained from each customer that includes the following (specific information for the application and the application process may vary by product and underwriting or credit eligibility criteria):
Name? Address? Number of dependents? Occupation? Length of employment? Income?
26. Are credit limits varied according to the customer’s repayment ability?
If so, does the bank conduct an analysis of the customer’s financial capacity, including income levels?
27. Are credit limit approvals made by an officer or employee granted credit authority by the board of directors?
28. Are credit investigations performed on every applicant before a CC is approved?
29. Are credit reports and investigations updated periodically? If so, what is or what are the periodic basis or criteria used to determine when updated credit reports and investigations should occur?
30. Is each credit line evidenced by a properly completed credit agreement?
31. Are credit lines periodically reviewed for appropriateness of the amount of the line?
32. Is additional credit review undertaken if the customer requests a credit line increase?
33. Are procedures in effect to review credit lines if the bank becomes aware of a change in the financial status or creditworthiness of a borrower?
34. Do controls exist to prohibit the opening of more than one specific type of CC account for any one customer?
35. Are exception reports reviewed and initialed by an officer daily?
77 | P a g e
36. Is a regular review made of all past-due accounts?
37. Is a customer contact record maintained for each collection account with appropriately detailed comments and date of contact?
38. Are collectors required to issue pre-numbered receipts when payments are received?
39. Is customer contact rotated between collectors?
40. Are procedures in effect for establishing employee accounts?
41. Are employee accounts periodically reviewed?
42. If employees are permitted to maintain CC accounts, are procedures in effect to determine whether accounts are being used to conceal shortages during audits of those employees?
Conclusion
43. Is the foregoing information an adequate basis for evaluating internal controls, in that there are no significant additional internal auditing procedures, accounting controls, administrative controls, or other circumstances that impair any controls or mitigate any weaknesses indicated above? (Explain negative answers briefly and indicate conclusions regarding the effects on specific examination or verification procedures.)
44. Based on the answers to the foregoing questions, internal control for CC is considered _______ (strong, satisfactory, or weak).
78 | P a g e
Verification Procedures
Verification procedures are used to verify the existence of assets and liabilities or test the reliability of financial records. Examiners generally do not perform verification procedures as part of a typical examination. Rather, verification procedures are performed when substantive safety and soundness concerns are identified that are not mitigated by the bank’s risk management systems and internal controls.
1. Test the addition of the trial balance and the reconciliation of the trial balance to the general ledger.
2. Using appropriate sampling techniques, select accounts from the trial balance including customer outstanding balance and approved limit for the customer, and
prepare and mail confirmation forms to ask customers to confirm balances and credit limits as of the last statement date.
after a reasonable time, mail second requests for any confirmations not returned by the customers.
follow up on any no-replies or exceptions received and resolve differences.
3. If the bank charges a fee for DRC services,
using the selected accounts, check computation of the latest charges. trace charges to posting in appropriate general ledger income account. review monthly income amounts posted to the general ledger for
reasonableness relative to the number of DRC accounts handled.
4. Obtain or prepare a schedule showing the amount of monthly interest and fee income and the DRC credit balances at the end of each month since the preceding examination and investigate significant fluctuations or trends.
79 | P a g e
Appendixes Appendix A: Sample Request Letter
Deposit-Related Credit Request
Letter Please provide copies of the
following: Management and Board
Supervision
1. Current organizational chart for the DRC department or those overseeing DRC activity (hereinafter, DRC department).
2. Résumés of all principals in the DRC department.
3. Job descriptions of all principal positions in the DRC department.
4. DRC department’s strategic and business plans and budgets.
5. Management’s annual analysis of capital adequacy or capital allocation relative to the risk profile of DRC activities.
6. Two most recent sets of recurring management reports related to DRC activity reviewed by management and/or the board of directors.
7. Report on new DRC activity or management summaries of DRC activity for the previous three months.
8. Any credit risk management reports for DRC.
9. Concentration reports for DRC by state or geographic area or industry.
Underwriting and Eligibility
10. A listing of all insider-related DRC customers.
11. Samples of customer agreements, including deposit account agreements eligible for ODP, and applications related to DRC.
12. List of all DRC reserves.
Profitability
13. Profitability report for the DRC department for the most recent year-end and the current year to date.
80 | P a g e
14. Current fee schedule and definitions of fees charged for DRC.
15. Profitability reports by DRC product segment.
Third-Party Relationships
16. List of third parties used for DRC activity by name and address and a description of services provided. Are any third-party arrangements new to the bank within the last 12 months? If so, please provide an electronic copy of the contract with the third party.
17. List of any credit relationships with third parties associated with DRC activities, including credit terms and amounts.
Risk Management
18. Management summary of underwriting exceptions/overrides for DRC activity.
19. Brief description of the fraud-monitoring process, the systems and reports used, prioritization of investigations, and staffing involved in the process for DRC activity.
20. Representative sample of daily fraud-monitoring reports for DRC activity.
21. Fraud loss history for DRC for the most recent year-end and year to date. Were suspicious activity reports filed for the fraud losses identified?
22. Credit loss history for DRC for the most recent year-end and year to date.
23. Any additional risk analysis or reports used to evaluate DRC activity apart from daily monitoring reports.
Audit
24. Most recent internal or external audit reports related to DRC activity and management’s response.
Loan Review
25. Copies of internal loan review and ODP reports for the DRC activity. Also, provide any management responses for these reports.
Please Make the Following Available Upon Our Arrival at the Bank:
26. DRC policy and procedure manuals.
81 | P a g e
27. Committee minutes for DRC activities.
28. All third-party credit files, including current financial statements for parties providing services to DRC activities.
29. All third-party written contracts and agreements related to DRC products and services and agreements between third parties and the bank’s data processor(s).
30. Disaster contingency plans for third-party organizations that provide DRC-related services and bank management’s review of the plans.
31. Internal or external auditor work papers from review of DRC activity.
82 | P a g e
Appendix B: Checklist for Deposit Advance Products
Yes No Examiner comments
Does the bank monitor for repeated or extended use of DAP credit?
Are eligibility and underwriting criteria designed to assure that the extension of credit, including all associated fees and expenses, can be repaid according to its terms while allowing the customer to continue to meet typical recurring and other necessary expenses, as well as other outstanding debt obligations?
Does the bank maintain appropriate criteria to prevent churning and prolonged use of DAP credits?
Does underwriting for DAP credits occur prior to opening such accounts and does monitoring occur on an ongoing basis?
Are bank policies regarding the underwriting of DAPs written and approved by the bank's board of directors and consistent with the bank's general underwriting standards and risk appetite?
Do written underwriting policies for DAPs include:
The length of a customer's deposit relationship with the bank (no less than six months)?
Ineligibility for DAPs for customers with delinquent or adversely classified credits with the bank that is offering the DAP?
An analysis of the customer's financial capacity including income levels?
An analysis of the customer's account for recurring deposits (inflows) and checks/credit/customer withdrawals (outflows) over at least six consecutive months?
The exclusion of items from lines of credit, including overdrafts, and drafts from savings, from inflows (these items should not be counted as inflows)?
Consideration of the customer's net surplus or deficit at the end of each of the preceding six months without reliance on a six-month transaction average?
A cooling off period of at least one monthly statement cycle after the repayment of a DAP should be completed before another advance may be extended in order to avoid repeated use of the short-term product?
A full underwriting reassessment in compliance with the bank's underwriting policies before determining whether the amount of credit available to a customer can or cannot be increased?
That any increase in the credit limit should not be automatic and should be initiated by a request from the customer?
As part of the underwriting for this product, that the bank should, no less than every six months, reevaluate the customer's eligibility and capacity for this product?
83 | P a g e
Yes No Examiner comments
That a bank should identify the risks that could negatively affect a customer's eligibility to receive additional DAPs (such as repeated overdrafts or evidence that a customer is overextended with respect to total credit obligations)?
Higher capital requirements generally apply to credit portfolios that exhibit higher-risk characteristics and are subject to less stringent credit underwriting characteristics. How does the bank arrive at the capital level held for the DAP portfolio?
Fees associated with DAPs should be based on safe and sound banking principles. What fees or fee structure does the bank utilize for DAPs and does it appear reasonable?
Does the bank monitor for any undue reliance on fees generated by DAPs for its revenue and earnings? If it does monitor for undue reliance on fees, how does it monitor and how frequently does it monitor for undue reliance on fees?
Is the ALLL adequate for estimated credit losses for the DAP portfolio?
Does the bank have methodologies and analyses in place to demonstrate and document that the level of the ALLL is appropriate?
Has the bank implemented effective compliance management systems, processes, and procedures to mitigate risks appropriately?
Is the bank in compliance with applicable consumer protection statutes and regulations, including TILA, EFTA, TISA, ECOA, and Section 5 of the FTC Act?
In the review of a bank's relationships with third parties involved in the bank's DAP, is the bank assuming more risk than it can identify, monitor, and manage?
Has bank management allocated sufficient and qualified staff to monitor risks posed by third-party relationships, excessive usage by customers, and excessive risk taking by the bank?
Have examiners identified high-risk situations associated with third- party relationships that necessitate examiners conducting on-site third-party reviews under specific authorities granted to the OCC?
Has bank management established controls and implemented a rigorous analytical process to identify, measure, monitor, and manage the risks associated with DAPs?
Does the bank maintain adequate oversight of DAPs and adequate quality control over products and services to minimize exposure to potential significant financial loss, reputation damage, and supervisory action?
Does the bank's compliance management system ensure continuing compliance with applicable federal and state laws, and regulations, as well as internal policies and procedures?
Has management provided the appropriate oversight and allocated sufficient and qualified staff to monitor deposit advance programs?
84 | P a g e
Yes No Examiner comments
Are results of oversight activities, including identified weaknesses that should be documented and promptly addressed, reported periodically to the bank's board of directors or designated committee?
85 | P a g e
Appendix C: Abbreviations
ACH automated clearing houseALLL allowance for loan and lease lossesAPR annual percentage rateATM automated teller machineBoard Board of Governors of the Federal Reserve Systemcall report Consolidated Reports of Condition and IncomeCAMELS capital adequacy, asset quality, management, earnings,
liquidity, and sensitivity to market riskCC check creditCFPB Consumer Financial Protection BureauCFR Code of Federal RegulationsDAP deposit advance productDodd–Frank Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010DRC deposit-related creditECOA Equal Credit Opportunity Act of 1974 EFTA Electronic Fund Transfer Act of 1978 EIC examiner-in-chargeFDIC Federal Deposit Insurance CorporationFFIEC Federal Financial Institutions Examination CouncilFTC Federal Trade CommissionGAAP generally accepted accounting principlesICQ internal control questionnaireISAE International Standard on Assurance EngagementsIT information technologyMIS management information systemsOCC Office of the Comptroller of the CurrencyODP overdraft protectionOTS Office of Thrift SupervisionROE report of examinationSAR suspicious activity reportSSAE Statement on Standards for Attestation EngagementTILA Truth in Lending Act of 1968 TISA Truth in Savings Act of 1991 UDAP unfair or deceptive acts or practices USCU.S. Code
86 | P a g e
References Laws
12 USC 24, “Corporate Powers of Associations” (national banks)12 USC 84, “Lending Limits” (national banks) (made applicable to federal savings
associations by 12 USC 1464(u))12 USC 161, “Reports to the Comptroller of the Currency” (national banks)12 USC 375a, “Loans to Executive Officers of Bank” (national banks) (made
applicable to federal savings associations by 12 USC 1468(b))12 USC 375b, “Extensions of Credit to Executive Officers, Directors, and Principal
Shareholders of Member Banks” (national banks) (made applicable to federal savings associations by 12 USC 1468(b))
12 USC 1464(c), “Loans and Investments” (federal savings associations)12 USC 1464(d)(7), “Regulation and Examination of Savings Association Service
Companies, Subsidiaries, and Service Providers” (federal savings associations)12 USC 1464(u), “Limits on Loans to One Borrower” (federal savings associations) 12 USC 1464(v), “Reports of Condition” (federal savings associations)12 USC 1468(b), “Extensions of Credit to Executive Officers, Directors, and
Principal Shareholders” (federal savings associations)12 USC 1867(c), “Services Performed by Contract or Otherwise” (national banks
and federal savings associations)12 USC 4301, “Truth in Savings” (national banks and federal savings associations)12 USC 5514(e); 5515(d); 5516(e), “Service Providers” (national banks and federal
savings associations)15 USC 45, “Unfair Methods of Competition Unlawful; Prevention by Commission”
(UDAP) (national banks and federal savings associations)15 USC 1601, “Truth in Lending Act” (national banks and federal savings associations) 15 USC 1691, “Equal Credit Opportunity Act” (national banks and federal savings
associations)15 USC 1693, “Electronic Fund Transfer Act” (national banks and federal savings
associations)31 USC 5315, “Reports on Foreign Currency Transactions” (national banks and
federal savings associations)
Regulations
12 CFR 3, “Capital Adequacy Standards” (national banks and federal savings associations) 12 CFR 7.4002, “National Bank Charges” (national banks)12 CFR 21.11, “Suspicious Activity Report” (national banks)12 CFR 32, “Lending Limits” (national banks and federal savings associations)12 CFR 160.30, “General Lending and Investment Powers of Federal Savings
Associations” (federal savings associations)12 CFR 163.43, “Loans by Savings Associations to Their Executive Officers,
87 | P a g e
Directors and Principal Shareholders” (federal savings associations)12 CFR 163.180, “Suspicious Activity Report” (federal savings associations) 12 CFR 167, “Capital” (federal savings associations)12 CFR 215, “Loans to Executive Officers, Directors, and Principal Shareholders of
Member Banks (Regulation O)” (national banks and federal savings associations)12 CFR 1002, “Equal Credit Opportunity Act, Regulation B” (national banks and
federal savings associations)12 CFR 1005, “Electronic Fund Transfers, Regulation E” (national banks and federal
savings associations)12 CFR 1026, “Truth in Lending, Regulation Z” (national banks and federal savings
associations)12 CFR 1030, “Truth in Savings, Regulation DD” (national banks and federal savings
associations)31 CFR 1010.410(a), “Records to be Made and Retained by Financial Institutions”
(national banks and federal savings associations)
Comptroller’s Handbook
Examination Process“Bank Supervision Process” “Community Bank Supervision” “Large Bank Supervision”
Consumer Compliance“Community Reinvestment Act Examination Procedures” “Compliance Management System”“Depository Services” “Fair Credit Reporting” “Fair Lending”“Servicemembers Civil Relief Act of 2003” “Truth in Lending Act”
Safety and Soundness, Asset Quality “Allowance for Loan and Lease Losses” “Commercial Loans”
OCC Issuances
Advisory Letter 2000-7, “Abusive Lending Practices” (July 25, 2000) (national banks and federal savings associations)
Advisory Letter 2002-3, “Guidance on Unfair or Deceptive Acts or Practices” (March 22, 2002) (national banks and federal savings associations)
OCC Bulletin 1998-3, “Technology Risk Management: Guidance for Bankers and Examiners” (February 4, 1998) (national banks and federal savings associations)
OCC Bulletin 2000-20, “Uniform Retail Credit Classification and Account
88 | P a g e
Management Policy: Policy Implementation” (June 20, 2000) (national banks and federal savings associations)
OCC Bulletin 2001-6, “Subprime Lending: Expanded Guidance for Subprime Lending Programs” (January 31, 2001) (national banks and federal savings associations)
OCC Bulletin 2001-37, “Policy Statement on Allowance for Loan and Lease Losses Methodologies and Documentation for Banks and Savings Institutions: ALLL Methodologies and Documentation” (July 20, 2001) (national banks and federal savings associations)
OCC Bulletin 2005-9, “Overdraft Protection Programs: Interagency Guidance” (April 6, 2005) (national banks and federal savings associations)
OCC Bulletin 2010-15, “Overdraft Protection: Opt-In Requirements and Related Marketing Issues” (April 12, 2010) (national banks)
OCC Bulletin 2010-24, “Incentive Compensation: Interagency Guidance on Sound Incentive Compensation Policies” (June 30, 2010) (national banks and federal savings associations)
OCC Bulletin 2012-34, “Supervision of Technology Service Providers: FFIEC IT Examination Handbook Booklet Revision and Administrative Guidelines for Interagency Supervisory Programs” (October 31, 2012) (national banks and federal savings associations)
OCC Bulletin 2013-23, “Regulatory Capital Rule: Final Rulemaking” (October 11, 2013) (national banks and federal savings associations)
OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (October 30, 2013) (national banks and federal savings associations)
OCC Bulletin 2013-40, “Deposit Advance Products: Final Supervisory Guidance” (December 26, 2013) (national banks and federal savings associations)
OTS Examination Handbook section 1354, “Unfair or Deceptive Acts or Practices, Federal Trade Commission Act, Section 5” (May 2010) and related “Program” (March 2011) and “Questionnaire” (May 2010) (federal savings associations)
FFIEC
“Administrative Guidelines—Implementation of Interagency Programs for the Supervision of Technology Service Providers” (October 2012)
Federal Regulatory Agencies’ Administrative Guidelines—Implementation of Interagency Programs for the Supervision of Technology Service Providers (issued jointly by the OCC, FDIC, and Board) (October 2012) (national banks and federal savings associations)
FFIEC Information Technology Examination Handbook
“Outsourcing Technology Services” (June 2004) “Retail Payment Systems” (February 2010)“Supervision of Technology Service Providers” (October 2012)
Other
89 | P a g e
American Institute of Certified Public Accountants, Accounting Standards Board, “Statement on Standards for Attestation Engagement No. 16, Reporting on Controls at a Service Organization” (SSAE 16)
International Auditing and Assurance Standards Board, “International Standard on Assurance Engagements” (ISAE 3402)
90 | P a g e