Consumer Compliance Outlook: First Quarter 2012

View from the Field: Commonly Cited Compliance Violations in 2011

By Justin Windschitl, Examiner, Federal Reserve Bank of Minneapolis1


To help identify current compliance risks, financial institutions often ask their regulators which violations of regulations are frequently cited during consumer compliance examinations. To address this question, we identified some of the common violations of regulations cited by compliance examiners at the 12 regional Federal Reserve Banks during 2011:

This article discusses these violations and provides guidance and resources to facilitate compliance.

Common Violations of Regulations

Regulation B/Equal Credit Opportunity Act

Spousal Signatures

When a married applicant applies for credit individually and qualifies under the creditor's standards for creditworthiness, the creditor is prohibited by 12 C.F.R. §1002.7(d)(1) External Site from requiring the signature of the applicant's spouse on the credit instrument subject to limited exceptions. The exceptions in §1002.7(d) include when the spouse's signature is necessary under applicable state law to provide a secured creditor access to collateral in the event of default or to provide an unsecured creditor access to property relied upon in the event of death or default. A spouse's signature is also permissible on the credit instrument if the applicant does not qualify under the creditor's lending standard and the spouse chooses to provide credit support.

If an applicant intends to apply for credit jointly with a spouse, their joint intent must be evidenced at the time of application. Signatures on the promissory note are insufficient. Also, the method used to establish joint intent must be distinct from the means used to affirm the accuracy of information in the application. For example, financial statements affirming the veracity of information do not establish joint intent. But creditors can rely on signatures or initials on a credit application affirming the applicants' intent to apply jointly.2

In 2008, Outlook published an article titled “Regulation B and Marital Status Discrimination: Are You in Compliance?,” which discussed the spousal signature requirements.3 Today, more than three years later, the requirements under §1002.7(d)(1) continue to present compliance challenges. In some instances, bankers say they require the spouse's signature on the credit instrument out of an “abundance of caution.” But the regulation does not contain an exception for this circumstance.

Institutions can improve compliance by conducting reviews of loans in which a married applicant applied for credit individually or where the intent of the spouse to apply jointly has not been established, but the institution obtained the spouse's signature on the credit instrument. The Outlook article also noted signature violations frequently occur with commercial or agricultural loans. Banks should therefore be aware of the increased fair lending risk associated with these products. The article also recommended conducting a fair lending risk assessment to identify vulnerable areas in which marital status discrimination could occur. For example, products for which previous violations have been noted should receive higher scrutiny. Finally, institutions should be aware that spousal signature violations can trigger file searches for other affected applicants and require the institution to take corrective action for the affected parties.4

Consumer Credit Adverse Action Notices

When a creditor takes adverse action — as defined in §1002.2(c) External Site — on a consumer credit application or existing consumer account, the creditor is required by §1002.9(a)(2) to provide a written adverse action notice that discloses the action taken by the financial institution, the name and address of the institution, the ECOA anti-discrimination notice in §1002.9(b)(1) External Site, the name and address of the institution's regulator, and either the specific reasons for the adverse action or a disclosure of the right to obtain the specific reasons and the contact information to obtain them.5

Examiners noted common violations for two of the adverse action notice requirements: failing to list the statement of reasons for the action taken and providing reasons for the action taken that are not specific enough.

The statement of reasons must indicate the principal reasons for the adverse action, which “must relate to and accurately describe the factors actually considered or scored by a creditor.” See comment 1002.9(b) (2)-2. The number of reasons should not exceed four because more than four will likely not be meaningful to the applicant.6

General explanations such as “credit score below bank policy” or “outside of risk tolerance” are not specific enough and should not be used. Sample Form C-1 found in Appendix C to Part 1002 contains a list of 23 “Principal Reason(s) for Credit Denial, Termination, or Other Action Taken Concerning Credit” and includes a 24th option for “Other, specify.” If the reasons for taking adverse action are not included in Sample Form C-1, such as “inadequate down payment” or “no deposit relationship with us,” those can be included.7 Simply picking the closest identifiable factor listed is not sufficient.

Some best practices for adverse action notices include providing a second-level review of notices. For commercial loans, if the creditor discloses the action taken orally, it should make a contemporaneous notation of the call in its file to demonstrate compliance.

Since adverse action notices are often prepared by internal software or third-party programs, the software must reflect current regulatory requirements. If the software an institution uses for creating adverse action notices uses drop-down menus, options that are too vague should be removed. For example, instead of stating “credit score too low,” address the reasons behind the low credit score, such as “limited credit experience” or “delinquent past or present obligations with others.” Since the purpose of the notice is to tell the applicant why the application was denied, the reason specified should be clear to the applicant. Finally, as with spousal signature violations, adverse action notice violations can trigger file searches for other affected applicants and require the institution to take corrective action for the affected parties.8

Regulation X/Real Estate Settlement Procedures Act

Tolerance Cures

The U.S. Department of Housing and Urban Development (HUD) made significant changes to the RESPA GFE and HUD-1 disclosure forms effective January 1, 2010.9 The changes include a new requirement that certain settlement costs disclosed in the final HUD-1 cannot exceed the estimate of those costs on the GFE by more than a specified tolerance.10 The revised rule establishes three categories of settlement charges, with different tolerances for each category. See 12 C.F.R. §1024.7(e).External Site If the actual charge for a settlement cost listed on the HUD-1/1a exceeds the estimated charge for the cost disclosed on the GFE by more than the applicable tolerance, and none of the tolerance exceptions in §1024.7(f) apply, the lender is required under §1024.7(i) to cure the discrepancy within 30 calendar days of settlement by reimbursing the borrower for the amount by which the tolerance was exceeded. The lender must also provide the borrower with a revised HUD-1 reflecting the cure.11

In some cases, lenders are exceeding the tolerances and failing to reimburse the consumer in a timely manner to the extent that the actual costs exceed the applicable tolerances. It is important to recognize that a creditor does not automatically violate Regulation X when exceeding the tolerance. A violation occurs only if a creditor exceeds a tolerance and fails to cure it in a timely manner.

Institutions can establish formal procedures for tolerance cures specifying how to respond when tolerances are exceeded. A thorough pre- or post-closing loan review (within 30 days of settlement) that specifically targets compliance with the requirements for tolerance cure can also be an effective internal control.

Regulation H/National Flood Insurance Act (NFIA)

Forced-placed Insurance

The implementing regulations for the NFIA12 require that if at any time during the term of the loan a lender or servicer determines that the collateral has less flood coverage than is required by the NFIA, it must notify the borrower to obtain the required insurance. See 12 C.F.R. §208.25(g).External Site The notice should state that if the borrower does not obtain the insurance within 45 days, the lender will purchase the insurance on behalf of the borrower and may charge the borrower for the cost of premiums and fees to obtain the coverage. The banking agencies recently clarified their expectation that if a borrower is sent a 45-day notice and fails to obtain flood insurance within that period, the agencies expect the lender to force-place insurance on the 46th day.13

Forced-placement insurance violations typically arise because the borrower fails to renew a policy when it expires, a matter outside the lender's direct control. A tickler system is an effective way to manage this risk. The system should be designed to send a reminder to the appropriate staff when the renewal date is approaching to verify with the insurer or borrower that the policy is being renewed.

In addition, staff may not understand the forced-placement regulatory requirements. Establishing forced placement procedures can help guide staff and ensure compliance with regulatory requirements. Finally, some financial institutions are reluctant to force-place insurance because their customers complain about it, and the institution does not want to damage a customer relationship. Because the forced-placement insurance requirements are mandatory, institutions must comply.

Regulation C/Home Mortgage Disclosure Act

Rate Spread, Loan Purpose Definitions, and Type of Action Taken

Section 1003.4 of Regulation C requires financial institutions to collect certain loan data for originations and purchases of home-purchase loans, home-improvement loans, and refinancings. Reportable transactions must be recorded within 30 calendar days after the end of the calendar quarter in which the final action is taken and reported annually. HMDA data collection and reporting continue to make the list of common violations at financial institutions, primarily because of the amount of information required to be reported, limited tolerance for errors, and issues related to the data collection process. In 2011, common violations included errors recording the number of rate spread loans, the loan purpose, and the action taken.

A HMDA-reportable loan qualifies as a rate-spread loan if it is subject to Regulation Z, and the spread between the loan's annual percentage rate and the average prime offer rate for a comparable transaction is equal to or greater than 1.5 percentage points for first-lien loans or 3.5 percentage points for subordinate-lien loans.14 Loans exempt from Regulation Z, such as investment property loans, should not be reported.

Errors in the loan purpose field are also a common HMDA violation. Section 1003.4(a)(3) requires financial institutions to identify the loan purpose, and the instructions in Appendix A to Regulation C identify the three options: home purchase (code 1), home improvement (code 2), or refinancing (code 3). A careful review of the definitions of loan purposes and of the HMDA reporting exemptions15 will help ensure accuracy in this area. In some instances, financial institutions do not understand the “loan purpose hierarchy” that applies to multiple-category loans, i.e., loans that have more than one HMDA-reportable purpose. Specifically, if the loan is a home-purchase loan as well as a home-improvement loan or a refinancing, the loan will always be reported as a purchase loan. If the loan is for both refinancing and home improvement, financial institutions should report the loan as a home-improvement loan. The loan purpose hierarchy appears in the HMDA Official Staff Commentary for 1003.2.

Another common Regulation C error occurs in the action taken field. Some institutions select Code 2 (application approved but not accepted) when Code 4 (application withdrawn) applies or select Code 4 when Code 2 applies. If an application is approved but the applicant fails to respond to the notification within the specified time, Code 2 should be used, while Code 4 may be used only when the consumer expressly withdraws the application before a credit decision is made.16

Understanding HMDA's regulatory requirements can help reduce these errors. A good reference is the Federal Financial Institutions Examination Council's (FFIEC) A Guide to HMDA Reporting: Getting It Right.External Site The FFIEC also provides other HMDA resources on its website. Finally, inaccurate collection and reporting of HMDA data may require resubmission of the data.

Regulation Z/Truth in Lending Act

Account Opening Disclosures for Open-End (Not Home-Secured) Credit Plans

The Board of Governors of the Federal Reserve System (Board) amended some of the Regulation Z disclosure requirements for open-end credit (not home-secured) in a January 2009 final rule that became effective July 1, 2010.17 The changes include new requirements for account-opening disclosures.18 Consumer testing revealed that consumers responded favorably to a table format that summarized key terms (based on the Schumer Box format used for credit card solicitation and application disclosures). As a result, the Board required in 12 C.F.R. §1026.6(b) External Site that creditors use a table format substantially similar to model form G-17 to disclose certain key account terms.19

The failure to use a table format substantially similar to model form G-17 has been a frequent violation for account-opening disclosures for overdrafts and personal lines of credit. As with the RESPA tolerance requirements, this violation reflects the compliance challenges that arise with a significant regulatory change. Financial institutions relying on third-party software to create disclosures should verify that the software reflects the changes in regulatory requirements. For internally created software, institutions should ensure that regulatory changes are communicated in a timely manner to the IT department and that the software is tested to verify that the changes have been implemented. For a more detailed discussion of vendor risk management, refer to the Outlook article “Vendor Risk Management” in the First Quarter 2011 issue.20

Best Practices for Compliance

Compliance officers must exercise vigilance and awareness of the current rules and regulations as well as any and all recent changes to them. In addition to the procedures and resources offered in this article, good policies and procedures and ongoing training are important and practical ways for a financial institution to put itself in the best position to comply with consumer protection regulations.

Training is a critical part of any effort to achieve compliance. Staff cannot be expected to comply with laws and regulations if they do not correctly understand the regulatory requirements. The Outlook website contains a list of resources to supplement training and help achieve compliance with the requirements listed above and in other compliance areas.21


This article discussed common violations identified by Federal Reserve System bank examiners in 2011. Through awareness and training, a compliance officer can help ensure that the financial institution and its staff are in compliance with consumer protection laws and regulations. Specific issues and questions should be raised with your primary regulator.