The 2022 Community Banking Compliance Checklist

Year end is a time for reflecting on the successes and challenges of the prior year. For bankers, it is also a time to complete various reports and reviews. The following is intended to help get you started on your own checklist. It is not intended to be exclusive or to fit all situations. Many of the reports listed require use of year-end data. Therefore, they will need to be prepared in January. This article is intended to convey general information only and does not provide legal advice or opinions. It should not be construed as legal advice, may not be current and is subject to change without notice.

Proxy statement and notice of annual shareholders meeting. Many banks have their annual shareholders meeting in January. If so, you need to prepare your proxy statement, proxies and notice of shareholder’s meeting for mailing in December.

Depending on what is happening with COVID-19, you may wish to consider conducting your shareholders meeting remotely, using telephonic or electronic media. Check your bylaws and articles to see whether this is permitted. The time frames are not changed for this, but you should consider retaining a service to assist with managing the meeting electronically. At this writing, it appears that in-person meetings should be feasible. However, many businesses are using hybrid meeting styles to accommodate affected parties.

Identifying executive officers. Under Regulation O, certain officers are automatically considered executive officers unless the officer is excluded by a resolution of the board of directors from participation in major policy-making functions. Do this at the last meeting of the year or no later than the first meeting of the next year.

Identifying insiders. At the first meeting of a new board, often in January, be sure to require directors and executive officers to identify their related interests as defined in Regulation O. Also, determine whether there are any “affiliates” due to common control, which would be subject to Regulation W.

Renew registration of residential mortgage loan originators. The annual renewal period means November 1 through December 31 of each year.

Year-end reports to the IRS and customers. There are a number of reports filed on forms 1099 and 1098 reflecting interest earned and interest paid. There are W-2 forms for employees and other reports, such as property taken in satisfaction of indebtedness, discharged debt and the like. Customers must receive their reports by January 31 with the IRS receiving its report by February 28. Thus, the bank’s data-processing system must be prepared to generate these reports at the beginning of the year.

Billing error resolution notices. Both Regulation E and Regulation Z require annual billing error resolution notices or an alternative summary statement with each periodic statement. Don’t forget that this applies to payroll cards, too!

Appraisals. Update and review appraisals where appropriate. Don’t forget appraisals of other real estate.

Review contingency plan, including electronic data processing arrangements. In particular, review your pandemic planning and determine whether it needs fine tuning based on your experience with COVID-19. The board should make sure that this plan meets the needs of the institution, as well as the requirements of the pertinent regulations. Don’t forget the business impact analysis.

Review third-party vendor due diligence. Remember that this is not a one-time activity. Rather, be sure that your vendor files are updated with current financials, audits, SSAE-16, business continuity plans and other data as appropriate. Don’t forget to obtain current evidence of your vendor’s liability insurance coverage, including general liability, auto liability, workers’ compensation and fidelity. If they’re providing professional type services for your bank—accountants, attorneys, security companies, etc.—you should also ask for evidence of their professional services liability/errors and omissions coverage.

Review security devices and compliance with the Bank Protection Act. The board should consider the adequacy of the written security policy. Be sure you are in compliance with the multi-factor authentication requirements for online banking and interactive voice response systems. The security officer must report at least annually to the board.

Perform Enterprise Risk Management assessment.

Measure the inherent cyber risks and cybersecurity preparedness.

ACH rule compliance audit. Be sure that this is completed by December 1 each year.

Red flag compliance report. An annual compliance report is required by the Fair Credit Reporting Act rule.

Annual audit. Under the FDIC Improvement Act of 1991, banks with $500 million or more in total assets are required to have an annual independent audit. Institutions with more than $1 billion in total assets must also have a management report covering internal controls. Due to the impact of COVID-19, the FDIC has amended this to permit an insured bank to determine consolidated total assets as of December 31, 2019, or as of the beginning of fiscal year ending in 2021. An independent audit committee of outside directors should select the auditor. Smaller banks may also desire an outside audit and should select their auditor.

Policies and procedures. Many banks review and re-approve all policies and procedures annually. The best approach is to provide updates if there are changes in the laws, regulations or the bank’s products that would necessitate such updates. Also, if the board wishes to re-approve all policies every year, it’s helpful to parcel these out through the year rather than approve all at once at year’s end!

Training. Be sure that all required training has been accomplished for the year. Directors should receive fair lending and other training. Again, it is better to allocate this throughout the year rather than attempt to cram it all in at year’s end.

Review correspondent relationships. Review your exposure to correspondent banks. Obtain copies of correspondent banks’ financial statements and evaluate capital condition. Set exposure limits.

Record disposal and retention. Using an appropriate record-retention schedule in line with federal requirements, the bank should properly store records required to be maintained and destroy records that have expired. Remember that the Financial Institutions Reform, Recovery and Enforcement Act has a 10-year statute of limitations on most crimes affecting banking. Thus, some records will need to be retained for a 10-year period. Also, the Customer Identification Program and BSA/AML regulations have some specific—mostly five-year—record retention requirements. Texas law requires banks to retain check information for seven years if statements are truncated. However, most records can be stored digitally immediately to reduce storage needs. Be sure that your program includes email as part of your bank’s records. The Dodd-Frank Act focused on repayment ability regarding residential mortgages. Violation of this Truth in Lending requirement could create liability for the life of the mortgage loan. Therefore, be sure your record-retention schedule includes maintenance of the underwriting file.

Set dividend to shareholders. The bank board of directors should review its dividend policy and its financial condition to determine whether a dividend can legally be paid under appropriate guidelines. If so, then the dividend should be set aside for the year with arrangements made for payment to shareholders. This would also be a good time to review and, if necessary, change your capital adequacy policy. This year, it is quite possible that there will be no dividend due to increased allocation to the bank’s Allowance for Loan and Lease Loss due to the pandemic-related impact on loan quality and income. Be prepared to explain this in your annual notice to shareholders that you include with your annual meeting notice!

Review schedule of fees and charges. While this is not required by law, it’s a good idea to review bank pricing periodically. It is a good time to consider the pricing strategy for accounts. During the pandemic, you may be waiving fees as part of your CRA outreach and accommodation to your stressed customers. Consider whether to further adjust fees, such as ATM foreign transactions, early withdrawal penalties (after the mandatory Regulation D penalty) and overdraft fees, such as amount or caps. Don’t limit this review to deposit account fees and charges. Be sure that you have good loan rate sheets. While these should really be evaluated more frequently, be sure that they are updated at least annually and are consistent with fair lending practices.

Annual personnel evaluations. Again, this is not required by law; however, it is a good idea to perform annual evaluations of officers. Annual reviews of employees have been going out of favor in the human resources community. In performing these, consider the impact of teleworking on productivity.

Year-end bonus. Review incentive compensation and bonus programs. Check compliance with the mortgage anti-steering rules in Regulation Z. Mortgage loan originator (MLO) rules permit up to 10 percent of the MLO’s aggregate comp to include a non-deferred profits-based plan—e.g., year-end bonus.

Review insurance coverage for adequacy. This includes not only the directors’ and officers’ liability policy, but also property and casualty policies, trust and mortgage errors and omissions, workers’ compensation and the entire range of appropriate insurance coverage for the institution.

Review the pension plan and take appropriate actions for the year. If your bank has a pension plan, the plan committee should meet and review investments, as well as other reporting requirements for the year.

Holidays. National banks have the ability under federal law to either abide by or ignore state holidays. State banks have the same flexibility. The board of directors should set the holidays by resolution. The best time to do this is at the December meeting for the next calendar year. You may wish to use the Federal Reserve holiday calendar. Be sure to decide whether Saturdays and Sundays will be holidays, limited banking days or full-service days. The Federal Reserve standard holiday schedule mandates that if January 1, June 19, July 4, November 11 or December 25 falls on a Sunday, the following Monday will be observed as a holiday. If January 1, June 19, July 4, November 11 or December 25 occurs on a Saturday, the preceding Friday will not be observed as a holiday.

Privacy notices. An annual notice is not required for banks that only share information with third parties under the statutory exceptions—e.g., to complete a transaction, respond to a subpoena, etc.—and the privacy policy has not been changed. Otherwise, be sure to send an updated privacy notice.

Exclusions. Some rules provide for small-bank exclusions based on activity. At year end, check to make sure loan servicing is still below 5,000 (for small servicer), the size of the bank is still $2 billion in assets (small bank QM), fewer than 500 open-end or 100 closed-end mortgage loans (Home Mortgage Disclosure Act) and foreign wire activity is still 500 or fewer. Some banks have reached the $10 billion in asset size due to PPP loans. Remember the consequences of reaching this plateau, including examination authority of the Consumer Financial Protection Bureau, impact on interchange fees, and other safety and soundness requirements. There is temporary relief for “small issuers” with regard to interchange for 2020 and 2021. Size calculation may be determined on the lesser of the assets of the issuer together with its affiliates as of the end of the calendar year 2019 and the assets of the issuer together with its affiliates as of the end of the calendar year 2020.

Property tax compliance. If your bank does not escrow for payment of property taxes—whether on residential mortgages or commercial loans secured by real or personal property—check for property tax payment. Remind borrowers of their obligations under the loan agreement to protect the bank from liens. An article with helpful procedures is available at bit.ly/lienpdf.

Year-end is a time to look back on the successes—as well as the problems—of the preceding year. Use this time, and the reports required, to plan ahead for a safe 2021.

Karen M. Neeley has served as IBAT general counsel since 1989. She is widely recognized throughout the financial institution community for her expertise in the areas of regulatory and compliance law. Contact her at [email protected].