Broker Dealers and Broken Controls

Managing a financial advisory or brokerage firm is no small task; from finding clients, to advising the ones you already have, and everything in-between, compliance and governance can be a necessary burden.  While going through the vast regulations that shape the industry, the specific tasks of testing, preserving and repeating, are often asked.  Most firms utilize Excel, Word documents, and PDFs to build out their internal policies and controls in response to these regulations.  Almost all of these controls have a quarterly, bi-annual, or annual requirement to report activities, statements, or other documents to a host of stakeholders.  While utilizing an established Excel or SharePoint solution may seem like a “good enough” practice, the risk of missing one of these control events can be detrimental to your firm.

With a strong policy management software your firm can update processes to help save time, money, and reduce overall risk.  Strunk’s Controls Manager solution is one of the most intuitive products on the market, unwinding the complexity of your policy and compliance book, so you can automate your policy controls process and operation.  Through the use of a strong organizational system to address your regulatory obligation, your firm will have a more logical and considered approach to compliance, such as a Controls Calendar, enabling your company to effortlessly respond to your requirements.

While a patchwork of common Office tools seems like the easy and cheap solution, the downside risk far outweighs the upside risk.  Strunk can help you manage these risks, and put your firm on a better strategic footing.

Opting in for Overdraft Protection

Banks and Credit Unions have been providing Overdraft Protection programs for many years but 10 years ago all debit card and ATM transactions that created an overdraft had to have consumer consent before the financial institution could pay the debit and charge a fee.

Prior to 2010, paper checks were nearly 50% of all debit transactions a bank would process and today less than 8% of all debits are paper. Consumers paying with a debit card or electronic transaction is a common practice and we are nearing the situation many predicted 30 years ago of a paperless society for banking transactions.

If consumers want to take home their prescriptions or groceries when paying with a debit card when there are insufficient funds in their account, a bank or credit union cannot automatically authorize the transaction. Beginning on July 1, 2010 a financial institution had to obtain opt-in for these transactions pursuant to Regulation E.

A financial institution can obtain opt-in via their website, in person, by mail, or over the phone. It is not required that a financial institution obtain a signature on the prescribed Federal Reserve’s A-9 form, nor do the forms have to be kept for any period of time. If a consumer opts-in, a confirmation of the opt-in must be sent to the consumer.

Opting-in is a great service for those customers who want flexibility in managing their account. Others may not see any benefit to opting-in. But it gives consumers complete choice on how they want their account handled when it comes to paying for things they need when they are short on funds.

Focus on Reg E Opt-in Now More Important Than Ever

It has never been more important to ensure that your financial institution has adequate coverage in regards to account holder Reg E opt-in. Reg E opt-in allows you to authorize ATM withdrawals and everyday debit card purchases, which may overdraw an account holder’s checking account, as long as they have provided their consent for you to do so.

Data recently released by a 2019 Federal Reserve Payments study shows that only 9% of all transactions in 2018 were from checks paid and 16% were via ACH. An overwhelming 42% of transactions were made via debit card. This decline in traditional transaction types, in favor of a debit card, means that it is extremely important to focus on the proper opt-in approach.

According to Part 205 of Electronic Fund Transfers (Regulation E), the financial institution must give “Reasonable opportunity to provide affirmative consent.”

A financial institution provides a consumer with a reasonable opportunity to provide affirmative consent when, among other things, it provides reasonable methods by which the consumer may affirmatively consent. A financial institution provides such reasonable methods, if—

  1. By mail. The institution provides a form for the consumer to fill out and mail to affirmatively consent to the service.
  2. By telephone. The institution provides a readily-available telephone line that consumers may call to provide affirmative consent.
  3. By electronic means. The institution provides an electronic means for the consumer to affirmatively consent. For example, the institution could provide a form that can be accessed and processed at its Web site, where the consumer may click on a checkbox to provide consent and confirm that choice by clicking on a button that affirms the consumer’s consent.
  4. In-person. The institution provides a form for the consumer to complete and present at a branch or office to affirmatively consent to the service.

By arming your team with the most effective procedures, you can be certain to achieve optimum opt-in for your organization. Strunk has a proven track record of achieving maximum results with financial institutions across the country. We help to more effectively reach your goals, all while remaining in compliance with applicable laws and regulations.

 

Audits and Exams and ODP, Oh My!

An audit or exam is approaching? Use ODP Manager to help you gather the requested documentation!

Do you need to supply samples of each letter sent using ODP Manager? In Collection Letters and Custom Letters, you can generate a sample PDF of each active letter template.

For the specified review period, do you need to identify accounts with overdraft limits added or removed? Reg E opt ins or opt outs? Letters generated?  In Events, you can search for all events that occur during a specified timeframe. Use filters to narrow your results to a specific event or letter.  Not only can you identify the appropriate accounts, but you can also export the list.

Do you need a convenient summary of all the account’s information contained within ODP Manager? In Account Inquiry, export the Account Profile as a PDF – it’s a convenient way to compile the information for account officers, auditors, or examiners. It includes an overdraft summary, comments, reminders, repayment plans, and an event history. Also, the Events tab allows you to review all the account’s events and regenerate PDFs of any letters mailed to the customer.

For any Overdraft Privilege Program review, ODP Manager makes compiling the requested information easier.

 

Managing Fee Waivers and Refunds

As the end of the year approaches, we have seen more and more clients loose potential additional fee income by waiving or refunding customer OD/NSF fees.  This is often lost income potential that is unknown to the institution. Generally most systems are set up to charge fees after the pay/return decisions have been made, so if the fees are waived the income never shows up on the general ledger as either income or the subsequent reversal of income.  Besides the reduction of fee income, waiving or refunding OD/NSF fees can also be a compliance issue.  Regulators have become increasingly sensitive to which accounts are not being held accountable for the fees that their activity dictates should be charged. For instance, if a high net worth individual is not charged overdraft (or other) fees that other accounts are routinely charged, this may be viewed as disparate treatment with all the ramifications that allegations of that nature involve.

The best solution to help alleviate both of these issues is to charge the fee “the night before”, or when the overdraft transactions are presented rather than waiting until the resolution of all items to post the fee. This helps accomplish the reduction in fee income simply because it requires more than a “click” to waive a fee, but rather a refund would need to be run for the reversal of the fee. This also allows for easier tracking of what is being given back to your account holders. With the gross fees as well as the individual refunds posting to the general ledger you can see at any given time how much the institution is giving away in fee income. From a compliance standpoint the institution is charging everyone on an equal basis – if an item overdraws the account then the account is charged – but the officer still has the discretion to refund the fee after the fact. This method is much more trackable and provides much more accountability for fee refunds.

Many of our clients cannot tell how much income they are giving back to customers each month. Part of the issue is addressed above regarding how to account for your fees and the associated waives, but the other issue is simply employees refunding fees back to customers when they ask for it, or sometimes even without them asking for it. In addition, very few institutions take the time to build reports, examine those reports, and hold their employees accountable on a consistent basis.

To assist in managing fee refunds, Strunk recommends that you implement the use of a “Refund Request Form” for employees to provide customers when they request a refund. This accomplishes multiple things. First, it allows the employee to avoid the face-to-face confrontation and having to make a snap decision. Second, it puts the emphasis for refunds back on the customer to show why it should be granted. This does not mean that we will no longer grant refunds, but we would like the customer to have to provide a valid reason why the institution should consider granting the request.

Technology Service Provider Contracts

Understanding the increase dependence that financial institutions have on technology service providers, bank regulators have increased their efforts to require banks to appropriately handle third-party risk management.  The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance.  These contracts were missing or inadequately addressed key terms, such as:

  • Requiring the service provider to maintain a business continuity plan,
  • Lack standards for data recovery along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response. Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology related services can create special risks to depository institutions that need to be properly addressed in their service contracts.  The FDIC indicated that it plans to hold the board and senior management of financial institutions accountable for controlling those risks in accordance with the requirements of the law and its existing regulatory guidance.

Financial Institutions should be willing to hold their service providers accountable and negotiate an appropriate contract.  All financial institutions should have provisions that they review for all of their contracts with a robust vendor management program, this will help uncover any weakness in business continuity and data recovery early in the process.

 

Why is Overdraft Protection Important

Financial institutions across the country have to make decisions every day when it comes to accounts that show insufficient funds. Should the institutions pay an overdrawn item and take a chance the customer will pay them back or should they return or deny the transaction?

Most banks and credit unions charge the same fee whether they pay an item into overdraft status or return it to the merchant (in the case of paper checks). The question always comes up…who would want you to return the item to the merchant? Furthermore, what happens when the item is returned and what are the consequences to the customer? There is nothing good that happens when an item is returned and it only causes grief to the consumer. In this particular case, grief in the form of additional fees from the merchant or being redlined for future non-cash purchases.

Formal consumer centric overdraft payment programs started in the early 1990s and consumers have benefited greatly. Since the same fee is levied either way, the grief and embarrassment of returned checks is eliminated. For debit card or ATM transactions, consumers can decide on their own if they want the debit authorized or not. About half of a financial institution’s customers want to take the groceries or prescriptions home rather than being denied when using a debit card. Others never want to overdraw their account regardless of the situation.

This is the reason Overdraft Privilege and other forms of overdraft protection programs work. The daily overdraft decision process is easier for the financial institution and consumers like the program. A rare win-win in banking.

Take Advantage of ODP Opt-In Opportunities

How are you communicating with your account holders in your Overdraft Privilege Program? Are you able to not only advise account holders of the benefits of Overdraft Privilege but also remind them that they can authorize Overdraft Privilege service for ATM withdrawals and everyday debit card purchases? Strunk’s overdraft management application, ODP Manager, allows you to do just that!

You should consider sending both Welcome and Reinstatement letters to your account holders when overdraft limits have been assigned or when account holders requalify for Overdraft Privilege. When you send these letters to accounts that have not opted in for Regulation E, you should remind account holders that they have the option to authorize Overdraft Privilege for ATM and debit card transactions. ODP Manager can identify the accounts that have not opted in and generate a letter that includes the Consent Form for Overdraft Services and information about other ways to opt in. You can even set up a form in ODP Manager to allow your account holders to opt in online.

Additionally, ODP Manager allows you to send a letter periodically to account holders in your Overdraft Privilege program who have not opted in to or opted out of the ATM/everyday debit card Overdraft Privilege coverage. This is another opportunity to explain this additional feature to your account holders and to provide a consent form and additional opt-in methods.

Once you start taking advantage of these additional opportunities, the ODP Manager software can help you monitor your progress using daily reports and a dashboard that tracks progress over time.

You Can Outsource, But You Cannot Hide

Companies may outsource an activity, but cannot outsource accountability.

In today’s economic environment, almost every aspect of a company’s operations can be outsourced efficiently. As a result companies interact with vendors on a daily basis, opening themself up to additional risk. Vendor Risk is a type of Operational Risk associated with the potential risk that may occur from relying upon outside parties to perform services or activities on an organization’s behalf. When a company outsources a need to a vendor, it is still the responsibility of the company to ensure that the vendor operates in compliance with established policies, procedures and regulator expectations.

For financial institutions in particular, this has been a clear message from all banking regulatory agencies to their members. Regulatory agencies have identified instances in which financial service institutions have:

  • Failed to properly assess and understand the risks and the direct and indirect costs involved in vendor relationships.
  • Failed to perform adequate due diligence and ongoing monitoring of vendor relationships.
  • Entered into contracts without assessing the adequacy of a vendor’s risk management practices.
  • Entered into contracts that incentivize a vendor to take risks that are detrimental to the financial institution or its customers, in order to maximize the vendor’s revenues.
  • Engaged in informal vendor relationship without contracts in place.

All companies, and especially financial services institutions, must establish an effective vendor management program to protect their business, clients and employees. Having an effective vendor management program enables institutions to control costs, drive service excellence, mitigate risks, and gain increased value over the life cycle of the vendor relationships. Selection, contract structuring and ongoing monitoring of third party service providers are the consistent theme from the regulatory agencies and other risk experts.

Our GRC Services

Our roots go back to 1976, when we began providing consulting services to banks and credit unions. Since then, we have worked with more than 1,500 clients in all fifty states. Among banks and credit unions, we are best known for our compliant fee income improvement programs, including Overdraft Privilege, Rewards Checking and Value Checking. Because risk management and compliance have always been a big part of what we do, in recent years we have gradually expanded our focus to helping clients in all industries improve their risk management and compliance processes and productivity using our software.

We now offer six comprehensive, easy-to-use and affordable compliance management tools that are useful for clients in any industry:

Risk Assessor helps you prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.

Policy Manager organizes all your policies into a single database, mapped to the relevant standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.

Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.

Skills Manager provides online testing and training to ensure employees are knowledgeable about your policies.

All our tools are securely and reliably hosted at Amazon AWS, from which they are available on a variety of devices from anywhere. We’ve gotten some great feedback from our clients. Here are a few comments:

Our policy and control structure is very complex having both a broker/dealer and an investment advisory firm. Policy Manager allows us to easily organize a large volume of policies and maintain our control testing documentation all in one convenient place—a significant improvement over our previous process! — Laura Hendricks: Woodlands Securities / Woodlands Asset Management

We currently use Strunk’s Policy Manager to update and track changes to our policies. We like the audit trail it leaves of changes and also the PDF Redline that indicates changes used for the Board to review and approve. Strunk Customer Support has been prompt and they always assist with any issues we might have. — Karen Lomax, Vice President and CFO Kinetic Credit Union

Strunk’s program brings efficiency to the process and allows us to focus on areas of high risk. Our team sees great value in the process and reporting generated by the Strunk program. It is an affordable way to manage regulatory required risk assessments. — Bob Sundquist, CFO/CRO, NebraskaLand National Bank

Our core customer base has always been smaller and medium-sized organizations and so, unlike most providers, we have tried to price Risk Manager at a level that is affordable by all. In order to encourage usage, we charge a flat annual fee based an organization size. That fee gets you unlimited access to the tools for an unlimited number of users, along with unlimited support from for our support team.

An independent certified public accountant has examined Strunk’s operations and found them to be in compliance with the AICPA’s Trust Service Principles. It was determined that Strunk meets the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria for SOC 2 established by the AICPA.