dodd frank & money transmitters: 10 key aspects of ... · dodd frank & money transmitters:...
TRANSCRIPT
1
DODD FRANK & MONEY TRANSMITTERS:
10 KEY ASPECTS OF REGULATION E
IRIS AIMEE PINEDO
JANUARY 13, 2014
2
CFBP-Remittance Transfer Rule
On January 20, 2012, The Consumer Financial Protection Bureau (CFPB) released its
long-anticipated rules governing certain electronic money transfers or “remittance
transfers.” Subpart B to Regulation E of the Dodd Frank Wall Street Reform and
Consumer Protection Act1 establishes a new regulatory framework governing cross-
border electronic transfer payments originated
by US consumers. The new “remittance
transfer” rules took effect on October 28,
2013 imposing—for the first time—federally
mandated disclosure, error resolution and
cancellation rights on remittance transfer
providers, which can include both financial and
non-financial institutions. The CFPB believes
that the new remittance transfer rules will
create new protections and improve
predictability for consumers who send
“remittance transfers” from the United States to
individuals and businesses in foreign countries.
“Dodd Frank 1073 creates certain disclosure requirements which obligate
US based remittance transfer providers to know the exact costs and
delivery terms for consumer initiated international payments. The
drafters of Dodd Frank 1073 assumed that these disclosures would drive
down costs for international electronic payments by enabling US
consumers to comparison shop between providers. The drafters also tied
the disclosures to consumer error resolution rights so that almost any
1 In December 2011, the CFPB restated the Board’s implementing Regulation E at 12 CFR Part 1005 (76 Fed. Reg. 81020) (December 27,
2011). In February 2012, the CFPB published subpart B (Requirements for Remittance Transfers) to Regulation E to implement the new
remittance protections set forth in the Dodd-Frank Act (77 Fed. Reg. 6194) (February 7, 2012) 1. Following a series of amendments published
later in 2012 and early 2013, the Bureau published another amendment in May 2013 to, among other things, establish a new effective date of
October 28, 2013 (78 Fed. Reg. 30661) (May 22, 2013).
The Consumer Financial
Protection Bureau (“CFPB” or
“Bureau”) will conduct
rulemaking, supervision and
enforcement with respect to the
Federal consumer financial laws
and a) Handle consumer
complaints and inquiries; b)
Promote financial education; c)
Research consumer behavior;
and, c) Monitor financial
markets for risks to consumers.
3
deviation from disclosed costs and delivery terms will result in liability to
the US remittance provider”.2
Non-depository financial institutions such as money remittances companies are
subject to these new federal rules, adding a new element to the BSA/AML Program:
Establishing a Compliance Program
The development of internal policies, procedures and controls
The designation of a compliance officer
An ongoing employee training program
An independent audit function to test programs
Establishing a Know your Agent (KYA) program
Establishing a Know your Customer (KYC) program
Establishing a Know your Foreign Counterparty (KYFC) program
Reporting and Record-keeping (including FinCEN registration)
Detecting and reporting Suspicious Activity
Administering Office of Foreign Assets Control (OFAC) sanctions
Protecting Non-Public Consumer Information (GLBA- Gramm-Leach-Bliley)
Establishing Consumer protections (CFPB- Remittance Rule)
Money transmitters and their agents are perceived as high risk in money laundering,
terrorist financing and abuse to consumers as loss of funds, wrong product/service,
failed transactions, overpricing, divulging/losing private data, and claims ignored.
The newly established Consumer Financial Protection Bureau is empowered to
exercise enforcement authority against money transmitters that can bring consumer
compliance risk as a result of non-compliance with Dodd Frank.
What is a Consumer Compliance Risk? In general, the risk of legal or regulatory
sanctions, financial loss, consumer harm, or damage to reputation and franchise
value caused by a failure to comply with or adhere to:
2 White paper on Dodd Frank Section 1073 – Cross-border Remittance Transfers (Version 2.0, October 2012).A partnership initiative
between The Clearing House Association, L.L.C. and the PMPG. http://www.swift.com/resources/documents/PMPG_Dodd_Frank_1073_Whitepaper_v2.0.pdf
4
• Consumer protection laws, regulations, or standards
• The organization’s own policies, procedures, codes of conduct, and ethical
standards
• Principles of integrity and fair dealing applicable to the organization’s
business activities and functions3
An institution’s failure to manage compliance risk effectively can elevate the risk
level or manifest itself as other types of key risks: Legal, Reputational or
Operational Risk. More specifically, noncompliance may expose the organization to
fines, civil money penalties, legal damages, voided or unenforceable contracts,
reduced franchise value, or rejected expansionary activities, mergers, and
acquisitions.
Activities regulated by Regulation E
Scope: Remittance Transfer under Regulation E includes (a) all electronic transfers of
funds to (b) designated recipients (consumer or business) (c) located in foreign country
that are (d) initiated by a remittance transfer provider (e) upon request of consumers
(individual) (f) in the US (g) for personal, family or household purpose.
Business-to-business or business-to-consumer transactions are not covered, but
consumer-to-business transactions (for personal, family or household purposes) are
covered, including international bill payment services.
The rules do not apply to “small value transactions” which are transfer
amounts of $15 or less, as measured by the currency in which the remittance
transfer is initially funded. Examiners should consider the volume of remittance
transfers that an entity provides before proceeding further.
The definition of “remittance transfer provider” includes a safe harbor that means
that if a person provided 100 or fewer remittance transfers in the previous calendar
3 COMMUNITY BANK- RISK - FOCUSED CONSUMER COMPLIANCE SUPERVISION PROGRAM.
Effective January 1, 2014. Board of Governors of Federal Reserve System http://www.federalreserve.gov/bankinforeg/caletters/Attac hment__CA_13-19__Risk-focused_Supervision_Program_Document.pdf
5
year and provides 100 or fewer such transfers in the current calendar year, it is
deemed not to be provided remittance transfers for a consumer in the normal
course of its business, and is thus not a remittance transfer provider, and is thus not
subject to the requirements of Subpart B of Regulation E. A person that surpasses
100 in any given year is permitted a reasonable time period, not to exceed 6 months,
for compliance.
Examination Procedures
Failure to comply with the “remittance transfer” regulatory requirements may have
serious consequences for financial institution and can lead to regulatory sanctions,
financial losses, and reputational damage. New additions to our audit procedures for
consumer to consumer money transfers will conform to the new regulations imposed
under Regulation E. Therefore, it is essential that auditor give significant weight to how
effectively the institution’s compliance management program manages the inherent
risks associated with its consumer-related activities.
Objective:
Access the adequacy and quality of the RTP’s system to manage the risk of
violations related to not complying with disclosure information and format
established by Regulation E;
Adhere to the timing and notice requirements for error resolutions,
cancellations and refunds; and
Identify acts or practices that materially increase the risk of violations of federal
consumer financial law and associated harm to consumers in connection with
remittance transfers.
RTPs must provide, among other things:
a) List of remittance transfer products offered
b) List of Departments involved providing remittance transfers (e.g. retail, prepaid
cards, bill payment, online transactions, and foreign exchange)
c) Process flowcharts
d) Policies and operating procedures that govern its remittance transfer operations
6
e) Board minutes
f) Transaction documentation;
g) Management and monitoring reports;
h) Sample of the provider’s disclosure forms in all languages (as applicable) as
provided for various products;
i) List of foreign countries to which the provider sends remittance transfers;
j) List of all foreign currencies in which remittance transfers are sent and where
there are limitations on such currencies;
k) Identification of the currencies in which the provider controls the exchange rate;
l) List of all third-party service providers or business partners involved in
remittance transfers: payment networks, payment processors, software
providers, foreign currency providers, etc.;
m) List of U.S. and foreign agents;
n) Agent/correspondent agreements;
o) Advertising and marketing material including any produced in foreign languages
p) Documentation regarding calculation or estimates of fees, taxes, exchange rates,
and dates included on disclosures;
q) Error resolution files;
r) Consumer complaint files;
s) Form letters used in case of errors or questions concerning a remittance transfer
(including any provided in foreign languages);
The 10 key aspects to evaluate
1) Determine if the Board has adopted a written Dodd-Frank policy and procedures
that ensure compliance with Dodd Frank and statement that the entity’s internal
controls are adequate to ensure compliance with respect to the Regulation E. In
assessing the quality of board of directors and senior management oversight,
auditor should consider whether the institution follows policies and practices such
as those described below:
• The board and senior management have identified and have established a
clear understanding of the types of consumer risks inherent to money
7
transfer’s activities and have reviewed and approved appropriate policies to
limit risks inherent in the institution’s business line or products, including
ensuring effective oversight of any third-party providers that provide
products and services for the institution.
• The board and senior management ensure that businesses lines are
managed and staffed by personnel with knowledge, experience, and expertise
consistent with the nature and scope of the money transmitter activities.
• The board and senior management at all levels provide adequate
supervision of the day-to-day activities of officers and employees, including
management supervision of senior officers or heads of business lines. 4
Comprehensive and fully implemented policies help to communicate management’s
commitment and expectations related to compliance. Procedures should provide
personnel with guidance that enables them to complete transactions or other
processes in accordance with applicable laws and regulations. Such information
may include appropriate regulatory references and definitions, sample forms,
instructions, and where appropriate, directions for routing, reviewing, and retaining
transaction documents.
2) Conduct Transaction Testing and determined if the disclosures use the terms
required by Regulation E and address:
a) Pre-payment Disclosures
Transfer amount
Taxes or fees imposed by direct correspondent. Information about fees
impose and all taxes collected on the remittance transfer by the provider’s
payout agent should be readily available or obtainable by the RTP (or
provider can control such fees) base on the terms of the contract between the
provider and such agent
Total
4 Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies. November
14, 1995. BOARD OF GOVERNORS OF THEFEDERAL RESERVE SYSTEM TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK. http://www.federalreserve.gov/boarddocs/srletters/1995/sr9551.htm
8
Exchange rate
Total amount in the currency in which the funds will be received by the
designated recipient
Total to recipient (transfer amount less any covered third party fee)
b) Receipt or Combine Disclosures: Include all information require for the pre-
payments disclosure plus all directly related information:
Date
Company name and logo
Sender’s/Recipient’s name and contact
information
Location in which recipient may pick up the
funds
Optional disclosure of non-covered third
party fees and taxes collected by a person
other than the provider
Identification code
Statement when the funds will be available
Signatures
Instructions of retrieval of the funds such a
number of days the funds will be available to the recipient before they are
returned to the sender
Statement that the provider makes money from foreign currency exchange.
In addition to the transfer fee, money transfer companies may make money
when it changes the dollars sent amount into foreign currency
Disclosure of privacy of consumer information. Examiners should consider
whether a remittance provider has complied with privacy provisions enacted
as part of the Gramm-Leach-Bliley Act (GLBA) and implemented through
Regulation P. These provisions impose limitations on when financial
institutions can share nonpublic personal information with third parties.
They also require under certain circumstances that financial institutions
Tips
*If the provider provides combined
disclosure, what changes to the
procedure they made in order to
provide the sender with combine
disclosure prior to payment?
* After payments is made, how RTP
is providing the proof of payment?
*If changes were made to
disclosures and receipts, does the
RTP have the state regulatory
approval, where applicable?
9
disclose their privacy policies and permit customers to opt out of certain
sharing practices with unaffiliated entities
Statement about sender’s right to resolve errors and cancel transactions
For any remittance transfer schedule by the sender at least three business
days before the transfer, the statement about the rights of the sender
regarding cancellations must state that the sender must request the
cancellation at least three business days before the next schedule transfer.
The statement must also note that the request must enable the provider to
identify the sender’s contact information and the particular transfer to be
cancelled
Information of the applicable state regulatory agency and the CFPB
information. If RTP is licensed in multiple States may not disclosure contact
information for agencies in other States but should make the determination
as to the State in which the sender is located base on the information that is
provided by the sender and on any record associated with the sender
3) Determine if adopted disclosures are produced in the format established by
Regulation E. Obtain and review a sample of the provider’s disclosure and copies of
scripts for oral disclosures.
Disclosures must be made in English and, if applicable, in either (i) the foreign
language principally used by the RTP for advertising, soliciting, and marketing
remittance transfer services at the office at which the sender conducts a transaction,
or (ii) the foreign language primarily used by the sender with the RTP to conduct
the transaction (provided it is one of the principal languages used by the RTP). Oral
disclosures for transactions conducted entirely by telephone must be made in the
language primarily used by the sender with the RTP to conduct the transaction
There are specific formatting standards that include: size (in a minimum eight-point
font), prominence (on the front of the page, on which the disclosure is printed,),
grouping and proximity (sender information, designated recipients, etc.). The
10
information required by the Final Rules must be segregated from all other
information on disclosures.
4) Determine if the RTP’s has developed and maintains adequate written policies and
procedures designed to ensure compliance with Regulation E for:
a) Error resolution
a. Sender has 180 days from stated delivery date of transfer to assert
error no matter the status of the transaction
b. RTPs has 90 days after receiving the sender’s notice to promptly
investigate a notice of error to determine whether an error occurred
c. Where an error is found on documentation sender previously
requested, sender have to provide notice of error to RTP by the latter
of: 180 days after disclosed date of availability; or 60 days after
provider sent the additional documentation that was requested
d. RTPs will report to the agent and sender the results within three days
of completing the investigation
e. RTPs should correct an error within one business day or “as soon as
reasonably practicable after” receiving the sender’s preferred choice of
remedy
b) Cancellations
The Final Rule generally gives consumers the right to cancel a transfer within 30
minutes of making payment for the transfer. The two conditions on this right set
forth in the Final Rule are (i) the sender’s oral or written request to cancel must
enable the provider to identify the sender and the particular transfer to be
cancelled and (ii) the transferred funds must not have been picked up by or
deposited into the account of the designated recipient.
Dodd Frank imposes to providers once it receives a valid cancellation request,
(3) three business days to refund the total amount of funds, including fees and
taxes (unless prohibited by law). The provider cannot impose fees for cancelling
the transaction.
11
5) Determine if management has implemented internal controls to minimize the risk
of the most common violations and adhere to the timing and notice requirements of
the rule. Review claim and cancellation documentation. Identify if the RTP complies
with timing period and remedies:
a) Review samples of claims and cancellations reports to evaluate the
timelines
b) Uniform method for documenting received claims−whether the notice was
oral or in writing
c) Procedures that ensure the prompt submission of claims to the
appropriate department upon receiving a notice of an alleged error
d) System that ensures the prompt investigation of these claims
e) Adequate documentation and tracking of steps and status of the
investigation
f) A tickler system that prompts the appropriate personnel of approaching
timeframes
g) Review samples to determine if the RTP uses the language set forth in
Model Form A-36
h) Determine the provider’s policy for providing long form error resolution
and cancellation notice
i) For error resolutions, review the remedies adopted and determine if the
RTP effectively comply with Regulation E
j) If the remedy is a refund, determine if the provider refunds the total
amount within one business day or as soon as reasonably practicable
thereafter; or
k) If the provider makes available to the designated recipient the amount
appropriate to resolve the error without additional cost to the sender or
the designated recipient, and refund to the sender any fees and taxes if
applied, collected on the remittance transfer
l) Escalating issues identified as not solved at least 48 to 72 hours before
timing expiration
12
6) Determine that the provider is maintaining records of compliance for a period of
not less than 2 years from the date a notice of error was submitted to the provider or
action was required to be taken by the provider.
RTPs must retain records of senders’ claims, error notices, cancellation request and
the provider’s responses for at least 2 years.
7) Review the provider’s agreements with agents − correspondents used for
remittance transfer to determine whether they are appropriate for the activities
delegated.
Because remittance transfers involve multiple parties and countries, Congress was
concerned about the consumer’s ability to redress errors caused by parties acting on
behalf of a provider. The final rule implements this requirement under which a
provider is liable for any violation of subpart B of Regulation E when an agent or
authorized delegate acts on behalf of the provider.
8) Determine if the entity provides appropriate training to employees and other
persons responsible for Regulation E compliance and operational procedures,
including, to the extent appropriate, third-party service providers or other business
partners.
Review the training program to determine if the following elements are adequately
addressed:
a) All employees involved in the Regulation E- claim and cancellation
process should receive ample training in order to comply with the
requirements of Dodd Frank in an effort to cut losses and minimize the
risk of wrong handling of claims
b) All agent training materials are adequate and include regulations,
procedures and processes around Dodd Frank requirements
13
c) All agents have been retrained and include regulations, procedures and
processes around Dodd Frank requirements
9) Review and assess the adequacy of the provider’s policies and procedures
regarding transfers scheduled before the date of transfer.
For one time transfers scheduled five or more business days in advance or for the
first in a series of preauthorized remittance transfers, does the provider provide
either pre-payment disclosures and a receipt of a combined disclosure at the time
the sender requests the transfer but prior to the payment?
10) Determine if the entity’s privacy and information sharing practices are consistent
with the requirements of section 502 to 509 of the Gramm Leach Bliley Act to the
extent that they have applied and are using the examination procedures that
address unfair, deceptive or abusive acts or practices and consider if any aspect of
the provider remittances practices and operations constitute UDAAPs
Conclusions
The Final Rule is replete with challenges for any institution that provides international
remittance transfer services. The CFPB anticipates that most businesses that qualify as
“remittance transfer providers” will have to make some changes to their processes,
software, contracts, or other aspects of their practices. Among other things, an RTP
must identify (a) products (b) departments and staff that are affected by the rule, (c)
business processes and operational (d) systems technology used to enter, implement,
and record remittance transfers, and for auditors this will be a new challenge.
Auditors will find many MSBs unable to totally comply with all the requirements
imposed by the Dodd Frank- Regulation E because of the cost of the implementation.
Significant information technology and operational developments, revised compliance
policies and training materials will require a phased in approach to implementation,
which likely will result in an audit finding.