Compliance Corner - April 10, 2013

Compiled by Steven Stachowicz and Tony Dinovelli, members of Protiviti’s global financial services and regulatory risk consulting practice, FSA Times’ Compliance Corner is a resource for financial services auditors to keep up to date on changing regulations and requirements affecting internal audit.


Qualified Mortgages and Repayment Ability

On Jan. 10, 2013, the U.S. Consumer Financial Protection Bureau (CFPB) finalized rules regarding qualified mortgages that require lenders to evaluate a consumer’s ability to repay a mortgage loan before originating the loan, effectively restricting limited- and no-documentation loans. The new rule signals a significant change in the regulatory oversight of credit and underwriting practices from a consumer protection perspective, and affords fewer protections to creditors for loans underwritten outside of the new parameters. Beginning in January 2014, lenders originating any consumer-purpose mortgage loan must:   

  • Verify and document the consumer’s financial information, such as current income, assets, credit and employment status, monthly obligations, etc.
  • Determine whether the borrower can repay the loan over the full period of the loan (not just the introductory period, which may include a lower rate) considering the borrower’s income and obligations.  

If a lender originates a qualified mortgage — which does not contain the risky features perceived to have harmed consumers during the financial crisis — to a borrower with a debt-to-income ratio of 43 percent or less (with certain exceptions), it is presumed that the lender has complied with these requirements. These risky features include loans with excessive up-front points and fees, interest-only periods, negative amortization features, and balloon payments. It is notable that lenders may make loans that do not meet these requirements, but they are still required to verify repayment ability.  

The rule provides different legal protections for higher-priced qualified mortgages, and the CFPB has proposed certain exemptions to these rules be provided to smaller creditors, such as community banks and credit unions.  

Internal auditors should evaluate their institution’s current product offerings against the new requirements and their readiness to enhance underwriting standards and implement internal controls and processes to address these new requirements ahead of the effective date. 


Disparate Impact Fair Lending Rules
The U.S. Fair Housing Act (FHA) is a civil rights-related law enacted in 1968 to prohibit discrimination in the sale or rental of housing because of a person’s race, color, religion, sex, familial status, handicap, or national origin. The law has been enforced by both the U.S. Department of Housing and Urban Development (HUD) and the U.S. Department of Justice to address overt discrimination in housing and disparate treatment of persons based upon a protected characteristic. Effective March 18, 2013, HUD formalized into regulation a long-standing interpretation of the FHA regarding the prohibition of practices that have a discriminatory effect. This rule addresses practices that on the surface appear neutral but actually or predictably result in a discriminatory effect on a group of protected persons or on a community as a whole on the basis of a protected characteristic. Notably: 

  • The discriminatory effect of a given practice (not whether the practice was motivated by a discriminatory intent) is what may cause liability for an institution. 
  • Institutions bear the burden to prove that a particular practice is necessary to achieve substantial, legitimate interests. Even still, the institution may be subject to liability if the plaintiffs can establish the existence of another practice that would result in less discriminatory impact. 
  • In bringing a case, plaintiffs may claim that the “conduct” of the defendant is the basis of the discriminatory effect, but may not have to address a specific practice that is causing the harm.  

The rule applies to cases pending when the rule becomes effective as well as new cases. Though likely to be challenged by the industry further, internal auditors should be aware of the implications of the rule on their institutions and understand how their institution evaluates new and existing business practices (such as underwriting, marketing, pricing, etc.) for potential discriminatory impacts. 


Regulatory Expectations for the Internal Audit Function and Outsourcing
On Feb. 23, 2013, the U.S. Federal Reserve Board (FRB) published a policy statement regarding internal audit functions and outsourcing in response to weaknesses observed during the financial crisis. The supplemental statement applies specifically to FRB-supervised banks, bank and savings and loan holding companies, and U.S. operations of foreign banking organizations with more than US $10 billion in assets, though all financial services institutions and their internal auditors should evaluate the guidance closely.  

The FRB policy statement builds on an existing 2003 policy statement and establishes expectations for: 

  • Enhanced Internal Audit Practices. Internal auditors should regularly analyze the effectiveness of all critical management risk and governance functions; identify thematic macro control issues and high-risk business activities; challenge ineffective or insufficient policies, procedures, and controls; and evaluate major institutional infrastructure initiatives.
  • Professional Standards. Internal audit functions should adhere to professional standards, such as guidance from The IIA. Critical elements include ensuring institutional independence, professional competence, appropriate staffing, objectivity, ethical behavior, and appropriate management and board oversight of the internal audit function, as well as documenting a risk-based audit methodology and plan, conducting continuous monitoring, and establishing quality assurance standards for the function.
  • Outsourcing. Senior management and the board must provide active and effective oversight of outsourced audit activities, including ensuring the competence of selected vendors, contingency pland to avoid disruptions with selected vendors, and the consistency of the vendors' work product with the institution's standards.
  • External Auditor Independence. The external auditors of a public or private institution are precluded from performing cosourced or outsourced internal audit services. 

The FRB stresses that the internal audit function is critical to ensuring that the institution operates in a safe, sound, and compliant manner, and that it will evaluate the effectiveness of the function as part of the supervisory review process, even to the extent of relying on the work performed by the function when possible.