Compliance Question of the Week

In today’s banking environment, as soon as one big new regulation is implemented another pops up. Our compliance resources help your community bank stay one step ahead of the regulators.

Regulations and Guidance

Question: Which practices can increase the risk of violations in the area of third-party relationships?


Vendor risk management problems often involve one or more of the following issues:

Overreliance on third-party vendors. A common root cause of vendor problems is overreliance, and sometimes complete reliance, on a third-party vendor. Third parties can provide staffing and expertise, but they do not assume ultimate responsibility for compliance violations involving products or services offered by an institution; that responsibility stays with the institution.

Failure to train new staff or retain knowledgeable staff. Institutions may believe they can avoid hiring, retaining, or training staff because of a vendor’s expertise. Although an institution may be leveraging a third party’s expertise, staff at the institution must be knowledgeable about the vendor’s activities and the compliance requirements for those activities in order to monitor them. Specifically, proper staffing or specialized training for existing personnel may be required. Similarly, banks should consider evaluating activity at the vendor’s location to ensure that risks are understood and that staff have sufficient knowledge of the vendor’s processes and controls.

Failure to adequately monitor the vendor. Ongoing monitoring is necessary to ensure compliance and to prevent potentially costly regulatory violations.

Failure to set clear expectations. An institution must ensure that the information provided to third-party vendors is complete and accurate and that expectations for vendor performance are communicated clearly and included in the contract with the vendor. Vendor contracts should also include detailed consumer protection requirements to ensure that the vendor is aware of the applicable requirements.

Reference: Fed. Consumer Compliance Outlook, 4th Quarter 2012.
Q&A Archives


If the institution is required to notify an account holder under 31 C.F.R. §212.7(a), the notice must contain the following information in “readily understandable language”:

  • the institution’s receipt of a garnishment order against the account holder;
  • the date on which the institution was served the garnishment order;
  • a succinct explanation of garnishment;
  • an explanation of the institution’s requirement, when a covered benefit is deposited into one of the account holder’s accounts within the last two months, to calculate and establish a protected amount and ensure that the protected amount is made available to the account holder;
  • the account or accounts subject to the garnishment order;
  • the protected amount the institution established;
  • the institution’s requirement to freeze funds in excess of the protected amount, if applicable, pursuant to state law to satisfy the garnishment order;
  • the amount of any garnishment fee charged to the account, consistent with 31 C.F.R. §212.6(h);
  • a list of all federal benefit payments covered by the Garnishment Rule, as identified in 31 C.F.R. §212.2(b);
  • the account holder’s right to assert exemption for amounts above the protected amount against the creditor that initiated the garnishment order by taking an action customarily applicable in a given jurisdiction, such as completing exemption claim forms, contacting the court of jurisdiction, or contacting the creditor;
  • the account holder’s right to obtain legal aid in asserting exemption against the creditor that initiated the garnishment order;
  • the name of the creditor; and
  • the means of contacting the creditor, if contact information was included in the order.

Reference: Fed. Consumer Compliance Outlook, 3rd Quarter 2013; 31 CFR 212.7(b).
Yes. The lender is permitted to require more flood insurance than required by the regulation.

Reference: Interagency Q&A 2022, X. Determining the Appropriate Amount of Flood Insurance Required; Amount 8.
Consistent with 1005.5(a), an institution may issue an access device only in response to an oral or written request for the device, or as a renewal or substitute for an accepted access device. A consumer is deemed to request an access device for a payroll card account when the consumer chooses to receive salary or other compensation through a payroll card. A consumer is deemed to request an access device for a prepaid account when, for example, the consumer acquires a prepaid account offered for sale at a retail location or applies for a prepaid account by telephone or online.

Reference: Official Staff Interpretation 1005.18(a), comment 1.
Internet gambling business means the business of placing, receiving, or otherwise knowingly transmitting a bet or wager by any means which involves the use, at least in part, of the Internet, but does not include the performance of the customary activities of a financial transaction provider, or any interactive computer service or telecommunications service. For additional information, see the definition of Unlawful Internet Gambling under 12 CFR 233.2(bb).

Reference: Regulation GG: 12 CFR 233.2(r) and (bb) Definitions
No, unless the called party has given prior express written consent, or unless the call:

(i) the call is made for emergency purposes;

(ii) the call is not made for a commercial purpose;

(iii) the call is made for a commercial purpose but does not include or introduce an advertisement or constitute telemarketing;

(iv) the call is made by or on behalf of a tax-exempt nonprofit organization; or

(v) the call delivers a “health care” message made by, or on behalf of, a “covered entity” or its “business associate,” as those terms are defined in the HIPAA Privacy Rule, 45 CFR 160.103.

Reference: 47 CFR § 64.1200 (a)(3)
To prevent banks from shielding the identity of customers, FinCEN implemented the "Travel Rule." Under the Travel Rule, financial institutions must include the originating customer's full identifying information on a payment order, including:

  • the name,
  • address,
  • amount,
  • date,
  • recipient's bank information, and
  • recipient's contact information.

The rule requires a customer's true name, not pseudonyms. The rule only applies to originating and intermediary banks, not the beneficiary bank.

Note: The bank's routing number in the account number field is not sufficient to satisfy the travel rule.

Reference: 31 CFR 1010.410(f). 
The agencies use a risk-focused consumer compliance examination approach, based on the potential for compliance errors to have an adverse impact on banking customers.

Prudence says that when the bank receives a notice of error from a customer, it should be considered, reviewed, and investigated in the same manner as a complaint, based on the potential for harm to the consumer.

While not every error and/or complaint is related directly to UDAAP, considering errors in this manner helps to ensure that the bank is working UDAAP into its procedures.

Consumer harm is broken into several “categories”:

  • Quantifiable harm – economic harm to a consumer where the injury or loss can be measured. For example, a consumer may suffer monetary harm as a result of deceptive marketing.
  • Non-quantifiable harm – injury or loss to the consumer that cannot be measured or is very difficult to measure, yet the consumer may suffer some form of economic or other harm. For example, when a bank unfairly denies the consumer credit or discourages an application on a prohibited basis.
  • Potential harm – involves bank activities (or failure to take action) that create the possibility that a consumer may be harmed. For example, a violation of flood regulations where the bank fails to require flood insurance at loan closing.

Reference: FDIC Compliance Examination Manual, II Compliance Examination – Evaluating Impact of Consumer Harm, March 2017.
If you work for an insured depository institution regulated by the OCC, FDIC, FRB, CFPB, NCUA, or the Farm Credit Administration, you are not required to take the continuing education courses required under the SAFE Act.

You still can and may want to take the relevant Professional Education and Continuing Education courses to keep your knowledge of industry and regulatory information up to date in the event that you change employment and work for a state-licensed lender or broker.

Reference: NMLS Resource Center FAQ.
Ask an Expert

We want to hear your pressing questions about compliance at your bank. Not all questions will be featured. Your questions will be kept anonymous.