ABA Compliance Center Inbox, November/December 2016

Q: I wanted to gauge your opinion on using educational information for underwriting. Currently, one of our platforms uses education information such as degree level, area of study, school, graduation year, GPA and standardized testing scores to underwrite loans. The platform has a section on the application in which it asks the applicant, “What is your highest level of education?” In the drop down options, “high school diploma or higher” for degree choices is offered. However, I noticed that there is no option for “no degree” or even for “GED.” There could be several reasons as to why an applicant may not have an educational degree, but still meets all the other requirements for a loan. Does this pose a fair lending concern as applicants with no degrees are not allowed to apply for these loans?

A: Yes. Unless there is a legitimate business justification that can be fully supported, what you describe may well be viewed as having a disparate impact, or even disparate treatment when using generally recognized creditworthiness criteria, on a particular group of applicants and would create a fair lending concern.

For example, if areas with low high school graduation rates are located primarily in the same areas with large minority populations, then there would likely be at least the appearance of disparate impact. It would then fall to the creditor to “prove” that education level has some significant bearing on the borrower’s ability to repay or otherwise justify the requirement to ask for the amount of education received.

Notable celebrities without a high school diploma include Robert De Niro, Billy Joel, Catherine Zeta-Jones, Jay-Z, Simon Cowell, Richard Branson and others; would your institution not accept a loan application from these people simply because of their level of education? Similarly, I am nearly certain there have been borrowers with multiple degrees that have failed to repay loans. This is not to say that there may not be a legitimate reason for asking the question; however, the creditor will need to defend its underwriting practices to “prove” that education level provides some amount of repayment predictability. (Response provided July 2016)

Q: Our vendor provides the bank with a tri-merged report that includes information about all three credit bureaus (Equifax, TransUnion, Experian). We list all three bureaus on the adverse action notice, but our external audit firm says the bank should only list the company that provided the tri-merged report. Is this correct?

A: Yes, the audit firm is correct. Section 615(a)(1) of the Fair Credit Reporting Act requires users of consumer reports to provide an adverse action notice if they take any “adverse action” based in whole or in part on any information contained in a consumer report. Under Section 615(a)(3), the notice must provide the name, address and telephone number “of the consumer reporting agency … that furnished the report to the person [user].” Because your tri-merge vendor is a consumer reporting agency and is providing your bank the information, its contact information should be included in the adverse action notice. While there may be value in providing the information of all three bureaus, it is equally helpful to the consumer to provide a single point of contact to a vendor that can respond to and direct consumers with questions.

In addition, Section 615(a)(2) requires that the adverse action notice contain any “numerical credit score [which excludes proprietary scores] … used … in taking adverse action based in whole or in part on any information in a consumer report,” and, among other information, “the name of the person or entity that provided the credit score or credit file upon which the credit score was created.” Thus, as with tri-merged reports, the notice should include information about the entity that provided the score—that is, the provider of the tri-merged score.

As a side note, when the bank obtains multiple scores, the adverse action notice should disclose the score it used, for example, the middle score. If the bank uses multiple credit scores in setting the material terms of credit (e.g., by computing the average of all the credit scores), it must include one of these scores. The notice may, at the creditor’s option, disclose all the credit scores used. If there was no score, then this fact would be reflected in the adverse action notice per the Equal Credit Opportunity Act requirements. (Response provided July 2016)

Q: Section 12 C.F.R. § 353.3, addressing board reporting of Suspicious Activity Reports, states that the management of a bank shall promptly notify its board of directors or a committee of the board of any report filed pursuant to this section. Can you provide any clarity as to what regulatory expectations are for individual SAR reporting to the board?

A: There is no hard and fast rule about how to report SARs to the bank’s board of directors, and identifying the best way to inform the board about them has challenged bankers for quite some time. While the board needs to be informed to carry out its responsibilities, it doesn’t need to know all the details of each and every SAR that’s been filed. In fact, that’s not the intention of the section you cited. As institutions grow and file a larger volume of SARs, just providing copies of all the SARs to the board makes it difficult for them to grasp the significance of what’s there and, for a very large institution that files hundreds of SARs a month, it’s likely that an examiner would be critical if the board wasn’t given summaries of the activity.

While the board needs to be informed, it’s also important to take appropriate steps to ensure that SAR confidentiality is maintained, and the more people who see copies of actual SARs filed, the more difficult that can be.

The purpose of the cited section is to ensure that the board is informed about any suspicious activity that involves the bank. That’s done to be sure that the board can carry out its responsibility for oversight of the bank’s Bank Secrecy Act program. However, when you report to the board, what is most useful is a summary report of the SARs filed, indicating the number of SARs, subjects covered, areas of the bank impacted and so forth.

One option, depending on the number of SARs you file during a month or quarter, would be to provide a table listing the area of the bank where the activity originated, subject involved (generally, but not by name), possible loss to the bank (if any) and a very brief description of the activity and why it’s considered to be suspicious. It also helps to include information about anything that affects SAR investigations and reporting, including any delays or handicaps caused by insufficient resources, since that’s an area of focus for the examiners right now.

Of particular interest to the board (and key to their fiduciary duty) is to understand how the information reported in SAR filings could affect the bank: whether the bank is likely to suffer a loss, how significant that loss might be and whether the loss would be covered by insurance. In that vein, if there is something particularly significant or the bank is looking at a substantial loss, the board should be notified as soon as possible. Keep in mind that when you report to the members of the board, they can ask questions if they want additional details.

Finally, as you develop procedures, you should also map out how you’ll handle any situation that involves a senior officer of the bank or a board member. Hopefully, it will never be needed, but it’s good to be prepared. (Response provided July 2016)

Answers are provided by Leslie Callaway, CRCM, CAFP, director of compliance outreach and development; Mark Kruhm, CRCM, CAFP, senior compliance analyst; and Rhonda Castaneda, CRCM, compliance analyst, ABA Center for Regulatory Compliance. Answers do not provide, nor are they intended to substitute for, professional legal advice. Answers were current as of the response date shown at the end of each item.