Regulatory Compliance Digest | August 2023

calendar iconAugust 22, 2023

The August issue of the Regulatory Compliance Digest (the Digest) features a summary of the latest updates from the regulators on Bank Secrecy Act (BSA)/Anti-Money Laundering (AML), as well as an important alert on Unfair, Deception and Abusive Acts and Practices (UDAAP) and a reminder to file the Office of Foreign Assets Control (OFAC)’s annual report on blocked property by September 30th.

The Digest is intended to keep you informed of regulatory changes in advance of their effective date so that your institution can evaluate changes or updates to necessary policies, procedures and processes to be compliant at the time of enactment.

Industry Trends & Insights

Unfair, Deceptive, and Abusive Acts and Practices

The focus on UDAAP is not waning. In fact, there is increased regulatory focus on practices that may impact consumers. UDAAP impacts all consumer products and services offered by or through your institution including offered through partnerships with third parties.

Recently, the CFPB published its  Supervisory Highlights which featured the unfair, deceptive, and abusive acts or practices found during the most recent examination cycle.  Some of the products and egregious practices highlighted included:

  • Consumer Reporting:  Failure to maintain policies and procedures; Failure to conduct reasonable investigations of direct disputes; Failure to notify consumers that a dispute is frivolous or irrelevant; Failure to inform consumers of information needed to investigate frivolous or irrelevant disputes; Furnisher failure to provide adequate address disclosures for notices.
  • Mortgage Origination:  Loan originator compensation differentiations based on product type; Loan disclosures failed to reflect the terms of the legal obligation on disclosures.
  • Mortgage Servicing:  Loss mitigation timing violations; Misrepresenting loss mitigation application response times; Assigning continuity of contact personnel; Spanish language acknowledgement notices missing information; Failure to provide critical loss mitigation information; Failure to credit payment sent to prior servicer after transfer; Failure to maintain policies and procedures reasonably designed to identify missing information after a transfer.
  • Auto Lending:  Deceptive marketing of auto loans.
  • Auto Servicing:  Collecting interest on fraudulent loan charges; Canceling automatic payments without sufficient notice; Requiring consumers to pay other debts to redeem vehicles.
  • Payday and Small-Dollar Lending:  Unreasonable limitations on collection communications; False collection threats; Unauthorized wage deductions; Misrepresentations regarding the impact of payment of debt in collections; Risk of harm to consumers protected by the Military Lending Act; Failure to retain evidence of compliance with disclosure requirements under Regulation Z.
  • Deposits: Unfair line of credit usage and fees.
  • Remittances:  Failure to develop policies and procedures to ensure compliance with the Remittance Rule’s error resolution requirements.
  • Fair Lending:  Pricing discrimination; discriminatory lending restrictions.
  • Information Technology:  Failing to implement adequate information technology security controls.

If UDAAP hasn’t been on the institution’s radar, it might be a good time to focus in on this area before your next examination. This action plan to help you to get started.

  • Perform a UDAAP risk assessment to gain an understanding of the institution’s risk profile.  Remember to address inherent risk, internal controls, and residual risk as well as historical data to support your conclusions and trending.  In addition, the risk assessment should be updated as new products and services are offered or changes are made to existing products, services, and processes.
  • Review policies and procedures to ensure that they capture controls and processes designed to mitigate risk. Include processes and practices that target third party relationships as well.
  • Review current products and services. Ensure that products and services are operating as disclosed and advertised. Review system parameters, account opening disclosures, marketing and advertising collateral, website and social media, subsequent disclosures, periodic statements, etc. to ensure that all are in agreement. Pay particular attention to the higher risk products and services including indirect lending relationships, overdraft programs, loan servicing and collections, etc.
  • Implement a new product and service development process that documents clear consideration of UDAAP.  Prior to product/service roll out, document a UDAAP review of advertising and marketing, disclosures, etc.
  • Implement a monitoring/audit process to periodically review compliance with regulatory guidelines.
  • Provide training to applicable personnel, particularly those that are customer facing, are opening accounts for customers or are responsible for addressing customer inquiries and questions. This includes branch personnel, lenders, call center staff, etc. In addition, ensure that the Board receives awareness training on UDAAP and the institution’s program performance.
  • Ensure that those responsible for the institution’s complaint management program are trained to recognize potential UDAAP red flags and know to escalate such findings for further review and remediation.

FFIEC Updates the BSA/AML Examination Manual

The Federal Financial Institutions Examination Council, on behalf of its members, released updates to the following sections of the Bank Secrecy Act/Anti-Money Laundering Examination Manual.

The updates should not be interpreted as new instructions or increased focus on certain areas; instead, they offer further transparency into the examination process and support risk-focused examination work. Details are available at

OFAC to Retire PIP, DEL, and SDALL.ZIP File Formats of the Sanctions List On or About August 15, 2023

On July 6, 2023, OFAC announce that it will retire the PIP, DEL, and SDALL.ZIP sanctions list file formats on or about August 15, 2023. OFAC will continue to offer for public download, the XML, CSV, and FF file formats, the ZIP files SDN_XML and SDN_Advanced, and PDF versions for OFAC’s sanctions list(s).

OFAC’s Sanctions List Search tool will not be affected by these changes, and users of the search tool will not experience any loss of service.

Financial Action Task Force Identifies Jurisdictions with Anti-Money Laundering and Combating the Financing of Terrorism and Counter-Proliferation Deficiencies

On June 29, 2023, FinCEN informed U.S financial institutions that the Financial Action Task Force (FATF), an intergovernmental body that establishes international standards for anti-money laundering, countering the financing of terrorism, and countering the financing of proliferation of weapons of mass destruction (AML/CFT/CPF), issued a public statement at the conclusion of its plenary meeting this month reiterating that all jurisdictions should be vigilant to current and emerging risks from the circumvention of measures taken against the Russian Federation in order to protect the international financial system. The FATF noted that the Russian Federation’s war of aggression against Ukraine continues to run counter to FATF’s principles and thus the suspension of the membership of the Russian Federation continues to stand.

The FATF also updated its lists of jurisdictions with strategic AML/CFT/CPF deficiencies. U.S. financial institutions should consider the FATF’s stance toward these jurisdictions when reviewing their obligations and risk-based policies, procedures, and practices.

On June 23, 2023, the FATF added Cameroon, Croatia, and Vietnam to its list of Jurisdictions under Increased Monitoring and did not remove any jurisdictions from the list.

The FATF’s list of High-Risk Jurisdictions Subject to a Call for Action remains the same, with Iran and the Democratic People’s Republic of Korea (DPRK) still subject to FATF’s countermeasures. Burma remains on the list of High-Risk Jurisdictions Subject to a Call for Action and is still subject to enhanced due diligence, not counter measures.

As part of the FATF’s listing and monitoring process to ensure compliance with its international standards, the FATF issued two statements: (1) Jurisdictions under Increased Monitoring, which publicly identifies jurisdictions with strategic deficiencies in their AML/CFT/CPF regimes that have committed to, or are actively working with, the FATF to address those deficiencies in accordance with an agreed upon timeline and; (2) High-Risk Jurisdictions Subject to a Call for Action, which publicly identifies jurisdictions with significant strategic deficiencies in their AML/CFT/CPF regimes and calls on all FATF members to apply enhanced due diligence, and, in the most serious cases, apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks emanating from the identified countries.


Reminder to file the 2023 Annual Report of Blocked Property

31 C.F.R. § 501.603 of the Reporting, Procedures and Penalties Regulations (RPPR) requires holders of blocked property to provide the Office of Foreign Assets Control (OFAC) with a comprehensive list of all blocked property held as of June 30 of the current year by September 30. Persons that do not hold blocked property as of June 30 do not need to file an Annual Report of Blocked Property (ARBP). Please note that the term blocked property only applies to property that is blocked pursuant to OFAC regulations. Property that was unblocked by an OFAC general or specific license or was previously blocked pursuant to a sanctions program that was terminated on or before June 30, 2023, is not considered blocked property, and should not be reported in the ARBP. Similarly, a restricted account of a person ordinarily resident in Iran is not blocked and should not be reported to OFAC in the ARBP, unless there is an interest in the account of a person whose property and interests in property are blocked pursuant to an applicable sanctions authority.

Have Questions?

If you would like to discuss any compliance matters for your institution, please contact your Cherry Bekaert Advisor or reach out to the Firm’s Risk Advisory regulatory compliance team today.

Questions? Contact Us


External links to other websites outside of are being provided as a convenience and for informational purposes only. The links do not constitute an endorsement or an approval by Cherry Bekaert of any of the information, products, services, or opinions of the organization or individual. Cherry Bekaert bears no responsibility for the accuracy, legality, or content of the external websites or for that of subsequent links. Contact the external website for answers to questions regarding its content.