Top 10 Regulatory Requirements & Issues with E-SIGN Compliance
E-SIGN has been around since 2000, when President Clinton signed the Electronic Signatures in Global and National Commerce Act into law. Twenty years later, the 2020 pandemic forced many banks to open accounts electronically and follow E-SIGN when branches temporarily closed. In a 2021 webinar, compliance expert Susan Costonis reviewed “the top 10 things you may have issues with and want to verify as you go through the E-SIGN world.”
BSA (Bank Secrecy Act) and CIP (Customer Identification Program): CIP is having a reasonable idea of a person or business’s identity, which is riskier when you are not face-to-face. The main issue for banks is being able to verify the true identity of the deposit customer and create a risk profile based on the increased risks of online account opening.
Susan explained “This activity is going to continue to grow when you look at the demographics and banking customer age. The younger customers do not want to drive to a branch, they want 24/7 access and be able to do things electronically.”
Disclosures — accuracy, completeness, and delivery: “When you deliver disclosures electronically, it has to be accurate. You want to make sure you can verify all 6 steps of the consumer consent process”, stated Susan.
Regulatory Oversight (UDAAP — Unfair Deceptive Abusive Acts and Practices): “This is vendor management, is there something that the vendor wants to cross-sell or do, that will not be blessed by your regulator?” Confirm that all advertising and account information was provided, that the consumer was advised of all fees, and that an informed decision was made in the consumer’s best interest.
Advertising: Review requirements for advertising, especially Truth in Savings, for triggering terms and required model language.
Privacy — information sharing practices: Provide actual practices and opt-out options.
Technology — changes in sending and receiving electronic disclosures and information: Monitor your internal hardware and software requirements as part of an audit and internal control procedures process. Ensure your technology is up-to-speed and working as intended.
Cybersecurity — identity theft and elder abuse: “Cybersecurity is probably the scariest part of E-SIGN,” warned Costonis. Exercise due diligence for “out-of-wallet” questions to detect fraud and identity theft. Be alert to the potential for abuse of older customers and elder abuse; provide resources for identity theft reporting and resources for seniors. “Often vendors will develop a profile of what they think is a validity check — they will look for irregular IP addresses, irregular locations of use, debit card requests from different email addresses, etc,” Costonis added.
Policies and procedures: Have all policies and procedures been updated to reflect the risks of online account opening, revised CIP and CDD procedures for BSA compliance, updates to required risk assessments (BSA, Identity Theft Red Flags, OFAC, audit, deposit compliance)? “If your old school CIP policy did not address online account opening, you will want to make sure that is updated. If your red flag assessment looked at how accounts were opened and didn’t anticipate opening accounts online, then it has to be updated and board approved.”
Social media — restrictions on employees’ use of social media in the workplace: “Many people today live on social media, so your employees have to understand that what is personal should not be public. There are restrictions against ‘advertising’ services that an employee can offer or how complaints may be handled.”
Complaints: It is a best practice and regulatory expectation to have a complaint policy and procedures. Complaints can be sent to social media and must be reviewed. Check YOUR regulators’ resources and exam procedures for expectations about handling complaints.
Costonis’s E-SIGN Series webinar, ‘No-Contact’ Account Opening: E-SIGN Compliance, covers BSA and CIP basics, deposit regulations related to E-SIGN and their specific compliance provisions, the most recent BSA guidance for satisfying the due diligence requirements for CIP, acceptable documents for opening accounts and how to incorporate risk mitigation strategies into the new account process, and the due diligence steps required to open an account.
Contact us to purchase this informative webinar.
© 2024 FINANCIAL EDUCATION & DEVELOPMENT, INC