How did compliance change in 2021?

This year has largely been a quiet time for regulatory and compliance reform. But while community banks were focused on the economic recovery of their communities, a few changes came during 2021.

By Mary Thorson-Wright

Formal proposals and deadlines for regulatory changes were again sparse in 2021. Regardless, community banks were engaged to serve their communities, safeguard their data and that of their customers, and address regulatory compliance challenges commensurate with the times. Let’s take a look at the year’s changes.

Flood insurance

In 2020, the Federal Emergency Management Agency (FEMA) published a final rule to codify provisions of the Biggert-Waters Flood Insurance Reform Act of 2012 and the Homeowner Flood Insurance Affordability Act of 2014, and to clarify existing National Flood Insurance Program (NFIP) rules. In February 2021, it issued corrections to those instructions.

The final rule and corrections became effective Oct. 1.

In April 2021, FEMA announced its Risk Rating 2.0: Equity in Action flood insurance rating methodology. The NFIP has used a rating structure based on flood zones across the country and expected losses of groups of structures. Risk Rating 2.0 is based on actual flood risk and the value of individual properties. In Phase I, which went into effect Oct. 1, new policies are subject to Risk Rating 2.0 methodology and existing policyholders may take advantage of any premium decreases. In Phase II, NFIP policies renewing on or after April 1, 2022, will be covered by the new methodology. Lenders’ compliance with flood insurance requirements will not be affected.

Fair access to banking services, capital and credit

In January 2021, the Office of the Comptroller of the Currency (OCC) released a final rule to ensure fair access to banking services by large national banks, federal savings associations, and federal branches and agencies of foreign bank organizations. The rule implements provisions of the Dodd-Frank Act and codifies historical OCC guidance that banks, when provisioning access to services, capital and credit, should conduct a risk assessment of individual customers, rather than make broad-based decisions affecting whole categories or classes of customers. The rule applies to banks with more than $100 billion in assets.

Community Reinvestment Act (CRA)

The OCC issued a rule to national banks in May 2020 making broad changes to the agency’s CRA enforcement. The OCC issued an announcement in July 2021 to rescind the rule and committed to work with the Federal Reserve Board and the FDIC on joint CRA rulemaking.

Small business loan reporting

Section 1071 of the Dodd-Frank Act amends the Equal Credit Opportunity Act (ECOA) to require reporting of specific categories of business loans. In September 2021, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking to facilitate the small business loan requirements. Under the rule, institutions would be required to collect and report data on certain business credit applications in three categories:

  • Data that financial institutions would generate or provide
  • Data provided by the applicant or that a financial institution could determine by reviewing information provided by the applicant or a third party
  • Data that addresses the demographics of the applicant’s principal owners or ownership status.

Quick Stat


The number of data points the CFPB would require covered institutions to report under the agency’s Section 1071 proposal

“Under Section 1071, the CFPB was only required to collect 12 data points from covered institutions,” says Michael Emancipator, ICBA’s vice president and regulatory counsel, “However, it nearly doubled that number to 21 data points. If finalized as is, the effect could [transform] small business lending and serve to make it homogenized, which is contrary to what community banks offer.”

ICBA has pursued efforts to exempt as many community banks as possible, and Emancipator encourages community banks to seek ways to influence revision of the rule (Read more from Empancipator on Section 1071).

“As a national bank, we were focused on the October implementation date for the CRA changes. That changed, of course, when the OCC pumped the brakes.”
—Jamie Santistevan, Native American Bank

A ‘pause in regulatory changes’

Despite the lack of changes, community bankers were engaged in robust efforts to oversee regulatory and risk management.

“We welcomed the pause in regulatory changes. As a national bank, we were focused on the October implementation date for the CRA changes. That changed, of course, when the OCC pumped the brakes and announced a commitment to working with the FDIC and FRB for joint revisions,” says Jamie Santistevan, vice president of compliance, Bank Secrecy Act (BSA), anti-money laundering (AML) and CRA and operations officer at $180 million-asset Native American Bank in Denver. During this pause, Santistevan has witnessed more incidents of attempted fraud.

“Hot buttons for us, like many other financial institutions, are fraud and cybersecurity. We saw an uptick in pandemic-related schemes and fraud on top of the ones already in the mix before the pandemic,” he says. “For technology-based solutions and security protocols, we’ve taken on the costs and employed great efforts to be sure our data and customer security is where it needs to be.”

Tim Grooms, chief risk officer at $800 million-asset First State Bank in Winchester, Ohio, says he’s noticed a similar increase but the bank is focusing on cybersecurity.

“We also saw an uptick in fraud, especially in connection with the early paper checks issued for stimulus payments. Some customers also received calls saying that stimulus payments were being held and attempting to scam them for additional information,” Grooms says. “We’ve had a significant focus on cybersecurity as a continuation from 2020 to maximize measures for our own activities and our customers’ accounts.”

Mary Thorson-Wright is a writer in Washington, D.C.