Laws and Regulations of Particular Interest

While you do not need to be an expert on all laws and regulations, there are some with which you should be familiar, because they may:

  • apply directly to you as a director,
  • carry significant penalties for noncompliance, or
  • provide you with knowledge to ask questions and evaluate responses.

The list below gives highlights of some laws and regulations, their purposes, and warnings about compliance pitfalls. This basic information will help you spot potential trouble areas that your bank may need to address to ensure its regulatory compliance.

The Bank Secrecy Act (BSA) (31 U.S.C. 5311 et seq.; 31 CFR Part 103; and Regulation H, 12 CFR 208.62 and 208.63)


Assigns specific responsibilities to banks to know their customers and to detect and report large cash transactions and suspicious activities. These responsibilities are important to ensure banks are not used as intermediaries for transferring funds obtained from criminal activities. Because of this, you may hear the term anti-money laundering (AML) in the context of BSA.

Compliance Reminders

Banks must have a written BSA/AML compliance program that includes these four components:

  1. internal controls to assure ongoing program compliance;
  2. periodic independent testing for BSA/AML compliance (recommended every 12 to 18 months, depending on the bank’s level of risk);
  3. a designated individual responsible for coordinating and monitoring day-to-day compliance; and
  4. training for appropriate personnel.

A Customer Identification Program (CIP) must be included as part of the BSA/AML compliance program.

The board of directors must approve the BSA/AML program with the approval noted in board minutes.

Currency Transaction Reports (CTRs) are required for cash transactions (deposit, withdrawal, exchange, or other payment or transfer) greater than $10,000. Customers meeting certain criteria may be exempted from such reporting.

The board of directors must be notified of Suspicious Activity Reports (SAR) filings.

Information in a SAR, and the fact that a SAR has been filed, is confidential: it may not be disclosed to the person who is the subject of the SAR, or to anyone outside the bank other than FinCEN, law enforcement and the bank’s supervisory agencies.

SARs are required with respect to transactions that are inconsistent with what is known about a customer and that have no identifiable business purpose or support.

Account opening procedures, also known as customer due diligence, are critical to a bank’s ability to identify suspicious activity. Those procedures should be designed to obtain necessary information by which to effectively and efficiently serve the customer, while giving the bank the ability to know when a transaction doesn’t make business sense for the customer.

Management Official Interlocks, Federal Reserve Regulation L (12 CFR 212)


Prohibits management official interlocks (common directors or management officials) between unaffiliated depository institutions, and their holding companies, in the same community, in order to preserve competition between them.

Compliance Reminders

There are limits on your service as a director or management official at other unaffiliated financial institutions and bank holding companies, particularly if:

  • your bank has assets greater than $2.5 billion;
  • any office of your bank is located within the same large metropolitan area as the other institution or one of its offices; or
  • any office of your bank is located within 10 miles of an office of the other institution.

Loans to Executive Officers, Directors and Principal Shareholders, Federal Reserve Regulation O (12 CFR 215)


Prevents bank insiders (executive officers, directors and principal shareholders) from obtaining credit on more favorable terms than other customers of their banks, and limits the amount of credit the bank may extend to them.

Compliance Reminders

Combine credit extensions to insiders (executive officers, directors and principal shareholders) with those of their related interests (businesses they control) and, where the regulation attributes ownership to them, their immediate family members, to make sure that loans to insiders stay within the lending limits specified in the regulation.

There is a limit on loans to a single insider and an aggregate limit on total loans to all insiders.

Overdrafts are extensions of credit and are specifically addressed by the regulation.

Be alert to loan transactions where insiders may receive, directly or indirectly, some benefit. Be mindful that an insider’s endorsement, or guarantee, can be considered an indirect extension of credit to the insider.

Privacy of Consumer Financial Information, Federal Reserve Regulation P (12 CFR 216)


Governs the bank’s treatment of the nonpublic personal information that customers provide to it, including what the bank must tell customers about how it shares that information with nonaffiliated third parties.

Compliance Reminders

The regulation requires an annual notice to customers describing the bank’s policy on sharing their information with nonaffiliated third parties.

If your bank shares customer information with nonaffiliated third parties, then it must also provide customers with the ability to prevent their information from being shared, also known as the ability to “opt out.”

Make sure the bank’s policies regarding its information sharing are consistent with its current sharing practices.

Transactions with Affiliates, Federal Reserve Act, Sections 23A and 23B (12 U.S.C. 371c and 371c-1) and Regulation W (12 CFR Part 223)


Prevents misuse of bank resources resulting from non-arm’s-length transactions with affiliates.

Compliance Reminders

Your bank cannot buy a low-quality asset from an affiliate, except under very limited circumstances.

Be alert to parent bank holding company expenses and overdrafts paid by the bank, because such payments could constitute illegal, unsecured credit to the holding company.

Be sure the bank receives its share of refunds and benefits from joint tax filings.

Tax payments to the parent should not be made too far in advance of when they are due, or they may be considered a loan to the parent company.

Watch for transactions between the bank and firms controlled by insiders to ensure that their terms are no less favorable than terms the bank would receive on similar transactions with an outsider.

Management fees paid by the bank to its parent bank holding company should be appropriate to the services received.

Asset purchases, rental agreements and lease contracts between the bank and firms owned by insiders must be on equivalent terms to those with outsiders.

Maintain documentation to demonstrate that all transactions with insiders and affiliates take place at market value.

Community Reinvestment, Federal Reserve Regulation BB (12 CFR 228)


Implements the Community Reinvestment Act (CRA), which encourages banks to meet the credit needs of their communities, including low- to moderate-income (LMI) neighborhoods.

Compliance Reminders

The bank’s most recent CRA rating is public information and must be made available to the public upon request.

The assessment area defined by the bank is the geographic area in which the bank’s CRA performance will be judged. The assessment area may not be the same thing as the bank’s market or trade area; nonetheless, it is key to the evaluation of the bank’s record of meeting community credit needs.

Assessment areas must:

  • include whole geographic areas (e.g., counties, census tracts or metropolitan statistical areas (MSAs)),
  • not illegally discriminate, and
  • not arbitrarily exclude low- or moderate-income areas (i.e., no “redlining”).

Review the bank’s assessment area to make sure it includes all of the bank's branches, deposit-taking ATMs and a substantial portion of its loans.

Perform a self-assessment of your CRA performance to avoid surprises at your next CRA examination.

Notice of Change in Directors and Senior Executive Officers, Federal Deposit Insurance Act (12 U.S.C. 1831i(a)) and Federal Reserve Regulation Y (12 CFR 225.71 et seq.)

Gives regulators advance notice of changes in directors and senior executive officers at banks in troubled condition, so that they can object to appointments that may be detrimental to the bank.

Compliance Reminders

Applies to banks that are deemed to be in troubled condition.

Requires a 30-day prior notice before the bank:

  • adds or replaces a member of the board of directors, or
  • employs a new senior executive officer (or moves an existing senior executive officer into a different senior executive officer position).

Golden Parachutes and Indemnification (12 U.S.C. 1828(k) and 12 CFR Part 359)


Limits severance payments and indemnification in order to safeguard bank assets. Also, limits rewards to institution-affiliated parties who may have contributed to a bank’s less-than-satisfactory condition or who may have otherwise harmed the bank.

Compliance Reminders

The limitation on indemnification applies to all banks. The limitation on severance payments applies only to banks that are in a troubled condition.

Generally, a bank cannot indemnify an insider against the liability or legal expenses of an administrative proceeding by the bank’s regulator.

Indemnification for the payment of civil money penalties is not permitted.

Golden parachute payments or agreements cannot be made without the prior written approval of the bank’s primary federal regulator and the FDIC. A state member bank that is in a troubled condition would need to consult with its Reserve Bank before making or entering into any agreement to make severance payments.

For additional information on golden parachute payments, please see the Federal Reserve Board’s SR 03-6.

Change in Bank Control Act (12 U.S.C. 1817(j)); Bank Holding Company Act (12 U.S.C. 1841, et seq.); and Regulation Y (12 CFR Part 225)


Requires a person, or a group of persons acting in concert, to give prior notice to (under the Change in Bank Control Act) or obtain prior approval from (under the Bank Holding Company Act) the regulators before acquiring control of a bank or bank holding company.

Compliance Reminders

A transaction that takes a shareholder’s ownership over 10 percent of any class of voting stock of the bank or its parent bank holding company may require filing a prior notification. This includes transactions the shareholder does not initiate: a treasury stock redemption by the bank or holding company, for example, can push a remaining shareholder’s percentage over the threshold.

Prior notification is required, unless the holding is otherwise grandfathered under the regulation, if a share purchase would take a shareholder’s ownership to 25 percent or more of the bank’s or its parent bank holding company’s voting shares.

A shareholder’s ownership may be combined with others, as indicated in the regulation (e.g., immediate family members), in determining the need for a notification.

Placing 10 percent or more of bank or holding company stock in a trust or shareholder agreement may raise control or bank holding company issues and require filings under the Change in Bank Control Act or the Bank Holding Company Act.

If the bank or its bank holding company is being sold, the terms of purchase options may give buyers control of the bank or company before the sale closes and so require prior notification.

Lending Limits


Promotes diversification in a bank’s loan portfolio by limiting loans to a single, noninsider borrower. Single borrower includes family members, affiliates and business relationships.

The general lending limit to single borrowers for national banks is 15 percent of the bank’s capital and surplus, plus an additional 10 percent of capital and surplus if the loan is fully secured by readily marketable collateral.

Limits for state banks vary, depending upon the state of the charter. Often, the limit is set from 15 to 30 percent of a bank’s capital and surplus. State banking statutes should be consulted for specific lending limit information and for the method of calculating the limit.

It is important to note that banks often establish an internal or “in-house” lending limit to further diversify their credit risk. The level at which the board of directors sets the internal limit depends upon its risk tolerance. At many banks, the board sets the in-house limit at 50 percent or less of the bank’s legal lending limit.

Compliance Reminders

Be cognizant of the bank’s statutory lending limit and its internal lending limits.

Loans and investments that approach these limits represent significant exposure to the bank’s capital and should receive scrutiny.

Loans in excess of the legal lending limit may expose approving directors to potential liability.

Overdrafts are extensions of credit and must be included when calculating a borrower’s total exposure against the legal lending limit.

Safeguarding Customer Information, Federal Reserve Regulation H (12 CFR 208.3(d)(1))


Requires banks to protect customer information by implementing a comprehensive written information security program designed to:

  • ensure the security and confidentiality of customer information;
  • protect against any anticipated threats or hazards to the security or integrity of that information; and
  • protect against unauthorized access to or use of that information that could result in substantial harm or inconvenience to any customer.

The information security program is to: identify internal and external risks associated with information technology systems and activities; ensure the implementation of risk-mitigating controls; and establish periodic tests of key controls, systems and procedures.

Compliance Reminders

Periodically test the key controls set out in the bank's information security program.

Supervisory guidance on controlling information security risks extends to third-party service providers: the bank must exercise appropriate due diligence in selecting them, require them by contract to implement appropriate safeguards for the customer information they handle, and monitor their performance, because the bank remains responsible for customer information it entrusts to them.

Equal Credit Opportunity, Federal Reserve Regulation B (12 CFR 202)


Prohibits lenders from discriminating against credit applicants, establishes guidelines for gathering and evaluating credit information, and requires written notification when credit is denied.

Compliance Reminders

Make credit decisions based on objective information regarding a borrower’s ability to pay, rather than any of the “prohibited bases.”

Generally, notify loan applicants of action taken within 30 days after receiving a completed application.

On credit primarily for the purchase or refinancing of a dwelling occupied or to be occupied by the applicant as a principal residence, and secured by the dwelling, collect the government monitoring information regarding applicant ethnicity, race, sex, marital status and age.

Loans in Special Flood Hazard Areas, Federal Reserve Regulation H (12 CFR 208.25)


Implements the National Flood Insurance Act, which makes federally backed flood insurance available to owners of improved real estate or manufactured (mobile) homes located in high flood risk areas.

Compliance Reminders

Banks may not make, increase, extend or renew a loan on improved property located in a flood hazard area and in a “participating” community unless the improvements are covered by flood insurance.

Failure to comply may lead to civil money penalties and potential enforcement action.

Truth in Lending, Federal Reserve Regulation Z (12 CFR 226)


Prescribes uniform methods for computing the cost of credit, for disclosing credit terms, and for resolving errors on certain types of credit accounts.

Compliance Reminders

Inaccurate disclosure of credit terms, particularly understating the annual percentage rate of interest or the finance charge, can result in reimbursements to the customer.

Reg. Z requires certain information to be disclosed to a borrower before credit is extended, including:

  • the annual percentage rate (APR),
  • the finance charge and the amount financed, and
  • the payment schedule and the total of payments, i.e., the total cost of the loan to the borrower.

Real Estate Settlement Procedures Act (RESPA), Housing and Urban Development (HUD) Regulation X (24 CFR Part 3500)

Implements the Real Estate Settlement Procedures Act (RESPA), which covers consumer real estate loans secured by a mortgage on a one- to four-family residential property. These include most purchase loans, assumptions, refinances, property improvement loans and home equity lines of credit. RESPA protects consumers from unfair practices by settlement service providers during the home-buying and loan process. It also requires that borrowers receive key loan terms, closing costs and other information on mortgage loans so that they can compare the costs of credit and make informed decisions on the mortgage loan product that best suits their needs.

Compliance Reminders

Within three business days of receiving a purchase-money mortgage loan application, the lender must furnish the applicant with a good faith estimate (GFE) of loan closing costs, a copy of HUD’s Special Information Booklet, and a mortgage servicing disclosure statement.

RESPA prohibits a person from giving or accepting anything of value (a.k.a., kickbacks) for referrals of settlement service business related to a mortgage loan.

It also prohibits a person from giving or accepting a charge for services that are not performed.