Regulatory Advisory Services

As the dust settles on another HMDA submission season, many institutions shift their focus to day-to-day operations—relieved to have met the deadline and corrected any glaring data issues. But before we close the chapter completely, there’s an important question to ask:

What did we learn from last year’s HMDA cycle—and how are we applying it today?

Why Reflection Matters in HMDA Compliance

HMDA reporting isn’t just a regulatory requirement, it’s a data story your institution tells the public, regulators, and internal stakeholders about your lending practices. When we treat each year’s submission as a one-time task, we miss the opportunity to uncover patterns, identify root causes of errors, and strengthen future reporting.

Whether your team encountered data integrity issues, experienced last-minute rushes, or handled unexpected regulator questions and feedback, each challenge holds valuable insight.

5 Questions to Ask Now (While the Lessons Are Still Fresh):

1. What were our most common data errors—and why did they happen?
   Look for recurring issues across fields (e.g., income, loan purpose, race/ethnicity). Were they system errors, manual entry mistakes, or training gaps?

2. How much time and effort went into data corrections?
   Use this to evaluate whether your current QA and validation processes are catching issues early enough.

3. Did we have the right people and resources in place?
   HMDA is a cross-functional effort. Reflect on whether communication between business lines, IT, and compliance was efficient—or strained.

4. What feedback did we receive from regulators or internal auditors?
   Pay special attention to informal observations—they often hint at areas of concern before they become formal findings.

5. Are we treating HMDA as a year-round process—or a seasonal fire drill?
   Institutions that build a sustainable, ongoing HMDA program (with interim data analysis and proactive validations) reduce the pressure of year-end fixes.

Every corrected error in last year’s submission is a breadcrumb in a trail leading toward fixing preventable issues. The institutions that stand out are the ones who don’t just clean up HMDA data—they learn from it.

At a time when regulatory scrutiny and public transparency are only increasing, proactive compliance is no longer a luxury. It’s a competitive edge.

• Host a post-submission retrospective. Bring together stakeholders from across departments to talk candidly about what went well and what didn’t.
• Create a "lessons learned" tracker. Document pain points and proposed solutions while they’re still top of mind.
• Develop a quarterly HMDA review cycle. Don’t wait until next January to clean your data. Make data analysis part of your regular cadence.

Final Thoughts

HMDA compliance doesn’t end with a successful submission—it begins with the insights it leaves behind. By analyzing last year’s missteps and building safeguards into this year’s processes, you shift from reactive to resilient.
And that’s how great institutions don’t just comply. They lead.

If there's one thing bank compliance professionals can agree on, it's that the phrase “the checks in the mail” has aged like a paper check in a rainstorm (see what I did there), especially when it involves U.S. Treasury checks. While they used to be a near-gold standard in financial transactions, these government issued checks have become juicy targets for fraudsters looking to make a quick, illegal buck. In this post, we're going to take a guided stroll through the world of Treasury check fraud - what it is, why it happens, how to detect it, and how to reduce institution’s exposure.

Why Treasury Checks?

U.S. Treasury checks are issued for everything from tax refunds to Social Security benefits to federal employee payments. They carry the full faith and credit of the United States government, which means many people (and even bank tellers) instinctively trust them. We know that regulators trust them since, in Reg CC they are basically treated the same as cash.

Fraudsters know this. They also know that many of these checks look alike, follow the same formats, and hit millions of mailboxes every year. Combine that with aging, check-processing technology at some institutions and a mix of human error, and you've got a recipe for some very expensive mistakes.

According to the US Treasury and Secret Service, Treasury check fraud typically falls into three basic categories:

1. Counterfeit Checks - Created from scratch or by altering scanned images. Some of these look alarmingly legitimate.
2. Altered Checks - Legitimate Treasury checks that are modified - often changing payee names or amounts.
3. Forged Endorsements - When a real check is stolen and cashed by someone other than the intended recipient.

Besides the obvious risk of financial loss, failing to detect Treasury check fraud can result in:

• Loss of indemnity protection under Treasury rules.
• Reputational damage (picture that headline: “Local Bank Pays Fraudster $50,000 Tax Refund.)
• Violation of internal controls or worse, accusations of aiding in the facilitation of fraud.

Let's not forget - your frontline staff are not handwriting analysts or Secret Service agents (unless they moonlight, in which case we'd love to hear about that). Still, banks are expected to have reasonable safeguards in place.

Back in 2008, the Federal Reserve and the U.S. Treasury launched the Treasury Check Verification System (TCVS) – a handy online tool that allows financial institutions to verify whether a check is authentic and valid. It's free, it's fast, it's dramatically underused.

If your frontline staff aren’t using it for every Treasury check over a certain dollar threshold – or for any check that gives off that “something’s not right here” vibe – you may be missing a key layer of protection.

Pro tip: Consider setting an internal policy that requires Treasury check verification for all checks above $2500 or in any suspicious circumstances.

Here's the kicker: The U.S. Treasury has indemnity protections for banks only when certain conditions are met.
Accord 31 CFR part 240 (a great light read if you're having trouble sleeping), a bank may be liable for a fraudulent check if:

• The check has forged endorsement and the bank failed to verify the identity of the endorser.
• The check was altered, and then the bank didn’t follow reasonable verification procedures.
• The bank is late in returning a suspected fraudulent item.

There's also a strict time limit: generally, banks must return fraudulent Treasury checks within one year of the issue date.
If you're outside that window, and the check was fraudulent, congratulations - you're likely eating that loss.

Spotting a Fake: Fraud Red Flags
Even if your teller isn't a Secret Service agent, they can be trained to spot the most common signs of a fake or altered Treasury check. These include:

• Blurry or pixelated MICR lines (real checks are printed using magnetic ink)
• Incorrect check numbers or check amounts that don't match the envelope stub.
• Suspicious behavior from the presenter (rushing, no ID, overly eager, or brand new to your bank)

Regular training, test scenarios, and policy refreshers go a long way.

At the end of the day, Treasury check fraud is an evolving risk - but not one you have to accept blindly. A layered defense that includes:

• Use of the Treasury Check Verification System
• Clear internal thresholds and policies
• Ongoing staff training
• And smart, proper use of hold rights under Reg CC

…can help your bank detect and prevent most issues before they become expensive problems.

And remember: even though the check’s in the mail, it doesn't mean you're good judgment should be!

In addition, there is a terrific resource available from the Federal Reserve on this very topic – what to look for and what to do – Responding to Counterfeit Check Fraud.

Let’s be honest, when was the last time you heard someone say, “I can’t wait for compliance training!”?

Probably never.

For most banks, credit unions, and fintechs, compliance training is like eating your vegetables – necessary, but not enjoyable. The usual approach? Hours of PowerPoints, legal mumbo-jumbo, and multiple quizzes that – let’s be honest – employees speed through just to get it over with.

But here’s the thing – compliance doesn’t have to be boring. In fact, if you want employees to actually remember what they learn and be able to apply it, it can’t be boring.

So, how do you fix it?

I’ve been teaching compliance for over 15 years. Let me share two of my favorite techniques.

The Problem with Traditional Compliance Training

Picture this -

An employee - let's call him Mark - logs into the annual anti-money laundering (AML) training period. He clicks through 45 slides while simultaneously checking emails, then guesses his way through the quiz. By lunchtime, he couldn't tell you a single thing he “learned.”

Sound familiar?

How to Make Compliance Training Stick (Without Putting People to Sleep)

I’ve always said the most successful technique is - Tell a story.

Think about any of the great movies you watched or books you read. Chances are you could summarize the plot weeks, and sometimes years, later. Now try recalling the last compliance policy you read.

Exactly.

Our brains are wired for stories, not legal disclaimers. Want to catch your audience’s attention - Tell a Story!

People learn in different ways, but one thing has held true throughout time: People love stories. Before we developed written language, people passed on information by telling stories. At Capco Academy, we have found that one of the most effective ways to teach compliance is by including stories in our training.

We look at the history of a particular regulation to pull some interesting facts to share with our attendees. Introducing these fascinating tidbits and stories into your training narrative can bring the training to life and help attendees understand better why compliance is important to their role.

Make Training Engaging Through Immersion

But there is another method we have found equally as successful – immersion.

This is where you put people in a live environment where they can learn and test their compliance knowledge.

Scenario Immersion – Create simulations or in-person scenarios where employees must use, or test, their compliance knowledge using case studies to solve real-world problems. During meetings, call out risky behaviors and ask someone how they might handle it.

There are a couple of good examples of this technique.

Escape Room Challenge - Put employees in a virtual or real room where they apply and share their compliance knowledge as a team to “escape.” Incorporate interactive elements such as quizzes, polls, or interactive exercises to actively involve participants and keep their attention.

For example, imagine your front-line deposits team is ‘trapped’ in a virtual teller line with 15 minutes to escape before regulators arrive. To break-out, they must review a series of teller-line transactions and apply BSA/AML and Reg CC rules. For example:

Transaction 1 – A customer deposits $9,800 in cash, then immediately withdraws $9,500 in a manager-approved check. Is this structuring? Does Reg CC’s next-day availability rule apply – why or why not?

Transaction 2 – A business client drops off a third-party check for $15,000 with smudged endorsements. Are there any red flags under BSA? Should you, and can you, place a hold under Reg CC?

Transaction 3 – A nervous customer asks to split a $20,000 cash deposit into two $9,999 transactions. Are there BSA implications? What if the customer is 75 years old?

By the way, to make it even more fun – try hiding a fake “mole” among the staff – an employee suggesting shady shortcuts or misinformation to throw the others off. You’ll quickly learn who knows their stuff and who just relies on other.

If the team submit the correct information, then they get a clean ‘exam’ and can take a vacation. If not, they ‘fail’ and the regulators impose a fictional fine.

Examination Role-Play – Similar to the above, but you could have two teams role-play. Create a fictional scenario, for example a set of mock loan files with planted issues or concerns – perhaps multiple LE’s or an adverse action that refers to a credit report however there is no credit report in the file because permissible purpose was never obtained, etc.

One team plays the role of bank auditors and reviews the set of files together looking for issues or possible violations. Then, have the ‘exam’ team’ review the same files as a group. Whichever team finds the most legitimate issues wins.

Why it works? Something happens when there is competition. The ‘fun’ chemical gets triggered and suddenly compliance isn't a chore - it's a challenge.

Storytelling and immersive engagement transform compliance training by making it relatable and experiential. A well-crafted story - like one about a teller who unknowingly facilitated money laundering - humanizes drier regulations, embedding lessons in emotional, memorable narratives. Meanwhile, immersive techniques (escape rooms or role-playing scenarios) force active participation, letting employees ‘practice’ spotting fraud or applying regs under pressure. Together, these methods replace passive lectures with emotional hooks and muscle memory, ensuring employees don't just hear the rules, they understand and remember them because they ‘lived’ them. The result? Higher engagement, deeper retention, and a team that instinctively recognizes real world risks.

#1 The Big Orange Book Provides Clear and Concise Answers to Complex Compliance Questions.

Published first in 1988, the Big Orange Book quickly became the industry standard banking compliance manual. Why? The answer is simple– our answers are simple. Ever-changing federal compliance regulations are stressful enough, so we decided to break complex regulations down in plain business English.

As attorneys, former examiners and compliance officers, we interpret the “legalese” of consumer financial protection regulations in this easy-to-read, all you need to know, compliance manual. The Big Orange Book is written so that banking professionals can get clear, correct, and immediately usable guidance about those regulations quickly and easily.

#2 The Big Orange Book Covers Banking Regulations from A-Z and Everything in Between.

When we say the Big Orange Book covers everything you need to know, we mean it. Fondly nicknamed “BOB” by compliance officers who were tired of having to scour endless sources for compliance advice, the name has stuck with us for decades of providing top-notch compliance advice for our customers – all compiled in a single compliance manual.

The Big Orange Book provides an in-depth review of major federal banking regulations, such as:

• Truth in Lending Act / Regulation Z
• Truth in Savings Act / Regulation DD
• Loans to Executive Officers, Directors, and Principal Shareholders / Regulation O
• Expedited Funds Availability Act / Regulation CC
• Electronic Fund Transfer Act / Regulation E
• Home Mortgage Disclosure Act / Regulation C
• Community Reinvestment Act / Reg BB
• Bank Secrecy Act

It also provides clear explanations of the less frequently encountered laws, such as:

• Marijuana-related businesses
• Safe deposit operations
• Individual retirement accounts
• Real estate lending standards, among many others.

These articles can be very useful when an unusual question comes up and you are pressed for time, as you have the answers at your fingertips.

Our table of contents is organized by operational function plus an alphabetically arranged index to the topics covered. All required specialized terms are defined in plain business English. The BOB’s eBook format has a handy search bar which makes it easy to find all information related to any topic you are interested in.

#3 Contributors to our Know-It-All Compliance Manual Have an Average of 25+ Years of Experience

Each edition of the Big Orange Book is written by banking compliance experts with an average of 25+ years of experience. Each contributor to the Big Orange Book is an expert in their field of regulatory compliance with extensive knowledge of all topics related to banking compliance. The summary and analysis we provide is thorough and complete, written by attorneys and compliance professionals.

When you reference the Big Orange Book, you know that the information you are receiving is accurate and well-sourced. Google and AI certainly can’t promise you that.

Subscriptions Options for Every Institution

Interested in checking out our compliance manual? With multiple subscription options for banking compliance guidance, we have a plan to accommodate financial institutions large and small.

Contact us to subscribe to the Big Orange Book today.

▶ Consumer protection laws remain unchanged.

No changes to consumer protection laws have been enacted since January 20, 2025. Ongoing compliance with consumer and civil rights laws and regulations such as the Equal Credit Opportunity Act (ECOA), Fair Housing Act, and Truth in Lending Act (TILA) remains paramount. 

• ▶ Current CFPB, FCIC, and OCC laws remain in effect.
• While the Trump Administration is considering or may make changes to the CFPB, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), rules currently remain in effect until amended or withdrawn under either the Administrative Procedure Act (APA) or the Congressional Review Act (CRA).
• ▶ State regulatory enforcement may increase.
• With concerns for freezing supervision, litigation, examinations, and enforcement by the CFPB, states, state banking and securities regulators, and state attorneys general are expected to initiate consumer protection investigations and penalties for consumer protection and private enforcement. Specifically:
  1. Section 1042 of the Consumer Financial Protection Act of 2010 (CFPA) generally authorizes States to enforce the CFPA's provisions.
  2. "Section 1042 allows States to enforce any provision of the CFPA, including section 1036(a)(1)(A), a provision that makes it unlawful for covered persons or service providers to violate the Federal consumer financial laws; the limitations on the Bureau's authority in sections 1027 and 1029 generally do not constrain States' enforcement authority under section 1042; and section 1042 does not restrict States from bringing concurrent enforcement actions with the Bureau."
• ▶ Congressional and judicial review will take some time.
• Congress and the courts are also considering the shift in consumer financial laws and regulations, and it will take time for financial institutions to receive clarity.
• ▶ Political shifts could reverse regulatory changes.
• Financial institutions may need to consider whether a new administration and congress controlled by the Democratic party could reverse the changes from the Trump Administration and conduct full-scope examinations and targeted reviews to determine whether an institution complied with relevant laws, rules, and regulations over the previous four (4) years.
• ▶ Your compliance management system (CMS) will remain critical.
• Non-compliance, a weak CMS, willful violations, and deficiencies in risk management could have a major impact on an institution's overall financial condition, including lawsuits, civil money penalties, and administrative actions.