Specialty Programs

Specialty programs are the compliance obligations that sit outside the core operational pillars of your Compliance Management System but are no less critical to examiner expectations. 

They address specific regulatory requirements tied to your products, customer base, and risk profile, and they often carry their own documentation, testing, and reporting standards.

Fair lending compliance covers the laws and regulations designed to prevent discrimination in credit decisions, including the Equal Credit Opportunity Act (ECOA/Reg B) and the Fair Housing Act. 

Examiners evaluate whether your lending practices, underwriting criteria, pricing models, and marketing treat applicants consistently regardless of protected class status. A defensible fair lending program includes documented policies, comparative analysis of outcomes, and evidence that models and decisioning tools have been tested for disparate impact.

The Red Flags Rule requires financial institutions and creditors to implement a written identity theft prevention program that detects, prevents, and mitigates identity theft. 

This includes an annual board report on the program, documented red flag indicators tailored to your products and channels, and staff training on recognizing and responding to suspicious activity. It’s a non-negotiable requirement that examiners check as a standalone item

AI and emerging technology compliance addresses the governance controls around artificial intelligence, machine learning, and automated decisioning used in regulated processes such as lending, fraud detection, and customer onboarding. 

Examiners are increasingly focused on how organizations validate models, test for bias, document decision logic, and maintain human oversight of automated outputs. A defensible program includes model risk management documentation, ongoing performance monitoring, explainability standards, and clear accountability for model outputs integrated into your broader CMS.

UDAP and UDAAP compliance covers Unfair, Deceptive, or Abusive Acts or Practices under federal and state consumer protection laws. 

Examiners evaluate whether your marketing, disclosures, product terms, and customer communications are clear, accurate, and free from practices that could mislead or harm consumers. A defensible program includes documented marketing review processes, archived versions of all customer-facing materials, and evidence that claims are substantiated and terms are presented without deception.

SCRA compliance addresses the rights and protections afforded to active-duty servicemembers under the Servicemembers Civil Relief Act, including interest rate caps, foreclosure protections, and lease termination rights. 

Examiners expect documented procedures for identifying servicemember status, applying required protections, and training staff on their obligations. Failure to comply carries significant reputational and enforcement risk.

Community Reinvestment Act (CRA) compliance applies to depository institutions and evaluates whether your organization is meeting the credit needs of the communities you serve, including low- and moderate-income areas. 

Examiners review lending data, community development activities, and service delivery to assess CRA performance. A defensible program documents your assessment area, tracks qualifying activities, and maintains records that demonstrate consistent, good-faith effort.

OFAC compliance requires organizations to screen customers, transactions, and counterparties against the Office of Foreign Assets Control sanctions lists to prevent prohibited dealings with sanctioned individuals, entities, and countries. 

Examiners expect documented screening procedures, evidence of ongoing monitoring, escalation paths for potential matches, and records of how alerts are investigated and resolved.

Elder financial exploitation programs address the detection, reporting, and prevention of financial abuse targeting older adults. 

Examiners increasingly expect documented red flag indicators, staff training on recognizing signs of exploitation, clear reporting protocols to the appropriate authorities, and evidence that suspicious activity involving vulnerable customers triggers timely investigation and escalation.