Consumer Compliance Outlook
Risk-Focused Consumer Compliance Supervision Program for Community Banks
On November 18, 2013, the Federal Reserve Board released its new consumer compliance risk-focused examination program for community banks to promote strong compliance risk management practices and consumer protection within state member banks with assets of $10 billion or less and their subsidiaries.1 The program took effect January 1, 2014. While the Federal Reserve has traditionally applied a risk-focused approach to consumer compliance examinations, the new program more explicitly links examination intensity and activities to an institution’s risk profile, including its consumer compliance culture and how effectively it identifies and manages compliance risk. The program balances the nature and breadth of supervision with the level of risk to consumers and institutions, to provide for the effective and efficient use of resources. The program also provides guidance and flexibility so examiners can customize the supervisory approach to each institution’s unique compliance risks.
This article provides an overview of the program framework and its components, and discusses what community banking institutions can expect in their examinations and how to incorporate the program into their own compliance management systems. See CA Letter 13-19, including the appendices, for complete details. Additionally, the March 6, 2014, Outlook Live webinar on the same topic is archived and available for reference.2 This issue of Outlook also contains a question and answer article based on questions received during the webinar.
RISK-FOCUSED SUPERVISION FRAMEWORK
The program provides a framework for examiners to evaluate an institution’s consumer compliance management program in the context of the risk associated with its business activities. The program is guided by the following supervisory principles:
- risk-focused — evaluates a financial institution’s compliance culture and processes for identifying, measuring, monitoring, and controlling risks and practices regarding the treatment of consumers, the potential for consumer harm, and compliance with consumer protection laws and regulations
- proactive and scalable — balances the nature and breadth of supervision with the level of risk to consumers and financial institutions
- efficient — incorporates procedures and processes to ensure good stewardship of examiner resources
- clear — provides guidance, policies, procedures, and examination findings clearly
- collaborative — engages other disciplines and supervisory agencies, as appropriate, to ensure a coordinated supervisory approach
The graphic below displays the supervisory framework and process.
UNDERSTANDING THE INSTITUTION
Critical to the risk-focused supervision process is an understanding of an institution’s operations and the environment in which it operates. This requires the development of an institutional profile that provides a concise portrait of an institution’s structure, including its consumer compliance management program, and activities that give rise to potential consumer harm and consumer compliance risk. A key outcome from developing the profile is establishing the institution’s tolerance for consumer compliance risk. This risk tolerance is reflected in the choices the institution makes regarding the scope and complexity of its business activities. Institutions that engage in riskier activities, such as higher-cost products or products targeted to vulnerable or less financially sophisticated consumers, demonstrate a higher tolerance for risk and must have stronger controls in place to manage those risks effectively.
Examiners will contact bank management in advance of the examination to ensure that they have up-to-date information regarding the institution and the market(s) in which it operates. Special attention will be paid to changes since the last examination, including changes in management personnel, organizational structure, or the institution’s strategic direction, including any new products, markets, or delivery channels the institution has introduced or entered or is considering introducing or entering.
THE RISK ASSESSMENT PROCESS
The risk assessment process is robust and thus enables examiners to draw reasonable and reliable conclusions about risk. This process requires an evaluation of material products and services, the level of associated inherent risk, the adequacy of risk controls, and the overall residual risk of those products.
When assessing a compliance program’s overall effectiveness, emphasis will be placed on identifying an institution’s material products and evaluating the level of inherent risk along with the effectiveness of controls. A determination about product materiality will consider the relative importance of a product compared with others offered by the institution. Nonetheless, a product with low volume relative to other products could still be material if its actual volume is substantial. In addition, a product with low volume could be considered material if it is new or has a particularly risky feature. Examination intensity and the level of examination activity should be commensurate with the residual consumer compliance risks associated with the institution’s material products. Of course, an institution is expected to maintain sufficient oversight to ensure compliance with all applicable consumer compliance laws and regulations, even in the case of material products that do not pose significant potential risk as well as in the case of products that are not found to be material.
Because of the potential for significant consumer harm and the impact on legal, financial, and reputational risks, fair lending and unfair and deceptive practices will always be addressed in the risk assessment process. Fair lending evaluation intensity for a particular product will generally be commensurate with the level of residual risk identified in the risk assessment process. However, in circumstances where inherent risk is high, examiners generally will test the risk controls before concluding that the risk is effectively mitigated.
Inherent risk is the risk of consumer harm or noncompliance with consumer protection laws and regulations posed by an institution’s products and services absent controls or other mitigating factors. It considers the likelihood and impact of noncompliance with consumer laws and regulations prior to considering any mitigating effects of risk management processes. Risk management and controls are evaluated in the context of their likely effectiveness in achieving compliance with laws and regulations. Residual risk is determined by balancing the overall level of inherent risk of an activity (either a product or service) with the overall strength of risk controls for that activity.
The new community bank supervision program groups inherent risk factors into three categories: institutional, legal and regulatory, and environmental. Each category includes a variety of subfactors that are considered when assessing the inherent risk of an institution’s products and services. Guidance for evaluating these factors, found in Appendix 2 of the program document, may be leveraged by an institution to enhance understanding of its own inherent risk.
Institutional risk factors originate from strategic and business decisions as well as products offered. The following factors tend to elevate the level of inherent consumer compliance risk:
- rate of growth
- complexity of products
- decentralized operations
- products targeted to vulnerable or less financially sophisticated consumers
- failure to serve certain consumer or geographic segments of the market
- introduction of substantively new products
- multiple delivery channels
- third-party involvement
Growth, in particular, can elevate inherent risk. Any substantive increase in asset size, change in business focus, or expanded market or geographic presence may increase compliance risk given the need to manage risk across a larger organization.
The risk related to legal and regulatory requirements is determined by the complexity of the requirements applicable to specific products and services, the level and likelihood of potential consumer harm or other penalties, and the extent to which requirements may have changed. The impact on inherent risk depends on the nature and type of the regulatory change and the significance of the change relative to an institution’s product offerings, processes, or procedures.
Environmental risk factors originate from business conditions, the demographic composition of assessment areas or broader market areas, and competition in the institution’s markets. The robustness of an institution’s strategic planning and change management practices must be commensurate with the degree or rapidity of change associated with competitive demands.
Risk Management Controls
The core elements of a sound consumer compliance management program include the traditional four pillars: board and senior management oversight; policies, procedures, and limits; risk monitoring and management information systems; and internal controls. The adequacy of an institution’s compliance management program and its expected level of sophistication and formality are evaluated in the context of the inherent risk associated with the institution’s complexity, business strategy, activities, and organizational structure. As such, a smaller institution will be evaluated differently than a larger, more complex institution. Expectations for risk controls may vary among products or business lines. The effectiveness of an institution’s product management — its ability to identify, measure, monitor, and manage the compliance risk inherent to a particular product — is assessed using the four pillars and directly impacts the examination scope and the associated work plan. Details on the types of factors examiners may consider in the context of the pillars can be found in Appendix 3 of the program document. This guidance may be used by an institution to evaluate and inform its own compliance management program.
In addition to the core elements of a sound consumer compliance management program, the new program places emphasis on vendor or service provider management. An institution can appropriately decide to outsource operational aspects of a product or service but cannot outsource the responsibility for complying with laws and regulations. Accordingly, examiners will assess whether the institution utilizes sound vendor management practices, including effective due diligence, clear compliance expectations and standards, evaluation of compliance risks associated with vendor products or services, and monitoring vendors’ adherence to contractual requirements.
Regardless of the size of the institution, management must maintain an effective process to manage change. Elements of an effective change management function include:
- repeatable processes
- engagement of appropriate management and staff
- consideration of the effects of the change over the entire life cycle of an affected product or service
- appropriate approval and monitoring processes
- up-to-date policies and procedures and staff training
- post-implementation review
An institution’s change management process will be considered as part of the overall evaluation of risk management.
Residual product risk considers the level of inherent risk of a product and the mitigating effect of risk controls. The residual risk for each material product is then aggregated to determine the institution’s overall residual risk. The risk assessment is relied upon to develop the scope of examination activities and to focus resources on areas of elevated residual risk and not on those areas where inherent risk is well controlled and residual risk is limited or low.
EXAMINATION PLAN AND SCOPING
The risk assessment facilitates the customization of the examination scope and work plan based on the residual risks of material products and services. The assessment of an institution’s ability to manage its material products and services drives the overall assessment of the compliance program as well as the depth of review associated with a range of activities available for examining each product and service. The scoping process provides an opportunity to customize examination activities so that they are consistent with the size, complexity, and risk profile of the financial institution. In this way, it is expected that a broad range of examination activities will be considered for products, services, and business lines targeted for additional review.
If there is a reasonable basis for relying on an institution’s controls and a product or service has low or limited residual risk, no additional work beyond that performed during the risk assessment process may be warranted. High residual risk, however, will likely necessitate additional activities, including transaction testing. The graphic on page 15 provides an example of the range of activities available based on the residual risk of products.
The new program incorporates an ongoing supervision element that will typically take place around the midpoint between supervisory events and will include a standard questionnaire, which can be found in Appendix 1 of the program document. This process will focus on the identification of key changes that may impact the institution’s consumer compliance risk profile, including changes to the institution’s products and elements of its consumer compliance management program. The up-to-date view of consumer compliance risks that this provides will facilitate more efficient risk assessment and examination planning processes.
The ongoing supervision process also promotes enhanced communication between institution management and examination staff regarding supervisory expectations, changes in regulatory requirements, and emerging risks. Finally, ongoing supervision helps to inform examiners for the next supervisory event.
With the new community bank risk-focused supervision program, institutions will likely notice improvements in the examination process. More communication will take place up front, which will likely result in an improved understanding of the institution and an examination that is much more targeted to material products and services with elevated residual risk. Ongoing supervision will improve communication throughout the supervisory cycle and allow for more efficient interaction between examiners and institutions. Overall, the flexibility of the new approach and increased pre-examination work is expected to shorten on-site examination time and reduce the regulatory burden on many community banks. Specific issues and questions should be raised with your local Federal Reserve Bank.