Implementing the New Uniform Interagency Consumer Compliance Rating System
In November 2016, the Federal Financial Institutions Examination Council (FFIEC) announced its updated Uniform Interagency Consumer Compliance Rating System (CC Rating System) in the Federal Register.1 The revisions reflect the regulatory, examination, technological, and market changes that have occurred since the release of the original rating system. The FFIEC member agencies (agencies) each implemented the updated rating system with consumer compliance examinations that began on or after March 31, 2017.
The CC Rating System is a supervisory policy used by the agencies’ examiners to evaluate financial institutions’ adherence to consumer compliance laws and regulations. The primary purpose of the CC Rating System is to ensure that financial institutions are evaluated in a comprehensive and consistent manner and that supervisory resources are appropriately focused on areas exhibiting the risk of consumer harm and on institutions that warrant elevated supervisory attention.
Financial institution management teams and compliance officers should be familiar with the factors that examiners will assess when assigning the consumer compliance rating at the conclusion of consumer compliance examinations. This article will highlight the foundational principles of the CC Rating System, discuss the framework on which the CC Rating System is based, and explain how examiners will apply the CC Rating System in evaluating a financial institution’s consumer compliance management system (CMS).
PRINCIPLES OF THE INTERAGENCY CC RATING SYSTEM
When the original consumer compliance rating system was developed in 1980, examinations were more focused on validating regulatory compliance and less focused on evaluating the effectiveness of a financial institution’s CMS. In the intervening years, supervisory practices have evolved, and the agencies now place greater emphasis on an institution’s strong CMS, which can effectively prevent violations of law and support consumer protection in the delivery of financial services. The revised CC Rating System better reflects current consumer compliance supervisory approaches and more fully aligns the rating system with the agencies’ risk-based, tailored examination processes.
The agencies developed the following principles to serve as a foundation for the CC Rating System:
Risk-based — Recognize and communicate clearly that a CMS can vary based on the size, complexity, and risk profile of the supervised institutions
Transparent — Provide clear distinctions between rating categories to support consistent application by the agencies across supervised institutions; reflect the scope of the review that formed the basis of the overall rating
Actionable — Identify areas of strength and direct appropriate attention to specific areas of weakness, reflecting a risk-based supervisory approach; convey examiners’ assessment of the effectiveness of an institution’s CMS, including its ability to prevent consumer harm and to ensure compliance with consumer protection laws and regulations
Incentives for Compliance — Provide incentives for the institution to establish an effective consumer compliance system across the institution and to identify and address issues promptly, including self-identification and correction of consumer compliance weaknesses; reflect the potential impact of any consumer harm identified in examination findings
It is important to note that the revisions to the CC Rating System were not developed to set new or higher supervisory expectations for financial institutions. Instead, the revised system provides a consumer compliance rating that more fully complements the agencies’ risk-focused examination approach. Its adoption has no additional regulatory burden.
FRAMEWORK OF THE CC RATING SYSTEM
The CC Rating System establishes a framework of compliance factors that examiners use during consumer compliance examinations to assess a financial institution’s performance. Based upon the examiners’ comprehensive evaluation of the institution’s performance under those assessment factors, the examiners assign an overall consumer compliance rating to the financial institution. The CC Rating System is not based upon a numeric average or any other quantitative calculation. Specific component ratings will not be assigned to the underlying assessment factors.
The 12 CC Rating System assessment factors are organized within the following three categories:
Board and Management Oversight
- Oversight and Commitment
- Change Management
- Comprehension, Identification and Management of Risk
- Corrective Action and Self-Identification
Compliance Program
- Policies and Procedures
- Training
- Monitoring and/or Audit
- Consumer Complaint Response
Violations of Law and Consumer Harm
- Root Cause
- Severity
- Duration
- Pervasiveness
The first two categories of assessment factors — Board and Management Oversight and Compliance Program — encompass an institution’s CMS. Examiners will evaluate the institution’s performance under these categories based upon the institution’s size, complexity, and risk profile. This tailored evaluation acknowledges that the roles and responsibilities of boards and management teams and the sophistication of compliance programs can vary significantly between financial institutions and yet still be effective at ensuring compliance with regulatory requirements and preventing consumer harm. All institutions, regardless of size, should maintain an effective CMS.
Compliance expectations within the first two categories of assessment factors also extend to third-party relationships in which the financial institution is engaged. In addition to traditional core bank processing and information technology services, financial institutions outsource operational activities such as audit, sales and marketing, loan review, appraisal management, asset and wealth management, and loan servicing. Effectively managed third-party relationships can help institutions maintain a strong CMS. However, the CC Rating System acknowledges that, if a financial institution outsources the operational aspects of a product or service, the institution cannot abdicate the responsibility for complying with the law or managing the risks associated with those third-party relationships.
The third category — Violations of Law and Consumer Harm — encompasses assessment factors that measure the dimensions of identified violations of consumer protection laws and regulations and any resultant consumer harm. Similar to the current rating system, the assigned consumer compliance rating will be a number ranging from 1 to 5, in increasing order of supervisory concern. As described within the CC Rating System:
- The highest rating of 1 is assigned to a financial institution that maintains a strong CMS and takes action to prevent violations of law and consumer harm.
- A rating of 2 is assigned to a financial institution that maintains a CMS that is satisfactory at managing consumer compliance risk in the institution’s products and services and at substantially limiting violations of law and consumer harm.
- A rating of 3 reflects a CMS deficient at managing consumer compliance risk in the institution’s products and services and at limiting violations of law and consumer harm.
- A rating of 4 reflects a CMS seriously deficient at managing consumer compliance risk in the institution’s products and services and/or at preventing violations of law and consumer harm. “Seriously deficient” indicates fundamental and persistent weaknesses in crucial CMS elements and severe inadequacies in core compliance areas necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.
- A rating of 5 reflects a CMS critically deficient at managing consumer compliance risk in the institution’s products and services and/or at preventing violations of law and consumer harm. “Critically deficient” indicates an absence of crucial CMS elements and a demonstrated lack of willingness or capability to take the appropriate steps necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.
PERFORMANCE WITH THE CC RATING SYSTEM
The CC Rating System includes guidance for assigning ratings based upon the effectiveness of the CMS in managing consumer compliance risk and guidance for determining how any identified violations of law or consumer harm will influence an institution’s assigned rating. This guidance provides examiners with direction on how to use the rating definitions when assigning a consumer compliance rating to an institution.
Consistent with its fourth principle, the CC Rating System incorporates incentives through the definitions associated with a 1 rating to recognize financial institutions that adopt proactive strategies to promote consumer protection. Performance assessed at a 1-rating level is characterized by management and compliance programs that anticipate, actively identify, and prevent violations of law or facilitate early detection of potential violations. These proactive approaches can limit the size and scope of consumer harm and demonstrate the institution’s commitment to responsibly address underlying risks.
Along with conveying a consumer compliance rating, examiners will highlight their conclusions regarding the institution’s performance under the CC Rating System’s assessment factors. Examiners will discuss any assessment factors relevant to the consumer compliance rating either through observed weaknesses or strengths, based upon the size, complexity, or individual risk profile of the institution. To illustrate this point, at an institution that has introduced a new third-party lending product or relationship, examiners may apply more weight to performance under the Change Management and Comprehension, Identification, and Management of Risk assessment factors than they would at an institution that continues to offer the same loan products since the last examination. This weighting is used because effective change management practices and management of risk are more critical to the institution’s success when a new third-party relationship or product has been introduced than if no changes have taken place.
In applying the CC Rating System, examiners also will consider that, while the expectations for compliance with consumer protection laws and regulations are the same across institutions of varying sizes, the means to achieve an effective CMS may differ across institutions. Examiners also will evaluate the various control environments within which the institution’s products, services, and activities are managed. Examiners may identify weaknesses isolated to individual products or lines of business. In arriving at a consumer compliance rating, examiners will apply greater weight to assessments related to material products, services, or activities with significant potential consumer compliance risk.
ASSIGNMENT OF THE CONSUMER COMPLIANCE RATING
Examiners will assign a consumer compliance rating after weighing the institution’s performance under the CC Rating System assessment factors. An institution need not achieve a satisfactory assessment in all of the factors to be assigned an overall satisfactory rating. Conversely, an institution may be assigned a less-than-satisfactory rating even if some of its individual assessments are satisfactory.
Further, an institution may be assigned a less-than-satisfactory rating primarily based upon deficiencies or weaknesses in its CMS. Since a deficient CMS can lead to future violations and consumer harm, these weaknesses can impact the consumer compliance rating, even if no violations are identified. Conversely, the presence of violations does not guarantee that an institution will be assigned a less-than satisfactory rating. For example, when violations involve limited impact on consumers, are self-identified, and are resolved promptly, the evaluation may result in a 1 or 2 rating.
CONCLUSION
Financial institution managers and compliance officers can anticipate discussing the new CC Rating System with the examiner-in-charge during their next consumer compliance examination. The consumer compliance rating assigned at the conclusion of that examination will represent a comprehensive evaluation of the institution’s entire CMS and any violations and resultant consumer harm. If questions arise before the next scheduled consumer compliance examination, state member banks are welcome to contact their Reserve Bank consumer compliance team. Other institutions may contact their primary regulator.
