Consumer Compliance Outlook: Third Issue 2022

Elements of a Strong Compliance Management System Under the FFIEC Compliance Rating System

by Kate Loftus, Examiner, Federal Reserve Bank of Minneapolis

Carl Jung, the noted psychiatrist, once said that the “shoe that fits one person pinches another; there is no recipe for living that suits all cases.” This insight applies to an institution’s compliance management system (CMS): All institutions, regardless of size, should maintain an effective CMS, the scale and details of which will vary with the size, complexity, and risk profile of their operations.1 This article discusses the components of an effective CMS, as outlined in the 2016 revised Uniform Interagency Consumer Compliance Rating System (CC Rating System), with a specific focus on examples of strong performance factors illustrative of institutions with a CMS rating of 1.

The CC Rating System

Background

The CC Rating System provides a general framework for assessing risks during the supervisory process and assigning an overall consumer compliance rating to regulated institutions. The system is organized under three broad categories: Board and Management Oversight, Compliance Program, and Violations of Law and Consumer Harm.

Regulators assign a consumer compliance rating after evaluating an institution’s performance under these three categories. The CC Rating System (Table 1) is based upon a scale of 1 through 5, with a 1 representing the highest rating and lowest level of supervisory concern and a 5 representing the lowest level of performance and highest degree of supervisory concern. The rating system recognizes proactive compliance programs as attributes tied to 1-rated institutions:

Strong compliance programs are proactive. They promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner. Accordingly, the CC Rating System provides incentives for such practices through the definitions associated with a 1 rating.2

Board and Management Oversight

Examiners consider four factors, commensurate with an institution’s size, complexity, and risk profile, when evaluating board and management oversight: oversight and commitment; change management; comprehension, identification, and management of risk; and corrective action and self-identification.

Oversight and Commitment

Boards of directors and management of 1-rated institutions demonstrate a strong commitment to and oversight of their CMS by implementing forward-looking strategic initiatives and actively participating in managing risk. As an example, an institution may actively participate in the compliance management program by directly involving executive management in compliance activities. Such activities place the importance of compliance at the top, effectively promoting a culture of compliance throughout the institution.

Additionally, 1-rated institutions dedicate substantial compliance resources to the compliance function, including systems and human capital. Staff at these institutions, for example, have extensive experience, expertise, and depth to manage risks. Finally, 1-rated institutions conduct comprehensive and ongoing due diligence of third parties to effectuate strong third-party oversight. While many institutions rely on third-party vendors to provide products, services, and systems, a 1-rated institution may extend board and management oversight beyond its own compliance risk management program to that of its third-party vendors to ensure they meet contractual obligations and comply with legal and regulatory requirements specific to consumer protection consistent with agency standards.

Change Management

Management at institutions with a strong CMS anticipates and responds promptly to changes in applicable laws and regulations, market conditions, and products and services offered. Management at 1-rated institutions may prepare for such changes by defining and providing examples of what constitutes a change, such as new and changed vendor relationships and regulatory updates. Management may also demonstrate strong management of change through proactive measures in advance of upcoming changes; for example, management may require the compliance department and impacted business lines to review and approve changes before they take effect to ensure compliance with applicable consumer protection laws and regulations.

Management at 1-rated institutions conducts due diligence in advance of product changes, considers the entire life cycle of a product or service, and conducts a post-implementation review to determine whether the actions taken have achieved the expected results. For example, as a part of its due diligence of a new product, management may develop and follow approval processes associated with implementing the new product and require a post-implementation review.3

Comprehending, Identifying, and Managing Risk

Management at 1-rated institutions has a solid comprehension of and effectively identifies compliance risks and actively engages in managing those risks. Management at these institutions completes comprehensive risk assessments at established frequencies. The risk identification and assessment processes generally become increasingly formal and extensive as an institution’s size, complexity, and risk profile increase; for example, an annual risk assessment may be appropriate for a small, noncomplex bank, while completing a risk assessment at a large, complex institution may be an ongoing, collaborative effort among senior management, the compliance department, and internal audit. Institutions with a strong CMS maintain comprehensive risk assessments that include, as examples, business lines and relevant rules and regulations, as well as a breakdown of associated inherent risk, risk controls, and residual risk.

Corrective Action and Self-Identification

Banks with a strong CMS proactively identify issues and promptly respond to compliance risk management deficiencies and violations. One-rated institutions may complete a root cause analysis of deficiencies and violations to ensure that remediation is timely, appropriate, and comprehensive. For example, an institution that completes a root cause analysis of a self-identified joint intent violation may find that its written policies and procedures do not include sufficient joint intent information to ensure that staff complies with relevant regulatory requirements. Here, the root cause analysis helps to inform appropriate and comprehensive remediation. A 1-rated institution may also contact its primary regulator to determine whether its remediation efforts are sufficient. The CC Rating System assigns a 1 rating to institutions that proactively identify issues and promptly respond to deficiencies and violations, including remediation.

Overall Compliance Program

Examiners consider four factors when evaluating an institution’s compliance program, commensurate with its size, complexity, and risk profile: policies and procedures; training; monitoring and/or audit; and consumer complaint response.

Policies and Procedures

One-rated institutions have compliance policies and procedures that are strong and comprehensive and that provide standards to effectively manage compliance risks. Policies and procedures should address all applicable regulatory requirements, be updated to remain current, and serve as a resource tool for staff.

One-rated institutions have third-party relationship management programs that are comprehensive and provide standards to effectively manage compliance risks. Institutions often rely on third parties for products and services, including but not limited to processing systems, marketing, and Internet banking. Institutions with a strong CMS maintain a third-party management program that may include written, formalized initial and ongoing due diligence requirements and contingency plans, as examples.

Training

Compliance training for 1-rated institutions is comprehensive, timely, and tailored to the responsibilities of the staff receiving it. One-rated institutions have training programs that include all applicable regulatory requirements, compliance risks, and risk mitigation methods.4 These training programs may have varied delivery methods, including but not limited to face-to-face training and computer-based training modules. Additionally, 1-rated institutions provide regular and timely training to staff, including at the outset of employment and upon changes in staff responsibilities and regulatory requirements.

Monitoring and/or Audit

One-rated institutions have strong compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems that are comprehensive, timely, and successful at identifying and measuring compliance risk. Monitoring and audit activities at 1-rated institutions are comprehensive, informed by the bank’s risk assessments, and generally include all of the bank’s products, services, and activities. Additionally, a 1-rated institution’s monitoring and audit activities are timely and aim to proactively identify violations and deficiencies, thereby limiting any potential consumer harm. Finally, monitoring and audit activities at 1-rated institutions are successful at identifying and measuring compliance risk; these activities occur at established frequencies and are clearly documented.

Consumer Complaint Response

Institutions with a strong CMS maintain processes and procedures for addressing consumer complaints, including completing prompt and thorough investigations and responses, and monitoring complaints to identify risks. For example, a 1-rated institution may have a complaint policy outlining an individual or department responsible for investigating and responding to complaints. Additionally, management may delegate responsibility for compiling and monitoring complaint information to the compliance officer or relevant department. Outlook previously published an article5 on this topic that institutions may find helpful when reviewing their complaint operations.

Violations of Law and Consumer Harm

Examiners consider four factors when evaluating violations and any resulting consumer harm: root cause, severity, duration, and pervasiveness.

Root Cause

The root cause assessment factor analyzes the degree to which weaknesses in the CMS gave rise to the violations. For a strong CMS, violations are generally the result of minor weaknesses, if any, in the compliance risk management system. Often, however, the root cause of a violation is tied to a weakness in one or more elements of the CMS. An example of this would be a violation related to a disclosure that lacks required information. The root cause of the violation may include a weakness in board and management oversight if the institution outsources the maintenance of the disclosure to a third-party vendor and management did not identify that the vendor did not comply with regulatory requirements. The root cause may also include a weakness in monitoring and audit if the group responsible for reviewing the disclosure did not identify that the disclosure lacked required information.

Severity

The severity assessment factor weighs the type of consumer harm, if any, that resulted from violations. More severe harm results in a higher level of supervisory concern under this factor. If violations are identified for a 1-rated institution, the violations are generally the result of minor weaknesses, if any, in the compliance risk management system.

Duration

The duration assessment factor considers the length of time over which violations occurred. Violations that persist over an extended period of time will raise greater supervisory concerns than violations that occur for only a brief period of time. If violations are identified for an institution with a strong CMS, the violations and resulting consumer harm, if any, generally occurred over a brief period of time. An example of this may occur within an institution that increased a deposit account fee in January 2022 but unintentionally neglected to update its disclosure to reflect the increase until March 2022; this violation and any resulting consumer harm occurred over a brief period of time and would not be likely to raise supervisory concern.

Pervasiveness

Finally, the pervasiveness assessment factor evaluates the extent of the violations and resulting consumer harm, if any. Violations that affect a large number of consumers raise greater supervisory concern than violations that impact a limited number of consumers. If violations are identified for a 1-rated institution, the violations and any resulting consumer harm are typically isolated in number.

It is important to note that institutions may receive a less-than-satisfactory rating based on deficiencies or weaknesses in the CMS even when no violations were identified. Similarly, institutions may receive a satisfactory (2) or strong (1) rating even when violations are present if the CMS is commensurate with the institution’s risk profile and complexity.

Conclusion

The CC Rating System provides a general framework for assessing risks during the supervisory process and assigning an overall consumer compliance rating to regulated institutions. The CC Rating System assigns higher ratings for CMSs that prevent, self-identify, and address compliance issues proactively, while recognizing that the appropriate CMS varies based on the size, complexity, and risk profile of each institution. Specific issues and questions about consumer compliance matters should be raised with your primary regulator.

TABLE 1: FFIEC Ratings Matrix

Assessment factors to be considered, with the descriptor for each rating on the scale of 1 (strongest) through 5 (weakest). Where a factor carries fewer than five descriptors, the ratings each descriptor applies to are indicated.

Board and Management Oversight

Board and management oversight factors should be evaluated commensurate with the institution’s size, complexity, and risk profile. The compliance expectations below extend to third-party relationships.

Oversight and Commitment

Rating 1: Board and management demonstrate strong commitment and oversight to the financial institution’s compliance management system. Substantial compliance resources are provided, including systems, capital, and human resources commensurate with the financial institution’s size, complexity, and risk profile. Staff is knowledgeable, empowered, and held accountable for compliance with consumer laws and regulations. Management conducts comprehensive and ongoing due diligence and oversight of third parties consistent with agency expectations to ensure that the financial institution complies with consumer protection laws and exercises strong oversight of third parties’ policies, procedures, internal controls, and training to ensure consistent oversight of compliance responsibilities.

Rating 2: Board and management provide satisfactory oversight of the financial institution’s compliance management system. Compliance resources are adequate, and staff is generally able to ensure the financial institution complies with consumer laws and regulations. Management conducts adequate and ongoing due diligence and oversight of third parties to ensure that the financial institution complies with consumer protection laws, and adequately oversees third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities.

Rating 3: Board and management oversight of the financial institution’s compliance management system is deficient. Compliance resources and staff are inadequate to ensure the financial institution complies with consumer laws and regulations. Management does not adequately conduct due diligence and oversight of third parties to ensure that the financial institution complies with consumer protection laws, nor does it adequately oversee third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities.

Rating 4: Board and management oversight, resources, and attention to the compliance management system are seriously deficient. Compliance resources and staff are seriously deficient and are ineffective at ensuring the financial institution’s compliance with consumer laws and regulations. Management oversight and due diligence over third-party performance, as well as management’s ability to adequately identify, measure, monitor, or manage compliance risks, is seriously deficient.

Rating 5: Board and management oversight, resources, and attention to the compliance management system are critically deficient. Compliance resources are critically deficient in supporting the financial institution’s compliance with consumer laws and regulations, and management and staff are unwilling or incapable of operating within the scope of consumer protection laws and regulations. Management oversight and due diligence of third-party performance is critically deficient.

Change Management

Rating 1: Management anticipates and responds promptly to changes in applicable laws and regulations, market conditions, and products and services offered by evaluating the change and implementing responses across impacted lines of business. Management conducts due diligence in advance of product changes, considers the entire life cycle of a product or service in implementing change, and reviews the change after implementation to determine that actions taken have achieved planned results.

Rating 2: Management responds timely and adequately to changes in applicable laws and regulations, market conditions, and products and services offered by evaluating the change and implementing responses across impacted lines of business. Management evaluates product changes before and after implementing the change.

Rating 3: Management does not respond adequately and/or timely in adjusting to changes in applicable laws and regulations, market conditions, and products and services offered.

Rating 4: Management’s response to changes in applicable laws and regulations, market conditions, or products and services offered is seriously deficient.

Rating 5: Management fails to monitor and respond to changes in applicable laws and regulations, market conditions, or products and services offered.

Comprehension, Identification, and Management of Risk

Rating 1: Management has a solid comprehension of and effectively identifies compliance risks, including emerging risks, in the financial institution’s products, services, and other activities. Management actively engages in managing those risks, including through comprehensive self-assessments.

Rating 2: Management comprehends and adequately identifies compliance risks, including emerging risks, in the financial institution’s products, services, and other activities. Management adequately manages those risks, including through self-assessments.

Rating 3: Management has an inadequate comprehension of and ability to identify compliance risks, including emerging risks, in the financial institution’s products, services, and other activities.

Rating 4: Management exhibits a seriously deficient comprehension of and ability to identify compliance risks, including emerging risks, in the financial institution.

Rating 5: Management does not comprehend or identify compliance risks, including emerging risks, in the financial institution.

Corrective Action and Self-Identification

Rating 1: Management proactively identifies issues and promptly responds to compliance risk management deficiencies and any violations of laws or regulations, including remediation.

Rating 2: Management adequately responds to and corrects deficiencies and/or violations, including adequate remediation, in the normal course of business.

Rating 3: Management does not adequately respond to compliance deficiencies and violations, including those related to remediation.

Rating 4: Management response to deficiencies, violations, and examination findings is seriously deficient.

Rating 5: Management is incapable, unwilling, and/or fails to respond to deficiencies, violations, or examination findings.

Compliance Program

These factors should be evaluated commensurate with the institution’s size, complexity, and risk profile. The compliance expectations below extend to third-party relationships.

Policies and Procedures

Rating 1: Compliance policies and procedures and third-party relationship management programs are strong, comprehensive, and provide standards to effectively manage compliance risk in the products, services, and activities of the financial institution.

Rating 2: Compliance policies and procedures and third-party relationship management programs are adequate to manage the compliance risk in the products, services, and activities of the financial institution.

Rating 3: Compliance policies and procedures and third-party relationship management programs are inadequate at managing the compliance risk in the products, services, and activities of the financial institution.

Rating 4: Compliance policies and procedures and third-party relationship management programs are seriously deficient at managing compliance risk in the products, services, and activities of the financial institution.

Rating 5: Compliance policies and procedures and third-party relationship management programs are critically absent.

Training

Rating 1: Compliance training is comprehensive, timely, and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing, and customer service. The compliance training program is updated proactively in advance of the introduction of new products or new consumer protection laws and regulations to ensure that all staff are aware of compliance responsibilities before they are rolled out.

Rating 2: Compliance training outlining staff responsibilities is adequate and provided timely to appropriate staff. The compliance training program is updated to encompass new products and to comply with changes to consumer protection laws and regulations.

Rating 3: Compliance training is not adequately comprehensive, timely, updated, or appropriately tailored to the particular responsibilities of the staff.

Rating 4: Compliance training is seriously deficient in its comprehensiveness, timeliness, or relevance to staff with compliance responsibilities, or has numerous major inaccuracies.

Rating 5: Compliance training is critically absent.

Monitoring and/or Audit

Rating 1: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are comprehensive, timely, and successful at identifying and measuring material compliance risk management throughout the financial institution. Programs are monitored proactively to identify procedural or training weaknesses to preclude regulatory violations. Program modifications are made expeditiously to minimize compliance risk.

Rating 2: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems adequately address compliance risks throughout the financial institution.

Rating 3: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems do not adequately address risks involving products, services, or other activities, including timing and scope.

Rating 4: Compliance monitoring practices, management information systems, reporting, compliance audit, and internal controls are seriously deficient in addressing risks involving products, services, or other activities.

Rating 5: Compliance monitoring practices, management information systems, reporting, compliance audit, or internal controls are critically absent.

Consumer Complaint Response

Rating 1: Processes and procedures for addressing consumer complaints are strong. Consumer complaint investigations and responses are prompt and thorough. Management monitors consumer complaints to identify risks of potential consumer harm, program deficiencies, and customer service issues and takes appropriate action.

Rating 2: Processes and procedures for addressing consumer complaints are adequate. Consumer complaint investigations and responses are generally prompt and thorough. Management adequately monitors consumer complaints and responds to issues identified.

Rating 3: Processes and procedures for addressing consumer complaints are inadequate. Consumer complaint investigations and responses are not thorough or timely. Management does not adequately monitor consumer complaints.

Rating 4: Processes and procedures for addressing consumer complaints and consumer complaint investigations are seriously deficient. Management monitoring of consumer complaints is seriously deficient.

Rating 5: Processes and procedures for addressing consumer complaints are critically absent. Meaningful investigations and responses are absent. Management exhibits a disregard for complaints or preventing consumer harm.

Violations of Law and Consumer Harm

Root Cause

Rating 1: The violations are the result of minor weaknesses, if any, in the compliance risk management system.

Rating 2: The violations are the result of modest weaknesses in the compliance risk management system.

Rating 3: The violations are the result of material weaknesses in the compliance risk management system.

Rating 4: The violations are the result of serious deficiencies in the compliance risk management system.

Rating 5: The violations are the result of critical deficiencies in the compliance risk management system.

Severity

Rating 1: The type of consumer harm, if any, resulting from the violations would have a minimal impact on consumers.

Rating 2: The type of consumer harm resulting from the violations would have a limited impact on consumers.

Rating 3: The type of consumer harm resulting from the violations would have a considerable impact on consumers.

Ratings 4 and 5: The type of consumer harm resulting from the violations would have a serious impact on consumers.

Duration

Rating 1: The violations and resulting consumer harm, if any, occurred over a brief period of time.

Rating 2: The violations and resulting consumer harm, if any, occurred over a limited period of time.

Rating 3: The violations and resulting consumer harm, if any, occurred over an extended period of time.

Ratings 4 and 5: The violations and resulting consumer harm, if any, have been long-standing or repeated.

Pervasiveness

Rating 1: The violations and resulting consumer harm, if any, are isolated in number.

Rating 2: The violations and resulting consumer harm, if any, are limited in number.

Rating 3: The violations and resulting consumer harm, if any, are numerous.

Ratings 4 and 5: The violations and resulting consumer harm, if any, are widespread or in multiple products or services.


ENDNOTES

1 See 2016 Uniform Interagency Consumer Compliance Rating System, p. 2.

2 See 2016 Uniform Interagency Consumer Compliance Rating System, p. 23; see also Kathleen Benson, “The Benefits of a Proactive Compliance Program,” Consumer Compliance Outlook (Issue 3 2020).

3 For additional resources, see Allison Burns, “Promoting Effective Change Management,” Consumer Compliance Outlook (Second Issue 2019) and Mark Serlo, “Managing Risk Throughout the Product Life Cycle,” (Second Quarter 2015).

4 See Kathleen Benson, “Enhancing Your Compliance Training Program,” Consumer Compliance Outlook (First Issue 2019).

5 See Andrea Sovich, “Enhancing the Compliance Management Program with Complaint Data,” Consumer Compliance Outlook (Second Quarter 2012).