[Federal Register Volume 81, Number 85 (Tuesday, May 3, 2016)]
[Notices]
[Pages 26553-26563]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-10289]
-----------------------------------------------------------------------
FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL
[Docket No. FFIEC-2016-0001]
Uniform Interagency Consumer Compliance Rating System
AGENCY: Federal Financial Institutions Examination Council (FFIEC).
ACTION: Notice and request for comment.
-----------------------------------------------------------------------
SUMMARY: Pursuant to 12 U.S.C. 3301, the Federal Financial Institutions
Examination Council (FFIEC), established in 1979, is a formal
interagency body empowered to prescribe principles and standards for
the federal examination of financial institutions and to make
recommendations to promote consistency and coordination in the
supervision of institutions.
The six members of the FFIEC represent the Board of Governors of
the Federal Reserve System (FRB), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA),
the Office of the Comptroller of the Currency (OCC), the State Liaison
Committee (SLC), and the Consumer Financial Protection Bureau (CFPB)
(Agencies).
The FFIEC promotes compliance with federal consumer protection laws
and regulations through each agency's supervisory and outreach
programs. Through compliance supervision, the FFIEC Agencies determine
whether an institution is meeting its responsibility to comply with
applicable requirements.
The FFIEC requests comment on a proposal to revise the Uniform
Interagency Consumer Compliance Rating System, more commonly known as
the ``CC Rating System,'' to reflect the regulatory, examination
(supervisory), technological, and market changes that have occurred in
the years since the current rating system was established. The FFIEC is
proposing to revise the existing CC Rating System to better reflect
current consumer compliance supervisory approaches. The revisions are
designed to more fully align the rating system with the FFIEC Agencies'
current risk-based, tailored examination
approaches. The proposed revisions to the CC Rating System were not
developed to set new or higher supervisory expectations for financial
institutions and their adoption will represent no additional regulatory
burden.
The proposed revisions emphasize the importance of institutions'
compliance management systems (CMS), in particular, risk control
processes designed to manage consumer compliance risk which are needed
to support compliance and prevent consumer harm. The CC Rating System
has provided a general framework for evaluating compliance factors in
order to assign a consumer compliance rating to each federally
regulated financial institution.\1\
---------------------------------------------------------------------------
\1\ NCUA integrates the principles and standards of the current
CC Rating System into the existing CAMEL rating structure, in place
of a separate rating. When finalized, the revised CC Rating System
will be incorporated into NCUA's risk-focused examination program.
Using the principles and standards contained in the revised CC
Rating System, NCUA examiners will assess a credit union's ability
to effectively manage its compliance risk and reflect that ability
in the Management component rating and the overall CAMEL rating used
by NCUA.
---------------------------------------------------------------------------
DATES: Comments must be received on or before July 5, 2016.
ADDRESSES: Because paper mail received by the FFIEC is subject to delay
due to heightened security precautions in the Washington, DC area, you
are encouraged to submit comments by the Federal eRulemaking Portal, if
possible. Please use the title ``Consumer Compliance Rating System'' to
facilitate the organization and distribution of the comments. You may
submit comments by any of the following methods:
Federal eRulemaking Portal (Regulations.gov): Go to http://www.regulations.gov. Under the ``More Search Options'' tab, click next
to the ``Advanced Docket Search'' option where indicated, select
``FFIEC'' from the agency drop-down menu, then click ``Submit.'' In the
``Docket ID'' column, select ``Docket Number FFIEC-2016-0001'' to
submit or view public comments and to view supporting and related
materials for this notice of proposed rulemaking. The ``How to Use This
Site'' link on the Regulations.gov home page provides information on
using Regulations.gov, including instructions for submitting or viewing
public comments, viewing other supporting and related materials, and
viewing the docket after the close of the comment period.
Mail: Judith Dupre, Executive Secretary, Federal Financial
Institutions Examination Council, L. William Seidman Center, Mailstop:
7081a, 3501 Fairfax Drive, Arlington, VA 22226-3550.
Hand delivery/courier: Judith Dupre, Executive Secretary, Federal
Financial Institutions Examination Council, L. William Seidman Center,
Mailstop: B-7081a, 3501 Fairfax Drive, Arlington, VA 22226-3550.
Instructions: You must include ``FFIEC'' as the agency name and
``Docket Number FFIEC-2016-0001'' in your comment. In general, the
FFIEC will enter all comments received into the docket and publish them
on the Regulations.gov Web site without change, including any business
or personal information that you provide such as name and address
information, email addresses, or phone numbers. Comments received,
including attachments and other supporting materials, are part of the
public record and subject to public disclosure. Do not enclose any
information in your comment or supporting materials that you consider
confidential or inappropriate for public disclosure.
Docket: You may also view or request available background documents
and project summaries using the methods described above.
FOR FURTHER INFORMATION CONTACT: OCC: Ronald A. Dice, Compliance
Specialist, Office of the Comptroller of the Currency, 400 7th Street
SW., Washington, DC 20219, (202) 649-5470; or Kimberly Hebb, Director
of Compliance Policy, (202) 649-5470.
Board: Lanette Meister, Senior Supervisory Consumer Financial
Services Analyst, Board of Governors of the Federal Reserve System,
20th and C Streets NW., Washington, DC 20551, (202) 452-2705.
FDIC: Ardie Hollifield, Senior Policy Analyst, Federal Deposit
Insurance Corporation, 550 17th Street NW., Washington, DC 20429-0002,
(202) 898-6638; John Jackwood, Senior Policy Analyst, (202) 898-3991;
or Faye Murphy, Chief, Consumer Compliance and UDAP Examination
Section, (202) 898-6613.
NCUA: Jamie Goodson, Director, Division of Consumer Compliance
Policy and Outreach, Office of Consumer Protection, National Credit
Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428, (703)
518-1140.
CFPB: Kathleen Conley, Senior Consumer Financial Protection
Analyst, Consumer Financial Protection Bureau, 1700 G Street NW.,
Washington, DC 20552, (202) 435-7459.
SLC: Matthew Lambert, Policy Counsel, Conference of State Bank
Supervisors, 1129 20th Street NW., 9th Floor, Washington, DC 20036,
(202) 407-7130.
SUPPLEMENTARY INFORMATION:
Background
The current CC Rating System, adopted in 1980, is a supervisory
policy for evaluating financial institutions' \2\ adherence to consumer
compliance requirements. The CC Rating System provides a framework for
evaluating institutions based on assessment factors to assign a
consumer compliance rating to each institution.
---------------------------------------------------------------------------
\2\ The term financial institutions is defined in 12 U.S.C.
3302(3).
---------------------------------------------------------------------------
The CC Rating System is based upon a scale of 1 through 5, in
increasing order of supervisory concern. Thus, 1 represents the highest
rating and consequently the lowest level of supervisory concern, while
5 represents the lowest rating and consequently the most critically
deficient level of performance and the highest degree of supervisory
concern. When using the CC Rating System to assess an institution, the
Agencies do not consider an institution's record of lending performance
under the Community Reinvestment Act (CRA) because institutions are
evaluated separately for CRA.
Factors Supporting a Revised CC Rating System
The FFIEC is proposing revisions to the existing CC Rating System,
recognizing that there have been legislative, regulatory, supervisory,
technological, and market changes since the adoption of the current CC
Rating System. Since 1980, the regulatory landscape has evolved
considerably. Over the past 30 years, changes include:
The consolidation of financial institutions and resultant
changed risk profiles of entities prompted by factors such as legal
changes that allowed interstate banking;
New and revised regulatory requirements;
Major transformations in technology, business models, and
consumers' banking habits which have resulted in a broader set of risks
to consumers; and
The Dodd-Frank Wall Street Reform and Consumer Protection
Act (Dodd-Frank Act),\3\ which substantially altered the regulatory
landscape by creating the CFPB and reshaping the responsibilities of
the prudential regulators.\4\ As a result, large institutions over a
certain
asset threshold now have more than one FFIEC consumer compliance
supervisor.
---------------------------------------------------------------------------
\3\ 12 U.S.C. 5481 et seq.
\4\ The prudential regulators are the FRB, FDIC, NCUA, and OCC.
---------------------------------------------------------------------------
Purpose of the Revisions
The Agencies are proposing to revise the current CC Rating System
to better reflect current consumer compliance supervisory approaches.
The revisions are designed to more fully align the rating system with
the Agencies' current risk-based, tailored examination approaches. The
proposed revisions to the CC Rating System were not developed to set
new or higher supervisory expectations for financial institutions and
their adoption will represent no additional regulatory burden.
When the current CC Rating System was adopted in 1980, examinations
focused more on transaction testing for regulatory compliance rather
than evaluating the sufficiency of an institution's CMS to ensure
compliance with regulatory requirements and to prevent consumer harm.
In the intervening years, each of the FFIEC Agencies has adopted a
risk-based consumer compliance examination approach to promote strong
compliance risk management practices and consumer protection within
supervised financial institutions. Risk-based consumer compliance
supervision evaluates whether an institution's CMS effectively manages
the compliance risk in the products and services offered to its
customers. Under risk-based supervision, examiners tailor supervisory
activities to the size, complexity, and risk profile of each
institution and adjust these activities over time. While compliance
management programs vary based on the size, complexity, and risk
profile of supervised institutions, all institutions should maintain an
effective CMS. The sophistication and formality of the CMS typically
will increase commensurate with the size, complexity, and risk profile
of the entity.
As the Agencies drafted the proposed rating system definitions, one
objective was to develop a rating system appropriate for evaluating
institutions of all sizes. Therefore, the first principle discussed
within the CC Rating System conveys that the system is risk-based to
recognize and communicate clearly that compliance management programs
vary based on the size, complexity, and risk profile of supervised
institutions. This principle is reinforced in the Consumer Compliance
Rating Definitions by conveying to examiners that assessment factors
associated with an institution's CMS should be evaluated commensurate
with the institution's size, complexity, and risk profile.
In developing the revised CC Rating System, the Agencies believe it
is also important for the new rating system to establish incentives for
institutions to promote consumer protection by preventing, self-
identifying, and addressing compliance issues in a proactive manner.
The proposed rating system would also create a framework for the
Agencies to recognize institutions that consistently adopt these
compliance strategies.
Another benefit of the proposed CC Rating System is to promote
coordination, communication, and consistency among the Agencies,
consistent with the Agencies' respective supervisory authorities.
Pursuant to the proposal, each of the Agencies would use the same CC
Rating System to assign a consumer compliance rating to all supervised
institutions, including banks and non-banks. Further, revising the
rating system definitions responds to requests from industry
representatives who have asked that the CC Rating System be updated.
Proposed Consumer Compliance Rating System
The primary purpose of the proposed CC Rating System is to ensure
that all institutions are evaluated in a comprehensive and consistent
manner, and that supervisory resources are appropriately focused on
areas exhibiting risk of consumer harm and on institutions that warrant
elevated supervisory attention. The Agencies are recommending retention
of the current CC Rating System's five-scale framework for the proposed
System while also recommending revisions to the current CC Rating
System to enhance its effectiveness.
The proposed CC Rating System is based upon a numeric scale of 1
through 5 in increasing order of supervisory concern. Thus, 1
represents the highest rating and consequently the lowest degree of
supervisory concern, while 5 represents the lowest rating and the most
critically deficient level of performance, and therefore, the highest
degree of supervisory concern. Ratings of 1 or 2 represent satisfactory
or better performance. Ratings of 3, 4, or 5 indicate performance that
is less than satisfactory.
The proposed CC Rating System reflects risk-based expectations
commensurate with the size, complexity and risk profile of institutions
and incents institutions to prevent, self-identify, and address
compliance issues.
Pursuant to the proposed System, each institution would be assigned
a consumer compliance rating based primarily on the adequacy of its
CMS, which is designed to ensure compliance on a continuing basis.
The proposed CC Rating System is composed of guidance and
definitions. The guidance would provide examiners with direction on how
to use the definitions when assigning a consumer compliance rating to
an institution. The definitions consist of qualitative descriptions for
each rating category and factors regarding violations of laws and
consumer harm.
The proposed System is based on a set of key principles. The
Agencies agreed that the proposed ratings should be: (1) Risk-based;
(2) Transparent; (3) Actionable; and (4) an Incentive for Compliance.
Each principle is discussed in detail in the guidance.
The Agencies are proposing a CC Rating System that includes three
categories of assessment factors:
Board and Management Oversight
Compliance Program
Violations of Law and Consumer Harm
When assigning a rating under the proposed CC Rating System,
examiners would consider each of the assessment factors in each
category. Further, the categories would allow examiners to distinguish
between varying levels of supervisory concern when rating institutions
for compliance with federal consumer protection laws. The consumer
compliance rating reflects a comprehensive evaluation of the
institution's performance under the CC Rating System by considering the
categories and assessment factors in the context of the size,
complexity, and risk profile of an institution. It is not based on a
numeric average or any other quantitative calculation. Specific numeric
ratings will not be assigned to any of the twelve assessment factors.
Thus, an institution need not achieve a satisfactory rating in all
categories in order to be assigned an overall satisfactory rating.
Conversely, an institution may be assigned a less than satisfactory
rating even if some of its assessments were rated as satisfactory.
All institutions, regardless of size, should maintain an effective
CMS. The sophistication and formality of the CMS typically will
increase commensurate with the size, complexity, and risk profile of
the entity. The articulation of CMS assessment factors is not intended
to create new expectations for lower risk institutions.
Board and Management Oversight
The first category of the proposed CC Rating System would be used
to analyze an institution's CMS and the role of its board and
management officials. The four assessment factors would be:
Oversight and Commitment
Change Management
Comprehension, Identification and Management of Risk
Corrective Action and Self-Identification
The Agencies believe the above factors would provide examiners with
an effective and consistent framework for evaluating whether or not
board and management are engaged to a satisfactory degree at a
particular institution. All institutions, regardless of size, should
maintain an effective CMS. However, each institution should be
evaluated based on its size, complexity and risk profile.
Compliance Program
The second category of the proposed CC Rating System would be used
to analyze other elements of an effective CMS. The assessment factors
for Compliance Program are:
Policies and Procedures
Training
Monitoring and/or Audit
Consumer Complaint Response
The Agencies believe these factors, along with Board and Management
Oversight, would provide an effective and consistent framework to
evaluate an institution's CMS. Each of these assessment factors would
be considered in evaluating risk and assigning a consumer compliance
rating. As explained above, each institution would be evaluated based
on its size, complexity and risk profile.
Violations of Law and Consumer Harm
The third category of the proposed CC Rating System is Violations
of Law and Consumer Harm. This category would provide examiners with a
framework for considering the broad range of violations of consumer
protection laws and evidence of consumer harm.
The current CC Rating System was adopted in 1980. Since that time,
the industry has become more complex, and the broad array of risks in
the market that can cause consumer harm has become increasingly clear.
Violations of various laws, including, for example, the Servicemembers
Civil Relief Act \5\ and Section 5 of the Federal Trade Commission
Act,\6\ as well as fair lending violations, may potentially cause
significant consumer harm and raise serious supervisory concerns.
Recognizing this broad array of risks, the proposed guidance directs
examiners to consider all violations of consumer laws, based on the
root cause, severity, duration, and pervasiveness of the violation.
This approach emphasizes the importance of a range of consumer
protection laws and is intended to reflect the broader array of risks
and the potential harm caused by consumer protection related
violations.
---------------------------------------------------------------------------
\5\ 50 U.S.C. App. 501-697b.
\6\ 15 U.S.C. 45 et seq.
---------------------------------------------------------------------------
Specifically, in conjunction with assessing an institution's CMS
based on the first two categories, examiners will evaluate the consumer
protection violations and related consumer harm based on the four
assessment factors below:
Root cause, or causes, of any violations of law identified
Severity of any consumer harm resulting from violations
Duration of time over which the violations occurred
Pervasiveness of violations
Consumer harm may occur as a result of a violation of law. While
many instances of consumer harm can be quantified as a dollar amount
associated with financial loss, such as charging higher fees for a
product than was initially disclosed, consumer harm may also result
from a denial of an opportunity. For example, a consumer could be
harmed when an institution denies the consumer credit or discourages an
application in violation of the Equal Credit Opportunity Act,\7\
whether or not financial harm occurred.
---------------------------------------------------------------------------
\7\ 15 U.S.C. 1691 et seq.
---------------------------------------------------------------------------
Assignment of Ratings by Supervisor(s)
The prudential regulators will continue to assign and update, as
appropriate, consumer compliance ratings for institutions they
supervise, including those with total assets of more than $10
billion.\8\ As a member of the FFIEC, the CFPB will also use the CC
Rating System to assign a consumer compliance rating, as appropriate,
for institutions with total assets of more than $10 billion, as well as
to nonbanks for which it has jurisdiction regarding the enforcement of
Federal consumer financial laws as defined under the Dodd-Frank Act.\9\
When assigning a consumer compliance rating, as well as in other
supervisory situations as appropriate, the prudential regulators will
take into consideration any material supervisory information provided
by the CFPB, as that information relates to covered supervisory
activities or covered examinations.\10\ Similarly, the CFPB will take
into consideration any material supervisory information provided by
prudential regulators in appropriate supervisory situations, including
when assigning consumer compliance ratings.
---------------------------------------------------------------------------
\8\ Section 1025 of the Dodd-Frank Act (12 U.S.C. 5515) applies
to federally insured institutions with more than $10 billion in
total assets. This section granted the CFPB exclusive authority to
examine insured depository institutions and their affiliates for
compliance with Federal consumer financial laws. The prudential
regulators retained authority for examining insured depository
institutions with more than $10 billion in total assets for
compliance with certain other laws related to consumer financial
protection, including the Fair Housing Act, the Servicemembers Civil
Relief Act, and section 5 of the Federal Trade Commission Act.
\9\ 12 U.S.C. 5481 et seq. A financial institution with assets
over $10 billion may receive a consumer compliance rating by both
its primary prudential regulator and the CFPB. The rating is based
on each agency's review of the institution's CMS and compliance with
the federal consumer protection laws falling under each agency's
jurisdiction.
\10\ The prudential regulators and the CFPB signed a Memorandum
of Understanding on Supervisory Coordination dated May 16, 2012
(MOU) intended to facilitate the coordination of supervisory
activities involving financial institutions with more than $10
billion in assets as required under the Dodd-Frank Act.
---------------------------------------------------------------------------
State regulators maintain supervisory authority to conduct
examinations of state-chartered depository institutions and licensed
entities. As such, states may assign consumer compliance ratings to
evaluate compliance with both state and federal laws and regulations.
States will collaborate and consider material supervisory information
from other state and federal regulatory agencies during the course of
examinations.
Paperwork Reduction Act
In accordance with the Paperwork Reduction Act (44 U.S.C. 3501 et
seq.) (PRA), the Agencies may not conduct or sponsor, and a person is
not required to respond to, a collection of information unless it
displays a currently valid Office of Management and Budget (OMB)
control number. The proposed CC Rating System would not involve any new
collections of information pursuant to the PRA. Consequently, no
information will be submitted to the OMB for review.
FFIEC Guidance on Updating the Uniform Interagency Consumer Compliance
Rating System
Uniform Interagency Consumer Compliance Rating System
The Federal Financial Institutions Examination Council (FFIEC)
member agencies (Agencies) promote compliance with federal consumer
protection laws and regulations through supervisory and outreach
programs.\11\ The Agencies engage in consumer compliance supervision to
assess
whether a financial institution is meeting its responsibility to comply
with these requirements.
---------------------------------------------------------------------------
\11\ The FFIEC members are the Board of Governors of the Federal
Reserve System, the Federal Deposit Insurance Corporation, the
National Credit Union Administration, the Office of the Comptroller
of the Currency, the Consumer Financial Protection Bureau, and the
State Liaison Committee.
---------------------------------------------------------------------------
This Uniform Interagency Consumer Compliance Rating System (CC
Rating System) provides a general framework for assessing risks during
the supervisory process using certain compliance factors and assigning
an overall consumer compliance rating to each federally-regulated
financial institution.\12\ The primary purpose of the CC Rating System
is to ensure that regulated financial institutions are evaluated in a
comprehensive and consistent manner, and that supervisory resources are
appropriately focused on areas exhibiting risk of consumer harm and on
institutions that warrant elevated supervisory attention.
---------------------------------------------------------------------------
\12\ The Federal Financial Institutions Examination Council Act
of 1978 (12 U.S.C. 3302(3)) defines financial institution.
Additionally, as a member of the FFIEC, the CFPB will also use the
Rating System to assign a consumer compliance rating, as appropriate
for nonbanks, for which it has jurisdiction regarding the
enforcement of Federal consumer financial laws as defined under the
Dodd-Frank Act (12 U.S.C. 5481 et seq.).
---------------------------------------------------------------------------
The CC Rating System is composed of guidance and definitions. The
guidance provides examiners with direction on how to use the
definitions when assigning a consumer compliance rating to an
institution. The definitions consist of qualitative descriptions for
each rating category and include compliance management system (CMS)
elements reflecting risk control processes designed to manage consumer
compliance risk and considerations regarding violations of laws,
consumer harm, and the size, complexity, and risk profile of an
institution. The consumer compliance rating reflects the effectiveness
of an institution's CMS to ensure compliance with consumer protection
laws and regulations and reduce the risk of harm to consumers.
Principles of the Interagency CC Rating System
The Agencies developed the following principles to serve as a
foundation for the CC Rating System.
Risk-based. Recognize and communicate clearly that compliance
management programs vary based on the size, complexity, and risk
profile of supervised institutions.
Transparent. Provide clear distinctions between rating categories
to support consistent application by the Agencies across supervised
institutions. Reflect the scope of the review that formed the basis of
the overall rating.
Actionable. Identify areas of strength and direct appropriate
attention to specific areas of weakness, reflecting a risk-based
supervisory approach. Convey examiners' assessment of the effectiveness
of an institution's compliance risk management program, including its
ability to prevent consumer harm and ensure compliance with consumer
protection laws and regulations.
Incent Compliance. Incent the institution to establish an effective
consumer compliance program across the institution and to identify and
address issues promptly, including self-identification and correction
of consumer compliance weaknesses. Reflect the potential impact of any
consumer harm identified in examination findings.
Five-Level Rating Scale
The CC Rating System is based upon a numeric scale of 1 through 5
in increasing order of supervisory concern. Thus, 1 represents the
highest rating and consequently the lowest degree of supervisory
concern, while 5 represents the lowest rating and the most critically
deficient level of performance, and therefore, the highest degree of
supervisory concern.\13\ Ratings of 1 or 2 represent satisfactory or
better performance. Ratings of 3, 4, or 5 indicate performance that is
less than satisfactory. Consistent with the previously described
Principles, the rating system incents a financial institution to
establish an effective compliance management system across the
institution, to self-identify risks, and take the necessary actions to
reduce the risk of non-compliance and consumer harm.
---------------------------------------------------------------------------
\13\ The Agencies do not consider an institution's record of
performance under the Community Reinvestment Act (CRA) in
conjunction with assessing an institution under the CC Rating System
since institutions are evaluated separately under the CRA.
---------------------------------------------------------------------------
The highest rating of 1 is assigned to a financial
institution that maintains a strong CMS and takes action to prevent
violations of law and consumer harm.
A rating of 2 is assigned to a financial institution that
maintains a CMS that is satisfactory at managing consumer compliance
risk in the institution's products and services and at substantially
limiting violations of law and consumer harm.
A rating of 3 reflects a CMS deficient at managing
consumer compliance risk in the institution's products and services and
at limiting violations of law and consumer harm.
A rating of 4 reflects a CMS seriously deficient at
managing consumer compliance risk in the institution's products and
services and at preventing violations of law and consumer harm. A
rating of seriously deficient indicates fundamental and persistent
weaknesses in crucial CMS elements and severe inadequacies in core
compliance areas necessary to operate within the scope of statutory and
regulatory consumer protection requirements and to prevent consumer
harm.
A rating of 5 reflects a CMS critically deficient at
managing consumer compliance risk in the institution's products and
services and at preventing violations of law and consumer harm. A
rating of critically deficient indicates an absence of crucial CMS
elements and a demonstrated lack of willingness or capability to take
the appropriate steps necessary to operate within the scope of
statutory and regulatory consumer protection requirements and to
prevent consumer harm.
CC Rating System Categories and Assessment Factors
CC Rating System--Categories
The CC Rating System is organized under three broad categories:
1. Board and Management Oversight,
2. Compliance Program, and
3. Violations of Law and Consumer Harm.
The Consumer Compliance Rating Definitions below list the
assessment factors considered within each category, along with
narrative descriptions of performance.
The first two categories, Board and Management Oversight and
Compliance Program, are used to assess a financial institution's CMS.
As such, examiners should evaluate the assessment factors within these
two categories commensurate with the institution's size, complexity,
and risk profile. All institutions, regardless of size, should maintain
an effective CMS. The sophistication and formality of the CMS typically
will increase commensurate with the size, complexity, and risk profile
of the entity.
Additionally, compliance expectations contained within the
narrative descriptions of these two categories extend to third-party
relationships into which the financial institution has entered. There
can be certain benefits to financial institutions engaging in
relationships with third parties, including gaining operational
efficiencies or an ability to deliver additional products and services,
but such arrangements also may expose financial institutions to risks
if not managed effectively. The prudential agencies, the CFPB, and some
states
have issued guidance describing expectations regarding oversight of
third-party relationships. While an institution's management may make
the business decision to outsource some or all of the operational
aspects of a product or service, the institution cannot outsource the
responsibility for complying with laws and regulations or managing the
risks associated with third-party relationships.
As noted in the Consumer Compliance Rating Definitions, examiners
should evaluate activities conducted through third-party relationships
as though the activities were performed by the institution itself.
Examiners should review a financial institution's management of third-
party relationships and servicers as part of its overall compliance
program.
The third category, Violations of Law and Consumer Harm, includes
assessment factors that evaluate the dimensions of any identified
violation or consumer harm. Examiners should weigh each of these four
factors--root cause, severity, duration, and pervasiveness--in
evaluating relevant violations of law and any resulting consumer harm.
Board and Management Oversight--Assessment Factors
Under Board and Management Oversight, the examiner should assess
the financial institution's board of directors and senior management,
as appropriate for their respective roles and responsibilities, based
on the following assessment factors:
Oversight of and commitment to the institution's
compliance risk management program;
effectiveness of the institution's change management
processes, including responding timely and satisfactorily to any
variety of change, internal or external, to the institution;
comprehension, identification, and management of risks
arising from the institution's products, services, or activities; and
any corrective action undertaken as consumer compliance
issues are identified.
Compliance Program--Assessment Factors
Under Compliance Program, the examiner should assess other elements
of an effective CMS, based on the following assessment factors:
Whether the institution's policies and procedures are
appropriate to the risk in the products, services, and activities of
the institution;
the degree to which compliance training is current and
tailored to risk and staff responsibilities;
the sufficiency of the monitoring and, if applicable,
audit to encompass compliance risks throughout the institution; and
the responsiveness and effectiveness of the consumer
complaint resolution process.
Violations of Law and Consumer Harm--Assessment Factors
Under Violations of Law and Consumer Harm, the examiner should
analyze the following assessment factors:
The root cause, or causes, of any violations of law
identified during the examination;
the severity of any consumer harm resulting from
violations;
the duration of time over which the violations occurred;
and
the pervasiveness of the violations.
As a result of a violation of law, consumer harm may occur. While
many instances of consumer harm can be quantified as a dollar amount
associated with financial loss, such as charging higher fees for a
product than was initially disclosed, consumer harm may also result
from a denial of an opportunity. For example, a consumer could be
harmed when a financial institution denies the consumer credit or
discourages an application in violation of the Equal Credit Opportunity
Act,\14\ whether or not there is resulting financial harm.
---------------------------------------------------------------------------
\14\ 15 U.S.C. 1691 et seq.
---------------------------------------------------------------------------
This category of the Consumer Compliance Rating Definitions defines
four factors by which examiners can assess violations of law and
consumer harm.
Root Cause. Root cause analyzes the degree to which weaknesses in
the CMS gave rise to the violations. In many instances, the root cause
of a violation is tied to a weakness in one or more elements of the
CMS. Violations that result from critical deficiencies in the CMS
evidence a critical absence of management oversight and are of the
highest supervisory concern.
Severity. The severity dimension of the Consumer Compliance Rating
Definitions weighs the type of consumer harm, if any, that resulted
from violations of law. More severe harm results in a higher level of
supervisory concern under this factor. For example, some consumer
protection violations may cause significant financial harm to a
consumer, while other violations may cause negligible harm, based on
the specific facts involved.
Duration. Duration describes the length of time over which the
violations occurred. Violations that persist over an extended period of
time will raise greater supervisory concerns than violations that occur
for only a brief period of time. When violations are brought to the
attention of an institution's management and management allows those
violations to remain unaddressed, such violations are of the highest
supervisory concern.
Pervasiveness. Pervasiveness evaluates the extent of the
violation(s) and resulting consumer harm, if any. Violations that
affect a large number of consumers will raise greater supervisory
concern than violations that impact a limited number of consumers. If
violations become so pervasive that they are considered to be
widespread or present in multiple products or services, the
institution's performance under this factor is of the highest
supervisory concern.
Self-Identification of Violations of Law and Consumer Harm
Strong compliance programs are proactive. They promote consumer
protection by preventing, self-identifying, and addressing compliance
issues in a proactive manner. Accordingly, the CC Rating System
provides incentives for such practices through the definitions
associated with a 1 rating.
The Agencies believe that self-identification and prompt correction
of violations of law reflect strengths in an institution's CMS. A
robust CMS appropriate for the size, complexity and risk profile of an
institution's business often will prevent violations or will facilitate
early detection of potential violations. This early detection can limit
the size and scope of consumer harm. Moreover, prompt self-reporting of
serious violations represents concrete evidence of an institution's
commitment to responsibly address underlying risks. In addition,
appropriate corrective action, including both correction of
programmatic weaknesses and full redress for injured parties, limits
consumer harm and prevents violations from recurring in the future.
Thus, the CC Rating System recognizes institutions that consistently
adopt these strategies as reflected in the Consumer Compliance Rating
Definitions.
Evaluating Performance Using the CC Rating Definitions
The consumer compliance rating is derived through an evaluation of
the financial institution's performance under each of the assessment
factors
described above. The consumer compliance rating reflects the
effectiveness of an institution's CMS to identify and manage compliance
risk in the institution's products and services and to prevent
violations of law and consumer harm, as evidenced by the financial
institution's performance under each of the assessment factors.
The consumer compliance rating reflects a comprehensive evaluation
of the financial institution's performance under the CC Rating System
by considering the categories and assessment factors in the context of
the size, complexity, and risk profile of an institution. It is not
based on a numeric average or any other quantitative calculation.
Specific numeric ratings will not be assigned to any of the twelve
assessment factors. Thus, an institution need not achieve a
satisfactory assessment in all categories in order to be assigned an
overall satisfactory rating. Conversely, an institution may be assigned
a less than satisfactory rating even if some of its assessments were
satisfactory.
The relative importance of each category or assessment factor may
differ based on the size, complexity, and risk profile of an individual
institution. Accordingly, one or more category or assessment factor may
be more or less relevant at one financial institution as compared to
another institution. While the expectations for compliance with
consumer protection laws and regulations are the same across
institutions of varying sizes, the methods for accomplishing an
effective CMS may differ across institutions.
The evaluation of an institution's performance within the
Violations of Law and Consumer Harm category of the CC Rating
Definitions considers each of the four assessment factors: Root Cause,
Severity, Duration, and Pervasiveness. At the levels of 4 and 5 in this
category, the distinctions in the definitions are focused on the root
cause assessment factor rather than Severity, Duration, and
Pervasiveness. This approach is consistent with the other categories
where the difference between a 4 and a 5 is driven by the institution's
capacity and willingness to maintain a sound consumer compliance
system.
In arriving at the final rating, the examiner must balance
potentially differing conclusions about the effectiveness of the
financial institution's CMS over the individual products, services, and
activities of the organization. Depending on the relative materiality
of a product line to the institution, an observed weakness in the
management of that product line may or may not impact the conclusion
about the institution's overall performance in the associated
assessment factor(s). For example, serious weaknesses in the policies
and procedures or audit program of the mortgage department at a
mortgage lender would be of greater supervisory concern than those same
gaps at an institution that makes very few mortgage loans and strictly
as an accommodation. Greater weight should apply to the financial
institution's management of material products with significant
potential consumer compliance risk.
An institution may receive a less than satisfactory rating even
when no violations were identified, based on deficiencies or weaknesses
identified in the institution's CMS. For example, examiners may
identify weaknesses in elements of the CMS in a new loan product.
Because the presence of those weaknesses left unaddressed could result
in future violations of law and consumer harm, the CMS deficiencies
could impact the overall consumer compliance rating, even if no
violations were identified.
Similarly, an institution may receive a 1 or 2 rating even when
violations were present, if the CMS is commensurate with the risk
profile and complexity of the institution. For example, when violations
involve limited impact on consumers, were self-identified, and resolved
promptly, the evaluation may result in a 1 or 2 rating. After
evaluating the institution's performance in the two CMS categories,
Board and Management Oversight and Compliance Program, and the
dimensions of the violations in the third category, the examiner may
conclude that the overall strength of the CMS and the nature of
observed violations viewed together do not present significant
supervisory concerns.
Consumer Compliance Rating Definitions
---------------------------------------------------------------------------
Assessment factors to be considered, with the description for each
rating (1 through 5)
---------------------------------------------------------------------------
Board and Management Oversight
Board and management oversight factors should be evaluated commensurate
with the institution's size, complexity, and risk profile. Compliance
expectations below extend to third-party relationships.
---------------------------------------------------------------------------
Oversight and Commitment
1: Board and management demonstrate strong commitment and oversight to
   the financial institution's compliance risk management program.
2: Board and management provide satisfactory oversight of the financial
   institution's compliance risk management program.
3: Board and management oversight of the financial institution's
   compliance risk management program is deficient.
4: Board and management oversight, resources, and attention to the
   compliance risk management program are seriously deficient.
5: Board and management oversight, resources, and attention to the
   compliance risk management program are critically deficient.

1: Substantial compliance resources are provided, including systems,
   capital, and human resources commensurate with the institution's
   size, complexity, and risk profile. Staff is knowledgeable,
   empowered and held accountable for compliance with consumer laws and
   regulations.
2: Compliance resources are adequate and staff is generally able to
   ensure the financial institution is in compliance with consumer laws
   and regulations.
3: Compliance resources and staff are inadequate to ensure the
   financial institution is in compliance with consumer laws and
   regulations.
4: Compliance resources and staff are seriously deficient and are
   ineffective at ensuring the financial institution's compliance with
   consumer laws and regulations.
5: Compliance resources are critically deficient in supporting the
   financial institution's compliance with consumer laws and
   regulations, and management and staff are unwilling or incapable of
   operating within the scope of consumer protection laws and
   regulations.

1: Management conducts comprehensive and ongoing due diligence and
   oversight of third parties consistent with agency expectations to
   ensure that the financial institution complies with consumer
   protection laws, and exercises strong oversight of third parties'
   policies, procedures, internal controls, and training to ensure
   consistent oversight of compliance responsibilities.
2: Management conducts adequate and ongoing due diligence and oversight
   of third parties to ensure that the financial institution complies
   with consumer protection laws, and adequately oversees third
   parties' policies, procedures, internal controls, and training to
   ensure appropriate oversight of compliance responsibilities.
3: Management does not adequately conduct due diligence and oversight
   of third parties to ensure that the financial institution complies
   with consumer protection laws, nor does it adequately oversee third
   parties' policies, procedures, internal controls, and training to
   ensure appropriate oversight of compliance responsibilities.
4: Management oversight and due diligence over third party performance,
   as well as management's ability to adequately identify, measure,
   monitor, or manage compliance risks, is seriously deficient.
5: Management oversight and due diligence of third party performance is
   critically deficient.
---------------------------------------------------------------------------
Change Management
1: Management anticipates and responds promptly to changes in
   applicable laws and regulations, market conditions and products and
   services offered.
2: Management responds timely and adequately to changes in applicable
   laws and regulations, market conditions, products and services
   offered by evaluating the change and implementing responses across
   impacted lines of business.
3: Management does not respond adequately and/or timely in adjusting to
   changes in applicable laws and regulations, market conditions, and
   products and services offered.
4: Management's response to changes in applicable laws and regulations,
   market conditions, or products and services offered is seriously
   deficient.
5: Management fails to monitor and respond to changes in applicable
   laws and regulations, market conditions, or products and services
   offered.

1: Management conducts due diligence in advance of product changes,
   considers the entire life cycle of a product or service in
   implementing change, and reviews the change after implementation to
   determine that actions taken have achieved planned results.
2: Management evaluates product changes before and after implementing
   the change.
---------------------------------------------------------------------------
Comprehension, Identification and Management of Risk
1: Management has a solid comprehension of and effectively identifies
   compliance risks, including emerging risks, in the financial
   institution's products, services, and other activities.
2: Management comprehends and adequately identifies compliance risks,
   including emerging risks, in the financial institution's products,
   services, and other activities.
3: Management has an inadequate comprehension of and ability to
   identify compliance risks, including emerging risks, in the
   financial institution's products, services, and other activities.
4: Management exhibits a seriously deficient comprehension of and
   ability to identify compliance risks, including emerging risks, in
   the financial institution.
5: Management does not comprehend nor identify compliance risks,
   including emerging risks, in the financial institution.

1: Management actively engages in managing those risks, including
   through comprehensive self-assessments.
2: Management adequately manages those risks, including through
   self-assessments.
---------------------------------------------------------------------------
Corrective Action and Self-Identification
1: Management proactively identifies issues and promptly responds to
   compliance risk management deficiencies and any violations of laws
   or regulations, including remediation.
2: Management adequately responds to and corrects deficiencies and/or
   violations, including adequate remediation, in the normal course of
   business.
3: Management does not adequately respond to compliance deficiencies
   and violations including those related to remediation.
4: Management response to deficiencies, violations and examination
   findings is seriously deficient.
5: Management is incapable, unwilling and/or fails to respond to
   deficiencies, violations or examination findings.
---------------------------------------------------------------------------
Compliance Program
Compliance Program factors should be evaluated commensurate with the
institution's size, complexity, and risk profile. Compliance
expectations below extend to third-party relationships.
---------------------------------------------------------------------------
Policies and Procedures
1: Compliance policies and procedures and third-party relationship
   management programs are strong, comprehensive and provide standards
   to effectively manage compliance risk in the products, services and
   activities of the financial institution.
2: Compliance policies and procedures and third-party relationship
   management programs are adequate to manage the compliance risk in
   the products, services and activities of the financial institution.
3: Compliance policies and procedures and third-party relationship
   management programs are inadequate at managing the compliance risk
   in the products, services and activities of the financial
   institution.
4: Compliance policies and procedures and third-party relationship
   management programs are seriously deficient at managing compliance
   risk in the products, services and activities of the financial
   institution.
5: Compliance policies and procedures and third-party relationship
   management programs are critically absent.
---------------------------------------------------------------------------
Training
1: Compliance training is comprehensive, timely, and specifically
   tailored to the particular responsibilities of the staff receiving
   it, including those responsible for product development, marketing
   and customer service.
2: Compliance training outlining staff responsibilities is provided
   timely to appropriate staff.
3: Compliance training is not adequately comprehensive, timely,
   updated, or appropriately tailored to the particular
   responsibilities of the staff.
4: Compliance training is seriously deficient in its comprehensiveness,
   timeliness, or relevance to staff with compliance responsibilities,
   or has numerous major inaccuracies.
5: Compliance training is critically absent.

1: The compliance training program is updated proactively in advance of
   the introduction of new products or new consumer protection laws and
   regulations to ensure that all staff are aware of compliance
   responsibilities before rolled out.
2: The compliance training program is updated to encompass new products
   and to comply with changes to consumer protection laws and
   regulations.
---------------------------------------------------------------------------
Monitoring and/or Audit
1: Compliance monitoring practices, management information systems,
   compliance audit, and internal control systems are comprehensive,
   timely, and successful at identifying and measuring material
   compliance risk management throughout the financial institution.
2: Compliance monitoring practices, management information systems,
   compliance audit, and internal control systems adequately address
   compliance risks throughout the financial institution.
3: Compliance monitoring practices, management information systems,
   compliance audit, and internal control systems do not adequately
   address risks involving products, services or other activities
   including timing and scope.
4: Compliance monitoring practices, management information systems,
   compliance audit, and internal controls are seriously deficient in
   addressing risks involving products, services or other activities.
5: Compliance monitoring practices, management information systems,
   compliance audit, or internal controls are critically absent.

1: Programs are monitored proactively to identify procedural or
   training weaknesses to preclude regulatory violations. Program
   modifications are made expeditiously to minimize compliance risk.
---------------------------------------------------------------------------
Consumer Complaint Response
1: Processes and procedures for addressing consumer complaints are
   strong. Consumer complaint investigations and responses are prompt
   and thorough.
2: Processes and procedures for addressing consumer complaints are
   adequate. Consumer complaint investigations and responses are
   generally prompt and thorough.
3: Processes and procedures for addressing consumer complaints are
   inadequate. Consumer complaint investigations and responses are not
   thorough or timely.
4: Processes and procedures for addressing consumer complaints and
   consumer complaint investigations are seriously deficient.
5: Processes and procedures for addressing consumer complaints are
   critically absent. Meaningful investigations and responses are
   absent.

1: Management monitors consumer complaints to identify risks of
   potential consumer harm, program deficiencies, and customer service
   issues and takes appropriate action.
2: Management adequately monitors consumer complaints and responds to
   issues identified.
3: Management does not adequately monitor consumer complaints.
4: Management monitoring of consumer complaints is seriously deficient.
5: Management exhibits a disregard for complaints or preventing
   consumer harm.
---------------------------------------------------------------------------
Violations of Law and Consumer Harm
---------------------------------------------------------------------------
Root Cause
1: The violations are the result of minor weaknesses, if any, in the
   compliance risk management system.
2: Violations are the result of modest weaknesses in the compliance
   risk management system.
3: Violations are the result of material weaknesses in the compliance
   risk management system.
4: Violations are the result of serious deficiencies in the compliance
   risk management system.
5: Violations are the result of critical deficiencies in the compliance
   risk management system.

Severity
1: The type of consumer harm, if any, resulting from the violations
   would have a minimal impact on consumers.
2: The type of consumer harm resulting from the violations would have a
   limited impact on consumers.
3: The type of consumer harm resulting from the violations would have a
   considerable impact on consumers.
4: The type of consumer harm resulting from the violations would have a
   serious impact on consumers.
5: The type of consumer harm resulting from the violations would have a
   serious impact on consumers.

Duration
1: The violations and resulting consumer harm, if any, occurred over a
   brief period of time.
2: The violations and resulting consumer harm, if any, occurred over a
   limited period of time.
3: The violations and resulting consumer harm, if any, occurred over an
   extended period of time.
4: The violations and resulting consumer harm, if any, have been long
   standing or repeated.
5: The violations and resulting consumer harm, if any, have been long
   standing or repeated.

Pervasiveness
1: The violations and resulting consumer harm, if any, are isolated in
   number.
2: The violations and resulting consumer harm, if any, are limited in
   number.
3: The violations and resulting consumer harm, if any, are numerous.
4: The violations and resulting consumer harm, if any, are widespread
   or in multiple products or services.
5: The violations and resulting consumer harm, if any, are widespread
   or in multiple products or services.
---------------------------------------------------------------------------
[End of proposed text.]
Dated: April 28, 2016.
Federal Financial Institutions Examination Council.
Judith E. Dupre,
FFIEC Executive Secretary.
[FR Doc. 2016-10289 Filed 5-2-16; 8:45 a.m.]