FFIEC Issues Uniform Interagency Consumer Compliance Rating System

The FFIEC, along with the banking brotherhood (FRB, CFPB, FDIC, NCUA, and OCC), released an updated Uniform Interagency Consumer Compliance (CC) Rating System. The revisions to the CC Rating System were not developed to set new or higher supervisory expectations for financial institutions, and their adoption will represent no additional regulatory burden. Agencies will begin using the updated CC Rating System on consumer compliance examinations starting March 31, 2017.

All credit union managers and directors should review the update in preparation for consumer compliance exams beginning March 31, 2017.

Principles of the Interagency CC Rating System

  • Risk-based. Recognize and communicate clearly that compliance management systems (CMS) vary based on the size, complexity, and risk profile of supervised institutions.
  • Transparent. Provide clear distinctions between rating categories to support consistent application by the Agencies across supervised institutions. Reflect the scope of the review that formed the basis of the overall rating.
  • Actionable. Identify areas of strength and direct appropriate attention to specific areas of weakness, reflecting a risk-based supervisory approach. Convey examiners’ assessment of the effectiveness of an institution’s CMS, including its ability to prevent consumer harm and ensure compliance with consumer protection laws and regulations.
  • Incent Compliance. Incent the institution to establish an effective consumer compliance system across the institution and to identify and address issues promptly, including self-identification and correction of consumer compliance weaknesses.

CC Rating System Categories and Assessment Factors

Board and Management Oversight – Assessment Factors

  • oversight of and commitment to the institution’s CMS;
  • effectiveness of the institution’s change management processes, including responding timely and satisfactorily to any variety of change, internal or external, to the institution;
  • comprehension, identification, and management of risks arising from the institution’s products, services, or activities; and
  • self-identification of consumer compliance issues and corrective action undertaken as such issues are identified.

Compliance Program – Assessment Factors

  • whether the institution’s policies and procedures are appropriate to the risk in the products, services, and activities of the institution;
  • the degree to which compliance training is current and tailored to risk and staff responsibilities;
  • the sufficiency of the monitoring and, if applicable, audit to encompass compliance risks throughout the institution; and
  • the responsiveness and effectiveness of the consumer complaint resolution process.

Violations of Law and Consumer Harm – Assessment Factors

  • the root cause, or causes, of any violations of law identified during the examination;
  • the severity of any consumer harm resulting from violations;
  • the duration of time over which the violations occurred; and
  • the pervasiveness of the violations.

This category of the Consumer Compliance Rating Definitions defines four factors by which examiners can assess violations of law and consumer harm.

  • Root Cause. The Root Cause assessment factor analyzes the degree to which weaknesses in the CMS gave rise to the violations. In many instances, the root cause of a violation is tied to a weakness in one or more elements of the CMS. Violations that result from critical deficiencies in the CMS evidence a critical absence of management oversight and are of the highest supervisory concern.
  • Severity. The Severity assessment factor of the Consumer Compliance Rating Definitions weighs the type of consumer harm, if any, that resulted from violations of law. More severe harm results in a higher level of supervisory concern under this factor. For example, some consumer protection violations may cause significant financial harm to a consumer, while other violations may cause negligible harm, based on the specific facts involved.
  • Duration. The Duration assessment factor considers the length of time over which the violations occurred. Violations that persist over an extended period of time will raise greater supervisory concerns than violations that occur for only a brief period of time. When violations are brought to the attention of an institution’s management and management allows those violations to remain unaddressed, such violations are of the highest supervisory concern.
  • Pervasiveness. The Pervasiveness assessment factor evaluates the extent of the violation(s) and resulting consumer harm, if any. Violations that affect a large number of consumers will raise greater supervisory concern than violations that impact a limited number of consumers. If violations become so pervasive that they are considered to be widespread or present in multiple products or services, the institution’s performance under this factor is of the highest supervisory concern.

The consumer compliance rating is derived through an evaluation of the financial institution’s performance under each of the assessment factors described above. The consumer compliance rating reflects the effectiveness of an institution’s CMS to identify and manage compliance risk in the institution’s products and services and to prevent violations of law and consumer harm, as evidenced by the financial institution’s performance under each of the assessment factors.

The consumer compliance rating reflects a comprehensive evaluation of the financial institution’s performance under the CC Rating System by considering the categories and assessment factors in the context of the size, complexity, and risk profile of an institution. It is not based on a numeric average or any other quantitative calculation. Specific numeric ratings will not be assigned to any of the 12 assessment factors. Thus, an institution need not achieve a satisfactory assessment in all categories in order to be assigned an overall satisfactory rating. Conversely, an institution may be assigned a less than satisfactory rating even if some of its assessments were satisfactory.

The relative importance of each category or assessment factor may differ based on the size, complexity, and risk profile of an individual institution. Accordingly, one or more category or assessment factor may be more or less relevant at one financial institution as compared to another institution. While the expectations for compliance with consumer protection laws and regulations are the same across institutions of varying sizes, the methods for accomplishing an effective CMS may differ across institutions.

The evaluation of an institution’s performance within the Violations of Law and Consumer Harm category of the CC Rating Definitions considers each of the four assessment factors: Root Cause, Severity, Duration, and Pervasiveness. At the levels of 4 and 5 in this category, the distinctions in the definitions are focused on the root cause assessment factor rather than Severity, Duration, and Pervasiveness. This approach is consistent with the other categories where the difference between a 4 and a 5 is driven by the institution’s capacity and willingness to maintain a sound consumer compliance system.

In arriving at the final rating, the examiner must balance potentially differing conclusions about the effectiveness of the financial institution’s CMS over the individual products, services, and activities of the organization. Depending on the relative materiality of a product line to the institution, an observed weakness in the management of that product line may or may not impact the conclusion about the institution’s overall performance in the associated assessment factor(s). For example, serious weaknesses in the policies and procedures or audit program of the mortgage department at a mortgage lender would be of greater supervisory concern than those same gaps at an institution that makes very few mortgage loans and strictly as an accommodation. Greater weight should apply to the financial institution’s management of material products with significant potential consumer compliance risk.

An institution may receive a less than satisfactory rating even when no violations were identified, based on deficiencies or weaknesses identified in the institution’s CMS. For example, examiners may identify weaknesses in elements of the CMS in a new loan product. Because the presence of those weaknesses left unaddressed could result in future violations of law and consumer harm, the CMS deficiencies could impact the overall consumer compliance rating, even if no violations were identified.

Similarly, an institution may receive a 1 or 2 rating even when violations were present, if the CMS is commensurate with the risk profile and complexity of the institution. For example, when violations involve limited impact on consumers, were self-identified, and resolved promptly, the evaluation may result in a 1 or 2 rating. After evaluating the institution’s performance in the two CMS categories, Board and Management Oversight and Compliance Program, and the dimensions of the violations in the third category, the examiner may conclude that the overall strength of the CMS and the nature of observed violations viewed together do not present significant supervisory concerns.

Passwords to access the blog posts, and the blog posts themselves, are only for NWCG owners and retained clients. These should not be shared outside of the credit union. Blog posts generally contain only a summary of any requirements and do not represent all potential impact on credit unions. For further details on any blog post, contact NWCG or the references cited in the blog post. The information contained on this site is provided for informational purposes only and should not be construed as legal advice.
