In November of 2016, the Federal Financial Institutions Examination Council published final guidance revising the consumer compliance rating system used by federal regulators during their compliance examinations effective March 31, 2017. If your institution hasn’t had a compliance examination since April 1, 2017, you may not know how the new Uniform Interagency Consumer Compliance Rating System will affect your institution’s compliance management system (CMS).
The purpose of the consumer compliance rating system is to ensure regulated financial institutions are consistently examined with a risk-based approach focusing on consumer harm. The new approach focuses on the effectiveness of the compliance management system with more focus on the CMS function and less focus on detailed technical testing. The four principles of the new rating system are to be risk-based, transparent, actionable, and to incent compliance.
The guidance states that the new rating system does not set higher supervisory expectations and should create no additional regulatory burden. It does recognize that the CMS programs in place will vary based on the size, complexity, and risk profile of a financial institution. Most importantly, the new rating system offers incentives for financial institutions that self-identify, address, and prevent compliance issues in a proactive manner. As a matter of fact, the word incent or incentive is used nine times within the final guidance related to self-identification.
The rating system includes a scale of 1 through 5, with 1 being the best rating and 5 being the worst. A rating of 1 or 2 represents satisfactory performance, while a rating of 3, 4, or 5 represents less than satisfactory performance. The CMS is rated as 1 (strong), 2 (satisfactory), 3 (deficient), 4 (seriously deficient), or 5 (critically deficient). The guidance states that a financial institution may receive a less than satisfactory rating even if no violations of law or consumer harm have been identified if examiners determine that the CMS program is not satisfactory. Likewise, a financial institution may receive a satisfactory rating even when violations of law or consumer harm are identified if the CMS program is proactive and issues were self-identified and promptly corrected.
The three broad categories covered by the rating system are Board and Management Oversight, Compliance Program, and Violations of Law and Consumer Harm. The first two categories cover CMS and include oversight of third parties within the CMS program. The third category evaluates the root cause, severity, duration, and pervasiveness of identified violations of law and any resulting consumer harm.
Under the category of Board and Management Oversight, examiners will assess financial institutions’ commitment to and oversight of the CMS program, the change management process, risk assessment, and self-identification and corrective action. Under the category of Compliance Program, examiners will assess the appropriateness of policies and procedures, the coverage and effectiveness of the compliance training program, the sufficiency of monitoring and, if applicable, audit, and responsiveness to consumer complaints. Under the category of Violations of Law and Consumer Harm, examiners will assess what caused the issue, the extent of consumer harm, how long the issue had been occurring, and how many consumers were affected.
While most financial institutions of all sizes have many of the components considered within this rating system, not all have effective monitoring systems or audit programs to self-identify and promptly correct compliance issues. In reading the guidance, this seems to be the cornerstone of a satisfactory rating, so if financial institutions haven’t assessed their risk and implemented an effective compliance monitoring/audit program, they may be leaving themselves open to a less than satisfactory consumer compliance rating. The guidance clearly provides incentives to financial institutions to have monitoring and/or audit programs that proactively self-identify issues and provide for prompt remediation. If the current monitoring or audit program is lacking, institutions should consider investing the resources needed to improve this area of the CMS, which should increase their odds of a strong or satisfactory compliance rating. Keep in mind, even if financial institutions conduct a comprehensive audit or monitoring review, if they don’t have thorough follow-up and correction but instead tend to have repeat issues identified during subsequent reviews, there will be a negative effect on this component of their rating.
The guidance provides the rating system in a tabular format allowing you to self-assess your current CMS program. Consider taking a look at the assessment factors at https://www.ffiec.gov/press/PDF/FFIEC_CCR_SystemFR_Notice.pdf and determining where improvement is necessary.
It’s not too late to take action and improve your chances of a stronger rating.