Consumer Compliance Handbook Division of Consumer and Community Affairs



Inquiries or comments relating to the contents of this manual should be addressed to:

Manager, Reserve Bank Oversight and Policy
Division of Consumer and Community Affairs
Board of Governors of the Federal Reserve System
Washington, D.C. 20551

To obtain copies of this handbook, contact Publications Fulfillment at:

Publications Fulfillment
Mail Stop N-127
Board of Governors of the Federal Reserve System
Washington, D.C. 20551

202-452-3244

[email protected]

The Board makes semiannual updates to the handbook. The updates are made available free of charge online at www.federalreserve.gov/boarddocs/supmanual.

About this Handbook

Since the late 1960s, Congress has enacted a number of consumer protection and civil rights laws directly related to the activities of financial institutions. Most transactions involving consumers and financial institutions are covered by these laws. In 2010, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act), which established a new regulator, the Consumer Financial Protection Bureau (CFPB). Under the Dodd-Frank Act, the CFPB has authority to examine insured depository institutions and insured credit unions with consolidated assets of more than $10 billion and their affiliates, to assess compliance with the requirements of 18 enumerated federal consumer financial laws, and to assess risks to consumers and financial markets from consumer financial products and services.

The Federal Reserve retains supervisory responsibility for: 1) state member banks with consolidated assets of more than $10 billion for their compliance with consumer protection laws not specifically transferred to the CFPB, and 2) state member banks with consolidated assets of $10 billion or less for their compliance with all consumer protection laws. The Federal Reserve also retains responsibility for conducting Community Reinvestment Act (CRA) examinations for state member banks, regardless of asset size. In addition, the Federal Reserve remains the consolidated supervisor for all bank holding companies and has taken on additional supervisory responsibility as the dedicated supervisor for savings and loan holding companies.

Oversight is assigned to the Board's Division of Consumer and Community Affairs (DCCA); direct supervision of institutions is largely the responsibility of the Federal Reserve Banks, operating under delegated authority. Specially trained consumer compliance examination staff help carry out the Board's consumer compliance supervision program.

    Intended Use

This Consumer Compliance Handbook provides Federal Reserve examiners (and other System compliance personnel) with background on the consumer compliance regulations and statutes covered by the Board's consumer compliance supervision program and guidelines for conducting consumer compliance examinations. Others in the compliance profession may also find it useful.

The Handbook describes each regulation (or, if no regulation exists, the statute) and, for most of the regulations, provides examination objectives, examination procedures, and a detailed examination checklist. Although most of the regulations are discussed in some detail, the discussions are not intended as a substitute for the regulation (or the statute). For complete information, examiners should refer to the regulation itself, as well as the statute, official interpretations, and any related CA Letters issued by the Division of Consumer and Community Affairs.

The Handbook primarily concerns examinations of state member banks, but it also covers supervisory activities related to foreign banking offices. For simplicity, most discussions refer to state member banks (or just "banks"), even when they may apply to foreign banking offices.

    Contents

The first part of the Handbook covers aspects of the examination process in general; the remaining parts focus on individual regulations (or, in some cases, individual statutes):

    I. Risk-focused consumer compliance supervision

    II. Deposit-related regulations and statutes

    III. Credit-related regulations and statutes

    IV. Other regulations, rules, policies, and statutes

    V. Federal fair lending regulations and statutes

    VI. Community Reinvestment Act

Relationship to FFIEC-Issued Material

The Handbook has been prepared specifically for Federal Reserve examiners. Some of the chapters concerning regulations or statutes for which the FFIEC has issued supervisory materials are adapted from FFIEC documents. The differences between the Handbook and FFIEC materials are not substantive and primarily involve formatting or other minor changes to increase consistency among individual Handbook chapters.

    Updates

Informal updates will be provided to System staff through CA Letters, conference calls, and other means of internal communication, as circumstances dictate. Formal updates will be distributed at least annually.

Consumer Compliance Handbook iii (11/13)

    Questions

Questions and comments about this Handbook should be directed to the Manager, Reserve Bank Oversight, Division of Consumer and Community Affairs.

An electronic version of this printed handbook is available on the Board's web site, at www.federalreserve.gov/boarddocs/SupManual/default.htm.


    Contents

    About this Handbook

    I. Community Bank Risk-Focused Consumer Compliance Supervision Program

    Executive Summary

    Community Bank Risk-Focused Consumer Compliance Supervision Program

    II. Deposit-Related Regulations and Statutes

    Regulation E (Electronic Fund Transfers)

    Regulations Q and D (Interest on Demand Deposits/Reserve Requirements)

    Regulation CC (Availability of Funds and Collection of Checks)

    Regulation DD (Truth in Savings)

    Garnishment of Accounts

    III. Credit-Related Regulations and Statutes

    Regulation C (Home Mortgage Disclosure)

    Regulation H (Flood Disaster Protection)

    Fair Credit Reporting

    Regulation Z (Truth in Lending)

    Fair Debt Collection Practices Act

    Homeowners Protection Act

    Homeownership Counseling

    Real Estate Settlement Procedures Act

    Special Provisions for Servicemembers (Military Lending Act)

    Servicemembers Civil Relief Act

    Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act)

    IV. Other Regulations, Rules, Policies, and Statutes

    Regulation G (Disclosure and Reporting of CRA-Related Agreements: CRA Sunshine Requirements)

Regulation H (Section 109 of the Riegle-Neal Interstate Banking and Branching Efficiency Act)

    Regulation M (Consumer Leasing)

    Regulation P (Privacy of Consumer Financial Information)

    Federal Trade Commission Act (Section 5)

    Branch Closings

Children's Online Privacy Protection Act

    Right to Financial Privacy Act

    Protecting Tenants at Foreclosure

    Consumer Compliance Handbook v (12/16)

V. Federal Fair Lending Regulations and Statutes

    Overview

    Regulation B (Equal Credit Opportunity)

    Fair Housing Act

    Examination procedures

    Appendix

    VI. Community Reinvestment Act

    Regulation BB (Community Reinvestment)

    Small Institutions

    Intermediate Small Institutions

    Large Institutions

    Institutions with Strategic Plans

    Wholesale or Limited-Purpose Institutions

    Supplementary Guidance


Federal Reserve Community Bank Risk-Focused Consumer Compliance Supervision Program

    Executive Summary

The Community Bank Risk-Focused Consumer Compliance Supervision Program (Program) promotes strong compliance risk management practices and consumer protection within state member banks with assets of $10 billion or less and their subsidiaries. The Program provides a framework that allows examiners to evaluate whether a financial institution is effectively controlling compliance risk. This framework is founded on the following principles of successful supervision:

Risk-Focused. Evaluates a financial institution's compliance culture and processes for identifying, measuring, monitoring, and controlling risks and practices regarding the treatment of consumers, the potential for consumer harm, and compliance with consumer protection laws and regulations.

Proactive and Scalable. Balances the nature and breadth of supervision with the level of risk to consumers and financial institutions.

Efficient. Incorporates procedures and processes to ensure good stewardship of examiner resources.

Clear. Provides guidance, policies, procedures, and examination findings clearly.

Collaborative. Engages other disciplines and supervisory agencies, as appropriate, to ensure a coordinated supervisory approach.

    Understanding the Institution

The starting point for risk-focused supervision is developing an understanding of the institution, taking into account environmental factors and the legal and regulatory landscape in which it operates. Information on a financial institution's business model and strategy, major business activities, and risk tolerance serves as the foundation for assessing its associated risks and supports the examiner's observations captured in an institutional profile. The consumer compliance examiner will develop an institutional profile to provide a concise portrait of an organization's structure and business activities and allow the examiner to understand the scope of activities that give rise to potential consumer harm and consumer compliance risk.

Examiners will contact bank management to develop and maintain an understanding of the institution and the market(s) in which it operates. Such contact typically involves a specific information request that provides the opportunity to learn about any changes that would affect the profile. These changes might include changes in management personnel, organizational structure, or the institution's strategic direction, including any new products, markets, or delivery channels the institution has introduced or entered or is considering introducing or entering.

The Program discusses in detail the processes depicted in the diagram on the following page.


Assessing the Institution's Risk

The institutional profile serves as the primary source of information for developing the risk assessment, a vital part of the supervisory process. The risk assessment presents a comprehensive view of the financial institution, delineating the areas of supervisory concern, and serves as a platform for the supervisory plan. While the risk assessment process evaluates a financial institution's compliance management program as a whole, the process also evaluates the effectiveness of the institution's compliance risk controls for individual products, services, and business activities.

Inherent risk considers the likelihood and impact of noncompliance with consumer laws and regulations prior to considering any mitigating effects of risk management processes. Risk management and controls are evaluated in the context of their likely effectiveness in achieving compliance with laws and regulations. Residual risk is determined by balancing the overall level of inherent risk of an activity (product or service) with the overall strength of risk controls for that activity.

The goal of the risk assessment is to allow supervisory staff to establish reasonable assurance that material residual consumer compliance risks are identified. The risk assessment can then be relied upon as the determinant of the scope of examination activities. As a result, examination resources will be focused on areas of elevated residual risk and not on those areas where inherent risk is well controlled and residual risk is limited or low.

The risk assessment process requires the examiner to determine: (1) products, services, and activities that are considered material to the organization; (2) the level of inherent risk associated with these products, services, and activities; (3) the adequacy of management systems used to measure, monitor, and control associated risks; and (4) the residual consumer compliance risk associated with each material product, service, and activity, as well as for the institution overall, based on the level of inherent risk and the adequacy of risk controls. The examiner will aggregate the residual risk determined for each of the financial institution's material products to capture the residual risk for the institution as a whole.

Fair lending (the Fair Housing Act, the Equal Credit Opportunity Act, and Regulation B) and unfair or deceptive acts or practices (UDAP) (Section 5 of the Federal Trade Commission Act and Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act) are two of the most significant risk areas for financial institutions. Violations in these areas often cause significant consumer harm as well as legal, financial, and reputational risk to the institution. Therefore, fair lending and UDAP will always be addressed during the risk assessment process. For fair lending, as with the examiner's evaluation of the overall compliance management program, the level of examination intensity for a particular product will generally be commensurate with the level of residual risk identified in the risk assessment process. However, in circumstances where inherent risk is high, examiners generally will test the risk controls before concluding that they effectively mitigate the high inherent risk.

    Examination Scoping and Planning

Establishing a thorough knowledge of a financial institution's inherent risk and an understanding of an institution's compliance management program, including the risk controls used to mitigate inherent risk, is a critical part of examination scoping and planning. Ultimately, the risk assessment should drive the scope of activities that will be carried out during the examination.

The scoping process provides an opportunity to customize examination activities so that they are consistent with the size, complexity, and risk profile of the financial institution. In this way, it is expected that a broad range of examination activities will be considered for products, services, and business lines targeted for additional review. Moreover, it is expected that planned activities involve varying levels of intensity and be carried out in a way that helps the examination team draw reasonable conclusions about the adequacy of an institution's compliance management program.

The examination work program and procedures used to assess the risk management practices of a financial institution with respect to a particular product or service or across business lines will be commensurate with the level of residual risk identified in the risk assessment process. Thus, the examination work program may include a range of examination activities, as depicted in the diagram on the following page.


After assessing the financial institution's risk and identifying the areas targeted for additional review, the examiner will develop a tailored, risk-focused work program for each product, service, or business line selected. In many cases, examination objectives for material products or for the overall institution may have been largely met as part of the risk assessment process. When the quality of compliance management systems is assessed as being at least satisfactory or there is a reasonable basis for reliance on the institution's controls, and residual risk is not elevated, examiners may need to conduct no additional work or only limited follow-up work during the examination.

Management and policy-related examination analysis performed during the risk assessment process may result in the identification of procedural weaknesses or other risks that cannot be addressed simply through limited follow-up. In such cases, the examiner should document the need for transaction testing in the examination scope memorandum detailing the overall examination strategy.

The risk assessment and scoping processes will result in communication to the institution's management of a request for any additional information to be sent to the Reserve Bank or made available on site upon examiners' arrival. To the extent possible, information requests will avoid asking for information already available.

    Examination Work

The examiner in charge will meet with the financial institution's senior management and the compliance officer to discuss the nature and scope of the examination. Because the issues identified in the scoping process and the suggested levels of review may differ from the previous examination, the examiner will provide bank management with an understanding of the risk-focused examination process and how it will be applied to the institution.


The examiner in charge will inform bank management of the examination's progress and issues that may have arisen that could result or have resulted in a change to the scope of the examination. Bank management will be given an opportunity to respond to issues and resolve them if possible, as early in the examination process as is practical.

Formal final discussions are held to communicate examination findings and obtain, when necessary, management's commitment for corrective action. The board of directors has the ultimate responsibility for operating the financial institution in compliance with the law and for ensuring that appropriate corrective action is taken. A meeting with the board of directors may be appropriate in certain circumstances, such as if the program weaknesses or legal violations involve the potential for significant administrative and civil liability or if the Reserve Bank is contemplating issuing a supervisory action.

Supervisory findings are communicated in writing through formal reports and letters summarizing the results of reviews. These communications, including the Consumer Affairs Report of Examination for community banks, constitute the official record of the examination and are the primary tool for conveying examination findings to the institution's board of directors and senior management.

    Ongoing Supervision

Ongoing supervision of a financial institution between examinations, typically a supervisory contact close to the mid-cycle between consumer compliance examinations, is critical in identifying significant changes or deteriorating trends in a timely manner. Proactive monitoring also confirms whether the institution's board and senior management have appropriately addressed previous examination findings and allows for identification of new product lines, business activities, or other organizational changes. In some cases when the institution's risk profile is high or it changes materially as a result of the addition of more complex or higher-risk strategies, more frequent contacts may be appropriate.


Community Bank Risk-Focused Consumer Compliance Supervision Program

    I. INTRODUCTION

Overview of the Risk-Focused Framework

The consumer compliance risk-focused supervision program is designed to promote strong compliance risk management practices and consumer protection by ensuring that Federal Reserve-supervised state member community banks comply with consumer protection laws and regulations.[1]

The program achieves this goal through processes designed to evaluate whether an organization's consumer compliance risk management program (compliance management program) effectively manages its inherent compliance risk, which includes risks to the institution and its customers. The products and services reviewed during a risk-focused consumer compliance examination will vary based on the inherent compliance risk present in the institution's business lines, products, and services and the effectiveness of the institution's compliance management program.

The purpose of the risk-focused supervision program detailed in this document is to provide a framework that allows examiners to evaluate whether an institution is effectively controlling compliance risk. To accomplish this objective, the program

incorporates guidelines for evaluating compliance management programs in the context of inherent risk to the organization (including the bank, affiliates, and subsidiaries) as well as to consumers

requires development of a supervisory strategy that recognizes the risk of noncompliance for business activities at an institution and across institutions

allows Reserve Banks to tailor supervisory activities to the structure, complexity, and risk of the organization and to adjust these activities over time, thus deploying Federal Reserve resources efficiently and effectively

acknowledges the value of timely communication regarding consumer compliance regulatory and supervisory matters by supplementing point-in-time supervisory work with ongoing supervision

requires coordination with other supervisory disciplines and other regulators, as warranted, to ensure a full understanding of an organization's risk profile and a proper supervisory approach

    The framework is

Risk-focused. Evaluates a financial institution's compliance culture and processes for identifying, measuring, monitoring, and controlling risks and its practices regarding the treatment of consumers, the potential for consumer harm, and compliance with consumer protection laws and regulations.

Proactive and scalable. Balances the nature and breadth of supervision with the level of risk to consumers and financial institutions.

Efficient. Incorporates procedures and processes to ensure good stewardship of examiner resources.

Clear. Provides guidance, policies, procedures, and examination findings clearly.

Collaborative. Engages other disciplines and supervisory agencies, as appropriate, to ensure a coordinated supervisory approach.

The risk-focused supervision program outlines standard processes to ensure consistent and effective supervision of Federal Reserve-supervised institutions. This document discusses in detail the following processes depicted in the diagram on page 5:

    Understanding the Institution

Assessing the Institution's Risk

    Examination Scoping and Planning

    Examination Work

    Ongoing Supervision

II. UNDERSTANDING THE INSTITUTION

    Overview

The starting point for risk-focused supervision is developing an understanding of the institution, taking into account environmental factors and the legal and regulatory landscape in which it operates. To understand an organization's compliance risks, examiners must understand the types of business it conducts within the institution, its affiliates, and subsidiaries. Examiners must also understand the structure of the organization, including the institution's compliance management program and key personnel in senior management and compliance roles. This step is critical to tailoring the supervisory plan (including examinations, monitoring, and outreach) to align with the risk profile of the organization. The technological, regulatory, and market developments in the financial sector and the speed with which an institution's risk profile can change make it critical for supervisors to keep abreast of material events and changes in strategy that affect the institution's risk profile. Accordingly, consumer compliance examiners should review institution-specific information on an ongoing basis, in accordance with ongoing supervision expectations or in response to material events or changes. Examiners should also stay up to date on environmental and statutory/regulatory changes in order to maintain consumer compliance-specific information for the institutional profile that will communicate the examiner's understanding of that institution and the market(s) in which it operates.

[1] A community bank is a bank with assets of $10 billion or less.

Consumer Compliance Handbook Risk-Focused Program 1 (6/14)

Information about an institution's business model and strategy, major business activities, and associated risk tolerance serves as the foundation for assessing the associated risks and should be captured in the institutional profile. The profile should document the internal changes driven by management decisions or external events that may alter an institution's risk profile.

Preparing the profile begins with gathering and reviewing available information, including examination reports, direct observations gained through monitoring activities, correspondence files, financial databases, information from consumer groups, news outlets, and other information generated by the Federal Reserve and other supervisory agencies. Reviewing this information helps examiners identify both the strengths and the vulnerabilities of the institution.

The following are some documents and sources that are helpful in understanding the institution:

    Information about the Institution

the institution's strategic plan

board packets or any other information that may be provided by the organization to the Reserve Bank's central point of contact (CPC)

minutes of board, loan, compliance, Community Reinvestment Act (CRA), audit, risk, or other relevant committees

organizational chart and compliance management program structure

    policies and procedures

    product offerings by business line

internal management information system (MIS) reports and compliance and fair lending risk assessments

compliance testing reports and internal or external audit reports, including the status of corrective actions

    consumer complaint information

    training reports and attendance records

    public filings and annual reports, if applicable

consumer protection-related litigation and/or investigations by other governmental or regulatory agencies

information from news outlets and consumer groups

the institution's website, along with social media

    Other Institution Data

Uniform Bank Performance Reports (UBPR) and Consolidated Reports of Condition and Income (Call Report)

    market and community demographic data

Home Mortgage Disclosure Act (HMDA) and CRA data

    electronic loan data

Reserve Bank or Federal Reserve System Information

    current institutional profile, if applicable

information obtained during ongoing supervision activities or through direct observations, questionnaires, interviews, meetings with management, and/or Reserve Bank correspondence

supervisory plan and institutional overview developed by Safety & Soundness

examination reports from other disciplines and/or other agencies

previous compliance examinations and target reviews, including work papers

    CRA Performance Evaluations

prior corrective action information, institution responses, and resolution or status information

applicable risk screening information, including any fair lending screening results

    complaint and correspondence files

    applications and enforcement information

    regulatory and examination procedure updates

Examiners need to contact institution management to develop and maintain an understanding of the institution and the market(s) in which it operates. Such contact typically involves a specific information request that provides the opportunity to learn about any changes that would affect the profile. These changes might include changes in management personnel, organizational structure, or the institution's strategic direction, including any new products, markets, or delivery channels the institution has introduced or entered or is considering introducing or entering.

Simply stated, the institutional profile provides a concise portrait of an institution's structure and business activities that should allow examiners to understand the scope of activities that give rise to potential consumer harm and consumer compliance risk. The profile must draw sufficient attention to key areas and/or changes that contribute to the institution's current and prospective level of consumer compliance risk.

    Preparation of the Institutional Profile

The purpose of the institutional profile is to convey an understanding of the institution's present condition and its current and prospective risks, as well as to highlight key issues and supervisory findings. The profile must be updated as part of the risk assessment and scoping process of an examination, again at the conclusion of an examination, and later through ongoing supervision to capture matters of supervisory significance that occur during the supervisory cycle.

The institutional profile must reflect the material events, products, and services and the regulatory environment that affect management decisions. For instance, when introducing a new product or service, senior management should

    conduct proper due diligence

assess implications of the product's target markets

    evaluate prospective product growth

consider the product's regulatory implications

ensure the institution has sufficient staff expertise and capacity to support and deliver the product or service

    Institutional Factors

    Organizational Structure

Ownership. Whether the institution is owned by a bank holding company, and any functions that are centralized at or supported by the holding company.

Operations. The degree of operational centralization or decentralization.

Affiliates and subsidiaries. Identification of affiliate structure and/or subsidiaries with activities relevant to the institution's consumer compliance risk.

Structural changes. Any significant structural changes since the previous examination, or planned changes, such as mergers, acquisitions, divestitures, and pending applications, that would affect the institution's consumer activities.

    Business Model and Strategies

Risk tolerance. A summary of the scope and complexity of the institution's business model based on consideration of key attributes discussed below, especially in light of the implementation of decisions that change strategy.

Key business lines. Identification of key business activities along with the stability of the offerings. The identification of key business lines should include an evaluation of management's description of key business areas in comparison to the institution's stated strategy, balance sheet composition, and other publicly available information.

Delivery channels. Identification of primary delivery channels for the institution's products and services and any nontraditional or complex channels. Consideration should be given to the use of the Internet, mobile applications, social media, brokers, referral sources, and expansion into new or extended channels, especially those that have changed since the previous examination.

Product mix. A discussion of loan and deposit product mix, as well as the types of products and services offered, considering the level of complexity present in the offerings and the potential for consumer harm associated with the product. Consideration should be given to concerns about consumer protection risk that have been raised by legislative bodies, regulatory/law enforcement agencies, or consumer advocacy groups. To the degree that products or services differ based on targeted customers or geographies, the discussion should identify the variations.

Product and service changes. Identification of any new or modified products or services, particularly any add-on products or other products with complex features that would increase inherent risk or raise potential for consumer harm, and the level of management expertise and familiarity with the new or modified product or service.

Marketing. A discussion of marketing strategies, including desired outcomes and an evaluation of targeted products, media outlets, and targeted geographies or customers.

Community Bank Risk-Focused Consumer Compliance Supervision Program

4 (6/14) Risk-Focused Program Consumer Compliance Handbook

Product volatility. A discussion of material changes in the institution's asset size, markets, and volume associated with specific products or services. Examiners should pay attention to instances in which volume has significantly increased, which may reflect a change in business strategy or increased risk. Product volume that remains constant may suggest a stable environment, while reductions in volume may point to lower levels of risk. Examiners should select appropriate time intervals for measuring change.

Systems. A discussion of the capacity of delivery systems as well as consideration of the degree of change due to conversions to new systems or enhancements, including identification of the use of third-party providers or vendors.

Compliance Management Structure and Personnel

Organizational chart. A discussion of the compliance function, risk function, and business lines, as applicable. Consideration should be given to the level of independence of functions responsible for compliance oversight and the sufficiency of staffing, including the expertise in relation to the products and services offered.

Committees. Discussions about board and management committees responsible for compliance risk management.

Hiring, turnover, and succession planning. A discussion of changes in management (including the board and senior management), compliance, or business line levels that could affect the institution's ability to manage consumer compliance risk.

New product development. A discussion of any procedures, marketing reviews, and change control processes associated with new product development, including vendor management and the level of involvement of staff who have compliance expertise.

Compliance testing and audit. A discussion of the coverage and frequency of reviews; the qualifications of staff, whether internal or external; the process for reporting on issues and their resolution; and whether or not there have been any internal review or audit findings of consumer compliance violations or concerns, and if so, a description of the findings and management's response.

    Supervisory Information

Supervisory history. A description of the recent supervisory history of the institution.

Corrective action. The status of corrective action for any significant regulatory issues such as Matters Requiring Immediate Attention (MRIA), Matters Requiring Attention (MRA), reimbursements, previously identified consumer risk issues, and any supervisory orders involving civil money penalties.

Areas of concern. Significant consumer compliance or CRA supervisory issues or concerns and other important supervisory issues.

Enforcement actions. Identification of any formal or informal actions and the potential impact on consumer compliance risk.

Financial condition. A discussion of the institution's financial condition, considering its impact on management decisions that would affect the institution's compliance risk tolerance. A discussion of whether the institution is changing or considering changing its products and services based upon the institution's financial condition, including the effect of these changes on compliance controls. Consideration should also be given to the institution's expansion or contraction of markets and geographies.

Other supervisory ratings. A summary of management and risk management ratings for all supervisory functions that could affect consumer compliance risk.

Complaints. Any pertinent consumer complaint activity, including a discussion about the quantity and types of complaints and how the institution has resolved them.

Litigation. Any substantive litigation or other legal concerns, specific to the institution, related to consumer compliance issues, including investigations by other governmental agencies.

    Legal and Regulatory Factors

Applicability and coverage. Identification of the level of regulatory complexity, key legal or regulatory developments, and changes that are material and affect the institution, given the institution's product offerings and operations.

Litigation. Consumer compliance-related substantive litigation, other legal concerns, or regulatory scrutiny in the industry that would potentially relate to the institution's products, services, or practices.

    Environmental Factors

Market/trade area. A description of geographic areas or markets served by the institution. The description should include the institution's delineated CRA assessment area and how it compares with its market/trade area, if they are different. The description should also include the identification of areas served and not served, considering minority composition, distressed or underserved areas, and low- and moderate-income individuals and areas.

Offices and facilities. A discussion of the institution's branches, automated teller machines (ATM), and loan production offices (LPO), as applicable, in relation to consumer compliance risk, such as demographic differences across areas served and the degree to which products or services vary by location.

Interstate/intrastate structure. A statement as to whether the institution is an interstate bank, and a listing of the states, metropolitan areas, and Federal Reserve Districts in which it operates.

Business conditions. A discussion of the demand for loans and other products or services in light of employment conditions, housing data, business demographics, local economic conditions, and other demographic considerations.

Competition. A discussion of competition based on market share, including deposit market share, HMDA-reportable activity, and other relevant data sources. The discussion should reflect an evaluation of the level of competition from local and national financial institutions as well as nonbank competitors. The discussion should be adjusted to capture the degree to which competition varies by product or geography.

III. ASSESSING THE INSTITUTION'S RISK

    Overview

The institutional profile provides information about the institution's strategy and business activities and the environment in which it operates. The profile also documents the institution's processes for controlling associated risks. Thus, the profile serves as the primary source of information for developing the risk assessment, a vital part of the supervisory process.

The risk assessment presents a comprehensive view of the institution, delineating the areas of supervisory concern, and serves as a platform for the supervisory plan. Inherent risk considers the likelihood and impact of noncompliance with consumer laws and regulations prior to considering any mitigating effects of risk management processes. Risk management and controls are evaluated in the context of their likely effectiveness in achieving compliance with laws and regulations. Residual risk is determined by balancing the overall level of inherent risk of an activity (product or service) with the overall strength of risk controls for that activity.

The risk assessment considers the effectiveness of an institution's overall compliance management program, including four essential elements:

    1. board and senior management oversight

    2. policies, procedures, and limits

3. risk monitoring and management information systems

    4. internal controls

While the risk assessment process evaluates an institution's compliance management program as a whole, the process also evaluates the effectiveness of the institution's compliance risk controls for individual products, services, and business activities. In particular, the levels of inherent consumer compliance risk present in the institution's products, services, and business activities affect the types of risk controls necessary to ensure satisfactory compliance with consumer protection laws and regulations.

    Objectives of the Risk Assessment

The goal of the risk assessment is to allow supervisory staff to establish reasonable, but not absolute, assurance that material residual consumer compliance risks are identified. The risk assessment can then be relied upon as the determinant of the scope of examination activities. As a result, examination resources will be focused on areas of elevated residual risk and not on those areas where inherent risk is well controlled and residual risk is limited or low.

    Risk Assessment Process

The risk assessment process requires examiners to determine: (1) products, services, and activities that are considered material to the organization; (2) the level of inherent risk associated with these products, services, and activities; (3) the adequacy of management systems used to measure, monitor, and control associated risks; and (4) the residual consumer compliance risk associated with each material product, service, and activity, as well as for the institution overall, based on the level of inherent risk and the adequacy of risk controls.

Instructions for completing the risk assessment process, including documenting conclusions about inherent risk, controls, and residual risk, are provided in section F of this chapter, Documenting the Consumer Compliance Risk Assessment.

A. Product Management and Materiality

    Overview

Product management relates to the institution's ability to identify, measure, monitor, and manage the compliance risk inherent in a particular product. These four essential elements of risk management serve as the foundation for assessing the management of product risk and should be evaluated in the context of the inherent risks associated with specific products or services. Essential factors to consider when evaluating the management of products and services include: (1) knowledge and expertise of the product management team; (2) adequacy of policies and procedures and effectiveness of internal controls; (3) adequacy of resources (for example, staffing, MIS); (4) quality of compliance training; (5) frequency and scope of compliance reviews; (6) recent compliance history (for example, violations noted at prior examinations and recent audit findings); (7) record of responding appropriately to consumer complaints; (8) effectiveness of audit coverage and management's responsiveness to audit findings; and (9) change management (for example, response to changes in laws, regulations, systems, and products).

    Product Definition

A product may consist of a group of related products or services that

share similar features and structure, with differences that are relatively minor (such as different maturities)

are broadly subject to the same regulations (even if there is a range of risk profiles among the related products)

are delivered in substantially the same way (for instance, retail loan originations may be treated as a different product than wholesale originations)

are subject to the same control environment (for example, similar products offered through different legal entities, but having the same control environment, could be considered a single product)

As an example, assume that an institution extends retail mortgages, from simple fixed-rate mortgages to more complex adjustable-rate mortgages, and all retail mortgages share a common consumer compliance control environment. Notwithstanding the range of complexity of the related products, the residual risk of all mortgage loans could be evaluated as a single product; the residual risk would balance the range of inherent risks across all of the related products and the effectiveness of risk controls in the context of the identified inherent risks.

    Materiality

Product materiality reflects the relative importance of a product offered by the institution. A product may be material compared to other products; it may also be material based solely on its own significant activity level. Accordingly, a product with low volume (measured by number, dollar volume, or both) compared to other products would likely be considered immaterial, and a product with relatively high volume would be considered material. Nonetheless, a product could be material based solely on its own substantial activity level even if that activity level is comparatively lower than other products' activity levels.

Examination intensity and resources should be commensurate with the consumer compliance risks associated with the institution's material products. Thus, if an institution's material products do not involve significant potential consumer compliance risk, the institution would warrant relatively fewer examination resources, compared to an institution where the products offered pose significant consumer risk. In other words, the absolute risk associated with a product should be considered as well as the risk of a product relative to the other products offered. For example, if an institution is primarily a commercial lender, examiners should not shift increased scrutiny and resources to the review of immaterial consumer products or consumer products that have low residual risk simply because these may have higher consumer risk compared to commercial loans.

An institution's board of directors and management must demonstrate both the willingness and the capacity to comply with all applicable consumer compliance laws and regulations, even in the case of immaterial products. Evidence of willingness and capacity can typically be established by reviewing meeting minutes and policies and procedures and through interviews. Without such evidence, the examination should focus on the assessment of weaknesses in the compliance management program and the changes necessary to ensure and sustain compliance.

Materiality is also a factor to consider when grouping products. In particular,

when a related product is both complex and material on a stand-alone basis, examiners should consider²

keeping the same product grouping but focusing on the complex and material products when making scoping decisions, taking into consideration the strength of risk controls

segregating these related products, but only when there are questions regarding the quality or capacity of the control environment for such a related product

add-on or ancillary products or services, when material, may present unique risks or be subject to a different control environment and warrant treatment as a separate product. For example, loan servicing, especially servicing of third-party loans, may be treated as a separate and distinct product.

2. A related product would be a single product or service under a more broadly defined product category. For instance, reverse mortgages would be a related product under the broader category of mortgage loans.

B. Inherent Consumer Compliance Risk

    Overview

Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution's noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors. Such risk may be associated with the characteristics of the institution itself, the laws and regulations that apply to its activities, or the environment and market(s) in which it operates. It is important for an institution to effectively identify, measure, monitor, and control its compliance risks to limit any potential adverse consequences of noncompliance.

Consumer compliance risk, in general, is the risk of legal or regulatory sanctions, financial loss, consumer harm, or damage to reputation and franchise value caused by a failure to comply with or adhere to

consumer protection laws, regulations, or standards

the organization's own policies, procedures, codes of conduct, and ethical standards

principles of integrity and fair dealing applicable to the organization's business activities and functions³

An institution's failure to manage compliance risk effectively can elevate the risk level or manifest itself as other types of key risks:

Legal risk. Arises from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of a banking organization. For example, failing to follow the terms of consumer loan agreements or to meet strict residential mortgage regulatory requirements will likely increase an institution's legal risk.

Reputational risk. Arises from the potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation, or lower revenue. Any serious consumer compliance issue discussed publicly, such as a public enforcement action related to a fair lending issue, will increase reputational risk.

Operational risk. Arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. Operational lapses, such as failing to keep confidential customer data secure, could result in losses for both the institution and its customers.

More specifically, noncompliance may expose the organization to fines; civil money penalties; legal damages; voided or unenforceable contracts; reduced franchise value; or rejected expansionary activities, mergers, and acquisitions.

    Risk Tolerance

An institution's tolerance for consumer compliance risk is reflected in the choices it makes regarding the scope and complexity of its business activities, including market service areas and the delivery channels for products and services. Institutions that engage in riskier activities demonstrate a higher tolerance for risk and are expected to have a compliance management program commensurate with their risk profile. A higher risk tolerance may be reflected in product offerings that pose greater compliance risk, such as higher-cost products or products targeted to vulnerable or less financially sophisticated consumers. In general, the more willing an institution is to assume inherent compliance risk in its operations, the stronger the controls must be to manage these risks effectively.

    Inherent Risk Components and Drivers

A number of factors serve as potential indicators of inherent compliance risk in an institution. All of these factors can also increase legal, reputational, and operational risk, especially when not managed effectively. In general, inherent compliance risk factors can be grouped into three primary categories: institutional, legal and regulatory, and environmental.

3. Business activities are business lines, functions, legal entities, operations in legal jurisdictions, or other business operations.

Institutional Factors

Institutional factors contribute significantly to an institution's overall inherent compliance risk level. Some risk factors derive from the institution's strategic and business decisions; others relate more specifically to the products the institution offers and the risks inherent in these products. These institutional factors, when considered in conjunction with the extent to which the institution's operations are subject to consumer laws and regulations, will be a significant driver of conclusions about the level of inherent risk. Complex products, decentralized operations, products targeted to vulnerable or less financially sophisticated consumers, failure to serve certain consumer or geographic segments of the market, introduction of substantively new products (rather than slight variations of existing products), multiple delivery channels, and third-party relationships all tend to elevate the level of consumer compliance risk.

    Strategic/Business Factors

Growth. Any substantive increase in asset size, change in business focus, or expanded market or geographic presence (resulting from branching, merger, or acquisition activity) may increase compliance risk given the need to manage risk across a larger operation, including additional office locations. Growth may increase risk because an organization may need to respond by changing processes, staffing, or systems. These types of changes often require expanded compliance oversight and knowledge, and may increase compliance risk if not effectively managed.

Structural complexity. The overall complexity of a banking organization's operations, including its branch operations and subsidiary and affiliated relationships, affects compliance risk.

An institution with an extensive branch network, multiple or nontraditional delivery channels, or a number of subsidiary retail business operations may have more compliance risk to manage than an institution with limited offices or one primary business operation.

The degree to which an organization, including its related entities, has centralized operations also affects compliance risk. Centralized activities may help limit risk by consolidating knowledge and processes in fewer locations. When centralized operations are handled effectively, the opportunity for error may decrease as a result.

In general, increased structural complexity and decentralization within an institution tend to increase compliance risk, primarily because the institution has more facilities, staff, products, and overall operations to manage, thus introducing challenges associated with span of control.

History/trends. Whether an institution has effectively managed its compliance risk in the past is a risk factor to consider. Institutions that historically have supported and maintained strong compliance management programs will generally have less risk than institutions that have not exhibited such performance. The significance of this prior performance varies depending on the amount and type of change in an institution's compliance management program and changes to its overall inherent compliance risk profile due to other factors, such as product or regulatory changes, since the previous examination.

    Product Characteristics

Product volume. The absolute level of product activity or materiality affects compliance risk. When an institution does not comply with requirements on a high-volume product or service, this error affects more consumers and thus creates more compliance risk for the institution. As with other inherent risk factors, the significance of risk associated with high-volume products depends on the consequences that may result from noncompliance.

Product complexity. As with the institution itself, complexity within products or groups of products significantly affects compliance risk. Several factors affect the complexity of a product, such as

the complexity of the product's features, such as numerous conditional requirements, options, or variations

over the life cycle of the product, changes are permitted or required that necessitate additional disclosures and/or actions by the institution to comply with legal or regulatory requirements

the product targets only certain consumer segments, such as those with certain demographic or credit characteristics (for instance, subprime borrowers), rather than all consumers

the complexity of processes surrounding the sale of products, including marketing of specific product features, use of wholesale and retail delivery channels, and the sale of ancillary products or offering of rewards programs

Generally, as the complexity of the product increases, compliance risk may increase because of the need for additional oversight and expertise to manage this increased complexity effectively. Complying with even comparatively noncomplex legal or regulatory requirements may be more challenging when the product itself has inherent operational complexity. Increased complexity can also be associated with products targeted to a particular segment of the consumer market. Inherent compliance risk may be elevated if marketing efforts, disclosures, and delivery channels do not appropriately consider the sophistication and reasonable expectations of the target audience.

Product stability. Substantial change related to product or service offerings, including changes to existing products and services, is a significant driver of inherent compliance risk. Factors to consider in assessing the compliance risk associated with a product's stability include

the length of time the institution has offered the product

what, if any, significant product terms have changed

whether product volume has grown significantly

any significant changes related to product operations, including system changes that would affect product handling or management

Product-related changes may increase compliance risk, primarily because an institution must evaluate these changes to determine whether other corresponding processes or practices need to change to ensure ongoing compliance. A more stable product (one with limited changes and a history of compliance) has a higher likelihood of continued compliance. It should be noted that some changes could lower compliance risk: for example, when an institution eliminates a higher-risk feature.

Third-party involvement. An institution's reliance on third-party providers or vendors may either increase or decrease compliance risk. In all cases, the use of third-party providers requires sufficient controls to manage the relationships. When properly chosen and managed, third-party providers can provide an institution with valuable expertise and service that the institution may find difficult to provide on its own. For example, using a third party to generate loan documents may facilitate consistent delivery of compliant disclosures. Nonetheless, relying on a third party to (1) provide bank-related products or services, such as a loan processing system; (2) generate fee income, such as offering add-on products; (3) assist with compliance management-related services, such as conducting compliance audits; or (4) provide other compliance-related services may increase risk because the institution no longer has direct control over these activities. Accordingly, the institution must have knowledgeable staff and effective processes to oversee these providers to ensure they meet expectations and contractual obligations and comply with legal and regulatory requirements.

    Legal and Regulatory Factors

Another primary consideration for determining an institution's inherent compliance risk relates to the types of legal and regulatory requirements that apply to the institution's products and services. Institutions should also evaluate concerns raised by others, including legislative bodies, regulatory or law enforcement agencies, or consumer advocacy groups. The extent of inherent compliance risk related to legal and regulatory requirements is driven primarily by the complexity of the requirements themselves, the level and likelihood of potential consumer harm or other penalties that could result from failing to comply with them, and the extent to which these requirements have changed.

Regulation complexity. The complexity of regulatory and legal requirements relates to the extent of judgment, knowledge, technical skills, or processes needed to understand and effectively implement those requirements. As with product complexity, the increased skill and knowledge needed to comply with more complex regulatory requirements increases inherent compliance risk. Simply put, as regulatory complexity increases, so does the risk that the institution will fail to comply with the requirements.

Consequences of noncompliance. Failure to comply with certain legal and regulatory requirements may have serious consequences for consumers and the financial institution. It is important to consider whether and to what extent failing to comply with the requirement would result in financial, legal, or other harm to consumers. For the institution, failing to comply with regulatory requirements can lead to regulatory sanctions, financial losses, and reputational damage. In general, the severity of the consequence, whether harm to consumers or to the institution, and the level of inherent compliance risk associated with noncompliance are directly related.

Regulatory or legal changes. Inherent compliance risk may increase when a new or modified legal or regulatory requirement applies to a financial institution's activities. The effect of any change on inherent risk depends on several factors, which may include

    the nature and type of the regulatory change

the significance of the change relative to the institution's product offerings, processes, or procedures, including

    the number of products affected

whether the change needs to be implemented organizationwide or just in particular business lines

whether the change has serious consequences for failure to implement and comply effectively

whether the organization has the expertise to understand and implement the change effectively

When regulations and laws change, an institution may not fully understand the change and hence may fail to implement effective policies, procedures, and controls in response, increasing the risk of noncompliance with the new requirement. As discussed, the level of inherent risk posed by any regulatory change depends on the nature of the change and its effect on consumers and the institution.

    Environmental Factors

The environment in which the institution operates can affect the level of inherent compliance risk at the institution level and at the product level. Business conditions, the demographic composition of its assessment area(s), and the competition in the institution's markets affect compliance risk.

    Business conditions. Market conditions, such as the demand for loans, availability of talent and expertise, unemployment rates, and housing needs, may affect decisions that the institution makes concerning the types and nature of products it offers as well as its capacity to adequately support these products. Consequently, changing business conditions may require an institution to reevaluate its current assumptions and practices. The capacity of an institution's new product approval processes, its change management practices, the robustness of its strategic planning, and the flexibility of its service capacity should be evaluated in the context of the institution's response to changing business conditions. For example, deteriorating business conditions can simultaneously lead to tightening of underwriting standards and a higher default rate on existing loans. Compliance risk potentially increases in both cases, as consistency in underwriting and service levels associated with loss mitigation must be maintained.

    Business conditions may also drive changes to existing products, or the introduction of new products, designed to generate revenue. Institutions operating in communities experiencing economic challenges may have higher inherent risk because of the effect of these challenges on the institution's existing activities or because of actions the institution may take in response to these challenges.

    Demographics. The demographics of the institution's market area can also affect inherent compliance risk. Serving a more diverse population requires heightened awareness and responsiveness to ensure that the institution is meeting a potentially broader spectrum of customer needs through its product offerings, marketing efforts, and overall level of service. Without a legitimate business justification, ignoring the needs of certain segments of the population or excluding geographic areas or populations based on demographic composition will likely have adverse consequences for an institution.

    Competition. The competitive environment in which an institution operates can affect compliance risk. An institution operating in a highly competitive environment may choose to make frequent product, marketing, or other changes to retain or expand its market share. Competitive factors could also lead an institution to consider offering complex products that fall outside the institution's normal operations or its strategic focus. As with the risks associated with external business conditions, the capacity of an institution's new product approval processes, its change management practices, and the robustness of its strategic planning must be commensurate with the degree or rapidity of change associated with competitive demands. Institutions that operate in a highly competitive environment, particularly smaller institutions, may have greater inherent risk simply because they do not have the capacity to respond effectively to competitive forces.

    Assessing Inherent Risk

    A variety of factors affect the level of inherent compliance risk in an institution. Effectively identifying and assessing this risk is an important part of the risk-focused examination process.

    The institutional profile discusses information about the institution and its community(ies) that is needed to determine the impact of institutional, legal, and environmental factors on the institution's consumer compliance risk level. Considering these factors, examiners will form conclusions about the level of inherent risk for each material product relative to the consumer laws and regulations applicable to such products, as is discussed in more detail later. Taking into account these product assessments, examiners will assign an aggregate inherent risk rating for the institution.

    Appendix 2, Guidance for Assessing Inherent Consumer Compliance Risk, is a matrix that should be used when assessing inherent consumer compliance risk. The matrix identifies specific risk components for each of the three broad sources of risk discussed previously (institutional, laws and regulations, and environmental). While an overall inherent risk rating must be documented only for each material product, the matrix allows for analyzing the potential level of risk associated with each source of risk as well as each of the subsidiary risk components that are detailed in the matrix. Examiners may find that for certain institutions or activities, it makes sense to assign ratings to individual subsidiary risk components first and then work to develop the overall ratings. This level of detail is likely necessary only for larger or more complex organizations and should be reflected in supporting documentation maintained separately from the assessment itself.

    Inherent risk should be rated using a five-point rating system.

    Inherent Risk Rating

    Low (1)
    Limited (2)
    Moderate (3)
    Considerable (4)
    High (5)

    The following definitions apply to inherent consumer compliance risk.

    Low likelihood of significant negative impact (1) indicates that consumer compliance risk, prior to considering any mitigating effects of risk management processes, is highly unlikely to have a significant negative impact on the institution or consumers. Expected sanctions, losses, or damage to reputation due to consumer compliance risk would have little negative impact on the institution.

    Limited likelihood of significant negative impact (2) indicates a limited likelihood that consumer compliance risk, prior to considering any mitigating effects of risk management processes, will have a significant negative impact on the institution or consumers. Expected sanctions, losses, or damage to reputation due to consumer compliance risk are modest and could be absorbed by the institution in the normal course of business.

    Moderate likelihood of significant negative impact (3) indicates a moderate likelihood that consumer compliance risk, prior to considering any mitigating effects of risk management processes, will have a significant negative impact on the institution or consumers. Expected sanctions, losses, or damage to reputation due to consumer compliance risk could adversely affect the institution.

    Considerable likelihood of significant negative impact (4) indicates a considerable likelihood that consumer compliance risk, prior to considering any mitigating effects of risk management processes, will have a significant negative impact on the institution or consumers. Expected sanctions, losses, or damage to reputation due to consumer compliance risk could seriously affect the institution.

    High likelihood of significant negative impact (5) indicates a high likelihood that consumer compliance risk, prior to considering any mitigating effects of risk management processes, will have a significant negative impact on the institution or consumers. Expected sanctions, losses, or damage to reputation due to consumer compliance risk will require significant changes to the management routines and ongoing operations of the institution.

    C. Consumer Compliance Risk Management

    Overview

    Taking and managing risks are fundamental to the business of banking. Accordingly, the Federal Reserve has increasingly emphasized the importance of sound risk-control processes when evaluating the activities of the institutions it supervises. Properly managing risks is critical to ensuring compliance with consumer protection laws and regulations. Effective risk management has become even more important as new technologies, product innovation, and the size and speed of financial transactions have changed the nature of financial services markets. Therefore, it is essential that examiners give significant weight to how effectively the institution's compliance management program manages the inherent risks associated with its consumer-related activities.

    An institution's failure to establish a consumer compliance management structure that adequately identifies, measures, monitors, and controls the inherent risks involved in its various products, services, and lines of business is considered unsafe and unsound conduct. Principles of sound risk management should apply to the entire spectrum of compliance-related risks facing a banking organization including, but not limited to, legal, reputational, and operational risk.

    A primary goal of the supervision process is to assess the effectiveness of an institution's compliance management program. Identified violations of consumer protection laws and regulations usually indicate weaknesses in this program. The seriousness of the weaknesses, however, depends on the consequences that result from noncompliance. For example, a substantive violation of a fair lending law or regulation has serious consequences for consumers and the institution and thus would likely indicate a serious compliance management weakness.

    When an error resulting in a violation is identified, the significance of the error must be evaluated not simply by the number of such errors or the percentage of error but in the context of the root cause of the error and actual harm to consumers. The root cause of an error must always be evaluated to determine whether such errors are the result of a systemic control weakness. When systemic issues are identified, the underlying root cause must be addressed. Also, correction of the root cause of an isolated error should be considered if the likelihood of avoiding repeat errors can reasonably be accomplished through modification of business processes and/or by strengthening elements of the compliance management program.

    Elements of Risk Management

    Elements of a sound risk management system include

    active board and senior management oversight

    adequate policies, procedures, and limits

    adequate risk monitoring and management information systems

    comprehensive internal controls

    Each of these elements is described more fully below, along with a list of factors relevant to assessing the adequacy of that element.

    Examiners should recognize that the factors specified in these guidelines are intended only to assist in the evaluation of risk management practices and are not intended as a checklist or exhaustive list of requirements for each institution. A carefully devised, implemented, and monitored program provides the foundation for ensuring compliance with consumer banking laws and regulations. All institutions, regardless of size, should maintain an effective compliance management program. The sophistication and formality of the program will typically increase in direct proportion to the complexity of an organization's operations. Examiners should evaluate the adequacy of the compliance management program in the context of inherent risk associated with the institution's complexity, business strategy, activities, and organizational structure. The duties, responsibilities, authority, and independence of compliance personnel will depend on the nature, scope, and complexity of operations.

    For smaller institutions that engage solely in traditional banking activities and whose senior managers and directors are actively involved in day-to-day operations, relatively basic risk management systems may be adequate. In such institutions, these systems may consist of an informal compliance program that includes both written and unwritten policies addressing material areas of operations such as lending, basic internal control systems, on-the-job training, and a limited set of management and board reports.

    A larger, more complex institution would likely require a more formal and comprehensive program to maintain a satisfactory level of compliance and to provide senior managers and directors with the information they need to monitor and direct day-to-day activities. Because of the diversity of activities and/or the broad geographic dispersion of operations, the compliance risk management processes of more complex banking organizations would typically include

    dedicated compliance staff with specific responsibilities and authority

    detailed policies that set specific prudential limits on acceptable activities and/or the risks associated with specific activities

    sophisticated management reporting to allow senior management to better evaluate and mitigate risks

    These reporting systems, in turn, should provide an array of reports that offer sufficient risk-exposure information that is relevant to the duties and responsibilities of individual managers and directors.

    For more complex institutions, these reporting systems will naturally require frequent monitoring and testing by independent control areas and internal auditors to ensure the integrity of the information used by senior officials in overseeing compliance with consumer protection laws and regulations. The risk management systems or units of such institutions must also be sufficiently independent of the business lines, in order to ensure adequate separation of duties and avoid conflicts of interest.

    Regardless of the size of the institution, an effective process must be in place to manage change. Sometimes change occurs because of an external event, for example, a new compliance regulation. Sometimes change is internal, such as the introduction of a new product, or revision to existing products. Change management should be a structured and disciplined process that is repeatable since change can always be expected. An effective change management process

    requires management and staff from all affected functions (potentially including compliance, accounting, risk, internal audit, and line management) to review and recommend a response or change proposal for senior management or board approval that clearly articulates expected results. The entire life cycle of a product or service affected by the change must be considered, whether it involves the introduction of a new product or service or a change affecting existing bank operations.

    incorporates appropriate approval processes associated with implementation

    requires that operating policies and procedures are updated to provide clear guidance to staff on how to comply with all legal or regulatory requirements

    requires that staff be properly trained regarding the change

    incorporates monitoring of the deployment of the new or revised process, product, or service

    requires a post-implementation review to determine whether the actions taken have achieved the expected results

    Also, it is important to recognize that while management can appropriately decide to outsource some or all of the operational aspects of a product or service, it cannot outsource the responsibility for complying with laws and regulations. Oversight of vendor actions is particularly important when such actions involve changes to core processing, automated disclosure software, and similar systems, because violations may occur from such changes if not monitored properly. A robust third-party vendor management and oversight process will evaluate all applicable risks, including those related to information security, privacy, and compliance with all applicable laws and regulations.

    Board and Senior Management Oversight

    Boards of directors have ultimate responsibility for the level of risk assumed by their institutions. Accordingly, the board should approve the institution's overall business strategies and significant policies, including those related to managing and taking risks. The board should also ensure that senior management is fully capable of managing the institution's activities. While all boards of directors are responsible for understanding the nature of the risks significant to their organizations and for ensuring that management is taking the steps necessary to control these risks, the level of technical knowledge required of directors may vary depending on the particular circumstances at the institution.

    For institutions with a broad range of technically complex activities, directors must have a clear understanding of the types of risks to which the institution is exposed, even though the board has delegated day-to-day compliance management responsibility to bank officers and staff. For example, the directors of complex institutions should receive reports that identify the size and significance of the risks in terms that are meaningful to them. In fulfilling its risk oversight responsibility, the board of directors should take steps to develop an appropriate understanding of the risks the institution faces, for example, through briefings from auditors and experts external to the organization. Using this knowledge and information, the board of directors should provide clear guidance regarding the level of risk acceptable to the institution and should ensure that senior management implements the procedures and controls necessary to comply with the policies that have been adopted.

    Directors of institutions that offer more traditional and less complex products may be more involved with the institution's day-to-day activities and decisionmaking than counterparts at larger organizations. Each director should then have a level of knowledge commensurate with the nature of his or her role in managing the institution's affairs.

    Nonetheless, senior management is responsible for implementing a program to manage the consumer compliance risks associated with the institution's business model, including ensuring compliance with laws and regulations on both a long-term and a day-to-day basis. Accordingly, management should be fully involved in its institution's activities and possess sufficient knowledge of all major products to ensure that appropriate risk controls are in place and that accountability and lines of authority are clearly delineated. Senior management also is responsible for establishing and communicating a strong awareness of, and need for, effective risk controls and high ethical standards.

    In assessing the quality of board of directors and senior management oversight, examiners should consider whether the institution follows policies and practices such as those described below.

    The board and senior management have identified and have established a clear understanding of the types of risks inherent in the institution's activities and make appropriate efforts to stay informed about these risks as financial markets, risk management practices, and the institution's activities evolve.

    The board has reviewed and approved appropriate policies to limit risks inherent in the institution's significant business lines, activities, or products, including ensuring effective oversight of any third-party providers that provide products and services for the institution.

    The board and senior management are sufficiently familiar with and are using adequate record keeping and reporting systems to measure and monitor the major sources of risk to the institution.

    The board periodically reviews and approves risk exposure limits to conform to any changes in the institution's strategies, addresses new products, and responds to changes in market conditions.

    The board and senior management ensure that business lines are managed and staffed by personnel with knowledge, experience, and expertise consistent with the nature and scope of the banking organization's activities.

    The board and senior management ensure that the depth of staff resources is sufficient to operate and manage the institution's activities soundly and that employees have the integrity, ethical values, and competence that are consistent with a prudent management philosophy and operating style.

    The board and senior management at all levels provide adequate supervision of the day-to-day activities of officers and employees, including management supervision of senior officers or heads of business lines.

    The board and management anticipate and respond to risks that may arise from changes in the institution's competitive environment and innovations in its markets and to risks associated with new or changing regulatory or legal requirements.

    Before embarking on new activities or introducing products new to the institution, management identifies and reviews all risks associated with the activity or product and ensures that the infrastructure and internal controls necessary to manage the related risks are in place.

    Policies, Procedures, and Limits

    Comprehensive and fully implemented policies help to communicate management's commitment and expectations related to compliance. Procedures should provide personnel with guidance that enables them to complete transactions or other processes in accordance with applicable laws and regulations. Such information may include appropriate regulatory references and definitions, sample forms, instructions, and where appropriate, directions for routing, reviewing, and retaining transaction documents. The effectiveness of the procedures in meeting compliance requirements is more important than the degree of formality. However, larger, more complex entities with many employees and products, serving multiple geographic markets, have a greater need for written policies and procedures to ensure compliance with consumer protection laws and regulations.

    An institution's directors and senior management should tailor risk management policies and procedures to the types of risks that arise from the institution's activities. Once the risks are properly identified, the institution's policies and its more fully articulated procedures provide detailed guidance for the day-to-day implementation of broad business strategies and generally include limits designed to shield the organization from excessive and imprudent risks. All banking organizations should have policies and procedures that address significant activities and risks; however, the scope and depth of such policies will vary among institutions. A smaller, less complex institution that has effective management heavily involved in day-to-day operations may have less formal policies to address significant areas of operations, but nonetheless, have well-established embedded practices that have proven effective over time for managing consumer compliance risk. In a larger institution, where senior managers rely on large staffs to implement strategies in business lines of varying complexity, much more detailed policies and related procedures would generally be expected. In either case, however, management is expected to ensure that policies and procedures, written or unwritten, address an institution's material areas of risk and that staff modifies these procedures when necessary in order to respond to significant changes in the banking organization's activities or business conditions.

    Limits are mechanisms designed to prevent an institution from taking unnecessary risks that increase the likelihood of consumer harm, and they should be present and enforced in an institution. An example of a limit is an explicit statement about products or services that the institution deems to be harmful to consumers or contrary to the institution's mission and that the institution chooses not to offer. On a narrower scale, an institution may specifically limit the ability of lending personnel to deviate from established loan pricing guidelines without appropriate approval.

    Ongoing education of personnel is essential to maintaining a sound compliance program. The organization should make all personnel aware of consumer protection laws and regulations pertinent to their areas of responsibility and should provide training regarding policies and procedures for those areas.

    An institution's training program should be commensurate with the entity's organizational structure and the activities in which it engages. A more formal training program would be expected at an organization that off