[Federal Register Volume 81, Number 85 (Tuesday, May 3, 2016)]
[Notices]
[Pages 26553-26563]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-10289]


-----------------------------------------------------------------------

FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL

[Docket No. FFIEC-2016-0001]


Uniform Interagency Consumer Compliance Rating System

AGENCY: Federal Financial Institutions Examination Council (FFIEC).

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: Pursuant to 12 U.S.C. 3301, the Federal Financial Institutions 
Examination Council (FFIEC), established in 1979, is a formal 
interagency body empowered to prescribe principles and standards for 
the federal examination of financial institutions and to make 
recommendations to promote consistency and coordination in the 
supervision of institutions.
    The six members of the FFIEC represent the Board of Governors of 
the Federal Reserve System (FRB), the Federal Deposit Insurance 
Corporation (FDIC), the National Credit Union Administration (NCUA), 
the Office of the Comptroller of the Currency (OCC), the State Liaison 
Committee (SLC), and the Consumer Financial Protection Bureau (CFPB) 
(Agencies).
    The FFIEC promotes compliance with federal consumer protection laws 
and regulations through each agency's supervisory and outreach 
programs. Through compliance supervision, the FFIEC Agencies determine 
whether an institution is meeting its responsibility to comply with 
applicable requirements.
    The FFIEC requests comment on a proposal to revise the Uniform 
Interagency Consumer Compliance Rating System, more commonly known as 
the ``CC Rating System,'' to reflect the regulatory, examination 
(supervisory), technological, and market changes that have occurred in 
the years since the current rating system was established. The FFIEC is 
proposing to revise the existing CC Rating System to better reflect 
current consumer compliance supervisory approaches. The revisions are 
designed to more fully align the rating system with the FFIEC Agencies' 
current risk-based, tailored examination

[[Page 26554]]

approaches. The proposed revisions to the CC Rating System were not 
developed to set new or higher supervisory expectations for financial 
institutions and their adoption will represent no additional regulatory 
burden.
    The proposed revisions emphasize the importance of institutions' 
compliance management systems (CMS), in particular, risk control 
processes designed to manage consumer compliance risk which are needed 
to support compliance and prevent consumer harm. The CC Rating System 
has provided a general framework for evaluating compliance factors in 
order to assign a consumer compliance rating to each federally 
regulated financial institution.\1\
---------------------------------------------------------------------------

    \1\ NCUA integrates the principles and standards of the current 
CC Rating System into the existing CAMEL rating structure, in place 
of a separate rating. When finalized, the revised CC Rating System 
will be incorporated into NCUA's risk-focused examination program. 
Using the principles and standards contained in the revised CC 
Rating System, NCUA examiners will assess a credit union's ability 
to effectively manage its compliance risk and reflect that ability 
in the Management component rating and the overall CAMEL rating used 
by NCUA.

---------------------------------------------------------------------------
DATES: Comments must be received on or before July 5, 2016.

ADDRESSES: Because paper mail received by the FFIEC is subject to delay 
due to heightened security precautions in the Washington, DC area, you 
are encouraged to submit comments by the Federal eRulemaking Portal, if 
possible. Please use the title ``Consumer Compliance Rating System'' to 
facilitate the organization and distribution of the comments. You may 
submit comments by any of the following methods:
    Federal eRulemaking Portal (Regulations.gov): Go to http://www.regulations.gov. Under the ``More Search Options'' tab, click next 
to the ``Advanced Docket Search'' option where indicated, select 
``FFIEC'' from the agency drop-down menu, then click ``Submit.'' In the 
``Docket ID'' column, select ``Docket Number FFIEC-2016-0001'' to 
submit or view public comments and to view supporting and related 
materials for this notice of proposed rulemaking. The ``How to Use This 
Site'' link on the Regulations.gov home page provides information on 
using Regulations.gov, including instructions for submitting or viewing 
public comments, viewing other supporting and related materials, and 
viewing the docket after the close of the comment period.
    Mail: Judith Dupre, Executive Secretary, Federal Financial 
Institutions Examination Council, L. William Seidman Center, Mailstop: 
7081a, 3501 Fairfax Drive, Arlington, VA 22226-3550.
    Hand delivery/courier: Judith Dupre, Executive Secretary, Federal 
Financial Institutions Examination Council, L. William Seidman Center, 
Mailstop: B-7081a, 3501 Fairfax Drive, Arlington, VA 22226-3550.
    Instructions: You must include ``FFIEC'' as the agency name and 
``Docket Number FFIEC-2016-0001'' in your comment. In general, the 
FFIEC will enter all comments received into the docket and publish them 
on the Regulations.gov Web site without change, including any business 
or personal information that you provide such as name and address 
information, email addresses, or phone numbers. Comments received, 
including attachments and other supporting materials, are part of the 
public record and subject to public disclosure. Do not enclose any 
information in your comment or supporting materials that you consider 
confidential or inappropriate for public disclosure.
    Docket: You may also view or request available background documents 
and project summaries using the methods described above.

FOR FURTHER INFORMATION CONTACT: OCC: Ronald A. Dice, Compliance 
Specialist, Office of the Comptroller of the Currency, 400 7th Street 
SW., Washington, DC 20219, (202) 649-5470; or Kimberly Hebb, Director 
of Compliance Policy, (202) 649-5470.
    Board: Lanette Meister, Senior Supervisory Consumer Financial 
Services Analyst, Board of Governors of the Federal Reserve System, 
20th and C Streets NW., Washington, DC 20551, (202) 452-2705.
    FDIC: Ardie Hollifield, Senior Policy Analyst, Federal Deposit 
Insurance Corporation, 550 17th Street NW., Washington, DC 20429-0002, 
(202) 898-6638; John Jackwood, Senior Policy Analyst, (202) 898-3991; 
or Faye Murphy, Chief, Consumer Compliance and UDAP Examination 
Section, (202) 898-6613.
    NCUA: Jamie Goodson, Director, Division of Consumer Compliance 
Policy and Outreach, Office of Consumer Protection, National Credit 
Union Administration, 1775 Duke Street Alexandria, VA 22314-3428, (703) 
518-1140.
    CFPB: Kathleen Conley, Senior Consumer Financial Protection 
Analyst, Consumer Financial Protection Bureau, 1700 G Street NW., 
Washington, DC 20552, (202) 435-7459.
    SLC: Matthew Lambert, Policy Counsel, Conference of State Bank 
Supervisors, 1129 20th Street NW., 9th Floor, Washington, DC 20036, 
(202) 407-7130.

SUPPLEMENTARY INFORMATION: 

Background

    The current CC Rating System, adopted in 1980, is a supervisory 
policy for evaluating financial institutions' \2\ adherence to consumer 
compliance requirements. The CC Rating System provides a framework for 
evaluating institutions based on assessment factors to assign a 
consumer compliance rating to each institution.
---------------------------------------------------------------------------

    \2\ The term financial institutions is defined in 12 U.S.C. 
3302(3).
---------------------------------------------------------------------------

    The CC Rating System is based upon a scale of 1 through 5, in 
increasing order of supervisory concern. Thus, 1 represents the highest 
rating and consequently the lowest level of supervisory concern, while 
5 represents the lowest rating and consequently the most critically 
deficient level of performance and the highest degree of supervisory 
concern. When using the CC Rating System to assess an institution, the 
Agencies do not consider an institution's record of lending performance 
under the Community Reinvestment Act (CRA) because institutions are 
evaluated separately for CRA.

Factors Supporting a Revised CC Rating System

    The FFIEC is proposing revisions to the existing CC Rating System, 
recognizing that there have been legislative, regulatory, supervisory, 
technological, and market changes since the adoption of the current CC 
Rating System. Since 1980, the regulatory landscape has evolved 
considerably. Over the past 30 years, changes include:
     The consolidation of financial institutions and resultant 
changed risk profiles of entities prompted by factors such as legal 
changes that allowed interstate banking;
     New and revised regulatory requirements;
     Major transformations in technology, business models, and 
consumers' banking habits which have resulted in a broader set of risks 
to consumers; and
     The Dodd-Frank Wall Street Reform and Consumer Protection 
Act (Dodd-Frank Act),\3\ which substantially altered the regulatory 
landscape by creating the CFPB and reshaping the responsibilities of 
the prudential regulators.\4\ As a result, large institutions over a 
certain

[[Page 26555]]

asset threshold now have more than one FFIEC consumer compliance 
supervisor.
---------------------------------------------------------------------------

    \3\ 12 U.S.C. 5481 et seq.
    \4\ The prudential regulators are the FRB, FDIC, NCUA, and OCC.
---------------------------------------------------------------------------

Purpose of the Revisions

    The Agencies are proposing to revise the current CC Rating System 
to better reflect current consumer compliance supervisory approaches. 
The revisions are designed to more fully align the rating system with 
the Agencies' current risk-based, tailored examination approaches. The 
proposed revisions to the CC Rating System were not developed to set 
new or higher supervisory expectations for financial institutions and 
their adoption will represent no additional regulatory burden.
    When the current CC Rating System was adopted in 1980, examinations 
focused more on transaction testing for regulatory compliance rather 
than evaluating the sufficiency of an institution's CMS to ensure 
compliance with regulatory requirements and to prevent consumer harm. 
In the intervening years, each of the FFIEC Agencies has adopted a 
risk-based consumer compliance examination approach to promote strong 
compliance risk management practices and consumer protection within 
supervised financial institutions. Risk-based consumer compliance 
supervision evaluates whether an institution's CMS effectively manages 
the compliance risk in the products and services offered to its 
customers. Under risk-based supervision, examiners tailor supervisory 
activities to the size, complexity, and risk profile of each 
institution and adjust these activities over time. While compliance 
management programs vary based on the size, complexity, and risk 
profile of supervised institutions, all institutions should maintain an 
effective CMS. The sophistication and formality of the CMS typically 
will increase commensurate with the size, complexity, and risk profile 
of the entity.
    As the Agencies drafted the proposed rating system definitions, one 
objective was to develop a rating system appropriate for evaluating 
institutions of all sizes. Therefore, the first principle discussed 
within the CC Rating System conveys that the system is risk-based to 
recognize and communicate clearly that compliance management programs 
vary based on the size, complexity, and risk profile of supervised 
institutions. This principle is reinforced in the Consumer Compliance 
Rating Definitions by conveying to examiners that assessment factors 
associated with an institution's CMS should be evaluated commensurate 
with the institution's size, complexity, and risk profile.
    In developing the revised CC Rating System, the Agencies believe it 
is also important for the new rating system to establish incentives for 
institutions to promote consumer protection by preventing, self-
identifying, and addressing compliance issues in a proactive manner. 
The proposed rating system would also create a framework for the 
Agencies to recognize institutions that consistently adopt these 
compliance strategies.
    Another benefit of the proposed CC Rating System is to promote 
coordination, communication, and consistency among the Agencies, 
consistent with the Agencies' respective supervisory authorities. 
Pursuant to the proposal, each of the Agencies would use the same CC 
Rating System to assign a consumer compliance rating to all supervised 
institutions, including banks and non-banks. Further, revising the 
rating system definitions responds to requests from industry 
representatives who have asked that the CC Rating System be updated.

Proposed Consumer Compliance Rating System

    The primary purpose of the proposed CC Rating System is to ensure 
that all institutions are evaluated in a comprehensive and consistent 
manner, and that supervisory resources are appropriately focused on 
areas exhibiting risk of consumer harm and on institutions that warrant 
elevated supervisory attention. The Agencies are recommending retention 
of the current CC Rating System's five-scale framework for the proposed 
System while also recommending revisions to the current CC Rating 
System to enhance its effectiveness.
    The proposed CC Rating System is based upon a numeric scale of 1 
through 5 in increasing order of supervisory concern. Thus, 1 
represents the highest rating and consequently the lowest degree of 
supervisory concern, while 5 represents the lowest rating and the most 
critically deficient level of performance, and therefore, the highest 
degree of supervisory concern. Ratings of 1 or 2 represent satisfactory 
or better performance. Ratings of 3, 4, or 5 indicate performance that 
is less than satisfactory.
    The proposed CC Rating System reflects risk-based expectations 
commensurate with the size, complexity and risk profile of institutions 
and incents institutions to prevent, self-identify, and address 
compliance issues.
    Pursuant to the proposed System, each institution would be assigned 
a consumer compliance rating based primarily on the adequacy of its 
CMS, which is designed to ensure compliance on a continuing basis.
    The proposed CC Rating System is composed of guidance and 
definitions. The guidance would provide examiners with direction on how 
to use the definitions when assigning a consumer compliance rating to 
an institution. The definitions consist of qualitative descriptions for 
each rating category and factors regarding violations of laws and 
consumer harm.
    The proposed System is based on a set of key principles. The 
Agencies agreed that the proposed ratings should be: (1) Risk-based; 
(2) Transparent; (3) Actionable; and (4) an Incentive for Compliance. 
Each principle is discussed in detail in the guidance.
    The Agencies are proposing a CC Rating System that includes three 
categories of assessment factors:

 Board and Management Oversight
 Compliance Program
 Violations of Law and Consumer Harm

    When assigning a rating under the proposed CC Rating System, 
examiners would consider each of the assessment factors in each 
category. Further, the categories would allow examiners to distinguish 
between varying levels of supervisory concern when rating institutions 
for compliance with federal consumer protection laws. The consumer 
compliance rating reflects a comprehensive evaluation of the 
institution's performance under the CC Rating System by considering the 
categories and assessment factors in the context of the size, 
complexity, and risk profile of an institution. It is not based on a 
numeric average or any other quantitative calculation. Specific numeric 
ratings will not be assigned to any of the twelve assessment factors. 
Thus, an institution need not achieve a satisfactory rating in all 
categories in order to be assigned an overall satisfactory rating. 
Conversely, an institution may be assigned a less than satisfactory 
rating even if some of its assessments were rated as satisfactory.
    All institutions, regardless of size, should maintain an effective 
CMS. The sophistication and formality of the CMS typically will 
increase commensurate with the size, complexity, and risk profile of 
the entity. The articulation of CMS assessment factors is not intended 
to create new expectations for lower risk institutions.

Board and Management Oversight

    The first category of the proposed CC Rating System would be used 
to analyze an institution's CMS and the role of its board and 
management officials. The four assessment factors would be:


[[Page 26556]]


 Oversight and Commitment
 Change Management
 Comprehension, Identification and Management of Risk
 Corrective Action and Self-Identification

    The Agencies believe the above factors would provide examiners with 
an effective and consistent framework for evaluating whether or not 
board and management are engaged to a satisfactory degree at a 
particular institution. All institutions, regardless of size, should 
maintain an effective CMS. However, each institution should be 
evaluated based on its size, complexity and risk profile.

Compliance Program

    The second category of the proposed CC Rating System would be used 
to analyze other elements of an effective CMS. The assessment factors 
for Compliance Program are:

 Policies and Procedures
 Training
 Monitoring and/or Audit
 Consumer Complaint Response

    The Agencies believe these factors, along with Board and Management 
Oversight, would provide an effective and consistent framework to 
evaluate an institution's CMS. Each of these assessment factors would 
be considered in evaluating risk and assigning a consumer compliance 
rating. As explained above, each institution would be evaluated based 
on its size, complexity and risk profile.

Violations of Law and Consumer Harm

    The third category of the proposed CC Rating System is Violations 
of Law and Consumer Harm. This category would provide examiners with a 
framework for considering the broad range of violations of consumer 
protection laws and evidence of consumer harm.
    The current CC Rating System was adopted in 1980. Since that time, 
the industry has become more complex, and the broad array of risks in 
the market that can cause consumer harm has become increasingly clear. 
Violations of various laws, including, for example, the Servicemembers 
Civil Relief Act \5\ and Section 5 of the Federal Trade Commission 
Act,\6\ as well as fair lending violations, may potentially cause 
significant consumer harm and raise serious supervisory concerns. 
Recognizing this broad array of risks, the proposed guidance directs 
examiners to consider all violations of consumer laws, based on the 
root cause, severity, duration, and pervasiveness of the violation. 
This approach emphasizes the importance of a range of consumer 
protection laws and is intended to reflect the broader array of risks 
and the potential harm caused by consumer protection related 
violations.
---------------------------------------------------------------------------

    \5\ 50 U.S.C. App. 501-697b.
    \6\ 15 U.S.C. 45 et seq.
---------------------------------------------------------------------------

    Specifically, in conjunction with assessing an institution's CMS 
based on the first two categories, examiners will evaluate the consumer 
protection violations and related consumer harm based on the four 
assessment factors below:

 Root cause, or causes, of any violations of law identified
 Severity of any consumer harm resulting from violations
 Duration of time over which the violations occurred
 Pervasiveness of violations

    Consumer harm may occur as a result of a violation of law. While 
many instances of consumer harm can be quantified as a dollar amount 
associated with financial loss, such as charging higher fees for a 
product than was initially disclosed, consumer harm may also result 
from a denial of an opportunity. For example, a consumer could be 
harmed when an institution denies the consumer credit or discourages an 
application in violation of the Equal Credit Opportunity Act,\7\ 
whether or not financial harm occurred.
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 1691 et seq.
---------------------------------------------------------------------------

Assignment of Ratings by Supervisor(s)

    The prudential regulators will continue to assign and update, as 
appropriate, consumer compliance ratings for institutions they 
supervise, including those with total assets of more than $10 
billion.\8\ As a member of the FFIEC, the CFPB will also use the CC 
Rating System to assign a consumer compliance rating, as appropriate, 
for institutions with total assets of more than $10 billion, as well as 
to nonbanks for which it has jurisdiction regarding the enforcement of 
Federal consumer financial laws as defined under the Dodd-Frank Act.\9\ 
When assigning a consumer compliance rating, as well as in other 
supervisory situations as appropriate, the prudential regulators will 
take into consideration any material supervisory information provided 
by the CFPB, as that information relates to covered supervisory 
activities or covered examinations.\10\ Similarly, the CFPB will take 
into consideration any material supervisory information provided by 
prudential regulators in appropriate supervisory situations, including 
when assigning consumer compliance ratings.
---------------------------------------------------------------------------

    \8\ Section 1025 of the Dodd-Frank Act (12 U.S.C. 5515) applies 
to federally insured institutions with more than $10 billion in 
total assets. This section granted the CFPB exclusive authority to 
examine insured depository institutions and their affiliates for 
compliance with Federal consumer financial laws. The prudential 
regulators retained authority for examining insured depository 
institutions with more than $10 billion in total assets for 
compliance with certain other laws related to consumer financial 
protection, including the Fair Housing Act, the Servicemembers Civil 
Relief Act, and section 5 of the Federal Trade Commission Act.
    \9\ 12 U.S.C. 5481 et seq. A financial institution with assets 
over $10 billion may receive a consumer compliance rating by both 
its primary prudential regulator and the CFPB. The rating is based 
on each agency's review of the institution's CMS and compliance with 
the federal consumer protection laws falling under each agency's 
jurisdiction.
    \10\ The prudential regulators and the CFPB signed a Memorandum 
of Understanding on Supervisory Coordination dated May 16, 2012 
(MOU) intended to facilitate the coordination of supervisory 
activities involving financial institutions with more than $10 
billion in assets as required under the Dodd-Frank Act.
---------------------------------------------------------------------------

    State regulators maintain supervisory authority to conduct 
examinations of state-chartered depository institutions and licensed 
entities. As such, states may assign consumer compliance ratings to 
evaluate compliance with both state and federal laws and regulations. 
States will collaborate and consider material supervisory information 
from other state and federal regulatory agencies during the course of 
examinations.

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act (44 U.S.C. 3501 et 
seq.) (PRA), the Agencies may not conduct or sponsor, and a person is 
not required to respond to, a collection of information unless it 
displays a currently valid Office of Management and Budget (OMB) 
control number. The proposed CC Rating System would not involve any new 
collections of information pursuant to the PRA. Consequently, no 
information will be submitted to the OMB for review.

FFIEC Guidance on Updating the Uniform Interagency Consumer Compliance 
Rating System

Uniform Interagency Consumer Compliance Rating System

    The Federal Financial Institutions Examination Council (FFIEC) 
member agencies (Agencies) promote compliance with federal consumer 
protection laws and regulations through supervisory and outreach 
programs.\11\ The Agencies engage in consumer compliance supervision to 
assess

[[Page 26557]]

whether a financial institution is meeting its responsibility to comply 
with these requirements.
---------------------------------------------------------------------------

    \11\ The FFIEC members are the Board of Governors of the Federal 
Reserve System, the Federal Deposit Insurance Corporation, the 
National Credit Union Administration, the Office of the Comptroller 
of the Currency, the Consumer Financial Protection Bureau, and the 
State Liaison Committee.
---------------------------------------------------------------------------

    This Uniform Interagency Consumer Compliance Rating System (CC 
Rating System) provides a general framework for assessing risks during 
the supervisory process using certain compliance factors and assigning 
an overall consumer compliance rating to each federally-regulated 
financial institution.\12\ The primary purpose of the CC Rating System 
is to ensure that regulated financial institutions are evaluated in a 
comprehensive and consistent manner, and that supervisory resources are 
appropriately focused on areas exhibiting risk of consumer harm and on 
institutions that warrant elevated supervisory attention.
---------------------------------------------------------------------------

    \12\ The Federal Financial Institutions Examination Council Act 
of 1978 (12 U.S.C. 3302(3)) defines financial institution. 
Additionally, as a member of the FFIEC, the CFPB will also use the 
Rating System to assign a consumer compliance rating, as appropriate 
for nonbanks, for which it has jurisdiction regarding the 
enforcement of Federal consumer financial laws as defined under the 
Dodd-Frank Act (12 U.S.C. 5481 et seq.).
---------------------------------------------------------------------------

    The CC Rating System is composed of guidance and definitions. The 
guidance provides examiners with direction on how to use the 
definitions when assigning a consumer compliance rating to an 
institution. The definitions consist of qualitative descriptions for 
each rating category and include compliance management system (CMS) 
elements reflecting risk control processes designed to manage consumer 
compliance risk and considerations regarding violations of laws, 
consumer harm, and the size, complexity, and risk profile of an 
institution. The consumer compliance rating reflects the effectiveness 
of an institution's CMS to ensure compliance with consumer protection 
laws and regulations and reduce the risk of harm to consumers.

Principles of the Interagency CC Rating System

    The Agencies developed the following principles to serve as a 
foundation for the CC Rating System.
    Risk-based. Recognize and communicate clearly that compliance 
management programs vary based on the size, complexity, and risk 
profile of supervised institutions.
    Transparent. Provide clear distinctions between rating categories 
to support consistent application by the Agencies across supervised 
institutions. Reflect the scope of the review that formed the basis of 
the overall rating.
    Actionable. Identify areas of strength and direct appropriate 
attention to specific areas of weakness, reflecting a risk-based 
supervisory approach. Convey examiners' assessment of the effectiveness 
of an institution's compliance risk management program, including its 
ability to prevent consumer harm and ensure compliance with consumer 
protection laws and regulations.
    Incent Compliance. Incent the institution to establish an effective 
consumer compliance program across the institution and to identify and 
address issues promptly, including self-identification and correction 
of consumer compliance weaknesses. Reflect the potential impact of any 
consumer harm identified in examination findings.

Five-Level Rating Scale

    The CC Rating System is based upon a numeric scale of 1 through 5 
in increasing order of supervisory concern. Thus, 1 represents the 
highest rating and consequently the lowest degree of supervisory 
concern, while 5 represents the lowest rating and the most critically 
deficient level of performance, and therefore, the highest degree of 
supervisory concern.\13\ Ratings of 1 or 2 represent satisfactory or 
better performance. Ratings of 3, 4, or 5 indicate performance that is 
less than satisfactory. Consistent with the previously described 
Principles, the rating system incents a financial institution to 
establish an effective compliance management system across the 
institution, to self-identify risks, and take the necessary actions to 
reduce the risk of non-compliance and consumer harm.
---------------------------------------------------------------------------

    \13\ The Agencies do not consider an institution's record of 
performance under the Community Reinvestment Act (CRA) in 
conjunction with assessing an institution under the CC Rating System 
since institutions are evaluated separately under the CRA.
---------------------------------------------------------------------------

     The highest rating of 1 is assigned to a financial 
institution that maintains a strong CMS and takes action to prevent 
violations of law and consumer harm.
     A rating of 2 is assigned to a financial institution that 
maintains a CMS that is satisfactory at managing consumer compliance 
risk in the institution's products and services and at substantially 
limiting violations of law and consumer harm.
     A rating of 3 reflects a CMS deficient at managing 
consumer compliance risk in the institution's products and services and 
at limiting violations of law and consumer harm.
     A rating of 4 reflects a CMS seriously deficient at 
managing consumer compliance risk in the institution's products and 
services and at preventing violations of law and consumer harm. A 
rating of seriously deficient indicates fundamental and persistent 
weaknesses in crucial CMS elements and severe inadequacies in core 
compliance areas necessary to operate within the scope of statutory and 
regulatory consumer protection requirements and to prevent consumer 
harm.
     A rating of 5 reflects a CMS critically deficient at 
managing consumer compliance risk in the institution's products and 
services and at preventing violations of law and consumer harm. A 
rating of critically deficient indicates an absence of crucial CMS 
elements and a demonstrated lack of willingness or capability to take 
the appropriate steps necessary to operate within the scope of 
statutory and regulatory consumer protection requirements and to 
prevent consumer harm.

CC Rating System Categories and Assessment Factors

CC Rating System--Categories

    The CC Rating System is organized under three broad categories:
    1. Board and Management Oversight,
    2. Compliance Program, and
    3. Violations of Law and Consumer Harm.
    The Consumer Compliance Rating Definitions below list the 
assessment factors considered within each category, along with 
narrative descriptions of performance.
    The first two categories, Board and Management Oversight and 
Compliance Program, are used to assess a financial institution's CMS. 
As such, examiners should evaluate the assessment factors within these 
two categories commensurate with the institution's size, complexity, 
and risk profile. All institutions, regardless of size, should maintain 
an effective CMS. The sophistication and formality of the CMS typically 
will increase commensurate with the size, complexity, and risk profile 
of the entity.
    Additionally, compliance expectations contained within the 
narrative descriptions of these two categories extend to third-party 
relationships into which the financial institution has entered. There 
can be certain benefits to financial institutions engaging in 
relationships with third parties, including gaining operational 
efficiencies or an ability to deliver additional products and services, 
but such arrangements also may expose financial institutions to risks 
if not managed effectively. The prudential agencies, the CFPB, and some 
states

[[Page 26558]]

have issued guidance describing expectations regarding oversight of 
third-party relationships. While an institution's management may make 
the business decision to outsource some or all of the operational 
aspects of a product or service, the institution cannot outsource the 
responsibility for complying with laws and regulations or managing the 
risks associated with third-party relationships.
    As noted in the Consumer Compliance Rating Definitions, examiners 
should evaluate activities conducted through third-party relationships 
as though the activities were performed by the institution itself. 
Examiners should review a financial institution's management of third-
party relationships and servicers as part of its overall compliance 
program.
    The third category, Violations of Law and Consumer Harm, includes 
assessment factors that evaluate the dimensions of any identified 
violation or consumer harm. Examiners should weigh each of these four 
factors--root cause, severity, duration, and pervasiveness--in 
evaluating relevant violations of law and any resulting consumer harm.

Board and Management Oversight--Assessment Factors

    Under Board and Management Oversight, the examiner should assess 
the financial institution's board of directors and senior management, 
as appropriate for their respective roles and responsibilities, based 
on the following assessment factors:
     Oversight of and commitment to the institution's 
compliance risk management program;
     effectiveness of the institution's change management 
processes, including responding timely and satisfactorily to any 
variety of change, internal or external, to the institution;
     comprehension, identification, and management of risks 
arising from the institution's products, services, or activities; and
     any corrective action undertaken as consumer compliance 
issues are identified.

Compliance Program--Assessment Factors

    Under Compliance Program, the examiner should assess other elements 
of an effective CMS, based on the following assessment factors:
     Whether the institution's policies and procedures are 
appropriate to the risk in the products, services, and activities of 
the institution;
     the degree to which compliance training is current and 
tailored to risk and staff responsibilities;
     the sufficiency of the monitoring and, if applicable, 
audit to encompass compliance risks throughout the institution; and
     the responsiveness and effectiveness of the consumer 
complaint resolution process.

Violations of Law and Consumer Harm--Assessment Factors

    Under Violations of Law and Consumer Harm, the examiner should 
analyze the following assessment factors:
     The root cause, or causes, of any violations of law 
identified during the examination;
     the severity of any consumer harm resulting from 
violations;
     the duration of time over which the violations occurred; 
and
     the pervasiveness of the violations.
    As a result of a violation of law, consumer harm may occur. While 
many instances of consumer harm can be quantified as a dollar amount 
associated with financial loss, such as charging higher fees for a 
product than was initially disclosed, consumer harm may also result 
from a denial of an opportunity. For example, a consumer could be 
harmed when a financial institution denies the consumer credit or 
discourages an application in violation of the Equal Credit Opportunity 
Act,\14\ whether or not there is resulting financial harm.
---------------------------------------------------------------------------

    \14\ 15 U.S.C. 1691 et seq.
---------------------------------------------------------------------------

    This category of the Consumer Compliance Rating Definitions defines 
four factors by which examiners can assess violations of law and 
consumer harm.
    Root Cause. Root cause analyzes the degree to which weaknesses in 
the CMS gave rise to the violations. In many instances, the root cause 
of a violation is tied to a weakness in one or more elements of the 
CMS. Violations that result from critical deficiencies in the CMS 
evidence a critical absence of management oversight and are of the 
highest supervisory concern.
    Severity. The severity dimension of the Consumer Compliance Rating 
Definitions weighs the type of consumer harm, if any, that resulted 
from violations of law. More severe harm results in a higher level of 
supervisory concern under this factor. For example, some consumer 
protection violations may cause significant financial harm to a 
consumer, while other violations may cause negligible harm, based on 
the specific facts involved.
    Duration. Duration describes the length of time over which the 
violations occurred. Violations that persist over an extended period of 
time will raise greater supervisory concerns than violations that occur 
for only a brief period of time. When violations are brought to the 
attention of an institution's management and management allows those 
violations to remain unaddressed, such violations are of the highest 
supervisory concern.
    Pervasiveness. Pervasiveness evaluates the extent of the 
violation(s) and resulting consumer harm, if any. Violations that 
affect a large number of consumers will raise greater supervisory 
concern than violations that impact a limited number of consumers. If 
violations become so pervasive that they are considered to be 
widespread or present in multiple products or services, the 
institution's performance under this factor is of the highest 
supervisory concern.

Self-Identification of Violations of Law and Consumer Harm

    Strong compliance programs are proactive. They promote consumer 
protection by preventing, self-identifying, and addressing compliance 
issues in a proactive manner. Accordingly, the CC Rating System 
provides incentives for such practices through the definitions 
associated with a 1 rating.
    The Agencies believe that self-identification and prompt correction 
of violations of law reflect strengths in an institution's CMS. A 
robust CMS appropriate for the size, complexity and risk profile of an 
institution's business often will prevent violations or will facilitate 
early detection of potential violations. This early detection can limit 
the size and scope of consumer harm. Moreover, prompt self-reporting of 
serious violations represents concrete evidence of an institution's 
commitment to responsibly address underlying risks. In addition, 
appropriate corrective action, including both correction of 
programmatic weaknesses and full redress for injured parties, limits 
consumer harm and prevents violations from recurring in the future. 
Thus, the CC Rating System recognizes institutions that consistently 
adopt these strategies as reflected in the Consumer Compliance Rating 
Definitions.

Evaluating Performance Using the CC Rating Definitions

    The consumer compliance rating is derived through an evaluation of 
the financial institution's performance under each of the assessment 
factors

[[Page 26559]]

described above. The consumer compliance rating reflects the 
effectiveness of an institution's CMS to identify and manage compliance 
risk in the institution's products and services and to prevent 
violations of law and consumer harm, as evidenced by the financial 
institution's performance under each of the assessment factors.
    The consumer compliance rating reflects a comprehensive evaluation 
of the financial institution's performance under the CC Rating System 
by considering the categories and assessment factors in the context of 
the size, complexity, and risk profile of an institution. It is not 
based on a numeric average or any other quantitative calculation. 
Specific numeric ratings will not be assigned to any of the twelve 
assessment factors. Thus, an institution need not achieve a 
satisfactory assessment in all categories in order to be assigned an 
overall satisfactory rating. Conversely, an institution may be assigned 
a less than satisfactory rating even if some of its assessments were 
satisfactory.
    The relative importance of each category or assessment factor may 
differ based on the size, complexity, and risk profile of an individual 
institution. Accordingly, one or more category or assessment factor may 
be more or less relevant at one financial institution as compared to 
another institution. While the expectations for compliance with 
consumer protection laws and regulations are the same across 
institutions of varying sizes, the methods for accomplishing an 
effective CMS may differ across institutions.
    The evaluation of an institution's performance within the 
Violations of Law and Consumer Harm category of the CC Rating 
Definitions considers each of the four assessment factors: Root Cause, 
Severity, Duration, and Pervasiveness. At the levels of 4 and 5 in this 
category, the distinctions in the definitions are focused on the root 
cause assessment factor rather than Severity, Duration, and 
Pervasiveness. This approach is consistent with the other categories 
where the difference between a 4 and a 5 is driven by the institution's 
capacity and willingness to maintain a sound consumer compliance 
system.
    In arriving at the final rating, the examiner must balance 
potentially differing conclusions about the effectiveness of the 
financial institution's CMS over the individual products, services, and 
activities of the organization. Depending on the relative materiality 
of a product line to the institution, an observed weakness in the 
management of that product line may or may not impact the conclusion 
about the institution's overall performance in the associated 
assessment factor(s). For example, serious weaknesses in the policies 
and procedures or audit program of the mortgage department at a 
mortgage lender would be of greater supervisory concern than those same 
gaps at an institution that makes very few mortgage loans and strictly 
as an accommodation. Greater weight should apply to the financial 
institution's management of material products with significant 
potential consumer compliance risk.
    An institution may receive a less than satisfactory rating even 
when no violations were identified, based on deficiencies or weaknesses 
identified in the institution's CMS. For example, examiners may 
identify weaknesses in elements of the CMS in a new loan product. 
Because the presence of those weaknesses left unaddressed could result 
in future violations of law and consumer harm, the CMS deficiencies 
could impact the overall consumer compliance rating, even if no 
violations were identified.
    Similarly, an institution may receive a 1 or 2 rating even when 
violations were present, if the CMS is commensurate with the risk 
profile and complexity of the institution. For example, when violations 
involve limited impact on consumers, were self-identified, and resolved 
promptly, the evaluation may result in a 1 or 2 rating. After 
evaluating the institution's performance in the two CMS categories, 
Board and Management Oversight and Compliance Program, and the 
dimensions of the violations in the third category, the examiner may 
conclude that the overall strength of the CMS and the nature of 
observed violations viewed together do not present significant 
supervisory concerns.

                                                         Consumer Compliance Rating Definitions
--------------------------------------------------------------------------------------------------------------------------------------------------------
Assessment factors to be considered             1                       2                      3                      4                      5
--------------------------------------------------------------------------------------------------------------------------------------------------------
Board and Management Oversight
Board and management oversight factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance
 expectations below extend to third-party relationships
--------------------------------------------------------------------------------------------------------------------------------------------------------
Oversight and Commitment...........  Board and management    Board and management    Board and management   Board and management   Board and management
                                      demonstrate strong      provide satisfactory    oversight of the       oversight,             oversight,
                                      commitment and          oversight of the        financial              resources, and         resources, and
                                      oversight to the        financial               institution's          attention to the       attention to the
                                      financial               institution's           compliance risk        compliance risk        compliance risk
                                      institution's           compliance risk         management program     management program     management program
                                      compliance risk         management program.     is deficient.          are seriously          are critically
                                      management program.                                                    deficient.             deficient.

[[Page 26560]]

 
                                     Substantial compliance  Compliance resources    Compliance resources   Compliance resources   Compliance resources
                                      resources are           are adequate and        and staff are          and staff are          are critically
                                      provided, including     staff is generally      inadequate to ensure   seriously deficient    deficient in
                                      systems, capital, and   able to ensure the      the financial          and are ineffective    supporting the
                                      human resources         financial institution   institution is in      at ensuring the        financial
                                      commensurate with the   is in compliance with   compliance with        financial              institution's
                                      institution's size,     consumer laws and       consumer laws and      institution's          compliance with
                                      complexity, and risk    regulations.            regulations.           compliance with        consumer laws and
                                      profile. Staff is                                                      consumer laws and      regulations, and
                                      knowledgeable,                                                         regulations.           management and staff
                                      empowered and held                                                                            are unwilling or
                                      accountable for                                                                               incapable of
                                      compliance with                                                                               operating within the
                                      consumer laws and                                                                             scope of consumer
                                      regulations.                                                                                  protection laws and
                                                                                                                                    regulations.
                                     Management conducts     Management conducts     Management does not    Management oversight   Management oversight
                                      comprehensive and       adequate and ongoing    adequately conduct     and due diligence      and due diligence of
                                      ongoing due diligence   due diligence and       due diligence and      over third party       third party
                                      and oversight of        oversight of third      oversight of third     performance, as well   performance is
                                      third parties           parties to ensure       parties to ensure      as management's        critically
                                      consistent with         that the financial      that the financial     ability to             deficient.
                                      agency expectations     institution complies    institution complies   adequately identify,
                                      to ensure that the      with consumer           with consumer          measure, monitor, or
                                      financial institution   protection laws, and    protection laws, nor   manage compliance
                                      complies with           adequately oversees     does it adequately     risks, is seriously
                                      consumer protection     third parties'          oversee third          deficient.
                                      laws, and exercises     policies, procedures,   parties' policies,
                                      strong oversight of     internal controls,      procedures, internal
                                      third parties'          and training to         controls, and
                                      policies, procedures,   ensure appropriate      training to ensure
                                      internal controls,      oversight of            appropriate
                                      and training to         compliance              oversight of
                                      ensure consistent       responsibilities.       compliance
                                      oversight of                                    responsibilities.
                                      compliance
                                      responsibilities.
Change Management..................  Management anticipates  Management responds     Management does not    Management's response  Management fails to
                                      and responds promptly   timely and adequately   respond adequately     to changes in          monitor and respond
                                      to changes in           to changes in           and/or timely in       applicable laws and    to changes in
                                      applicable laws and     applicable laws and     adjusting to changes   regulations, market    applicable laws and
                                      regulations, market     regulations, market     in applicable laws     conditions, or         regulations, market
                                      conditions and          conditions, products    and regulations,       products and           conditions, or
                                      products and services   and services offered    market conditions,     services offered is    products and
                                      offered.                by evaluating the       and products and       seriously deficient.   services offered.
                                                              change and              services offered.
                                                              implementing
                                                              responses across
                                                              impacted lines of
                                                              business.
                                     Management conducts     Management evaluates
                                      due diligence in        product changes
                                      advance of product      before and after
                                      changes, considers      implementing the
                                      the entire life cycle   change.
                                      of a product or
                                      service in
                                      implementing change,
                                      and reviews the
                                      change after
                                      implementation to
                                      determine that
                                      actions taken have
                                      achieved planned
                                      results.
--------------------------------------------------------------------------------------------------------------------------------------------------------

[[Page 26561]]

 
Comprehension, Identification and    Management has a solid  Management comprehends  Management has an      Management exhibits a  Management does not
 Management of Risk.                  comprehension of and    and adequately          inadequate             seriously deficient    comprehend nor
                                      effectively             identifies compliance   comprehension of and   comprehension of and   identify compliance
                                      identifies compliance   risks, including        ability to identify    ability to identify    risks, including
                                      risks, including        emerging risks, in      compliance risks,      compliance risks,      emerging risks, in
                                      emerging risks, in      the financial           including emerging     including emerging     the financial
                                      the financial           institution's           risks, in the          risks, in the          institution.
                                      institution's           products, services,     financial              financial
                                      products, services,     and other activities.   institution's          institution.
                                      and other activities.                           products, services,
                                                                                      and other activities.
                                     Management actively     Management adequately
                                      engages in managing     manages those risks,
                                      those risks,            including through
                                      including through       self-assessments.
                                      comprehensive self-
                                      assessments.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Corrective Action and Self-          Management proactively  Management adequately   Management does not    Management response    Management is
 Identification.                      identifies issues and   responds to and         adequately respond     to deficiencies,       incapable, unwilling
                                      promptly responds to    corrects deficiencies   to compliance          violations and         and/or fails to
                                      compliance risk         and/or violations,      deficiencies and       examination findings   respond to
                                      management              including adequate      violations including   is seriously           deficiencies,
                                      deficiencies and any    remediation, in the     those related to       deficient.             violations or
                                      violations of laws or   normal course of        remediation.                                  examination
                                      regulations,            business.                                                             findings.
                                      including remediation.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Compliance Program Compliance Program factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance
 expectations below extend to third-party relationships.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Policies and Procedures............  Compliance policies     Compliance policies     Compliance policies    Compliance policies    Compliance policies
                                      and procedures and      and procedures and      and procedures and     and procedures and     and procedures and
                                      third-party             third-party             third-party            third-party            third-party
                                      relationship            relationship            relationship           relationship           relationship
                                      management programs     management programs     management programs    management programs    management programs
                                      are strong,             are adequate to         are inadequate at      are seriously          are critically
                                      comprehensive and       manage the compliance   managing the           deficient at           absent.
                                      provide standards to    risk in the products,   compliance risk in     managing compliance
                                      effectively manage      services and            the products,          risk in the
                                      compliance risk in      activities of the       services and           products, services
                                      the products,           financial institution.  activities of the      and activities of
                                      services and                                    financial              the financial
                                      activities of the                               institution.           institution.
                                      financial institution.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Training...........................  Compliance training is  Compliance training     Compliance training    Compliance training    Compliance training
                                      comprehensive,          outlining staff         is not adequately      is seriously           is critically
                                      timely, and             responsibilities is     comprehensive,         deficient in its       absent.
                                      specifically tailored   provided timely to      timely, updated, or    comprehensiveness,
                                      to the particular       appropriate staff.      appropriately          timeliness, or
                                      responsibilities of                             tailored to the        relevance to staff
                                      the staff receiving                             particular             with compliance
                                      it, including those                             responsibilities of    responsibilities, or
                                      responsible for                                 the staff.             has numerous major
                                      product development,                                                   inaccuracies.
                                      marketing and
                                      customer service.

[[Page 26562]]

 
                                     The compliance          The compliance
                                      training program is     training program is
                                      updated proactively     updated to encompass
                                      in advance of the       new products and to
                                      introduction of new     comply with changes
                                      products or new         to consumer
                                      consumer protection     protection laws and
                                      laws and regulations    regulations.
                                      to ensure that all
                                      staff are aware of
                                      compliance
                                      responsibilities
                                      before rolled out.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Monitoring and/or Audit............  Compliance monitoring   Compliance monitoring   Compliance monitoring  Compliance monitoring  Compliance monitoring
                                      practices, management   practices, management   practices,             practices,             practices,
                                      information systems,    information systems,    management             management             management
                                      compliance audit, and   compliance audit, and   information systems,   information systems,   information systems,
                                      internal control        internal control        compliance audit,      compliance audit,      compliance audit, or
                                      systems are             systems adequately      and internal control   and internal           internal controls
                                      comprehensive,          address compliance      systems do not         controls are           are critically
                                      timely, and             risks throughout the    adequately address     seriously deficient    absent.
                                      successful at           financial institution.  risks involving        in addressing risks
                                      identifying and                                 products, services     involving products,
                                      measuring material                              or other activities    services or other
                                      compliance risk                                 including timing and   activities.
                                      management throughout                           scope.
                                      the financial
                                      institution.
                                     Programs are monitored
                                      proactively to
                                      identify procedural
                                      or training
                                      weaknesses to
                                      preclude regulatory
                                      violations. Program
                                      modifications are
                                      made expeditiously to
                                      minimize compliance
                                      risk.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Consumer Complaint Response........  Processes and           Processes and           Processes and          Processes and          Processes and
                                      procedures for          procedures for          procedures for         procedures for         procedures for
                                      addressing consumer     addressing consumer     addressing consumer    addressing consumer    addressing consumer
                                      complaints are          complaints are          complaints are         complaints and         complaints are
                                      strong. Consumer        adequate. Consumer      inadequate. Consumer   consumer complaint     critically absent.
                                      complaint               complaint               complaint              investigations are     Meaningful
                                      investigations and      investigations and      investigations and     seriously deficient.   investigations and
                                      responses are prompt    responses are           responses are not                             responses are
                                      and thorough.           generally prompt and    thorough or timely.                           absent.
                                                              thorough.
                                     Management monitors     Management adequately   Management does not    Management monitoring  Management exhibits a
                                      consumer complaints     monitors consumer       adequately monitor     of consumer            disregard for
                                      to identify risks of    complaints and          consumer complaints.   complaints is          complaints or
                                      potential consumer      responds to issues                             seriously deficient.   preventing consumer
                                      harm, program           identified.                                                           harm.
                                      deficiencies, and
                                      customer service
                                      issues and takes
                                      appropriate action.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Violations of Law and Consumer Harm
--------------------------------------------------------------------------------------------------------------------------------------------------------

[[Page 26563]]

 
Root Cause.........................  The violations are the  Violations are the      Violations are the     Violations are the     Violations are the
                                      result of minor         result of modest        result of material     result of serious      result of critical
                                      weaknesses, if any,     weaknesses in the       weaknesses in the      deficiencies in the    deficiencies in the
                                      in the compliance       compliance risk         compliance risk        compliance risk        compliance risk
                                      risk management         management system.      management system.     management system.     management system.
                                      system.
Severity...........................  The type of consumer    The type of consumer    The type of consumer   The type of consumer   The type of consumer
                                      harm, if any,           harm resulting from     harm resulting from    harm resulting from    harm resulting from
                                      resulting from the      the violations would    the violations would   the violations would   the violations would
                                      violations would have   have a limited impact   have a considerable    have a serious         have a serious
                                      a minimal impact on     on consumers.           impact on consumers.   impact on consumers.   impact on consumers.
                                      consumers.
Duration...........................  The violations and      The violations and      The violations and     The violations and     The violations and
                                      resulting consumer      resulting consumer      resulting consumer     resulting consumer     resulting consumer
                                      harm, if any,           harm, if any,           harm, if any,          harm, if any, have     harm, if any, have
                                      occurred over a brief   occurred over a         occurred over an       been long standing     been long standing
                                      period of time.         limited period of       extended period of     or repeated.           or repeated.
                                                              time.                   time.
Pervasiveness......................  The violations and      The violations and      The violations and     The violations and     The violations and
                                      resulting consumer      resulting consumer      resulting consumer     resulting consumer     resulting consumer
                                      harm, if any, are       harm, if any, are       harm, if any, are      harm, if any, are      harm, if any, are
                                      isolated in number.     limited in number.      numerous.              widespread or in       widespread or in
                                                                                                             multiple products or   multiple products or
                                                                                                             services.              services.
--------------------------------------------------------------------------------------------------------------------------------------------------------

[End of proposed text.]

    Dated: April 28, 2016.

Federal Financial Institutions Examination Council.
Judith E. Dupre,
FFIEC Executive Secretary.
[FR Doc. 2016-10289 Filed 5-2-16; 8:45 a.m.]
 BILLING CODE 7535-01-P 6714-01-P; 6210-01-P 4810-33-P; 4810-AM-P