[Federal Register Volume 81, Number 219 (Monday, November 14, 2016)]
[Notices]
[Pages 79473-79483]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-27226]
=======================================================================
-----------------------------------------------------------------------
FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL
[Docket No. FFIEC-2016-0003]
Uniform Interagency Consumer Compliance Rating System
AGENCY: Federal Financial Institutions Examination Council (FFIEC).
ACTION: Notice; final guidance.
-----------------------------------------------------------------------
SUMMARY: The Federal Financial Institutions Examination Council
(FFIEC), on behalf of its members, is revising the Uniform Interagency
Consumer Compliance Rating System, more commonly known as the CC Rating
System. The agencies comprising the FFIEC are the Board of Governors of
the Federal Reserve System (FRB), the Consumer Financial Protection
Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the
National Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the State Liaison Committee
(SLC) (Agencies). The FFIEC promotes compliance with federal consumer
protection laws and regulations through each agency's supervisory and
outreach programs.
The CC Rating System revisions reflect the regulatory, examination
(supervisory), technological, and market changes that have occurred in
the years since the original rating system was established in 1980. The
revisions are designed to better reflect current consumer compliance
supervisory approaches and to more fully align the CC Rating System
with the Agencies' current risk-based, tailored examination processes.
The CC Rating System is being published after consideration of comments
received from the public.
DATES: Effective March 31, 2017.
FOR FURTHER INFORMATION CONTACT:
[[Page 79474]]
Board: Lanette Meister, Senior Supervisory Consumer Financial
Services Analyst, Board of Governors of the Federal Reserve System,
20th and C Streets NW., Washington, DC 20551, (202) 452-2705.
CFPB: Cassandra Huggins, Attorney-Advisor, Consumer Financial
Protection Bureau, 1700 G Street NW., Washington, DC 20552, (202) 435-
9177.
FDIC: Ardie Hollifield, Senior Policy Analyst, Federal Deposit
Insurance Corporation, 550 17th Street NW., Washington, DC 20429-0002,
(202) 898-6638; John Jackwood, Senior Policy Analyst, (202) 898-3991;
or Faye Murphy, Chief, Consumer Compliance and UDAP Examination
Section, (202) 898-6613.
NCUA: Matthew J. Biliouris, Deputy Director, Office of Consumer
Financial Protection and Access, National Credit Union Administration,
1775 Duke Street, Alexandria, VA 22314-3428, (703) 518-1161.
OCC: Kimberly Hebb, Director of Compliance Policy, Office of the
Comptroller of the Currency, 400 7th Street SW., Washington, DC 20219,
(202) 649-5470; or Michael S. Robertson, Compliance Specialist, (202)
649-5470.
SLC: Matthew Lambert, Policy Counsel, Conference of State Bank
Supervisors, 1129 20th Street NW., 9th Floor, Washington, DC 20036,
(202) 407-7130.
SUPPLEMENTARY INFORMATION:
Background
Pursuant to 12 U.S.C. 3301 et seq., the FFIEC, established in 1979,
is a formal interagency body empowered to prescribe principles and
standards for the federal examination of financial institutions and to
make recommendations to promote consistency and coordination in the
supervision of institutions.
The FFIEC promotes compliance with federal consumer protection laws
and regulations through each agency's supervisory and outreach
programs. Through compliance supervision, the Agencies determine
whether an institution is meeting its responsibility to comply with
applicable requirements.
On May 3, 2016, the FFIEC published a notice and request for
comment in the Federal Register (May Proposal), 81 FR 26553, requesting
comment on proposed revisions to the CC Rating System. The CC Rating
System is a supervisory policy for evaluating financial institutions'
\1\ adherence to consumer compliance requirements. It provides a
general framework for evaluating compliance assessment factors in order
to assign a consumer compliance rating to each federally regulated
financial institution.\2\ The primary purpose of the CC Rating System
is to ensure that regulated financial institutions are evaluated in a
comprehensive and consistent manner and that supervisory resources are
appropriately focused on areas exhibiting risk of consumer harm and on
institutions that warrant elevated supervisory attention. The revised
CC Rating System emphasizes the importance of institutions' compliance
management systems (CMS), with emphasis on compliance risk management
practices designed to manage consumer compliance risk, support
compliance, and prevent consumer harm.
---------------------------------------------------------------------------
\1\ The term financial institutions is defined in 12 U.S.C.
3302(3).
\2\ NCUA integrates the principles and standards of the current
CC Rating System into the existing CAMEL rating structure, in place
of a separate rating. When finalized, the revised CC Rating System
will be incorporated into NCUA's risk-focused examination program.
Using the principles and standards contained in the revised CC
Rating System, NCUA examiners will assess a credit union's ability
to effectively manage its compliance risk and reflect that ability
in the Management component rating and the overall CAMEL rating used
by NCUA.
---------------------------------------------------------------------------
The CC Rating System is based upon a scale of 1 through 5, in
increasing order of supervisory concern. Thus, 1 represents the highest
rating and consequently the lowest level of supervisory concern, while
5 represents the lowest rating and consequently the most critically
deficient level of performance and the highest degree of supervisory
concern. When using the CC Rating System to assess an institution, the
Agencies do not consider an institution's record of performance under
the Community Reinvestment Act (CRA) because institutions are evaluated
separately for CRA.
Purpose of the Revisions
The CC Rating System revisions are designed to better reflect
current consumer compliance supervisory approaches and to more fully
align the rating system with the Agencies' current risk-based, tailored
examination processes. The revisions to the CC Rating System were not
developed to set new or higher supervisory expectations for financial
institutions and their adoption will represent no additional regulatory
burden.
When the original CC Rating System was adopted in 1980,
examinations focused more on transaction testing for regulatory
compliance rather than evaluating the sufficiency of an institution's
CMS to ensure compliance with regulatory requirements and to prevent
consumer harm. In the intervening years, each of the Agencies has
adopted a risk-based consumer compliance examination approach to
promote strong compliance risk management practices and consumer
protection within supervised financial institutions. Risk-based
consumer compliance supervision evaluates whether an institution's CMS
effectively manages the compliance risk in the products and services
offered to its customers. Under risk-based supervision, examiners
tailor supervisory activities to the size, complexity, and risk profile
of each institution and adjust these activities over time. While
compliance management programs vary based on the size, complexity, and
risk profile of supervised institutions, all institutions should
maintain an effective CMS. The sophistication and formality of the CMS
typically will increase commensurate with the size, complexity, and
risk profile of the entity.
As the Agencies drafted the new rating system definitions, one
objective was to develop a rating system appropriate for evaluating
institutions of all sizes. Therefore, the revised CC Rating System
conveys that the system is risk-based to recognize and communicate
clearly that compliance management programs vary based on the size,
complexity, and risk profile of supervised institutions. This concept
is reinforced in the Consumer Compliance Rating Definitions by
conveying to examiners that assessment factors associated with an
institution's CMS should be evaluated commensurate with the
institution's size, complexity, and risk profile.
In developing the revised CC Rating System, the Agencies believed
it was also important for the new rating system to establish incentives
for institutions to promote consumer protection by preventing, self-
identifying, and addressing compliance issues in a proactive manner.
Therefore, the revised rating system recognizes institutions that
consistently adopt these compliance strategies.
Another benefit of the new CC Rating System is to promote
coordination, communication, and consistency among the Agencies,
consistent with the Agencies' respective supervisory authorities. Each
of the Agencies will use the CC Rating System to assign a consumer
compliance rating to supervised institutions, including banks and
nonbanks, as appropriate, consistent with the agency's supervisory
authority. Further, revising the rating system definitions responds to
requests
[[Page 79475]]
from industry representatives who have asked that the CC Rating System
be updated.
Summary of Comments Received
The FFIEC received 17 comments regarding the proposed revisions to
the CC Rating System. Eight of the comments were from financial
institution trade associations, three from consumer and community
advocacy organizations, two from trade consultants, one from a
financial holding company, one from an individual, and two from
anonymous sources.
Commenters generally favored the changes to the CC Rating System,
commending the Agencies':
1. Recognition of the need for the CC Rating System to be risk-
based and focus more on the sufficiency of the CMS;
2. inclusion of incentives to support institutions' establishment
of effective consumer compliance programs;
3. consideration of violations of consumer laws based on root
cause, severity, duration, and pervasiveness;
4. inclusion of third-party relationships; and
5. application of the same rating system across providers of
consumer financial services under the Agencies' jurisdictions.
Some commenters recommended clarifying changes to various aspects
of the revised rating system, as described below. After consideration
of all comments, the FFIEC is issuing this final CC Rating System
substantially as proposed, but with some changes for clarification
purposes. The following discussion describes the comments received and
changes made to the CC Rating System in response. The final updated CC
Rating System is included at the end of this Notice.
Principles of the Interagency CC Rating System
The Agencies developed four principles to serve as a foundation for
the CC Rating System. Under those principles, the rating system must be
risk-based, transparent, actionable, and should incent compliance.
The Agencies received comments concerning the first principle,
which states that the CC Rating System must be risk-based. One
commenter encouraged the Agencies to adopt standards that are risk-
based to ensure that small institutions are not overwhelmed by unwieldy
regulatory burden. The Agencies agree. As explained above, the
revisions to the CC Rating System were not developed to set new or
higher supervisory expectations for financial institutions and their
adoption will not increase regulatory burden. Additionally, the CC
Rating System directs examiners to assess an institution's CMS
commensurate with the institution's size, complexity, and risk profile.
Five-Level Rating Scale
Commenters recommended that descriptive language be added to each
of the five levels of the CC Rating System and to certain assessment
factors, and that specific examples be provided to clarify what is
required under the new rating system. One commenter stated that the
distinction between the assessment factor levels is subjective. Another
commenter suggested that the CC Rating System use descriptive
adjectives instead of numbers to portray examination ratings. The
Agencies believe that the adjectives used in each of the assessment
factors under the numerical ratings contained in the Consumer
Compliance Rating Definitions, as well as the description of the
numerical ratings contained in the Guidance, provide useful terms and
clear distinctions between the rating levels. The rating levels and
categories will allow examiners to distinguish between varying degrees
of supervisory concern when rating institutions. Therefore, the
Agencies concluded that the addition of descriptive terms to the
numerical rating in the CC Rating System would not be necessary.
A commenter suggested that each of the three categories of
assessment factors should be assigned a numerical average or weight of
importance. The consumer compliance rating reflects a comprehensive
evaluation of a financial institution's performance by considering the
categories and assessment factors in the context of the size,
complexity, and risk profile of the institution. Thus, the rating is
not based on a numeric average or any other quantitative calculation.
The relative importance of each category or assessment factor may
differ based on the size, complexity, and risk profile of an individual
institution. Accordingly, one or more category or assessment factor may
be more or less relevant at one financial institution as compared to
another institution. An examiner must balance conclusions about the
effectiveness of the financial institution's CMS over the individual
products, services, and activities of the organization when arriving at
a consumer compliance rating. Therefore, the Agencies do not believe it
would be appropriate to implement a numerical average or weighting
within the final CC Rating System.
Board and Management Oversight
Commenters recommended that the Agencies incorporate discussion of
the Culture of Compliance into the Board and Management Oversight
category. Commenters provided components of a compliance culture such
as the Board and Management's commitment to the existence and
effectiveness of policies, procedures, risk assessments, due diligence,
training, accountability, and an environment in which staff can report
compliance issues and receive a positive response from management. The
Agencies believe that the details defined in the Consumer Compliance
Rating Definitions under Board and Management Oversight address the
concerns stated by the commenters by making clear that management teams
that achieve satisfactory or better performance exhibit a commitment to
each of those areas.
Corrective Action and Self-Identification
A commenter observed that the CC Rating System appropriately
encourages a financial institution to proactively correct violations
and to provide remediation to affected consumers. However, that
commenter suggested the Agencies provide more guidance to make clear
that an entity's subsequent corrective action would not compensate for
a consistent pattern of non-compliance and weak management. The
Agencies agree and believe that this point is reflected in the
guidance. The Violations and Consumer Harm category ensures that
examiners consider noncompliance and resulting consumer harm when
assigning a rating. The other categories require examiners to evaluate
the effectiveness of the institution's management and compliance
program to identify and manage compliance risk in the institution's
products and services and to prevent violations of law and consumer
harm.
One commenter expressed concern that the concept of self-
identification was presented inconsistently in the May Proposal. The
commenter noted that the Corrective Action and Self-Identification
assessment factor was described only as, any corrective action
undertaken as consumer compliance issues are identified within the
proposed CC Rating System guidance. The commenter noted that elsewhere
in the proposal, discussion of this assessment factor appropriately
incorporates the concept of self-identification. The Agencies have
updated language in the Guidance to clarify discussion of this
assessment factor by adding reference to self-identification of
consumer compliance
[[Page 79476]]
issues to the description of the Corrective Action and Self-
Identification assessment factor.
Training
One commenter recommended that the CC Rating System require
training programs to adequately train employees on compliance with fair
lending and consumer protection laws. The Agencies believe that the
definitions included in the Training assessment factor appropriately
describe the Agencies' expectations that compliance training programs
encompass consumer protection laws and regulations and do not believe
that more specificity would be helpful.
Third-Party Relationships
One commenter supported the assessment of third-party relationship
management within the CC Rating System. The commenter stated that
regulatory oversight of third-party relationships is critical to ensure
that financial institutions do not use those relationships to avoid
compliance with consumer protection and fair lending laws.
Another commenter suggested the CC Rating System should clarify
that the evaluation of an institution's third-party relationships will
be limited to relationships between the financial institutions and
vendors that impact consumer financial products and services.
Specifically, the commenter suggested the Agencies should clarify that
the CC Rating System does not extend to the financial institutions'
broad third-party relationship management program. The Agencies note
that the CC Rating System requires examiners to review a financial
institution's management of third-party relationships and servicers as
part of its overall consumer compliance program. The CC Rating System
does not impose specific expectations for management of third-party
relationships. Such expectations are provided in separate guidance
issued by each of the Agencies.\3\
---------------------------------------------------------------------------
\3\ Guidance from the Agencies addressing third-party
relationships is generally available on their respective Web sites.
See, e.g., CFPB Bulletin 2012-03, ``Service Providers'' (April. 13,
2012), available at http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf; FDIC FIL 44-2208,
``Managing Third-Party Risk'' (June 6, 2008), available at http://www.fdic.gov/news/news/financial/2008/fil08044a.html; NCUA Letter to
Credit Unions 07-CU-13, ``Evaluating Third Party Relationships''
(December 2007), available at http://www.ncua.gov/Resources/Documents/LCU2007-13.pdf; OCC Bulletin OCC 2013-29, ``Third-Party
Relationship: Risk Management Guidances'' (October 30, 2013),
available at http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html; Interagency Guidance, ``Weblinking:
Identifying Risks and Risk Management Techniques'' (2003), available
at http://www.occ.treas.gov/news-issuances/bulletins/2003/bulletin-2003-15a.pdf.; NCUA Letter to Credit Unions 03-CU-08, ``Weblinking:
Identifying Risks & Risk Management Techniques'' (April 2003),
available at http://ithandbook.ffiec.gov/media/resources/3315/ncu-03-cu-08_weblinking_tech.pdf. See SR 13-19/CA 13-21, ``Guidance on
Managing Outsourcing Risk'' (December 5, 2013) available at http://www.federalreserve.gov/bankinforeg/srletters/sr1319.htm.
---------------------------------------------------------------------------
Violations of Law and Consumer Harm
Commenters expressed conflicting concerns over the Violations of
Law and Consumer Harm category. Some noted that the category is defined
too narrowly in that it does not appropriately consider practices that
present a risk of harm to consumers that are not clear violations of
law. The Agencies believe that management of compliance risk is
appropriately considered in the other two categories. Specifically, the
first two categories, ``Board and Management Oversight and Compliance
Program include, for example, consideration of how effectively
institutions identify and manage compliance risks, including emerging
risks; assessment of whether institutions evaluate product changes
before and after implementing the changes; and evaluation of the
sufficiency of the institution's procedures, training, and monitoring
practices to manage compliance risk in the products, services, and
activities of the institution. Others commented that the CC Rating
System should be narrowed to address only violations of law that result
in consumer harm. These commenters believe that a CMS deficiency exists
only when a legal violation occurs that results in sufficient consumer
harm. The Agencies disagree that a CMS can only be judged to be
deficient when violations of law occur. The CC Rating System incents
institutions to implement a CMS that effectively prevents, identifies,
and addresses CMS deficiencies and any violations of laws or
regulations.
One commenter noted that the Rating Categories should be weighted,
with Violations of Law and Consumer Harm carrying the most weight
because the commenter believes that prevention of violations and
consumer harm is the entire purpose of the CC Rating System. While
preventing consumer harm is critically important and integral to the CC
Rating System, the Agencies disagree that the best way to achieve this
purpose would be by requiring that this category always be weighted
more than the others. The Agencies believe that CMS plays a critical
role in prevention of violations and consumer harm. Thus, while the
Violations of Law and Consumer Harm category evaluates violations and
harm that have occurred, the other two categories evaluate the
effectiveness of the CMS to prevent consumer violations and harm.
Severity
One commenter stated that the severity of a violation should not be
based solely on the dollar amount of consumer harm. The revised CC
Rating System does not base severity solely on a dollar amount of harm.
The CC Rating system acknowledges that while many instances of consumer
harm can be quantified as a dollar amount associated with financial
loss, such as charging higher fees for a product than was initially
disclosed, consumer harm may also result from a denial of an
opportunity.
Assignment of Ratings by Supervisors
Several commenters encouraged the Agencies to implement a rating
system with a single consumer compliance rating for all institutions,
including those with assets greater than $10 billion. Commenters noted
concerns with reconciling different ratings issued by two agencies and
questioned whether two consumer compliance ratings could provide
actionable feedback and effective incentives to supervised
institutions. The Agencies believe that the detail that examiners
provide regarding the scope of the compliance areas and products
reviewed in arriving at a consumer compliance rating furnishes
sufficient context to support effective financial institution response
to rating conclusions. The CFPB will continue to issue consumer
compliance ratings to providers of consumer financial products and
services under its supervisory jurisdiction.
Comments Out of Scope of the CC Rating System
Commenters also submitted comments that, while broadly related to
consumer compliance ratings, fall outside the scope of the CC Rating
System. For example, some commenters identified specific consumer
protection issues, such as overdraft practices and bank partnerships
with non-bank lenders, that they believe should merit heightened
consideration within the examination process. While these issues may be
important, the CC Rating System does not provide guidance to examiners
regarding specific consumer compliance issues. The Agencies provide
such issue-oriented guidance and guidance on risk-focused supervision
in separate official letters and bulletins.
Three commenters suggested that the CC Rating System require
examiners to provide a summary of the institution's
[[Page 79477]]
performance within each category. Historically, examiners at each
agency have articulated factors contributing to the consumer compliance
rating within the Report of Examination. Financial institutions will
continue to receive this information through that report.
One commenter suggested mandatory penalties for less-than-
satisfactory performance. The CC Rating System does not address the
Agencies' supervisory response to consumer compliance ratings.
Two commenters also suggested that the FFIEC should conduct an
assessment of examination results across the Agencies to evaluate the
success of the CC Rating System implementation. Each agency maintains
formal training and comprehensive quality assurance processes to ensure
consistent application of policy changes and uses these tools on an
ongoing basis.
Another commenter emphasized that the Agencies should promote
transparency through public release of ratings. Ratings are
confidential supervisory information that are prohibited from
disclosure except as authorized by federal laws and regulations.
Two commenters supported the NCUA's approach to integrate the
principles and standards of the CC Rating System into the existing
CAMEL rating structure, in place of a separate or stand-alone CC
rating. Using the principles and standards contained in the revised CC
Rating System, NCUA examiners will incorporate their assessment of a
credit union's ability to effectively manage its compliance risk into
the Management component rating and the overall CAMEL rating used by
NCUA.
Implementation Date
The FFIEC recommends that the Agencies implement the updated CC
Rating System for consumer compliance examinations that begin on or
after March 31, 2017.\4\
---------------------------------------------------------------------------
\4\ For institutions with continuous target supervisory
activities during a 12-month supervisory cycle, the Consumer
Compliance Rating System Guidance will be used when the supervisory
cycle for that institution ends on or after March 31, 2017.
---------------------------------------------------------------------------
FFIEC Guidance on the Uniform Interagency Consumer Compliance Rating
System
Uniform Interagency Consumer Compliance Rating System
The Federal Financial Institutions Examination Council (FFIEC)
member agencies (Agencies) promote compliance with federal consumer
protection laws and regulations through supervisory and outreach
programs.\5\ The Agencies engage in consumer compliance supervision to
assess whether a financial institution is meeting its responsibility to
comply with these requirements.
---------------------------------------------------------------------------
\5\ The FFIEC members are the Board of Governors of the Federal
Reserve System, the Consumer Financial Protection Bureau (CFPB), the
Federal Deposit Insurance Corporation, the National Credit Union
Administration, the Office of the Comptroller of the Currency, and
the State Liaison Committee.
---------------------------------------------------------------------------
This Uniform Interagency Consumer Compliance Rating System (CC
Rating System) provides a general framework for assessing risks during
the supervisory process using certain compliance factors and assigning
an overall consumer compliance rating to each federally regulated
financial institution.\6\ The primary purpose of the CC Rating System
is to ensure that regulated financial institutions are evaluated in a
comprehensive and consistent manner, and that supervisory resources are
appropriately focused on areas exhibiting risk of consumer harm and on
institutions that warrant elevated supervisory attention.
---------------------------------------------------------------------------
\6\ The Federal Financial Institutions Examination Council Act
of 1978 (12 U.S.C. 3302(3)) defines financial institution.
Additionally, as a member of the FFIEC, the CFPB will also use the
CC Rating System to assign a consumer compliance rating, as
appropriate for nonbanks, for which it has jurisdiction regarding
the enforcement of Federal consumer financial laws as defined under
the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-
Frank Act) (12 U.S.C. 5481 et seq.).
---------------------------------------------------------------------------
The CC Rating System is composed of guidance and definitions. The
guidance provides examiners with direction on how to use the
definitions when assigning a consumer compliance rating to an
institution. The definitions consist of qualitative descriptions for
each rating category and include compliance management system (CMS)
elements reflecting risk control processes designed to manage consumer
compliance risk and considerations regarding violations of laws,
consumer harm, and the size, complexity, and risk profile of an
institution. The consumer compliance rating reflects the effectiveness
of an institution's CMS to ensure compliance with consumer protection
laws and regulations and reduce the risk of harm to consumers.
Principles of the Interagency CC Rating System
The Agencies developed the following principles to serve as a
foundation for the CC Rating System.
Risk-based. Recognize and communicate clearly that CMS vary based
on the size, complexity, and risk profile of supervised institutions.
Transparent. Provide clear distinctions between rating categories
to support consistent application by the Agencies across supervised
institutions. Reflect the scope of the review that formed the basis of
the overall rating.
Actionable. Identify areas of strength and direct appropriate
attention to specific areas of weakness, reflecting a risk-based
supervisory approach. Convey examiners' assessment of the effectiveness
of an institution's CMS, including its ability to prevent consumer harm
and ensure compliance with consumer protection laws and regulations.
Incent Compliance. Incent the institution to establish an effective
consumer compliance system across the institution and to identify and
address issues promptly, including self-identification and correction
of consumer compliance weaknesses. Reflect the potential impact of any
consumer harm identified in examination findings.
Five-Level Rating Scale
The CC Rating System is based upon a numeric scale of 1 through 5
in increasing order of supervisory concern. Thus, 1 represents the
highest rating and consequently the lowest degree of supervisory
concern, while 5 represents the lowest rating and the most critically
deficient level of performance, and therefore, the highest degree of
supervisory concern.\7\ Ratings of 1 or 2 represent satisfactory or
better performance. Ratings of 3, 4, or 5 indicate performance that is
less than satisfactory. Consistent with the previously described
Principles, the rating system incents a financial institution to
establish an effective CMS across the institution, to self-identify
risks, and to take the necessary actions to reduce the risk of non-
compliance and consumer harm.
---------------------------------------------------------------------------
\7\ The Agencies do not consider an institution's record of
performance under the Community Reinvestment Act (CRA) in
conjunction with assessing an institution under the CC Rating System
since institutions are evaluated separately under the CRA.
---------------------------------------------------------------------------
The highest rating of 1 is assigned to a financial
institution that maintains a strong CMS and takes action to prevent
violations of law and consumer harm.
A rating of 2 is assigned to a financial institution that
maintains a CMS that is satisfactory at managing consumer compliance
risk in the institution's products and services and at substantially
limiting violations of law and consumer harm.
A rating of 3 reflects a CMS deficient at managing
consumer
[[Page 79478]]
compliance risk in the institution's products and services and at
limiting violations of law and consumer harm.
A rating of 4 reflects a CMS seriously deficient at
managing consumer compliance risk in the institution's products and
services and/or at preventing violations of law and consumer harm.
Seriously deficient indicates fundamental and persistent weaknesses in
crucial CMS elements and severe inadequacies in core compliance areas
necessary to operate within the scope of statutory and regulatory
consumer protection requirements and to prevent consumer harm.
A rating of 5 reflects a CMS critically deficient at
managing consumer compliance risk in the institution's products and
services and/or at preventing violations of law and consumer harm.
Critically deficient indicates an absence of crucial CMS elements and a
demonstrated lack of willingness or capability to take the appropriate
steps necessary to operate within the scope of statutory and regulatory
consumer protection requirements and to prevent consumer harm.
CC Rating System Categories and Assessment Factors
CC Rating System--Categories
The CC Rating System is organized under three broad categories:
1. Board and Management Oversight,
2. Compliance Program, and
3. Violations of Law and Consumer Harm.
The Consumer Compliance Rating Definitions below list the
assessment factors considered within each category, along with
narrative descriptions of performance.
The first two categories, Board and Management Oversight and
Compliance Program, are used to assess a financial institution's CMS.
As such, examiners should evaluate the assessment factors within these
two categories commensurate with the institution's size, complexity,
and risk profile. All institutions, regardless of size, should maintain
an effective CMS. The sophistication and formality of the CMS typically
will increase commensurate with the size, complexity, and risk profile
of the entity.
Additionally, compliance expectations contained within the
narrative descriptions of these two categories extend to third-party
relationships into which the financial institution has entered. There
can be certain benefits to financial institutions engaging in
relationships with third parties, including gaining operational
efficiencies or an ability to deliver additional products and services,
but such arrangements also may expose financial institutions to risks
if not managed effectively. The prudential agencies, the CFPB, and some
states have issued guidance describing expectations regarding oversight
of third-party relationships. While an institution's management may
make the business decision to outsource some or all of the operational
aspects of a product or service, the institution cannot outsource the
responsibility for complying with laws and regulations or managing the
risks associated with third-party relationships.
As noted in the Consumer Compliance Rating Definitions, examiners
should evaluate activities conducted through third-party relationships
as though the activities were performed by the institution itself.
Examiners should review a financial institution's management of third-
party relationships and servicers as part of its overall compliance
program.
The third category, Violations of Law and Consumer Harm, includes
assessment factors that evaluate the dimensions of any identified
violation or consumer harm. Examiners should weigh each of these four
factors--root cause, severity, duration, and pervasiveness--in
evaluating relevant violations of law and any resulting consumer harm.
Board and Management Oversight--Assessment Factors
Under Board and Management Oversight, the examiner should assess
the financial institution's board of directors and management, as
appropriate for their respective roles and responsibilities, based on
the following assessment factors:
Oversight of and commitment to the institution's CMS;
effectiveness of the institution's change management
processes, including responding timely and satisfactorily to any
variety of change, internal or external, to the institution;
comprehension, identification, and management of risks
arising from the institution's products, services, or activities; and
self-identification of consumer compliance issues and
corrective action undertaken as such issues are identified.
Compliance Program--Assessment Factors
Under Compliance Program, the examiner should assess other elements
of an effective CMS, based on the following assessment factors:
Whether the institution's policies and procedures are
appropriate to the risk in the products, services, and activities of
the institution;
the degree to which compliance training is current and
tailored to risk and staff responsibilities;
the sufficiency of the monitoring and, if applicable,
audit to encompass compliance risks throughout the institution; and
the responsiveness and effectiveness of the consumer
complaint resolution process.
Violations of Law and Consumer Harm--Assessment Factors
Under Violations of Law and Consumer Harm, the examiner should
analyze the following assessment factors:
the root cause, or causes, of any violations of law
identified during the examination;
the severity of any consumer harm resulting from
violations;
the duration of time over which the violations occurred;
and
the pervasiveness of the violations.
As a result of a violation of law, consumer harm may occur. While
many instances of consumer harm can be quantified as a dollar amount
associated with financial loss, such as charging higher fees for a
product than was initially disclosed, consumer harm may also result
from a denial of an opportunity. For example, a consumer could be
harmed when a financial institution denies the consumer credit or
discourages an application in violation of the Equal Credit Opportunity
Act,\8\ whether or not there is resulting financial harm.
---------------------------------------------------------------------------
\8\ 15 U.S.C. 1691 et seq.
---------------------------------------------------------------------------
This category of the Consumer Compliance Rating Definitions defines
four factors by which examiners can assess violations of law and
consumer harm.
Root Cause. The Root Cause assessment factor analyzes the degree to
which weaknesses in the CMS gave rise to the violations. In many
instances, the root cause of a violation is tied to a weakness in one
or more elements of the CMS. Violations that result from critical
deficiencies in the CMS evidence a critical absence of management
oversight and are of the highest supervisory concern.
Severity. The Severity assessment factor of the Consumer Compliance
Rating Definitions weighs the type of consumer harm, if any, that
resulted from violations of law. More severe harm results in a higher
level of supervisory concern under this factor.
[[Page 79479]]
For example, some consumer protection violations may cause significant
financial harm to a consumer, while other violations may cause
negligible harm, based on the specific facts involved.
Duration. The Duration assessment factor considers the length of
time over which the violations occurred. Violations that persist over
an extended period of time will raise greater supervisory concerns than
violations that occur for only a brief period of time. When violations
are brought to the attention of an institution's management and
management allows those violations to remain unaddressed, such
violations are of the highest supervisory concern.
Pervasiveness. The Pervasiveness assessment factor evaluates the
extent of the violation(s) and resulting consumer harm, if any.
Violations that affect a large number of consumers will raise greater
supervisory concern than violations that impact a limited number of
consumers. If violations become so pervasive that they are considered
to be widespread or present in multiple products or services, the
institution's performance under this factor is of the highest
supervisory concern.
Self-Identification of Violations of Law and Consumer Harm
Strong compliance programs are proactive. They promote consumer
protection by preventing, self-identifying, and addressing compliance
issues in a proactive manner. Accordingly, the CC Rating System
provides incentives for such practices through the definitions
associated with a 1 rating.
The Agencies believe that self-identification and prompt correction
of violations of law reflect strengths in an institution's CMS. A
robust CMS appropriate for the size, complexity and risk profile of an
institution's business often will prevent violations or will facilitate
early detection of potential violations. This early detection can limit
the size and scope of consumer harm. Moreover, self-identification and
prompt correction of serious violations represents concrete evidence of
an institution's commitment to responsibly address underlying risks. In
addition, appropriate corrective action, including both correction of
programmatic weaknesses and full redress for injured parties, limits
consumer harm and prevents violations from recurring in the future.
Thus, the CC Rating System recognizes institutions that consistently
adopt these strategies as reflected in the Consumer Compliance Rating
Definitions.
Evaluating Performance Using the CC Rating Definitions
The consumer compliance rating is derived through an evaluation of
the financial institution's performance under each of the assessment
factors described above. The consumer compliance rating reflects the
effectiveness of an institution's CMS to identify and manage compliance
risk in the institution's products and services and to prevent
violations of law and consumer harm, as evidenced by the financial
institution's performance under each of the assessment factors.
The consumer compliance rating reflects a comprehensive evaluation
of the financial institution's performance under the CC Rating System
by considering the categories and assessment factors in the context of
the size, complexity, and risk profile of an institution. It is not
based on a numeric average or any other quantitative calculation.
Specific numeric ratings will not be assigned to any of the 12
assessment factors. Thus, an institution need not achieve a
satisfactory assessment in all categories in order to be assigned an
overall satisfactory rating. Conversely, an institution may be assigned
a less than satisfactory rating even if some of its assessments were
satisfactory.
The relative importance of each category or assessment factor may
differ based on the size, complexity, and risk profile of an individual
institution. Accordingly, one or more category or assessment factor may
be more or less relevant at one financial institution as compared to
another institution. While the expectations for compliance with
consumer protection laws and regulations are the same across
institutions of varying sizes, the methods for accomplishing an
effective CMS may differ across institutions.
The evaluation of an institution's performance within the
Violations of Law and Consumer Harm category of the CC Rating
Definitions considers each of the four assessment factors: Root Cause,
Severity, Duration, and Pervasiveness. At the levels of 4 and 5 in this
category, the distinctions in the definitions are focused on the root
cause assessment factor rather than Severity, Duration, and
Pervasiveness. This approach is consistent with the other categories
where the difference between a 4 and a 5 is driven by the institution's
capacity and willingness to maintain a sound consumer compliance
system.
In arriving at the final rating, the examiner must balance
potentially differing conclusions about the effectiveness of the
financial institution's CMS over the individual products, services, and
activities of the organization. Depending on the relative materiality
of a product line to the institution, an observed weakness in the
management of that product line may or may not impact the conclusion
about the institution's overall performance in the associated
assessment factor(s). For example, serious weaknesses in the policies
and procedures or audit program of the mortgage department at a
mortgage lender would be of greater supervisory concern than those same
gaps at an institution that makes very few mortgage loans and strictly
as an accommodation. Greater weight should apply to the financial
institution's management of material products with significant
potential consumer compliance risk.
An institution may receive a less than satisfactory rating even
when no violations were identified, based on deficiencies or weaknesses
identified in the institution's CMS. For example, examiners may
identify weaknesses in elements of the CMS in a new loan product.
Because the presence of those weaknesses left unaddressed could result
in future violations of law and consumer harm, the CMS deficiencies
could impact the overall consumer compliance rating, even if no
violations were identified.
Similarly, an institution may receive a 1 or 2 rating even when
violations were present, if the CMS is commensurate with the risk
profile and complexity of the institution. For example, when violations
involve limited impact on consumers, were self-identified, and resolved
promptly, the evaluation may result in a 1 or 2 rating. After
evaluating the institution's performance in the two CMS categories,
Board and Management Oversight and Compliance Program, and the
dimensions of the violations in the third category, the examiner may
conclude that the overall strength of the CMS and the nature of
observed violations viewed together do not present significant
supervisory concerns.
Assignment of Ratings by Supervisor(s)
The prudential regulators will continue to assign and update, as
appropriate, consumer compliance ratings for institutions they
supervise, including those with total assets of more than $10
billion.\9\ As a member of the
[[Page 79480]]
FFIEC, the CFPB will also use the CC Rating System to assign a consumer
compliance rating, as appropriate, for institutions with total assets
of more than $10 billion, as well as for nonbanks for which it has
jurisdiction regarding the enforcement of Federal consumer financial
laws as defined under the Dodd-Frank Act.\10\ The prudential regulators
will take into consideration any material supervisory information
provided by the CFPB, as that information relates to covered
supervisory activities or covered examinations.\11\ Similarly, the CFPB
will take into consideration any material supervisory information
provided by prudential regulators in appropriate supervisory
situations.
---------------------------------------------------------------------------
\9\ Section 1025 of the Dodd-Frank Act (12 U.S.C. 5515) applies
to federally insured institutions with more than $10 billion in
total assets. This section granted the CFPB exclusive authority to
examine insured depository institutions and their affiliates for
compliance with Federal consumer financial laws. The prudential
regulators retained authority for examining insured depository
institutions with more than $10 billion in total assets for
compliance with certain other laws related to consumer financial
protection, including the Fair Housing Act, the Servicemembers Civil
Relief Act, and section 5 of the Federal Trade Commission Act.
\10\ 12 U.S.C. 5481 et seq. A financial institution with assets
over $10 billion may receive a consumer compliance rating by both
its primary prudential regulator and the CFPB. The rating is based
on each agency's review of the institution's CMS and compliance with
the federal consumer protection laws falling under each agency's
jurisdiction.
\11\ The prudential regulators and the CFPB signed a Memorandum
of Understanding on Supervisory Coordination dated May 16, 2012
(MOU) intended to facilitate the coordination of supervisory
activities involving financial institutions with more than $10
billion in assets as required under the Dodd-Frank Act.
---------------------------------------------------------------------------
State regulators maintain supervisory authority to conduct
examinations of state-chartered depository institutions and licensed
entities. As such, states may assign consumer compliance ratings to
evaluate compliance with both state and federal laws and regulations.
States will collaborate and consider material supervisory information
from other state and federal regulatory agencies during the course of
examinations.
Consumer Compliance Rating Definitions
--------------------------------------------------------------------------------------------------------------------------------------------------------
Assessment factors to be considered 1 2 3 4 5
--------------------------------------------------------------------------------------------------------------------------------------------------------
Board and Management Oversight
Board and management oversight factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance
expectations below extend to third-party relationships.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Oversight and Commitment........... Board and management Board and management Board and management Board and management Board and management
demonstrate strong provide satisfactory oversight of the oversight, oversight,
commitment and oversight of the financial resources, and resources, and
oversight to the financial institution's attention to the attention to the
financial institution's compliance compliance compliance
institution's compliance management management system is management system management system
compliance management system. deficient. are seriously are critically
system. deficient. deficient.
Substantial compliance Compliance resources Compliance resources Compliance resources Compliance resources
resources are are adequate and and staff are and staff are are critically
provided, including staff is generally inadequate to ensure seriously deficient deficient in
systems, capital, and able to ensure the the financial and are ineffective supporting the
human resources financial institution institution is in at ensuring the financial
commensurate with the is in compliance with compliance with financial institution's
financial consumer laws and consumer laws and institution's compliance with
institution's size, regulations. regulations. compliance with consumer laws and
complexity, and risk consumer laws and regulations, and
profile. Staff is regulations. management and staff
knowledgeable, are unwilling or
empowered and held incapable of
accountable for operating within the
compliance with scope of consumer
consumer laws and protection laws and
regulations. regulations.
Management conducts Management conducts Management does note Management oversight Management oversight
comprehensive and adequate and ongoing adequately conduct and due diligence and due diligence of
ongoing due diligence due diligence and due diligence and over third-party third-party
and oversight of oversight of third oversite of third performance, as well performance is
third parties parties to ensure parties to ensure as management's critically
consistent with that the financial that the financial ability to deficient.
agency expectations institution complies institution complies adequately identify,
to ensure that the with consumer with consumer measure, monitor, or
financial institution protection laws, and protection laws, nor manage compliance
complies with adequately oversees does it adequately risks, is seriously
consumer protection third parties' oversees third deficient.
laws, and exercises policies, procedures, parties' policies,
strong oversight of internal controls, procedures, internal
third parties' and training to controls, and
policies, procedures, ensure appropriate training to ensure
internal controls, oversight of appropriate
and training to compliance oversight of
ensure consistent responsibilities. compliance
oversight of responsibilities.
compliance
responsibilities.
[[Page 79481]]
Change Management.................. Management anticipates Management responds Management does not Management's response Management fails to
and responds promptly timely and adequately respond adequately to changes in monitor and respond
to changes in to changes in and/or timely in applicable laws and to changes in
applicable laws and applicable laws and adjusting to changes regulations, market applicable laws and
regulations, market regulations, market in applicable laws conditions, or regulations, market
conditions and conditions, products and regulations, products and conditions, or
products and services and services offered market conditions, services offered is products and
offered by evaluating by evaluating the and products and seriously deficient. services offered.
the change and change and services offered.
implementing implementing
responses across responses across
impacted lines of impacted lines of
business. business.
Management conducts Management evaluates
due diligence in product changes
advance of product before and after
changes, considers implementing the
the entire life cycle change.
of a product or
service in
implementing change,
and reviews the
change after
implementation to
determine that
actions taken have
achieved planned
results.
Comprehension, Identification and Management has a solid Management comprehends Management has an Management exhibits a Management does not
Management of Risk. comprehension of and and adequately inadequate seriously deficient comprehend nor
effectively identifies compliance comprehension of and comprehension of and identify compliance
identifies compliance risks, including ability to identify ability to identify risks, including
risks, including emerging risks, in compliance risks, compliance risks, emerging risks, in
emerging risks, in the financial including emerging including emerging the financial
the financial institution's risks, in the risks, in the institution.
institution's products, services, financial financial
products, services, and other activities. institution's institution.
and other activities. products, services,
and other activities.
Management actively Management adequately
engages in managing manages those risks,
those risks, including through
including through self-assessments.
comprehensive self-
assessments.
Corrective Action and Self- Management proactively Management adequately Management does not Management response Management is
Identification. identifies issues and responds to and adequately respond to deficiencies, incapable, unwilling
promptly responds to corrects deficiencies to compliance violations and and/or fails to
compliance risk and/or violations, deficiencies and examination findings respond to
management including adequate violations including is seriously deficiencies,
deficiencies and any remediation, in the those related to deficient. violations or
violations of laws or normal course of remediation. examination
regulations, business. findings.
including remediation.
--------------------------------------------------------------------------------------------------------------------------------------------------------
[[Page 79482]]
Compliance Program
Compliance Program factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance expectations below
extend to third-party relationships.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Policies and Procedures............ Compliance policies Compliance policies Compliance policies Compliance policies Compliance policies
and procedures and and procedures and and procedures and and procedures and and procedures and
third-party third-party third-party third-party third-party
relationship relationship relationship relationship relationship
management programs management programs management programs management programs management programs
are strong, are adequate to are inadequate at are seriously are critically
comprehensive and manage the compliance managing the deficient at absent.
provide standards to risk in the products, compliance risk in managing compliance
effectively manage services and the products, risk in the
compliance risk in activities of the services and products, services
the products, financial institution. activities of the and activities of
services and financial the financial
activities of the institution. institution.
financial institution.
Training........................... Compliance training is Compliance training Compliance training Compliance training Compliance training
comprehensive, outlining staff is not adequately is seriously is critically
timely, and responsibilities is comprehensive, deficient in its absent.
specifically tailored adequate and provided timely, updated, or comprehensiveness,
to the particular timely to appropriate appropriately timeliness, or
responsibilities of staff. tailored to the relevance to staff
the staff receiving particular with compliance
it, including those responsibilities of responsibilities, or
responsible for the staff. has numerous major
product development, inaccuracies.
marketing and
customer service.
The compliance The compliance
training program is training program is
updated proactively updated to encompass
in advance of the new products and to
introduction of new comply with changes
products or new to consumer
consumer protection protection laws and
laws and regulations regulations.
to ensure that all
staff are aware of
compliance
responsibilities
before rolled out.
Monitoring and/or Audit............ Compliance monitoring Compliance monitoring Compliance monitoring Compliance monitoring Compliance monitoring
practices, management practices, management practices, practices, practices,
information systems, information systems, management management management
reporting, compliance reporting, compliance information systems, information systems, information systems,
audit, and internal audit, and internal reporting, reporting, reporting,
control systems are control systems compliance audit, compliance audit, compliance audit, or
comprehensive, adequately address and internal control and internal internal controls
timely, and compliance risks systems do not controls are are critically
successful at throughout the adequately address seriously deficient absent.
identifying and financial institution. risks involving in addressing risks
measuring material products, services involving products,
compliance risk or other activities services or other
management throughout including, timing activities.
the financial and scope.
institution.
Programs are monitored
proactively to
identify procedural
or training
weaknesses to
preclude regulatory
violations. Program
modifications are
made expeditiously to
minimize compliance
risk.
[[Page 79483]]
Consumer Complaint Response........ Processes and Processes and Processes and Processes and Processes and
procedures for procedures for procedures for procedures for procedures for
addressing consumer addressing consumer addressing consumer addressing consumer addressing consumer
complaints are complaints are complaints are complaints and complaints are
strong. Consumer adequate. Consumer inadequate. Consumer consumer complaint critically absent.
complaint complaint complaint investigations are Meaningful
investigations and investigations and investigations and seriously deficient. investigations and
responses are prompt responses are responses are not responses are
and thorough. generally prompt and thorough or timely. absent.
thorough.
Management monitors Management adequately Management does not Management monitoring Management exhibits a
consumer complaints monitors consumer adequately monitor of consumer disregard for
to identify risks of complaints and consumer complaints. complaints is complaints or
potential consumer responds to issues seriously deficient. preventing consumer
harm, program identified. harm.
deficiencies, and
customer service
issues and takes
appropriate action.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Violations of Law and Consumer Harm
--------------------------------------------------------------------------------------------------------------------------------------------------------
Root Cause......................... The violations are the Violations are the Violations are the Violations are the Violations are the
result of minor result of modest result of material result of serious result of critical
weaknesses, if any, weaknesses in the weaknesses in the deficiencies in the deficiencies in the
in the compliance compliance risk compliance risk compliance risk compliance risk
risk management management system. management system. management system. management system.
system.
Severity........................... The type of consumer The type of consumer The type of consumer The type of consumer harm resulting from the
harm, if any, harm resulting from harm resulting from violations would have a serious impact on
resulting from the the violations would the violations would consumers.
violations would have have a limited impact have a considerable
a minimal impact on on consumers. impact on consumers.
consumers.
Duration........................... The violations and The violations and The violations and The violations and resulting consumer harm,
resulting consumer resulting consumer resulting consumer if any, have been long-standing or
harm, if any, harm, if any, harm, if any, repeated.
occurred over a brief occurred over a occurred over an
period of time. limited period of extended period of
time. time.
Pervasiveness...................... The violations and The violations and The violations and The violations and resulting consumer harm,
resulting consumer resulting consumer resulting consumer if any, are widespread or in multiple
harm, if any, are harm, if any, are harm, if any, are products or services.
isolated in number. limited in number. numerous.
--------------------------------------------------------------------------------------------------------------------------------------------------------
[End of proposed text.]
Dated: November 7, 2016.
Federal Financial Institutions Examination Council.
Judith E. Dupre,
FFIEC Executive Secretary.
[FR Doc. 2016-27226 Filed 11-10-16; 8:45 am]
BILLING CODE 7535-01-P; 6714-01-P; 6210-01-P; 4810-33-P; 4810-AM-P