[Federal Register Volume 81, Number 219 (Monday, November 14, 2016)]
[Notices]
[Pages 79473-79483]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-27226]


=======================================================================
-----------------------------------------------------------------------

FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL

[Docket No. FFIEC-2016-0003]


Uniform Interagency Consumer Compliance Rating System

AGENCY: Federal Financial Institutions Examination Council (FFIEC).

ACTION: Notice; final guidance.

-----------------------------------------------------------------------

SUMMARY: The Federal Financial Institutions Examination Council 
(FFIEC), on behalf of its members, is revising the Uniform Interagency 
Consumer Compliance Rating System, more commonly known as the CC Rating 
System. The agencies comprising the FFIEC are the Board of Governors of 
the Federal Reserve System (FRB), the Consumer Financial Protection 
Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the 
National Credit Union Administration (NCUA), the Office of the 
Comptroller of the Currency (OCC), and the State Liaison Committee 
(SLC) (Agencies). The FFIEC promotes compliance with federal consumer 
protection laws and regulations through each agency's supervisory and 
outreach programs.
    The CC Rating System revisions reflect the regulatory, examination 
(supervisory), technological, and market changes that have occurred in 
the years since the original rating system was established in 1980. The 
revisions are designed to better reflect current consumer compliance 
supervisory approaches and to more fully align the CC Rating System 
with the Agencies' current risk-based, tailored examination processes. 
The CC Rating System is being published after consideration of comments 
received from the public.

DATES: Effective March 31, 2017.

FOR FURTHER INFORMATION CONTACT: 

[[Page 79474]]

    Board: Lanette Meister, Senior Supervisory Consumer Financial 
Services Analyst, Board of Governors of the Federal Reserve System, 
20th and C Streets NW., Washington, DC 20551, (202) 452-2705.
    CFPB: Cassandra Huggins, Attorney-Advisor, Consumer Financial 
Protection Bureau, 1700 G Street NW., Washington, DC 20552, (202) 435-
9177.
    FDIC: Ardie Hollifield, Senior Policy Analyst, Federal Deposit 
Insurance Corporation, 550 17th Street NW., Washington, DC 20429-0002, 
(202) 898-6638; John Jackwood, Senior Policy Analyst, (202) 898-3991; 
or Faye Murphy, Chief, Consumer Compliance and UDAP Examination 
Section, (202) 898-6613.
    NCUA: Matthew J. Biliouris, Deputy Director, Office of Consumer 
Financial Protection and Access, National Credit Union Administration, 
1775 Duke Street, Alexandria, VA 22314-3428, (703) 518-1161.
    OCC: Kimberly Hebb, Director of Compliance Policy, Office of the 
Comptroller of the Currency, 400 7th Street SW., Washington, DC 20219, 
(202) 649-5470; or Michael S. Robertson, Compliance Specialist, (202) 
649-5470.
    SLC: Matthew Lambert, Policy Counsel, Conference of State Bank 
Supervisors, 1129 20th Street NW., 9th Floor, Washington, DC 20036, 
(202) 407-7130.

SUPPLEMENTARY INFORMATION: 

Background

    Pursuant to 12 U.S.C. 3301 et seq., the FFIEC, established in 1979, 
is a formal interagency body empowered to prescribe principles and 
standards for the federal examination of financial institutions and to 
make recommendations to promote consistency and coordination in the 
supervision of institutions.
    The FFIEC promotes compliance with federal consumer protection laws 
and regulations through each agency's supervisory and outreach 
programs. Through compliance supervision, the Agencies determine 
whether an institution is meeting its responsibility to comply with 
applicable requirements.
    On May 3, 2016, the FFIEC published a notice and request for 
comment in the Federal Register (May Proposal), 81 FR 26553, requesting 
comment on proposed revisions to the CC Rating System. The CC Rating 
System is a supervisory policy for evaluating financial institutions' 
\1\ adherence to consumer compliance requirements. It provides a 
general framework for evaluating compliance assessment factors in order 
to assign a consumer compliance rating to each federally regulated 
financial institution.\2\ The primary purpose of the CC Rating System 
is to ensure that regulated financial institutions are evaluated in a 
comprehensive and consistent manner and that supervisory resources are 
appropriately focused on areas exhibiting risk of consumer harm and on 
institutions that warrant elevated supervisory attention. The revised 
CC Rating System emphasizes the importance of institutions' compliance 
management systems (CMS), with emphasis on compliance risk management 
practices designed to manage consumer compliance risk, support 
compliance, and prevent consumer harm.
---------------------------------------------------------------------------

    \1\ The term financial institutions is defined in 12 U.S.C. 
3302(3).
    \2\ NCUA integrates the principles and standards of the current 
CC Rating System into the existing CAMEL rating structure, in place 
of a separate rating. When finalized, the revised CC Rating System 
will be incorporated into NCUA's risk-focused examination program. 
Using the principles and standards contained in the revised CC 
Rating System, NCUA examiners will assess a credit union's ability 
to effectively manage its compliance risk and reflect that ability 
in the Management component rating and the overall CAMEL rating used 
by NCUA.
---------------------------------------------------------------------------

    The CC Rating System is based upon a scale of 1 through 5, in 
increasing order of supervisory concern. Thus, 1 represents the highest 
rating and consequently the lowest level of supervisory concern, while 
5 represents the lowest rating and consequently the most critically 
deficient level of performance and the highest degree of supervisory 
concern. When using the CC Rating System to assess an institution, the 
Agencies do not consider an institution's record of performance under 
the Community Reinvestment Act (CRA) because institutions are evaluated 
separately for CRA.

Purpose of the Revisions

    The CC Rating System revisions are designed to better reflect 
current consumer compliance supervisory approaches and to more fully 
align the rating system with the Agencies' current risk-based, tailored 
examination processes. The revisions to the CC Rating System were not 
developed to set new or higher supervisory expectations for financial 
institutions and their adoption will represent no additional regulatory 
burden.
    When the original CC Rating System was adopted in 1980, 
examinations focused more on transaction testing for regulatory 
compliance rather than evaluating the sufficiency of an institution's 
CMS to ensure compliance with regulatory requirements and to prevent 
consumer harm. In the intervening years, each of the Agencies has 
adopted a risk-based consumer compliance examination approach to 
promote strong compliance risk management practices and consumer 
protection within supervised financial institutions. Risk-based 
consumer compliance supervision evaluates whether an institution's CMS 
effectively manages the compliance risk in the products and services 
offered to its customers. Under risk-based supervision, examiners 
tailor supervisory activities to the size, complexity, and risk profile 
of each institution and adjust these activities over time. While 
compliance management programs vary based on the size, complexity, and 
risk profile of supervised institutions, all institutions should 
maintain an effective CMS. The sophistication and formality of the CMS 
typically will increase commensurate with the size, complexity, and 
risk profile of the entity.
    As the Agencies drafted the new rating system definitions, one 
objective was to develop a rating system appropriate for evaluating 
institutions of all sizes. Therefore, the revised CC Rating System 
conveys that the system is risk-based to recognize and communicate 
clearly that compliance management programs vary based on the size, 
complexity, and risk profile of supervised institutions. This concept 
is reinforced in the Consumer Compliance Rating Definitions by 
conveying to examiners that assessment factors associated with an 
institution's CMS should be evaluated commensurate with the 
institution's size, complexity, and risk profile.
    In developing the revised CC Rating System, the Agencies believed 
it was also important for the new rating system to establish incentives 
for institutions to promote consumer protection by preventing, self-
identifying, and addressing compliance issues in a proactive manner. 
Therefore, the revised rating system recognizes institutions that 
consistently adopt these compliance strategies.
    Another benefit of the new CC Rating System is to promote 
coordination, communication, and consistency among the Agencies, 
consistent with the Agencies' respective supervisory authorities. Each 
of the Agencies will use the CC Rating System to assign a consumer 
compliance rating to supervised institutions, including banks and 
nonbanks, as appropriate, consistent with the agency's supervisory 
authority. Further, revising the rating system definitions responds to 
requests

[[Page 79475]]

from industry representatives who have asked that the CC Rating System 
be updated.

Summary of Comments Received

    The FFIEC received 17 comments regarding the proposed revisions to 
the CC Rating System. Eight of the comments were from financial 
institution trade associations, three from consumer and community 
advocacy organizations, two from trade consultants, one from a 
financial holding company, one from an individual, and two from 
anonymous sources.
    Commenters generally favored the changes to the CC Rating System, 
commending the Agencies':
    1. Recognition of the need for the CC Rating System to be risk-
based and focus more on the sufficiency of the CMS;
    2. inclusion of incentives to support institutions' establishment 
of effective consumer compliance programs;
    3. consideration of violations of consumer laws based on root 
cause, severity, duration, and pervasiveness;
    4. inclusion of third-party relationships; and
    5. application of the same rating system across providers of 
consumer financial services under the Agencies' jurisdictions.
    Some commenters recommended clarifying changes to various aspects 
of the revised rating system, as described below. After consideration 
of all comments, the FFIEC is issuing this final CC Rating System 
substantially as proposed, but with some changes for clarification 
purposes. The following discussion describes the comments received and 
changes made to the CC Rating System in response. The final updated CC 
Rating System is included at the end of this Notice.

Principles of the Interagency CC Rating System

    The Agencies developed four principles to serve as a foundation for 
the CC Rating System. Under those principles, the rating system must be 
risk-based, transparent, actionable, and should incent compliance.
    The Agencies received comments concerning the first principle, 
which states that the CC Rating System must be risk-based. One 
commenter encouraged the Agencies to adopt standards that are risk-
based to ensure that small institutions are not overwhelmed by unwieldy 
regulatory burden. The Agencies agree. As explained above, the 
revisions to the CC Rating System were not developed to set new or 
higher supervisory expectations for financial institutions and their 
adoption will not increase regulatory burden. Additionally, the CC 
Rating System directs examiners to assess an institution's CMS 
commensurate with the institution's size, complexity, and risk profile.

Five-Level Rating Scale

    Commenters recommended that descriptive language be added to each 
of the five levels of the CC Rating System and to certain assessment 
factors, and that specific examples be provided to clarify what is 
required under the new rating system. One commenter stated that the 
distinction between the assessment factor levels is subjective. Another 
commenter suggested that the CC Rating System use descriptive 
adjectives instead of numbers to portray examination ratings. The 
Agencies believe that the adjectives used in each of the assessment 
factors under the numerical ratings contained in the Consumer 
Compliance Rating Definitions, as well as the description of the 
numerical ratings contained in the Guidance, provide useful terms and 
clear distinctions between the rating levels. The rating levels and 
categories will allow examiners to distinguish between varying degrees 
of supervisory concern when rating institutions. Therefore, the 
Agencies concluded that the addition of descriptive terms to the 
numerical rating in the CC Rating System would not be necessary.
    A commenter suggested that each of the three categories of 
assessment factors should be assigned a numerical average or weight of 
importance. The consumer compliance rating reflects a comprehensive 
evaluation of a financial institution's performance by considering the 
categories and assessment factors in the context of the size, 
complexity, and risk profile of the institution. Thus, the rating is 
not based on a numeric average or any other quantitative calculation. 
The relative importance of each category or assessment factor may 
differ based on the size, complexity, and risk profile of an individual 
institution. Accordingly, one or more category or assessment factor may 
be more or less relevant at one financial institution as compared to 
another institution. An examiner must balance conclusions about the 
effectiveness of the financial institution's CMS over the individual 
products, services, and activities of the organization when arriving at 
a consumer compliance rating. Therefore, the Agencies do not believe it 
would be appropriate to implement a numerical average or weighting 
within the final CC Rating System.

Board and Management Oversight

    Commenters recommended that the Agencies incorporate discussion of 
the Culture of Compliance into the Board and Management Oversight 
category. Commenters provided components of a compliance culture such 
as the Board and Management's commitment to the existence and 
effectiveness of policies, procedures, risk assessments, due diligence, 
training, accountability, and an environment in which staff can report 
compliance issues and receive a positive response from management. The 
Agencies believe that the details defined in the Consumer Compliance 
Rating Definitions under Board and Management Oversight address the 
concerns stated by the commenters by making clear that management teams 
that achieve satisfactory or better performance exhibit a commitment to 
each of those areas.

Corrective Action and Self-Identification

    A commenter observed that the CC Rating System appropriately 
encourages a financial institution to proactively correct violations 
and to provide remediation to affected consumers. However, that 
commenter suggested the Agencies provide more guidance to make clear 
that an entity's subsequent corrective action would not compensate for 
a consistent pattern of non-compliance and weak management. The 
Agencies agree and believe that this point is reflected in the 
guidance. The Violations and Consumer Harm category ensures that 
examiners consider noncompliance and resulting consumer harm when 
assigning a rating. The other categories require examiners to evaluate 
the effectiveness of the institution's management and compliance 
program to identify and manage compliance risk in the institution's 
products and services and to prevent violations of law and consumer 
harm.
    One commenter expressed concern that the concept of self-
identification was presented inconsistently in the May Proposal. The 
commenter noted that the Corrective Action and Self-Identification 
assessment factor was described only as, any corrective action 
undertaken as consumer compliance issues are identified within the 
proposed CC Rating System guidance. The commenter noted that elsewhere 
in the proposal, discussion of this assessment factor appropriately 
incorporates the concept of self-identification. The Agencies have 
updated language in the Guidance to clarify discussion of this 
assessment factor by adding reference to self-identification of 
consumer compliance

[[Page 79476]]

issues to the description of the Corrective Action and Self-
Identification assessment factor.

Training

    One commenter recommended that the CC Rating System require 
training programs to adequately train employees on compliance with fair 
lending and consumer protection laws. The Agencies believe that the 
definitions included in the Training assessment factor appropriately 
describe the Agencies' expectations that compliance training programs 
encompass consumer protection laws and regulations and do not believe 
that more specificity would be helpful.

Third-Party Relationships

    One commenter supported the assessment of third-party relationship 
management within the CC Rating System. The commenter stated that 
regulatory oversight of third-party relationships is critical to ensure 
that financial institutions do not use those relationships to avoid 
compliance with consumer protection and fair lending laws.
    Another commenter suggested the CC Rating System should clarify 
that the evaluation of an institution's third-party relationships will 
be limited to relationships between the financial institutions and 
vendors that impact consumer financial products and services. 
Specifically, the commenter suggested the Agencies should clarify that 
the CC Rating System does not extend to the financial institutions' 
broad third-party relationship management program. The Agencies note 
that the CC Rating System requires examiners to review a financial 
institution's management of third-party relationships and servicers as 
part of its overall consumer compliance program. The CC Rating System 
does not impose specific expectations for management of third-party 
relationships. Such expectations are provided in separate guidance 
issued by each of the Agencies.\3\
---------------------------------------------------------------------------

    \3\ Guidance from the Agencies addressing third-party 
relationships is generally available on their respective Web sites. 
See, e.g., CFPB Bulletin 2012-03, ``Service Providers'' (April. 13, 
2012), available at http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf; FDIC FIL 44-2208, 
``Managing Third-Party Risk'' (June 6, 2008), available at http://www.fdic.gov/news/news/financial/2008/fil08044a.html; NCUA Letter to 
Credit Unions 07-CU-13, ``Evaluating Third Party Relationships'' 
(December 2007), available at http://www.ncua.gov/Resources/Documents/LCU2007-13.pdf; OCC Bulletin OCC 2013-29, ``Third-Party 
Relationship: Risk Management Guidances'' (October 30, 2013), 
available at http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html; Interagency Guidance, ``Weblinking: 
Identifying Risks and Risk Management Techniques'' (2003), available 
at http://www.occ.treas.gov/news-issuances/bulletins/2003/bulletin-2003-15a.pdf.; NCUA Letter to Credit Unions 03-CU-08, ``Weblinking: 
Identifying Risks & Risk Management Techniques'' (April 2003), 
available at http://ithandbook.ffiec.gov/media/resources/3315/ncu-03-cu-08_weblinking_tech.pdf. See SR 13-19/CA 13-21, ``Guidance on 
Managing Outsourcing Risk'' (December 5, 2013) available at http://www.federalreserve.gov/bankinforeg/srletters/sr1319.htm.
---------------------------------------------------------------------------

Violations of Law and Consumer Harm

    Commenters expressed conflicting concerns over the Violations of 
Law and Consumer Harm category. Some noted that the category is defined 
too narrowly in that it does not appropriately consider practices that 
present a risk of harm to consumers that are not clear violations of 
law. The Agencies believe that management of compliance risk is 
appropriately considered in the other two categories. Specifically, the 
first two categories, ``Board and Management Oversight and Compliance 
Program include, for example, consideration of how effectively 
institutions identify and manage compliance risks, including emerging 
risks; assessment of whether institutions evaluate product changes 
before and after implementing the changes; and evaluation of the 
sufficiency of the institution's procedures, training, and monitoring 
practices to manage compliance risk in the products, services, and 
activities of the institution. Others commented that the CC Rating 
System should be narrowed to address only violations of law that result 
in consumer harm. These commenters believe that a CMS deficiency exists 
only when a legal violation occurs that results in sufficient consumer 
harm. The Agencies disagree that a CMS can only be judged to be 
deficient when violations of law occur. The CC Rating System incents 
institutions to implement a CMS that effectively prevents, identifies, 
and addresses CMS deficiencies and any violations of laws or 
regulations.
    One commenter noted that the Rating Categories should be weighted, 
with Violations of Law and Consumer Harm carrying the most weight 
because the commenter believes that prevention of violations and 
consumer harm is the entire purpose of the CC Rating System. While 
preventing consumer harm is critically important and integral to the CC 
Rating System, the Agencies disagree that the best way to achieve this 
purpose would be by requiring that this category always be weighted 
more than the others. The Agencies believe that CMS plays a critical 
role in prevention of violations and consumer harm. Thus, while the 
Violations of Law and Consumer Harm category evaluates violations and 
harm that have occurred, the other two categories evaluate the 
effectiveness of the CMS to prevent consumer violations and harm.

Severity

    One commenter stated that the severity of a violation should not be 
based solely on the dollar amount of consumer harm. The revised CC 
Rating System does not base severity solely on a dollar amount of harm. 
The CC Rating system acknowledges that while many instances of consumer 
harm can be quantified as a dollar amount associated with financial 
loss, such as charging higher fees for a product than was initially 
disclosed, consumer harm may also result from a denial of an 
opportunity.

Assignment of Ratings by Supervisors

    Several commenters encouraged the Agencies to implement a rating 
system with a single consumer compliance rating for all institutions, 
including those with assets greater than $10 billion. Commenters noted 
concerns with reconciling different ratings issued by two agencies and 
questioned whether two consumer compliance ratings could provide 
actionable feedback and effective incentives to supervised 
institutions. The Agencies believe that the detail that examiners 
provide regarding the scope of the compliance areas and products 
reviewed in arriving at a consumer compliance rating furnishes 
sufficient context to support effective financial institution response 
to rating conclusions. The CFPB will continue to issue consumer 
compliance ratings to providers of consumer financial products and 
services under its supervisory jurisdiction.

Comments Out of Scope of the CC Rating System

    Commenters also submitted comments that, while broadly related to 
consumer compliance ratings, fall outside the scope of the CC Rating 
System. For example, some commenters identified specific consumer 
protection issues, such as overdraft practices and bank partnerships 
with non-bank lenders, that they believe should merit heightened 
consideration within the examination process. While these issues may be 
important, the CC Rating System does not provide guidance to examiners 
regarding specific consumer compliance issues. The Agencies provide 
such issue-oriented guidance and guidance on risk-focused supervision 
in separate official letters and bulletins.
    Three commenters suggested that the CC Rating System require 
examiners to provide a summary of the institution's

[[Page 79477]]

performance within each category. Historically, examiners at each 
agency have articulated factors contributing to the consumer compliance 
rating within the Report of Examination. Financial institutions will 
continue to receive this information through that report.
    One commenter suggested mandatory penalties for less-than-
satisfactory performance. The CC Rating System does not address the 
Agencies' supervisory response to consumer compliance ratings.
    Two commenters also suggested that the FFIEC should conduct an 
assessment of examination results across the Agencies to evaluate the 
success of the CC Rating System implementation. Each agency maintains 
formal training and comprehensive quality assurance processes to ensure 
consistent application of policy changes and uses these tools on an 
ongoing basis.
    Another commenter emphasized that the Agencies should promote 
transparency through public release of ratings. Ratings are 
confidential supervisory information that are prohibited from 
disclosure except as authorized by federal laws and regulations.
    Two commenters supported the NCUA's approach to integrate the 
principles and standards of the CC Rating System into the existing 
CAMEL rating structure, in place of a separate or stand-alone CC 
rating. Using the principles and standards contained in the revised CC 
Rating System, NCUA examiners will incorporate their assessment of a 
credit union's ability to effectively manage its compliance risk into 
the Management component rating and the overall CAMEL rating used by 
NCUA.

Implementation Date

    The FFIEC recommends that the Agencies implement the updated CC 
Rating System for consumer compliance examinations that begin on or 
after March 31, 2017.\4\
---------------------------------------------------------------------------

    \4\ For institutions with continuous target supervisory 
activities during a 12-month supervisory cycle, the Consumer 
Compliance Rating System Guidance will be used when the supervisory 
cycle for that institution ends on or after March 31, 2017.
---------------------------------------------------------------------------

FFIEC Guidance on the Uniform Interagency Consumer Compliance Rating 
System

Uniform Interagency Consumer Compliance Rating System

    The Federal Financial Institutions Examination Council (FFIEC) 
member agencies (Agencies) promote compliance with federal consumer 
protection laws and regulations through supervisory and outreach 
programs.\5\ The Agencies engage in consumer compliance supervision to 
assess whether a financial institution is meeting its responsibility to 
comply with these requirements.
---------------------------------------------------------------------------

    \5\ The FFIEC members are the Board of Governors of the Federal 
Reserve System, the Consumer Financial Protection Bureau (CFPB), the 
Federal Deposit Insurance Corporation, the National Credit Union 
Administration, the Office of the Comptroller of the Currency, and 
the State Liaison Committee.
---------------------------------------------------------------------------

    This Uniform Interagency Consumer Compliance Rating System (CC 
Rating System) provides a general framework for assessing risks during 
the supervisory process using certain compliance factors and assigning 
an overall consumer compliance rating to each federally regulated 
financial institution.\6\ The primary purpose of the CC Rating System 
is to ensure that regulated financial institutions are evaluated in a 
comprehensive and consistent manner, and that supervisory resources are 
appropriately focused on areas exhibiting risk of consumer harm and on 
institutions that warrant elevated supervisory attention.
---------------------------------------------------------------------------

    \6\ The Federal Financial Institutions Examination Council Act 
of 1978 (12 U.S.C. 3302(3)) defines financial institution. 
Additionally, as a member of the FFIEC, the CFPB will also use the 
CC Rating System to assign a consumer compliance rating, as 
appropriate for nonbanks, for which it has jurisdiction regarding 
the enforcement of Federal consumer financial laws as defined under 
the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-
Frank Act) (12 U.S.C. 5481 et seq.).
---------------------------------------------------------------------------

    The CC Rating System is composed of guidance and definitions. The 
guidance provides examiners with direction on how to use the 
definitions when assigning a consumer compliance rating to an 
institution. The definitions consist of qualitative descriptions for 
each rating category and include compliance management system (CMS) 
elements reflecting risk control processes designed to manage consumer 
compliance risk and considerations regarding violations of laws, 
consumer harm, and the size, complexity, and risk profile of an 
institution. The consumer compliance rating reflects the effectiveness 
of an institution's CMS to ensure compliance with consumer protection 
laws and regulations and reduce the risk of harm to consumers.

Principles of the Interagency CC Rating System

    The Agencies developed the following principles to serve as a 
foundation for the CC Rating System.
    Risk-based. Recognize and communicate clearly that CMS vary based 
on the size, complexity, and risk profile of supervised institutions.
    Transparent. Provide clear distinctions between rating categories 
to support consistent application by the Agencies across supervised 
institutions. Reflect the scope of the review that formed the basis of 
the overall rating.
    Actionable. Identify areas of strength and direct appropriate 
attention to specific areas of weakness, reflecting a risk-based 
supervisory approach. Convey examiners' assessment of the effectiveness 
of an institution's CMS, including its ability to prevent consumer harm 
and ensure compliance with consumer protection laws and regulations.
    Incent Compliance. Incent the institution to establish an effective 
consumer compliance system across the institution and to identify and 
address issues promptly, including self-identification and correction 
of consumer compliance weaknesses. Reflect the potential impact of any 
consumer harm identified in examination findings.

Five-Level Rating Scale

    The CC Rating System is based upon a numeric scale of 1 through 5 
in increasing order of supervisory concern. Thus, 1 represents the 
highest rating and consequently the lowest degree of supervisory 
concern, while 5 represents the lowest rating and the most critically 
deficient level of performance, and therefore, the highest degree of 
supervisory concern.\7\ Ratings of 1 or 2 represent satisfactory or 
better performance. Ratings of 3, 4, or 5 indicate performance that is 
less than satisfactory. Consistent with the previously described 
Principles, the rating system incents a financial institution to 
establish an effective CMS across the institution, to self-identify 
risks, and to take the necessary actions to reduce the risk of non-
compliance and consumer harm.
---------------------------------------------------------------------------

    \7\ The Agencies do not consider an institution's record of 
performance under the Community Reinvestment Act (CRA) in 
conjunction with assessing an institution under the CC Rating System 
since institutions are evaluated separately under the CRA.
---------------------------------------------------------------------------

     The highest rating of 1 is assigned to a financial 
institution that maintains a strong CMS and takes action to prevent 
violations of law and consumer harm.
     A rating of 2 is assigned to a financial institution that 
maintains a CMS that is satisfactory at managing consumer compliance 
risk in the institution's products and services and at substantially 
limiting violations of law and consumer harm.
     A rating of 3 reflects a CMS deficient at managing 
consumer

[[Page 79478]]

compliance risk in the institution's products and services and at 
limiting violations of law and consumer harm.
     A rating of 4 reflects a CMS seriously deficient at 
managing consumer compliance risk in the institution's products and 
services and/or at preventing violations of law and consumer harm. 
Seriously deficient indicates fundamental and persistent weaknesses in 
crucial CMS elements and severe inadequacies in core compliance areas 
necessary to operate within the scope of statutory and regulatory 
consumer protection requirements and to prevent consumer harm.
     A rating of 5 reflects a CMS critically deficient at 
managing consumer compliance risk in the institution's products and 
services and/or at preventing violations of law and consumer harm. 
Critically deficient indicates an absence of crucial CMS elements and a 
demonstrated lack of willingness or capability to take the appropriate 
steps necessary to operate within the scope of statutory and regulatory 
consumer protection requirements and to prevent consumer harm.

CC Rating System Categories and Assessment Factors

CC Rating System--Categories

    The CC Rating System is organized under three broad categories:
    1. Board and Management Oversight,
    2. Compliance Program, and
    3. Violations of Law and Consumer Harm.
    The Consumer Compliance Rating Definitions below list the 
assessment factors considered within each category, along with 
narrative descriptions of performance.
    The first two categories, Board and Management Oversight and 
Compliance Program, are used to assess a financial institution's CMS. 
As such, examiners should evaluate the assessment factors within these 
two categories commensurate with the institution's size, complexity, 
and risk profile. All institutions, regardless of size, should maintain 
an effective CMS. The sophistication and formality of the CMS typically 
will increase commensurate with the size, complexity, and risk profile 
of the entity.
    Additionally, compliance expectations contained within the 
narrative descriptions of these two categories extend to third-party 
relationships into which the financial institution has entered. There 
can be certain benefits to financial institutions engaging in 
relationships with third parties, including gaining operational 
efficiencies or an ability to deliver additional products and services, 
but such arrangements also may expose financial institutions to risks 
if not managed effectively. The prudential agencies, the CFPB, and some 
states have issued guidance describing expectations regarding oversight 
of third-party relationships. While an institution's management may 
make the business decision to outsource some or all of the operational 
aspects of a product or service, the institution cannot outsource the 
responsibility for complying with laws and regulations or managing the 
risks associated with third-party relationships.
    As noted in the Consumer Compliance Rating Definitions, examiners 
should evaluate activities conducted through third-party relationships 
as though the activities were performed by the institution itself. 
Examiners should review a financial institution's management of third-
party relationships and servicers as part of its overall compliance 
program.
    The third category, Violations of Law and Consumer Harm, includes 
assessment factors that evaluate the dimensions of any identified 
violation or consumer harm. Examiners should weigh each of these four 
factors--root cause, severity, duration, and pervasiveness--in 
evaluating relevant violations of law and any resulting consumer harm.

Board and Management Oversight--Assessment Factors

    Under Board and Management Oversight, the examiner should assess 
the financial institution's board of directors and management, as 
appropriate for their respective roles and responsibilities, based on 
the following assessment factors:
     Oversight of and commitment to the institution's CMS;
     effectiveness of the institution's change management 
processes, including responding timely and satisfactorily to any 
variety of change, internal or external, to the institution;
     comprehension, identification, and management of risks 
arising from the institution's products, services, or activities; and
     self-identification of consumer compliance issues and 
corrective action undertaken as such issues are identified.

Compliance Program--Assessment Factors

    Under Compliance Program, the examiner should assess other elements 
of an effective CMS, based on the following assessment factors:
     Whether the institution's policies and procedures are 
appropriate to the risk in the products, services, and activities of 
the institution;
     the degree to which compliance training is current and 
tailored to risk and staff responsibilities;
     the sufficiency of the monitoring and, if applicable, 
audit to encompass compliance risks throughout the institution; and
     the responsiveness and effectiveness of the consumer 
complaint resolution process.

Violations of Law and Consumer Harm--Assessment Factors

    Under Violations of Law and Consumer Harm, the examiner should 
analyze the following assessment factors:
     the root cause, or causes, of any violations of law 
identified during the examination;
     the severity of any consumer harm resulting from 
violations;
     the duration of time over which the violations occurred; 
and
     the pervasiveness of the violations.
    As a result of a violation of law, consumer harm may occur. While 
many instances of consumer harm can be quantified as a dollar amount 
associated with financial loss, such as charging higher fees for a 
product than was initially disclosed, consumer harm may also result 
from a denial of an opportunity. For example, a consumer could be 
harmed when a financial institution denies the consumer credit or 
discourages an application in violation of the Equal Credit Opportunity 
Act,\8\ whether or not there is resulting financial harm.
---------------------------------------------------------------------------

    \8\ 15 U.S.C. 1691 et seq.
---------------------------------------------------------------------------

    This category of the Consumer Compliance Rating Definitions defines 
four factors by which examiners can assess violations of law and 
consumer harm.
    Root Cause. The Root Cause assessment factor analyzes the degree to 
which weaknesses in the CMS gave rise to the violations. In many 
instances, the root cause of a violation is tied to a weakness in one 
or more elements of the CMS. Violations that result from critical 
deficiencies in the CMS evidence a critical absence of management 
oversight and are of the highest supervisory concern.
    Severity. The Severity assessment factor of the Consumer Compliance 
Rating Definitions weighs the type of consumer harm, if any, that 
resulted from violations of law. More severe harm results in a higher 
level of supervisory concern under this factor.

[[Page 79479]]

For example, some consumer protection violations may cause significant 
financial harm to a consumer, while other violations may cause 
negligible harm, based on the specific facts involved.
    Duration. The Duration assessment factor considers the length of 
time over which the violations occurred. Violations that persist over 
an extended period of time will raise greater supervisory concerns than 
violations that occur for only a brief period of time. When violations 
are brought to the attention of an institution's management and 
management allows those violations to remain unaddressed, such 
violations are of the highest supervisory concern.
    Pervasiveness. The Pervasiveness assessment factor evaluates the 
extent of the violation(s) and resulting consumer harm, if any. 
Violations that affect a large number of consumers will raise greater 
supervisory concern than violations that impact a limited number of 
consumers. If violations become so pervasive that they are considered 
to be widespread or present in multiple products or services, the 
institution's performance under this factor is of the highest 
supervisory concern.

Self-Identification of Violations of Law and Consumer Harm

    Strong compliance programs are proactive. They promote consumer 
protection by preventing, self-identifying, and addressing compliance 
issues in a proactive manner. Accordingly, the CC Rating System 
provides incentives for such practices through the definitions 
associated with a 1 rating.
    The Agencies believe that self-identification and prompt correction 
of violations of law reflect strengths in an institution's CMS. A 
robust CMS appropriate for the size, complexity and risk profile of an 
institution's business often will prevent violations or will facilitate 
early detection of potential violations. This early detection can limit 
the size and scope of consumer harm. Moreover, self-identification and 
prompt correction of serious violations represents concrete evidence of 
an institution's commitment to responsibly address underlying risks. In 
addition, appropriate corrective action, including both correction of 
programmatic weaknesses and full redress for injured parties, limits 
consumer harm and prevents violations from recurring in the future. 
Thus, the CC Rating System recognizes institutions that consistently 
adopt these strategies as reflected in the Consumer Compliance Rating 
Definitions.

Evaluating Performance Using the CC Rating Definitions

    The consumer compliance rating is derived through an evaluation of 
the financial institution's performance under each of the assessment 
factors described above. The consumer compliance rating reflects the 
effectiveness of an institution's CMS to identify and manage compliance 
risk in the institution's products and services and to prevent 
violations of law and consumer harm, as evidenced by the financial 
institution's performance under each of the assessment factors.
    The consumer compliance rating reflects a comprehensive evaluation 
of the financial institution's performance under the CC Rating System 
by considering the categories and assessment factors in the context of 
the size, complexity, and risk profile of an institution. It is not 
based on a numeric average or any other quantitative calculation. 
Specific numeric ratings will not be assigned to any of the 12 
assessment factors. Thus, an institution need not achieve a 
satisfactory assessment in all categories in order to be assigned an 
overall satisfactory rating. Conversely, an institution may be assigned 
a less than satisfactory rating even if some of its assessments were 
satisfactory.
    The relative importance of each category or assessment factor may 
differ based on the size, complexity, and risk profile of an individual 
institution. Accordingly, one or more category or assessment factor may 
be more or less relevant at one financial institution as compared to 
another institution. While the expectations for compliance with 
consumer protection laws and regulations are the same across 
institutions of varying sizes, the methods for accomplishing an 
effective CMS may differ across institutions.
    The evaluation of an institution's performance within the 
Violations of Law and Consumer Harm category of the CC Rating 
Definitions considers each of the four assessment factors: Root Cause, 
Severity, Duration, and Pervasiveness. At the levels of 4 and 5 in this 
category, the distinctions in the definitions are focused on the root 
cause assessment factor rather than Severity, Duration, and 
Pervasiveness. This approach is consistent with the other categories 
where the difference between a 4 and a 5 is driven by the institution's 
capacity and willingness to maintain a sound consumer compliance 
system.
    In arriving at the final rating, the examiner must balance 
potentially differing conclusions about the effectiveness of the 
financial institution's CMS over the individual products, services, and 
activities of the organization. Depending on the relative materiality 
of a product line to the institution, an observed weakness in the 
management of that product line may or may not impact the conclusion 
about the institution's overall performance in the associated 
assessment factor(s). For example, serious weaknesses in the policies 
and procedures or audit program of the mortgage department at a 
mortgage lender would be of greater supervisory concern than those same 
gaps at an institution that makes very few mortgage loans and strictly 
as an accommodation. Greater weight should apply to the financial 
institution's management of material products with significant 
potential consumer compliance risk.
    An institution may receive a less than satisfactory rating even 
when no violations were identified, based on deficiencies or weaknesses 
identified in the institution's CMS. For example, examiners may 
identify weaknesses in elements of the CMS in a new loan product. 
Because the presence of those weaknesses left unaddressed could result 
in future violations of law and consumer harm, the CMS deficiencies 
could impact the overall consumer compliance rating, even if no 
violations were identified.
    Similarly, an institution may receive a 1 or 2 rating even when 
violations were present, if the CMS is commensurate with the risk 
profile and complexity of the institution. For example, when violations 
involve limited impact on consumers, were self-identified, and resolved 
promptly, the evaluation may result in a 1 or 2 rating. After 
evaluating the institution's performance in the two CMS categories, 
Board and Management Oversight and Compliance Program, and the 
dimensions of the violations in the third category, the examiner may 
conclude that the overall strength of the CMS and the nature of 
observed violations viewed together do not present significant 
supervisory concerns.

Assignment of Ratings by Supervisor(s)

    The prudential regulators will continue to assign and update, as 
appropriate, consumer compliance ratings for institutions they 
supervise, including those with total assets of more than $10 
billion.\9\ As a member of the

[[Page 79480]]

FFIEC, the CFPB will also use the CC Rating System to assign a consumer 
compliance rating, as appropriate, for institutions with total assets 
of more than $10 billion, as well as for nonbanks for which it has 
jurisdiction regarding the enforcement of Federal consumer financial 
laws as defined under the Dodd-Frank Act.\10\ The prudential regulators 
will take into consideration any material supervisory information 
provided by the CFPB, as that information relates to covered 
supervisory activities or covered examinations.\11\ Similarly, the CFPB 
will take into consideration any material supervisory information 
provided by prudential regulators in appropriate supervisory 
situations.
---------------------------------------------------------------------------

    \9\ Section 1025 of the Dodd-Frank Act (12 U.S.C. 5515) applies 
to federally insured institutions with more than $10 billion in 
total assets. This section granted the CFPB exclusive authority to 
examine insured depository institutions and their affiliates for 
compliance with Federal consumer financial laws. The prudential 
regulators retained authority for examining insured depository 
institutions with more than $10 billion in total assets for 
compliance with certain other laws related to consumer financial 
protection, including the Fair Housing Act, the Servicemembers Civil 
Relief Act, and section 5 of the Federal Trade Commission Act.
    \10\ 12 U.S.C. 5481 et seq. A financial institution with assets 
over $10 billion may receive a consumer compliance rating by both 
its primary prudential regulator and the CFPB. The rating is based 
on each agency's review of the institution's CMS and compliance with 
the federal consumer protection laws falling under each agency's 
jurisdiction.
    \11\ The prudential regulators and the CFPB signed a Memorandum 
of Understanding on Supervisory Coordination dated May 16, 2012 
(MOU) intended to facilitate the coordination of supervisory 
activities involving financial institutions with more than $10 
billion in assets as required under the Dodd-Frank Act.
---------------------------------------------------------------------------

    State regulators maintain supervisory authority to conduct 
examinations of state-chartered depository institutions and licensed 
entities. As such, states may assign consumer compliance ratings to 
evaluate compliance with both state and federal laws and regulations. 
States will collaborate and consider material supervisory information 
from other state and federal regulatory agencies during the course of 
examinations.

                                                         Consumer Compliance Rating Definitions
--------------------------------------------------------------------------------------------------------------------------------------------------------
Assessment factors to be considered             1                       2                      3                      4                      5
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                             Board and Management Oversight
      Board and management oversight factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance
                                                 expectations below extend to third-party relationships.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Oversight and Commitment...........  Board and management    Board and management    Board and management   Board and management   Board and management
                                      demonstrate strong      provide satisfactory    oversight of the       oversight,             oversight,
                                      commitment and          oversight of the        financial              resources, and         resources, and
                                      oversight to the        financial               institution's          attention to the       attention to the
                                      financial               institution's           compliance             compliance             compliance
                                      institution's           compliance management   management system is   management system      management system
                                      compliance management   system.                 deficient.             are seriously          are critically
                                      system.                                                                deficient.             deficient.
                                     Substantial compliance  Compliance resources    Compliance resources   Compliance resources   Compliance resources
                                      resources are           are adequate and        and staff are          and staff are          are critically
                                      provided, including     staff is generally      inadequate to ensure   seriously deficient    deficient in
                                      systems, capital, and   able to ensure the      the financial          and are ineffective    supporting the
                                      human resources         financial institution   institution is in      at ensuring the        financial
                                      commensurate with the   is in compliance with   compliance with        financial              institution's
                                      financial               consumer laws and       consumer laws and      institution's          compliance with
                                      institution's size,     regulations.            regulations.           compliance with        consumer laws and
                                      complexity, and risk                                                   consumer laws and      regulations, and
                                      profile. Staff is                                                      regulations.           management and staff
                                      knowledgeable,                                                                                are unwilling or
                                      empowered and held                                                                            incapable of
                                      accountable for                                                                               operating within the
                                      compliance with                                                                               scope of consumer
                                      consumer laws and                                                                             protection laws and
                                      regulations.                                                                                  regulations.
                                     Management conducts     Management conducts     Management does note   Management oversight   Management oversight
                                      comprehensive and       adequate and ongoing    adequately conduct     and due diligence      and due diligence of
                                      ongoing due diligence   due diligence and       due diligence and      over third-party       third-party
                                      and oversight of        oversight of third      oversite of third      performance, as well   performance is
                                      third parties           parties to ensure       parties to ensure      as management's        critically
                                      consistent with         that the financial      that the financial     ability to             deficient.
                                      agency expectations     institution complies    institution complies   adequately identify,
                                      to ensure that the      with consumer           with consumer          measure, monitor, or
                                      financial institution   protection laws, and    protection laws, nor   manage compliance
                                      complies with           adequately oversees     does it adequately     risks, is seriously
                                      consumer protection     third parties'          oversees third         deficient.
                                      laws, and exercises     policies, procedures,   parties' policies,
                                      strong oversight of     internal controls,      procedures, internal
                                      third parties'          and training to         controls, and
                                      policies, procedures,   ensure appropriate      training to ensure
                                      internal controls,      oversight of            appropriate
                                      and training to         compliance              oversight of
                                      ensure consistent       responsibilities.       compliance
                                      oversight of                                    responsibilities.
                                      compliance
                                      responsibilities.

[[Page 79481]]

 
Change Management..................  Management anticipates  Management responds     Management does not    Management's response  Management fails to
                                      and responds promptly   timely and adequately   respond adequately     to changes in          monitor and respond
                                      to changes in           to changes in           and/or timely in       applicable laws and    to changes in
                                      applicable laws and     applicable laws and     adjusting to changes   regulations, market    applicable laws and
                                      regulations, market     regulations, market     in applicable laws     conditions, or         regulations, market
                                      conditions and          conditions, products    and regulations,       products and           conditions, or
                                      products and services   and services offered    market conditions,     services offered is    products and
                                      offered by evaluating   by evaluating the       and products and       seriously deficient.   services offered.
                                      the change and          change and              services offered.
                                      implementing            implementing
                                      responses across        responses across
                                      impacted lines of       impacted lines of
                                      business.               business.
                                     Management conducts     Management evaluates
                                      due diligence in        product changes
                                      advance of product      before and after
                                      changes, considers      implementing the
                                      the entire life cycle   change.
                                      of a product or
                                      service in
                                      implementing change,
                                      and reviews the
                                      change after
                                      implementation to
                                      determine that
                                      actions taken have
                                      achieved planned
                                      results.
Comprehension, Identification and    Management has a solid  Management comprehends  Management has an      Management exhibits a  Management does not
 Management of Risk.                  comprehension of and    and adequately          inadequate             seriously deficient    comprehend nor
                                      effectively             identifies compliance   comprehension of and   comprehension of and   identify compliance
                                      identifies compliance   risks, including        ability to identify    ability to identify    risks, including
                                      risks, including        emerging risks, in      compliance risks,      compliance risks,      emerging risks, in
                                      emerging risks, in      the financial           including emerging     including emerging     the financial
                                      the financial           institution's           risks, in the          risks, in the          institution.
                                      institution's           products, services,     financial              financial
                                      products, services,     and other activities.   institution's          institution.
                                      and other activities.                           products, services,
                                                                                      and other activities.
                                     Management actively     Management adequately
                                      engages in managing     manages those risks,
                                      those risks,            including through
                                      including through       self-assessments.
                                      comprehensive self-
                                      assessments.
Corrective Action and Self-          Management proactively  Management adequately   Management does not    Management response    Management is
 Identification.                      identifies issues and   responds to and         adequately respond     to deficiencies,       incapable, unwilling
                                      promptly responds to    corrects deficiencies   to compliance          violations and         and/or fails to
                                      compliance risk         and/or violations,      deficiencies and       examination findings   respond to
                                      management              including adequate      violations including   is seriously           deficiencies,
                                      deficiencies and any    remediation, in the     those related to       deficient.             violations or
                                      violations of laws or   normal course of        remediation.                                  examination
                                      regulations,            business.                                                             findings.
                                      including remediation.
--------------------------------------------------------------------------------------------------------------------------------------------------------

[[Page 79482]]

 
                                                                   Compliance Program
  Compliance Program factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance expectations below
                                                          extend to third-party relationships.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Policies and Procedures............  Compliance policies     Compliance policies     Compliance policies    Compliance policies    Compliance policies
                                      and procedures and      and procedures and      and procedures and     and procedures and     and procedures and
                                      third-party             third-party             third-party            third-party            third-party
                                      relationship            relationship            relationship           relationship           relationship
                                      management programs     management programs     management programs    management programs    management programs
                                      are strong,             are adequate to         are inadequate at      are seriously          are critically
                                      comprehensive and       manage the compliance   managing the           deficient at           absent.
                                      provide standards to    risk in the products,   compliance risk in     managing compliance
                                      effectively manage      services and            the products,          risk in the
                                      compliance risk in      activities of the       services and           products, services
                                      the products,           financial institution.  activities of the      and activities of
                                      services and                                    financial              the financial
                                      activities of the                               institution.           institution.
                                      financial institution.
Training...........................  Compliance training is  Compliance training     Compliance training    Compliance training    Compliance training
                                      comprehensive,          outlining staff         is not adequately      is seriously           is critically
                                      timely, and             responsibilities is     comprehensive,         deficient in its       absent.
                                      specifically tailored   adequate and provided   timely, updated, or    comprehensiveness,
                                      to the particular       timely to appropriate   appropriately          timeliness, or
                                      responsibilities of     staff.                  tailored to the        relevance to staff
                                      the staff receiving                             particular             with compliance
                                      it, including those                             responsibilities of    responsibilities, or
                                      responsible for                                 the staff.             has numerous major
                                      product development,                                                   inaccuracies.
                                      marketing and
                                      customer service.
                                     The compliance          The compliance
                                      training program is     training program is
                                      updated proactively     updated to encompass
                                      in advance of the       new products and to
                                      introduction of new     comply with changes
                                      products or new         to consumer
                                      consumer protection     protection laws and
                                      laws and regulations    regulations.
                                      to ensure that all
                                      staff are aware of
                                      compliance
                                      responsibilities
                                      before rolled out.
Monitoring and/or Audit............  Compliance monitoring   Compliance monitoring   Compliance monitoring  Compliance monitoring  Compliance monitoring
                                      practices, management   practices, management   practices,             practices,             practices,
                                      information systems,    information systems,    management             management             management
                                      reporting, compliance   reporting, compliance   information systems,   information systems,   information systems,
                                      audit, and internal     audit, and internal     reporting,             reporting,             reporting,
                                      control systems are     control systems         compliance audit,      compliance audit,      compliance audit, or
                                      comprehensive,          adequately address      and internal control   and internal           internal controls
                                      timely, and             compliance risks        systems do not         controls are           are critically
                                      successful at           throughout the          adequately address     seriously deficient    absent.
                                      identifying and         financial institution.  risks involving        in addressing risks
                                      measuring material                              products, services     involving products,
                                      compliance risk                                 or other activities    services or other
                                      management throughout                           including, timing      activities.
                                      the financial                                   and scope.
                                      institution.
                                     Programs are monitored
                                      proactively to
                                      identify procedural
                                      or training
                                      weaknesses to
                                      preclude regulatory
                                      violations. Program
                                      modifications are
                                      made expeditiously to
                                      minimize compliance
                                      risk.

[[Page 79483]]

 
Consumer Complaint Response........  Processes and           Processes and           Processes and          Processes and          Processes and
                                      procedures for          procedures for          procedures for         procedures for         procedures for
                                      addressing consumer     addressing consumer     addressing consumer    addressing consumer    addressing consumer
                                      complaints are          complaints are          complaints are         complaints and         complaints are
                                      strong. Consumer        adequate. Consumer      inadequate. Consumer   consumer complaint     critically absent.
                                      complaint               complaint               complaint              investigations are     Meaningful
                                      investigations and      investigations and      investigations and     seriously deficient.   investigations and
                                      responses are prompt    responses are           responses are not                             responses are
                                      and thorough.           generally prompt and    thorough or timely.                           absent.
                                                              thorough.
                                     Management monitors     Management adequately   Management does not    Management monitoring  Management exhibits a
                                      consumer complaints     monitors consumer       adequately monitor     of consumer            disregard for
                                      to identify risks of    complaints and          consumer complaints.   complaints is          complaints or
                                      potential consumer      responds to issues                             seriously deficient.   preventing consumer
                                      harm, program           identified.                                                           harm.
                                      deficiencies, and
                                      customer service
                                      issues and takes
                                      appropriate action.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           Violations of Law and Consumer Harm
--------------------------------------------------------------------------------------------------------------------------------------------------------
Root Cause.........................  The violations are the  Violations are the      Violations are the     Violations are the     Violations are the
                                      result of minor         result of modest        result of material     result of serious      result of critical
                                      weaknesses, if any,     weaknesses in the       weaknesses in the      deficiencies in the    deficiencies in the
                                      in the compliance       compliance risk         compliance risk        compliance risk        compliance risk
                                      risk management         management system.      management system.     management system.     management system.
                                      system.
Severity...........................  The type of consumer    The type of consumer    The type of consumer   The type of consumer harm resulting from the
                                      harm, if any,           harm resulting from     harm resulting from     violations would have a serious impact on
                                      resulting from the      the violations would    the violations would                    consumers.
                                      violations would have   have a limited impact   have a considerable
                                      a minimal impact on     on consumers.           impact on consumers.
                                      consumers.
Duration...........................  The violations and      The violations and      The violations and      The violations and resulting consumer harm,
                                      resulting consumer      resulting consumer      resulting consumer          if any, have been long-standing or
                                      harm, if any,           harm, if any,           harm, if any,                           repeated.
                                      occurred over a brief   occurred over a         occurred over an
                                      period of time.         limited period of       extended period of
                                                              time.                   time.
Pervasiveness......................  The violations and      The violations and      The violations and      The violations and resulting consumer harm,
                                      resulting consumer      resulting consumer      resulting consumer        if any, are widespread or in multiple
                                      harm, if any, are       harm, if any, are       harm, if any, are                 products or services.
                                      isolated in number.     limited in number.      numerous.
--------------------------------------------------------------------------------------------------------------------------------------------------------

[End of proposed text.]

    Dated: November 7, 2016.

Federal Financial Institutions Examination Council.
Judith E. Dupre,
FFIEC Executive Secretary.
[FR Doc. 2016-27226 Filed 11-10-16; 8:45 am]
 BILLING CODE 7535-01-P; 6714-01-P; 6210-01-P; 4810-33-P; 4810-AM-P