Skip to Content

Notice

Uniform Interagency Consumer Compliance Rating System

Document Details

Information about this document as published in the Federal Register.

Enhanced Content

Relevant information about this document from Regulations.gov provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Federal Financial Institutions Examination Council (FFIEC).

ACTION:

Notice and request for comment.

SUMMARY:

Pursuant to 12 U.S.C. 3301, the Federal Financial Institutions Examination Council (FFIEC), established in 1979, is a formal interagency body empowered to prescribe principles and standards for the federal examination of financial institutions and to make recommendations to promote consistency and coordination in the supervision of institutions.

The six members of the FFIEC represent the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the State Liaison Committee (SLC), and the Consumer Financial Protection Bureau (CFPB) (Agencies).

The FFIEC promotes compliance with federal consumer protection laws and regulations through each agency's supervisory and outreach programs. Through compliance supervision, the FFIEC Agencies determine whether an institution is meeting its responsibility to comply with applicable requirements.

The FFIEC requests comment on a proposal to revise the Uniform Interagency Consumer Compliance Rating System, more commonly known as the “CC Rating System,” to reflect the regulatory, examination (supervisory), technological, and market changes that have occurred in the years since the current rating system was established. The FFIEC is proposing to revise the existing CC Rating System to better reflect current consumer compliance supervisory approaches. The revisions are designed to more fully align the rating system with the FFIEC Agencies' current risk-based, tailored examination Start Printed Page 26554approaches. The proposed revisions to the CC Rating System were not developed to set new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden.

The proposed revisions emphasize the importance of institutions' compliance management systems (CMS), in particular, risk control processes designed to manage consumer compliance risk which are needed to support compliance and prevent consumer harm. The CC Rating System has provided a general framework for evaluating compliance factors in order to assign a consumer compliance rating to each federally regulated financial institution.[1]

DATES:

Comments must be received on or before July 5, 2016.

ADDRESSES:

Because paper mail received by the FFIEC is subject to delay due to heightened security precautions in the Washington, DC area, you are encouraged to submit comments by the Federal eRulemaking Portal, if possible. Please use the title “Consumer Compliance Rating System” to facilitate the organization and distribution of the comments. You may submit comments by any of the following methods:

Federal eRulemaking Portal (Regulations.gov): Go to http://www.regulations.gov. Under the “More Search Options” tab, click next to the “Advanced Docket Search” option where indicated, select “FFIEC” from the agency drop-down menu, then click “Submit.” In the “Docket ID” column, select “Docket Number FFIEC-2016-0001” to submit or view public comments and to view supporting and related materials for this notice of proposed rulemaking. The “How to Use This Site” link on the Regulations.gov home page provides information on using Regulations.gov, including instructions for submitting or viewing public comments, viewing other supporting and related materials, and viewing the docket after the close of the comment period.

Mail: Judith Dupre, Executive Secretary, Federal Financial Institutions Examination Council, L. William Seidman Center, Mailstop: 7081a, 3501 Fairfax Drive, Arlington, VA 22226-3550.

Hand delivery/courier: Judith Dupre, Executive Secretary, Federal Financial Institutions Examination Council, L. William Seidman Center, Mailstop: B-7081a, 3501 Fairfax Drive, Arlington, VA 22226-3550.

Instructions: You must include “FFIEC” as the agency name and “Docket Number FFIEC-2016-0001” in your comment. In general, the FFIEC will enter all comments received into the docket and publish them on the Regulations.gov Web site without change, including any business or personal information that you provide such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

Docket: You may also view or request available background documents and project summaries using the methods described above.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

OCC: Ronald A. Dice, Compliance Specialist, Office of the Comptroller of the Currency, 400 7th Street SW., Washington, DC 20219, (202) 649-5470; or Kimberly Hebb, Director of Compliance Policy, (202) 649-5470.

Board: Lanette Meister, Senior Supervisory Consumer Financial Services Analyst, Board of Governors of the Federal Reserve System, 20th and C Streets NW., Washington, DC 20551, (202) 452-2705.

FDIC: Ardie Hollifield, Senior Policy Analyst, Federal Deposit Insurance Corporation, 550 17th Street NW., Washington, DC 20429-0002, (202) 898-6638; John Jackwood, Senior Policy Analyst, (202) 898-3991; or Faye Murphy, Chief, Consumer Compliance and UDAP Examination Section, (202) 898-6613.

NCUA: Jamie Goodson, Director, Division of Consumer Compliance Policy and Outreach, Office of Consumer Protection, National Credit Union Administration, 1775 Duke Street Alexandria, VA 22314-3428, (703) 518-1140.

CFPB: Kathleen Conley, Senior Consumer Financial Protection Analyst, Consumer Financial Protection Bureau, 1700 G Street NW., Washington, DC 20552, (202) 435-7459.

SLC: Matthew Lambert, Policy Counsel, Conference of State Bank Supervisors, 1129 20th Street NW., 9th Floor, Washington, DC 20036, (202) 407-7130.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Background

The current CC Rating System, adopted in 1980, is a supervisory policy for evaluating financial institutions' [2] adherence to consumer compliance requirements. The CC Rating System provides a framework for evaluating institutions based on assessment factors to assign a consumer compliance rating to each institution.

The CC Rating System is based upon a scale of 1 through 5, in increasing order of supervisory concern. Thus, 1 represents the highest rating and consequently the lowest level of supervisory concern, while 5 represents the lowest rating and consequently the most critically deficient level of performance and the highest degree of supervisory concern. When using the CC Rating System to assess an institution, the Agencies do not consider an institution's record of lending performance under the Community Reinvestment Act (CRA) because institutions are evaluated separately for CRA.

Factors Supporting a Revised CC Rating System

The FFIEC is proposing revisions to the existing CC Rating System, recognizing that there have been legislative, regulatory, supervisory, technological, and market changes since the adoption of the current CC Rating System. Since 1980, the regulatory landscape has evolved considerably. Over the past 30 years, changes include:

  • The consolidation of financial institutions and resultant changed risk profiles of entities prompted by factors such as legal changes that allowed interstate banking;
  • New and revised regulatory requirements;
  • Major transformations in technology, business models, and consumers' banking habits which have resulted in a broader set of risks to consumers; and
  • The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act),[3] which substantially altered the regulatory landscape by creating the CFPB and reshaping the responsibilities of the prudential regulators.[4] As a result, large institutions over a certain Start Printed Page 26555asset threshold now have more than one FFIEC consumer compliance supervisor.

Purpose of the Revisions

The Agencies are proposing to revise the current CC Rating System to better reflect current consumer compliance supervisory approaches. The revisions are designed to more fully align the rating system with the Agencies' current risk-based, tailored examination approaches. The proposed revisions to the CC Rating System were not developed to set new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden.

When the current CC Rating System was adopted in 1980, examinations focused more on transaction testing for regulatory compliance rather than evaluating the sufficiency of an institution's CMS to ensure compliance with regulatory requirements and to prevent consumer harm. In the intervening years, each of the FFIEC Agencies has adopted a risk-based consumer compliance examination approach to promote strong compliance risk management practices and consumer protection within supervised financial institutions. Risk-based consumer compliance supervision evaluates whether an institution's CMS effectively manages the compliance risk in the products and services offered to its customers. Under risk-based supervision, examiners tailor supervisory activities to the size, complexity, and risk profile of each institution and adjust these activities over time. While compliance management programs vary based on the size, complexity, and risk profile of supervised institutions, all institutions should maintain an effective CMS. The sophistication and formality of the CMS typically will increase commensurate with the size, complexity, and risk profile of the entity.

As the Agencies drafted the proposed rating system definitions, one objective was to develop a rating system appropriate for evaluating institutions of all sizes. Therefore, the first principle discussed within the CC Rating System conveys that the system is risk-based to recognize and communicate clearly that compliance management programs vary based on the size, complexity, and risk profile of supervised institutions. This principle is reinforced in the Consumer Compliance Rating Definitions by conveying to examiners that assessment factors associated with an institution's CMS should be evaluated commensurate with the institution's size, complexity, and risk profile.

In developing the revised CC Rating System, the Agencies believe it is also important for the new rating system to establish incentives for institutions to promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner. The proposed rating system would also create a framework for the Agencies to recognize institutions that consistently adopt these compliance strategies.

Another benefit of the proposed CC Rating System is to promote coordination, communication, and consistency among the Agencies, consistent with the Agencies' respective supervisory authorities. Pursuant to the proposal, each of the Agencies would use the same CC Rating System to assign a consumer compliance rating to all supervised institutions, including banks and non-banks. Further, revising the rating system definitions responds to requests from industry representatives who have asked that the CC Rating System be updated.

Proposed Consumer Compliance Rating System

The primary purpose of the proposed CC Rating System is to ensure that all institutions are evaluated in a comprehensive and consistent manner, and that supervisory resources are appropriately focused on areas exhibiting risk of consumer harm and on institutions that warrant elevated supervisory attention. The Agencies are recommending retention of the current CC Rating System's five-scale framework for the proposed System while also recommending revisions to the current CC Rating System to enhance its effectiveness.

The proposed CC Rating System is based upon a numeric scale of 1 through 5 in increasing order of supervisory concern. Thus, 1 represents the highest rating and consequently the lowest degree of supervisory concern, while 5 represents the lowest rating and the most critically deficient level of performance, and therefore, the highest degree of supervisory concern. Ratings of 1 or 2 represent satisfactory or better performance. Ratings of 3, 4, or 5 indicate performance that is less than satisfactory.

The proposed CC Rating System reflects risk-based expectations commensurate with the size, complexity and risk profile of institutions and incents institutions to prevent, self-identify, and address compliance issues.

Pursuant to the proposed System, each institution would be assigned a consumer compliance rating based primarily on the adequacy of its CMS, which is designed to ensure compliance on a continuing basis.

The proposed CC Rating System is composed of guidance and definitions. The guidance would provide examiners with direction on how to use the definitions when assigning a consumer compliance rating to an institution. The definitions consist of qualitative descriptions for each rating category and factors regarding violations of laws and consumer harm.

The proposed System is based on a set of key principles. The Agencies agreed that the proposed ratings should be: (1) Risk-based; (2) Transparent; (3) Actionable; and (4) an Incentive for Compliance. Each principle is discussed in detail in the guidance.

The Agencies are proposing a CC Rating System that includes three categories of assessment factors:

  • Board and Management Oversight
  • Compliance Program
  • Violations of Law and Consumer Harm

When assigning a rating under the proposed CC Rating System, examiners would consider each of the assessment factors in each category. Further, the categories would allow examiners to distinguish between varying levels of supervisory concern when rating institutions for compliance with federal consumer protection laws. The consumer compliance rating reflects a comprehensive evaluation of the institution's performance under the CC Rating System by considering the categories and assessment factors in the context of the size, complexity, and risk profile of an institution. It is not based on a numeric average or any other quantitative calculation. Specific numeric ratings will not be assigned to any of the twelve assessment factors. Thus, an institution need not achieve a satisfactory rating in all categories in order to be assigned an overall satisfactory rating. Conversely, an institution may be assigned a less than satisfactory rating even if some of its assessments were rated as satisfactory.

All institutions, regardless of size, should maintain an effective CMS. The sophistication and formality of the CMS typically will increase commensurate with the size, complexity, and risk profile of the entity. The articulation of CMS assessment factors is not intended to create new expectations for lower risk institutions.

Board and Management Oversight

The first category of the proposed CC Rating System would be used to analyze an institution's CMS and the role of its board and management officials. The four assessment factors would be:

Start Printed Page 26556
  • Oversight and Commitment
  • Change Management
  • Comprehension, Identification and Management of Risk
  • Corrective Action and Self-Identification

The Agencies believe the above factors would provide examiners with an effective and consistent framework for evaluating whether or not board and management are engaged to a satisfactory degree at a particular institution. All institutions, regardless of size, should maintain an effective CMS. However, each institution should be evaluated based on its size, complexity and risk profile.

Compliance Program

The second category of the proposed CC Rating System would be used to analyze other elements of an effective CMS. The assessment factors for Compliance Program are:

  • Policies and Procedures
  • Training
  • Monitoring and/or Audit
  • Consumer Complaint Response

The Agencies believe these factors, along with Board and Management Oversight, would provide an effective and consistent framework to evaluate an institution's CMS. Each of these assessment factors would be considered in evaluating risk and assigning a consumer compliance rating. As explained above, each institution would be evaluated based on its size, complexity and risk profile.

Violations of Law and Consumer Harm

The third category of the proposed CC Rating System is Violations of Law and Consumer Harm. This category would provide examiners with a framework for considering the broad range of violations of consumer protection laws and evidence of consumer harm.

The current CC Rating System was adopted in 1980. Since that time, the industry has become more complex, and the broad array of risks in the market that can cause consumer harm has become increasingly clear. Violations of various laws, including, for example, the Servicemembers Civil Relief Act [5] and Section 5 of the Federal Trade Commission Act,[6] as well as fair lending violations, may potentially cause significant consumer harm and raise serious supervisory concerns. Recognizing this broad array of risks, the proposed guidance directs examiners to consider all violations of consumer laws, based on the root cause, severity, duration, and pervasiveness of the violation. This approach emphasizes the importance of a range of consumer protection laws and is intended to reflect the broader array of risks and the potential harm caused by consumer protection related violations.

Specifically, in conjunction with assessing an institution's CMS based on the first two categories, examiners will evaluate the consumer protection violations and related consumer harm based on the four assessment factors below:

  • Root cause, or causes, of any violations of law identified
  • Severity of any consumer harm resulting from violations
  • Duration of time over which the violations occurred
  • Pervasiveness of violations

Consumer harm may occur as a result of a violation of law. While many instances of consumer harm can be quantified as a dollar amount associated with financial loss, such as charging higher fees for a product than was initially disclosed, consumer harm may also result from a denial of an opportunity. For example, a consumer could be harmed when an institution denies the consumer credit or discourages an application in violation of the Equal Credit Opportunity Act,[7] whether or not financial harm occurred.

Assignment of Ratings by Supervisor(s)

The prudential regulators will continue to assign and update, as appropriate, consumer compliance ratings for institutions they supervise, including those with total assets of more than $10 billion.[8] As a member of the FFIEC, the CFPB will also use the CC Rating System to assign a consumer compliance rating, as appropriate, for institutions with total assets of more than $10 billion, as well as to nonbanks for which it has jurisdiction regarding the enforcement of Federal consumer financial laws as defined under the Dodd-Frank Act.[9] When assigning a consumer compliance rating, as well as in other supervisory situations as appropriate, the prudential regulators will take into consideration any material supervisory information provided by the CFPB, as that information relates to covered supervisory activities or covered examinations.[10] Similarly, the CFPB will take into consideration any material supervisory information provided by prudential regulators in appropriate supervisory situations, including when assigning consumer compliance ratings.

State regulators maintain supervisory authority to conduct examinations of state-chartered depository institutions and licensed entities. As such, states may assign consumer compliance ratings to evaluate compliance with both state and federal laws and regulations. States will collaborate and consider material supervisory information from other state and federal regulatory agencies during the course of examinations.

Paperwork Reduction Act

In accordance with the Paperwork Reduction Act (44 U.S.C. 3501 et seq.) (PRA), the Agencies may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid Office of Management and Budget (OMB) control number. The proposed CC Rating System would not involve any new collections of information pursuant to the PRA. Consequently, no information will be submitted to the OMB for review.

FFIEC Guidance on Updating the Uniform Interagency Consumer Compliance Rating System

Uniform Interagency Consumer Compliance Rating System

The Federal Financial Institutions Examination Council (FFIEC) member agencies (Agencies) promote compliance with federal consumer protection laws and regulations through supervisory and outreach programs.[11] The Agencies engage in consumer compliance supervision to assess Start Printed Page 26557whether a financial institution is meeting its responsibility to comply with these requirements.

This Uniform Interagency Consumer Compliance Rating System (CC Rating System) provides a general framework for assessing risks during the supervisory process using certain compliance factors and assigning an overall consumer compliance rating to each federally-regulated financial institution.[12] The primary purpose of the CC Rating System is to ensure that regulated financial institutions are evaluated in a comprehensive and consistent manner, and that supervisory resources are appropriately focused on areas exhibiting risk of consumer harm and on institutions that warrant elevated supervisory attention.

The CC Rating System is composed of guidance and definitions. The guidance provides examiners with direction on how to use the definitions when assigning a consumer compliance rating to an institution. The definitions consist of qualitative descriptions for each rating category and include compliance management system (CMS) elements reflecting risk control processes designed to manage consumer compliance risk and considerations regarding violations of laws, consumer harm, and the size, complexity, and risk profile of an institution. The consumer compliance rating reflects the effectiveness of an institution's CMS to ensure compliance with consumer protection laws and regulations and reduce the risk of harm to consumers.

Principles of the Interagency CC Rating System

The Agencies developed the following principles to serve as a foundation for the CC Rating System.

Risk-based. Recognize and communicate clearly that compliance management programs vary based on the size, complexity, and risk profile of supervised institutions.

Transparent. Provide clear distinctions between rating categories to support consistent application by the Agencies across supervised institutions. Reflect the scope of the review that formed the basis of the overall rating.

Actionable. Identify areas of strength and direct appropriate attention to specific areas of weakness, reflecting a risk-based supervisory approach. Convey examiners' assessment of the effectiveness of an institution's compliance risk management program, including its ability to prevent consumer harm and ensure compliance with consumer protection laws and regulations.

Incent Compliance. Incent the institution to establish an effective consumer compliance program across the institution and to identify and address issues promptly, including self-identification and correction of consumer compliance weaknesses. Reflect the potential impact of any consumer harm identified in examination findings.

Five-Level Rating Scale

The CC Rating System is based upon a numeric scale of 1 through 5 in increasing order of supervisory concern. Thus, 1 represents the highest rating and consequently the lowest degree of supervisory concern, while 5 represents the lowest rating and the most critically deficient level of performance, and therefore, the highest degree of supervisory concern.[13] Ratings of 1 or 2 represent satisfactory or better performance. Ratings of 3, 4, or 5 indicate performance that is less than satisfactory. Consistent with the previously described Principles, the rating system incents a financial institution to establish an effective compliance management system across the institution, to self-identify risks, and take the necessary actions to reduce the risk of non-compliance and consumer harm.

  • The highest rating of 1 is assigned to a financial institution that maintains a strong CMS and takes action to prevent violations of law and consumer harm.
  • A rating of 2 is assigned to a financial institution that maintains a CMS that is satisfactory at managing consumer compliance risk in the institution's products and services and at substantially limiting violations of law and consumer harm.
  • A rating of 3 reflects a CMS deficient at managing consumer compliance risk in the institution's products and services and at limiting violations of law and consumer harm.
  • A rating of 4 reflects a CMS seriously deficient at managing consumer compliance risk in the institution's products and services and at preventing violations of law and consumer harm. A rating of seriously deficient indicates fundamental and persistent weaknesses in crucial CMS elements and severe inadequacies in core compliance areas necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.
  • A rating of 5 reflects a CMS critically deficient at managing consumer compliance risk in the institution's products and services and at preventing violations of law and consumer harm. A rating of critically deficient indicates an absence of crucial CMS elements and a demonstrated lack of willingness or capability to take the appropriate steps necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.

CC Rating System Categories and Assessment Factors

CC Rating System—Categories

The CC Rating System is organized under three broad categories:

1. Board and Management Oversight,

2. Compliance Program, and

3. Violations of Law and Consumer Harm.

The Consumer Compliance Rating Definitions below list the assessment factors considered within each category, along with narrative descriptions of performance.

The first two categories, Board and Management Oversight and Compliance Program, are used to assess a financial institution's CMS. As such, examiners should evaluate the assessment factors within these two categories commensurate with the institution's size, complexity, and risk profile. All institutions, regardless of size, should maintain an effective CMS. The sophistication and formality of the CMS typically will increase commensurate with the size, complexity, and risk profile of the entity.

Additionally, compliance expectations contained within the narrative descriptions of these two categories extend to third-party relationships into which the financial institution has entered. There can be certain benefits to financial institutions engaging in relationships with third parties, including gaining operational efficiencies or an ability to deliver additional products and services, but such arrangements also may expose financial institutions to risks if not managed effectively. The prudential agencies, the CFPB, and some states Start Printed Page 26558have issued guidance describing expectations regarding oversight of third-party relationships. While an institution's management may make the business decision to outsource some or all of the operational aspects of a product or service, the institution cannot outsource the responsibility for complying with laws and regulations or managing the risks associated with third-party relationships.

As noted in the Consumer Compliance Rating Definitions, examiners should evaluate activities conducted through third-party relationships as though the activities were performed by the institution itself. Examiners should review a financial institution's management of third-party relationships and servicers as part of its overall compliance program.

The third category, Violations of Law and Consumer Harm, includes assessment factors that evaluate the dimensions of any identified violation or consumer harm. Examiners should weigh each of these four factors—root cause, severity, duration, and pervasiveness—in evaluating relevant violations of law and any resulting consumer harm.

Board and Management Oversight—Assessment Factors

Under Board and Management Oversight, the examiner should assess the financial institution's board of directors and senior management, as appropriate for their respective roles and responsibilities, based on the following assessment factors:

  • Oversight of and commitment to the institution's compliance risk management program;
  • effectiveness of the institution's change management processes, including responding timely and satisfactorily to any variety of change, internal or external, to the institution;
  • comprehension, identification, and management of risks arising from the institution's products, services, or activities; and
  • any corrective action undertaken as consumer compliance issues are identified.

Compliance Program—Assessment Factors

Under Compliance Program, the examiner should assess other elements of an effective CMS, based on the following assessment factors:

  • Whether the institution's policies and procedures are appropriate to the risk in the products, services, and activities of the institution;
  • the degree to which compliance training is current and tailored to risk and staff responsibilities;
  • the sufficiency of the monitoring and, if applicable, audit to encompass compliance risks throughout the institution; and
  • the responsiveness and effectiveness of the consumer complaint resolution process.

Violations of Law and Consumer Harm—Assessment Factors

Under Violations of Law and Consumer Harm, the examiner should analyze the following assessment factors:

  • The root cause, or causes, of any violations of law identified during the examination;
  • the severity of any consumer harm resulting from violations;
  • the duration of time over which the violations occurred; and
  • the pervasiveness of the violations.

As a result of a violation of law, consumer harm may occur. While many instances of consumer harm can be quantified as a dollar amount associated with financial loss, such as charging higher fees for a product than was initially disclosed, consumer harm may also result from a denial of an opportunity. For example, a consumer could be harmed when a financial institution denies the consumer credit or discourages an application in violation of the Equal Credit Opportunity Act,[14] whether or not there is resulting financial harm.

This category of the Consumer Compliance Rating Definitions defines four factors by which examiners can assess violations of law and consumer harm.

Root Cause. Root cause analyzes the degree to which weaknesses in the CMS gave rise to the violations. In many instances, the root cause of a violation is tied to a weakness in one or more elements of the CMS. Violations that result from critical deficiencies in the CMS evidence a critical absence of management oversight and are of the highest supervisory concern.

Severity. The severity dimension of the Consumer Compliance Rating Definitions weighs the type of consumer harm, if any, that resulted from violations of law. More severe harm results in a higher level of supervisory concern under this factor. For example, some consumer protection violations may cause significant financial harm to a consumer, while other violations may cause negligible harm, based on the specific facts involved.

Duration. Duration describes the length of time over which the violations occurred. Violations that persist over an extended period of time will raise greater supervisory concerns than violations that occur for only a brief period of time. When violations are brought to the attention of an institution's management and management allows those violations to remain unaddressed, such violations are of the highest supervisory concern.

Pervasiveness. Pervasiveness evaluates the extent of the violation(s) and resulting consumer harm, if any. Violations that affect a large number of consumers will raise greater supervisory concern than violations that impact a limited number of consumers. If violations become so pervasive that they are considered to be widespread or present in multiple products or services, the institution's performance under this factor is of the highest supervisory concern.

Self-Identification of Violations of Law and Consumer Harm

Strong compliance programs are proactive. They promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner. Accordingly, the CC Rating System provides incentives for such practices through the definitions associated with a 1 rating.

The Agencies believe that self-identification and prompt correction of violations of law reflect strengths in an institution's CMS. A robust CMS appropriate for the size, complexity and risk profile of an institution's business often will prevent violations or will facilitate early detection of potential violations. This early detection can limit the size and scope of consumer harm. Moreover, prompt self-reporting of serious violations represents concrete evidence of an institution's commitment to responsibly address underlying risks. In addition, appropriate corrective action, including both correction of programmatic weaknesses and full redress for injured parties, limits consumer harm and prevents violations from recurring in the future. Thus, the CC Rating System recognizes institutions that consistently adopt these strategies as reflected in the Consumer Compliance Rating Definitions.

Evaluating Performance Using the CC Rating Definitions

The consumer compliance rating is derived through an evaluation of the financial institution's performance under each of the assessment factors Start Printed Page 26559described above. The consumer compliance rating reflects the effectiveness of an institution's CMS to identify and manage compliance risk in the institution's products and services and to prevent violations of law and consumer harm, as evidenced by the financial institution's performance under each of the assessment factors.

The consumer compliance rating reflects a comprehensive evaluation of the financial institution's performance under the CC Rating System by considering the categories and assessment factors in the context of the size, complexity, and risk profile of an institution. It is not based on a numeric average or any other quantitative calculation. Specific numeric ratings will not be assigned to any of the twelve assessment factors. Thus, an institution need not achieve a satisfactory assessment in all categories in order to be assigned an overall satisfactory rating. Conversely, an institution may be assigned a less than satisfactory rating even if some of its assessments were satisfactory.

The relative importance of each category or assessment factor may differ based on the size, complexity, and risk profile of an individual institution. Accordingly, one or more category or assessment factor may be more or less relevant at one financial institution as compared to another institution. While the expectations for compliance with consumer protection laws and regulations are the same across institutions of varying sizes, the methods for accomplishing an effective CMS may differ across institutions.

The evaluation of an institution's performance within the Violations of Law and Consumer Harm category of the CC Rating Definitions considers each of the four assessment factors: Root Cause, Severity, Duration, and Pervasiveness. At the levels of 4 and 5 in this category, the distinctions in the definitions are focused on the root cause assessment factor rather than Severity, Duration, and Pervasiveness. This approach is consistent with the other categories where the difference between a 4 and a 5 is driven by the institution's capacity and willingness to maintain a sound consumer compliance system.

In arriving at the final rating, the examiner must balance potentially differing conclusions about the effectiveness of the financial institution's CMS over the individual products, services, and activities of the organization. Depending on the relative materiality of a product line to the institution, an observed weakness in the management of that product line may or may not impact the conclusion about the institution's overall performance in the associated assessment factor(s). For example, serious weaknesses in the policies and procedures or audit program of the mortgage department at a mortgage lender would be of greater supervisory concern than those same gaps at an institution that makes very few mortgage loans and strictly as an accommodation. Greater weight should apply to the financial institution's management of material products with significant potential consumer compliance risk.

An institution may receive a less than satisfactory rating even when no violations were identified, based on deficiencies or weaknesses identified in the institution's CMS. For example, examiners may identify weaknesses in elements of the CMS in a new loan product. Because the presence of those weaknesses left unaddressed could result in future violations of law and consumer harm, the CMS deficiencies could impact the overall consumer compliance rating, even if no violations were identified.

Similarly, an institution may receive a 1 or 2 rating even when violations were present, if the CMS is commensurate with the risk profile and complexity of the institution. For example, when violations involve limited impact on consumers, were self-identified, and resolved promptly, the evaluation may result in a 1 or 2 rating. After evaluating the institution's performance in the two CMS categories, Board and Management Oversight and Compliance Program, and the dimensions of the violations in the third category, the examiner may conclude that the overall strength of the CMS and the nature of observed violations viewed together do not present significant supervisory concerns.

Consumer Compliance Rating Definitions

Assessment factors to be considered12345
Board and Management Oversight
Board and management oversight factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance expectations below extend to third-party relationships
Oversight and CommitmentBoard and management demonstrate strong commitment and oversight to the financial institution's compliance risk management programBoard and management provide satisfactory oversight of the financial institution's compliance risk management programBoard and management oversight of the financial institution's compliance risk management program is deficientBoard and management oversight, resources, and attention to the compliance risk management program are seriously deficientBoard and management oversight, resources, and attention to the compliance risk management program are critically deficient.
Start Printed Page 26560
Substantial compliance resources are provided, including systems, capital, and human resources commensurate with the institution's size, complexity, and risk profile. Staff is knowledgeable, empowered and held accountable for compliance with consumer laws and regulationsCompliance resources are adequate and staff is generally able to ensure the financial institution is in compliance with consumer laws and regulationsCompliance resources and staff are inadequate to ensure the financial institution is in compliance with consumer laws and regulationsCompliance resources and staff are seriously deficient and are ineffective at ensuring the financial institution's compliance with consumer laws and regulationsCompliance resources are critically deficient in supporting the financial institution's compliance with consumer laws and regulations, and management and staff are unwilling or incapable of operating within the scope of consumer protection laws and regulations.
Management conducts comprehensive and ongoing due diligence and oversight of third parties consistent with agency expectations to ensure that the financial institution complies with consumer protection laws, and exercises strong oversight of third parties' policies, procedures, internal controls, and training to ensure consistent oversight of compliance responsibilitiesManagement conducts adequate and ongoing due diligence and oversight of third parties to ensure that the financial institution complies with consumer protection laws, and adequately oversees third parties' policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilitiesManagement does not adequately conduct due diligence and oversight of third parties to ensure that the financial institution complies with consumer protection laws, nor does it adequately oversee third parties' policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilitiesManagement oversight and due diligence over third party performance, as well as management's ability to adequately identify, measure, monitor, or manage compliance risks, is seriously deficientManagement oversight and due diligence of third party performance is critically deficient.
Change ManagementManagement anticipates and responds promptly to changes in applicable laws and regulations, market conditions and products and services offeredManagement responds timely and adequately to changes in applicable laws and regulations, market conditions, products and services offered by evaluating the change and implementing responses across impacted lines of businessManagement does not respond adequately and/or timely in adjusting to changes in applicable laws and regulations, market conditions, and products and services offeredManagement's response to changes in applicable laws and regulations, market conditions, or products and services offered is seriously deficientManagement fails to monitor and respond to changes in applicable laws and regulations, market conditions, or products and services offered.
Management conducts due diligence in advance of product changes, considers the entire life cycle of a product or service in implementing change, and reviews the change after implementation to determine that actions taken have achieved planned resultsManagement evaluates product changes before and after implementing the change
Start Printed Page 26561
Comprehension, Identification and Management of RiskManagement has a solid comprehension of and effectively identifies compliance risks, including emerging risks, in the financial institution's products, services, and other activitiesManagement comprehends and adequately identifies compliance risks, including emerging risks, in the financial institution's products, services, and other activitiesManagement has an inadequate comprehension of and ability to identify compliance risks, including emerging risks, in the financial institution's products, services, and other activitiesManagement exhibits a seriously deficient comprehension of and ability to identify compliance risks, including emerging risks, in the financial institutionManagement does not comprehend nor identify compliance risks, including emerging risks, in the financial institution.
Management actively engages in managing those risks, including through comprehensive self-assessmentsManagement adequately manages those risks, including through self-assessments
Corrective Action and Self-IdentificationManagement proactively identifies issues and promptly responds to compliance risk management deficiencies and any violations of laws or regulations, including remediationManagement adequately responds to and corrects deficiencies and/or violations, including adequate remediation, in the normal course of businessManagement does not adequately respond to compliance deficiencies and violations including those related to remediationManagement response to deficiencies, violations and examination findings is seriously deficientManagement is incapable, unwilling and/or fails to respond to deficiencies, violations or examination findings.
Compliance Program Compliance Program factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.
Policies and ProceduresCompliance policies and procedures and third-party relationship management programs are strong, comprehensive and provide standards to effectively manage compliance risk in the products, services and activities of the financial institutionCompliance policies and procedures and third-party relationship management programs are adequate to manage the compliance risk in the products, services and activities of the financial institutionCompliance policies and procedures and third-party relationship management programs are inadequate at managing the compliance risk in the products, services and activities of the financial institutionCompliance policies and procedures and third-party relationship management programs are seriously deficient at managing compliance risk in the products, services and activities of the financial institutionCompliance policies and procedures and third-party relationship management programs are critically absent.
TrainingCompliance training is comprehensive, timely, and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing and customer serviceCompliance training outlining staff responsibilities is provided timely to appropriate staffCompliance training is not adequately comprehensive, timely, updated, or appropriately tailored to the particular responsibilities of the staffCompliance training is seriously deficient in its comprehensiveness, timeliness, or relevance to staff with compliance responsibilities, or has numerous major inaccuraciesCompliance training is critically absent.
Start Printed Page 26562
The compliance training program is updated proactively in advance of the introduction of new products or new consumer protection laws and regulations to ensure that all staff are aware of compliance responsibilities before rolled outThe compliance training program is updated to encompass new products and to comply with changes to consumer protection laws and regulations
Monitoring and/or AuditCompliance monitoring practices, management information systems, compliance audit, and internal control systems are comprehensive, timely, and successful at identifying and measuring material compliance risk management throughout the financial institutionCompliance monitoring practices, management information systems, compliance audit, and internal control systems adequately address compliance risks throughout the financial institutionCompliance monitoring practices, management information systems, compliance audit, and internal control systems do not adequately address risks involving products, services or other activities including timing and scopeCompliance monitoring practices, management information systems, compliance audit, and internal controls are seriously deficient in addressing risks involving products, services or other activitiesCompliance monitoring practices, management information systems, compliance audit, or internal controls are critically absent.
Programs are monitored proactively to identify procedural or training weaknesses to preclude regulatory violations. Program modifications are made expeditiously to minimize compliance risk
Consumer Complaint ResponseProcesses and procedures for addressing consumer complaints are strong. Consumer complaint investigations and responses are prompt and thoroughProcesses and procedures for addressing consumer complaints are adequate. Consumer complaint investigations and responses are generally prompt and thoroughProcesses and procedures for addressing consumer complaints are inadequate. Consumer complaint investigations and responses are not thorough or timelyProcesses and procedures for addressing consumer complaints and consumer complaint investigations are seriously deficientProcesses and procedures for addressing consumer complaints are critically absent. Meaningful investigations and responses are absent.
Management monitors consumer complaints to identify risks of potential consumer harm, program deficiencies, and customer service issues and takes appropriate actionManagement adequately monitors consumer complaints and responds to issues identifiedManagement does not adequately monitor consumer complaintsManagement monitoring of consumer complaints is seriously deficientManagement exhibits a disregard for complaints or preventing consumer harm.
Violations of Law and Consumer Harm
Start Printed Page 26563
Root CauseThe violations are the result of minor weaknesses, if any, in the compliance risk management systemViolations are the result of modest weaknesses in the compliance risk management systemViolations are the result of material weaknesses in the compliance risk management systemViolations are the result of serious deficiencies in the compliance risk management systemViolations are the result of critical deficiencies in the compliance risk management system.
SeverityThe type of consumer harm, if any, resulting from the violations would have a minimal impact on consumersThe type of consumer harm resulting from the violations would have a limited impact on consumersThe type of consumer harm resulting from the violations would have a considerable impact on consumersThe type of consumer harm resulting from the violations would have a serious impact on consumersThe type of consumer harm resulting from the violations would have a serious impact on consumers.
DurationThe violations and resulting consumer harm, if any, occurred over a brief period of timeThe violations and resulting consumer harm, if any, occurred over a limited period of timeThe violations and resulting consumer harm, if any, occurred over an extended period of timeThe violations and resulting consumer harm, if any, have been long standing or repeatedThe violations and resulting consumer harm, if any, have been long standing or repeated.
PervasivenessThe violations and resulting consumer harm, if any, are isolated in numberThe violations and resulting consumer harm, if any, are limited in numberThe violations and resulting consumer harm, if any, are numerousThe violations and resulting consumer harm, if any, are widespread or in multiple products or servicesThe violations and resulting consumer harm, if any, are widespread or in multiple products or services.

[End of proposed text.]

Start Signature

Dated: April 28, 2016.

Federal Financial Institutions Examination Council.

Judith E. Dupre,

FFIEC Executive Secretary.

End Signature End Supplemental Information

Footnotes

1.  NCUA integrates the principles and standards of the current CC Rating System into the existing CAMEL rating structure, in place of a separate rating. When finalized, the revised CC Rating System will be incorporated into NCUA's risk-focused examination program. Using the principles and standards contained in the revised CC Rating System, NCUA examiners will assess a credit union's ability to effectively manage its compliance risk and reflect that ability in the Management component rating and the overall CAMEL rating used by NCUA.

Back to Citation

2.  The term financial institutions is defined in 12 U.S.C. 3302(3).

Back to Citation

4.  The prudential regulators are the FRB, FDIC, NCUA, and OCC.

Back to Citation

5.  50 U.S.C. App. 501-697b.

Back to Citation

8.  Section 1025 of the Dodd-Frank Act (12 U.S.C. 5515) applies to federally insured institutions with more than $10 billion in total assets. This section granted the CFPB exclusive authority to examine insured depository institutions and their affiliates for compliance with Federal consumer financial laws. The prudential regulators retained authority for examining insured depository institutions with more than $10 billion in total assets for compliance with certain other laws related to consumer financial protection, including the Fair Housing Act, the Servicemembers Civil Relief Act, and section 5 of the Federal Trade Commission Act.

Back to Citation

9.  12 U.S.C. 5481 et seq. A financial institution with assets over $10 billion may receive a consumer compliance rating by both its primary prudential regulator and the CFPB. The rating is based on each agency's review of the institution's CMS and compliance with the federal consumer protection laws falling under each agency's jurisdiction.

Back to Citation

10.  The prudential regulators and the CFPB signed a Memorandum of Understanding on Supervisory Coordination dated May 16, 2012 (MOU) intended to facilitate the coordination of supervisory activities involving financial institutions with more than $10 billion in assets as required under the Dodd-Frank Act.

Back to Citation

11.  The FFIEC members are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee.

Back to Citation

12.  The Federal Financial Institutions Examination Council Act of 1978 (12 U.S.C. 3302(3)) defines financial institution. Additionally, as a member of the FFIEC, the CFPB will also use the Rating System to assign a consumer compliance rating, as appropriate for nonbanks, for which it has jurisdiction regarding the enforcement of Federal consumer financial laws as defined under the Dodd-Frank Act (12 U.S.C. 5481 et seq.).

Back to Citation

13.  The Agencies do not consider an institution's record of performance under the Community Reinvestment Act (CRA) in conjunction with assessing an institution under the CC Rating System since institutions are evaluated separately under the CRA.

Back to Citation

[FR Doc. 2016-10289 Filed 5-2-16; 8:45 a.m.]

BILLING CODE 7535-01-P 6714-01-P; 6210-01-P 4810-33-P; 4810-AM-P