Compliance - Part I Flashcards

Question

What are some key points related to consumer harm? [II-2.1 Evaluating Consumer Harm]

Answer 1

Consumer harm is a broad concept and the examples provided here are not exhaustive. Among key points are that consumer harm is not limited to monetary loss, can be quantifiable or non-quantifiable, can be actual harm or potential harm, and may be caused by activities conducted through third-party relationships.

Answer 2

The FDIC’s mission of promoting public confidence in the financial system is best served through a supervisory approach focused on identifying, addressing, and preventing consumer harm

Answer 3

Supervisory and examination activities are driven by a focus on identifying the inherent risk of consumer harm that may occur in a financial institution’s business activity

Answer 4

Inherent risk is the compliance risk associated with product and service offerings, practices, or other activities that could directly or indirectly result in significant consumer harm or noncompliance with consumer protection rules and regulations. For example, a new loan product, a change to deposit account terms, or a third party relationship all represent inherent risk.

Answer 5

When inherent risks of consumer harm are identified, examiners will ensure the institution takes appropriate action to address or mitigate these risks. Corrective action for violations of law and regulations should remediate consumer harm when it occurs and remove underlying incentives to engage in practices harmful to consumers. Where there is a violation of law or regulation, the extent and severity of consumer harm informs the type and scope of enforcement action sought to correct the violation.

Answer 6

Mitigating factors are the strength of the compliance management system (CMS) to mitigate inherent risk. Examples of mitigating factors include strong management controls, effective training programs, and on-going monitoring efforts. Supervisory efforts should encourage institutions to have an effective CMS to avoid and mitigate risks of consumer harm. To support that effort, examination and other staff communicate information and best practices in a variety of settings to assist institutions in managing risks of consumer harm when conducting their business. Identifying, addressing, and preventing consumer harm is an important consideration in all examination and enforcement activities, as identified in the following diagram and discussed below.

Answer 7

The FDIC’s supervisory strategies are designed to promote compliance with consumer protection laws and regulations in FDIC-supervised institutions.

Answer 8

Activities used to implement FDIC supervisory strategies include examinations, targeted reviews, visitations, investigations, and offsite analysis of how the bank manages its consumer compliance responsibilities. The timing and frequency of these activities can be adjusted based upon indications of risk of consumer harm, such as consumer complaints, referral from other divisions or agencies, changes in the institutions’ products, services, or markets, or reliance on third parties to offer products and services to consumers. Supervisory strategies should be flexible to respond to indications of increasing or decreasing risk of consumer harm.

Answer 9

All applicable federal consumer compliance laws and regulations are considered in connection with any bank compliance examination through the risk scoping process. However, the FDIC’s supervisory approach apportions resources to areas of higher risk for consumer harm rather than to uncovering technical issues in meeting regulatory requirements. This approach also results in the identification of the most serious violations of federal consumer compliance laws and regulations during the examination. If financial institutions understand the potential for consumer harm and choose to develop and implement institution-specific plans, policies, and processes to prevent and mitigate consumer harm based on their risk profiles, it may assist institutions in avoiding risk and promoting compliance with the federal consumer protection regulations.

Answer 10

Examiners have several tools available to assist them in identifying risks of consumer harm. Examiners evaluate risks of consumer harm through an analysis of an institution’s historical CMS, the products and services currently offered, the markets served, and existing and new third-party relationships.

Answer 11

Examiner judgment is the most critical aspect of properly evaluating an institution’s risk profile. The FDIC’s approach tailors the examination to focus primarily on those areas that present the highest risk of consumer harm, as examiners are unable to review all aspects of an institution’s CMS at any given examination. The pre-examination planning process, which includes review of the pre-exam questionnaire with bank management and preparation of the automated Compliance Information and Document Request (CIDR), guides examiners in requesting the information necessary to identify areas of the greatest risk of potential consumer harm

Answer 12

Inherent risk refers to the risk that a product, service, practice, or other activity would pose if no controls or other mitigating factors were in place.

Answer 13

Examiners also focus on whether a bank is effectively and independently managing or mitigating the risk of consumer harm that comes from the products and services the institution offers and markets in which they serve. After considering an institution’s inherent risks, and the strength of its CMS, residual risk exposure may remain.

Answer 14

Residual risk refers to the risk exposure that remains after identifying the level of inherent risk and factoring in the strength of the mitigating factors to control that risk. The guiding principle is a risk scoping formula: inherent risk – mitigating factors = residual risk. For example, a bank introduces a new overdraft program with no due diligence, no monitoring or auditing, and numerous customer inquiries. This example represents a high risk product without effective CMS elements to mitigate inherent risk; therefore, a higher level of residual risk remains, and this product warrants review and transaction testing during an examination. As part of the examination scoping process, examiners focus on areas where residual risk is elevated and not on areas where risk is well controlled and residual risk of consumer harm is low.

Answer 15

Examination procedures are drafted and implemented in a manner to guide examiners in assessing the risk of consumer harm in the conduct of the examination. Well-crafted examination procedures that are focused on risks and potential for consumer harm promote the efficient use of resources, identification of root causes of deficiencies, and allocation of resources to areas presenting the highest risk, while avoiding unnecessary review of areas with little or no risk of consumer harm. As an example, examination procedures regarding overdraft programs differentiate the type and extent of review based on the type of overdraft program offered (e.g., automated versus ad hoc) and further reserves more detailed transaction testing to situations where examiners have identified specific risks or weaknesses.

Answer 16

The Federal Financial Institutions Examination Council’s Uniform Interagency Consumer Compliance Rating System (CC Rating System), which is a supervisory policy for evaluating financial institutions’ adherence to consumer compliance requirements, includes a section titled Violations of Law and Consumer Harm. The CC Rating System emphasizes the importance of institution’ compliance management systems, with emphasis on compliance risk management practices designed to manage consumer compliance risk, support compliance, and prevent consumer harm.

Answer 17

The Report of Examination plays an important role in communicating the FDIC’s assessment of the CMS to the institution. The FDIC classifies violations of federal consumer laws based, in part, on the level of risk of consumer harm. In the event violations are identified in the Report of Examination, this classification process serves to communicate to banks the FDIC’s conclusions about the severity, extent, or potential consumer harm caused by the violation. The expectation is that FDIC-supervised institutions will prioritize corrective action and on-going management of their CMS to correct errors and mitigate risks of consumer harm.

Answer 18

Effective supervision includes requiring institutions to take corrective action when weaknesses in the CMS or violations are identified. Appropriate corrective action considers the overall effectiveness of the institution’s CMS, the root cause(s) of the deficiencies as well as the extent and impact of consumer harm. When there is a violation of law or regulation that results in consumer harm, the FDIC will seek corrective action, which may include restitution to consumers as part of an appropriate enforcement action. Civil money penalties (CMPs) may also be assessed to sanction an institution or an institution-affiliated party according to the degree of culpability. Other factors examiners consider include intent and severity of the violation of law or regulation, breach of fiduciary duty, and/or whether a practice is unsafe or unsound. CMPs are also assessed to deter future misconduct.

Answer 19

Communication and technical assistance to supervised institutions is an important component of the FDIC’s supervisory approach in preventing consumer harm by supporting institutions’ efforts to maintain an effective CMS. Communication is especially important during periods of regulatory change and transition. The FDIC communicates through a number of channels, including national and regional bankers’ teleconferences on emerging topics; speaking engagements at national, regional, state, and local conferences and conventions; a web-based regulatory calendar; Supervisory Insights Journal articles; regional newsletters; banker and bank director trainings and online technical assistance videos; meetings with industry trade groups; and issuance of guidance through Financial Institution Letters. Communicating the focus of FDIC examination efforts and supervisory priorities through these diverse channels assists bankers in identifying and reviewing key areas of concern and addressing deficiencies promptly, prior to and unrelated to a specific examination activity. In addition, examiners can provide certain types of technical assistance to community bankers during the course of an examination that may enable an institution to reduce the risk of consumer harm in the operation of its business. These communication and technical assistance efforts provide bankers with tools to address issues that may pose risk of consumer harm.

Answer 20

Financial institutions operate in a dynamic environment influenced by industry consolidation, convergence of financial services, emerging technology, and market globalization. To remain profitable in such an environment, financial institutions continuously assess and modify their product and service offerings and operations in the context of a business strategy. At the same time, new legislation may be enacted to address developments in the marketplace. All these forces combine to create inherent risk.

Answer 21

To address this risk, a financial institution must develop and maintain a sound compliance management system (CMS) that is integrated into the overall risk management strategy of the institution. Ultimately, consumer compliance should be part of the daily routine of management and employees of a financial institution.

Answer 22

A CMS is how an institution: learns about its consumer compliance responsibilities; • ensures that employees understand these responsibilities; • ensures that requirements are incorporated into business processes; • reviews operations to ensure responsibilities are carried out and requirements are met; and • takes corrective action and updates materials as necessary.

Answer 23

The Board of a financial institution is ultimately responsible for developing and administering a CMS that ensures compliance with federal consumer protection laws and regulations. To a large degree, the success of an institution’s CMS is founded on the actions taken by its Board and management.

Answer 24

• demonstrating clear and unequivocal expectations about consumer compliance, not only within the institution, but also to third-party providers; • adopting clear policy statements; • appointing a compliance officer with authority and accountability; • allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations; • anticipating and evaluating changes in the institution’s operating environment and implementing responses across impacted lines of business; • identifying compliance risk in the institution’s products, services, and other activities, and responding to deficiencies and violations; • conducting periodic compliance audits; and • providing for recurrent reports by the compliance officer to the Board.

Answer 25

Leadership on consumer compliance by the Board and management sets the tone in an organization. The Board and management should discuss compliance topics during their meetings. They should include compliance matters in their communications to institution personnel and the general public. Institution management and staff should have a clear understanding that compliance is important to the Board and management, and that they are expected to incorporate compliance in their daily operations.

Answer 26

Regardless of size or institution complexity, the first step Board and management should take in providing for the administration of the compliance program is the designation of a compliance officer.

Answer 27

• cross departmental lines; • have access to all areas of the institution’s operations; and • effect corrective action.

Answer 28

A compliance committee, as an alternative to or in addition to a full-time compliance officer, could be formed consisting of the compliance officer, representatives from various departments, and member(s) of management or the Board. However, the ultimate responsibility of overall compliance with all statutes and regulations resides with the Board.

Answer 29

A qualified compliance officer will have knowledge and understanding of all consumer protection laws and regulations that apply to the business operations of the financial institution. The compliance officer should also have general knowledge of the overall operations of the institution and interact with all of the departments and branches to keep abreast of changes (e.g., new products, services or business practices; personnel turnover) that may require action to manage perceived risk. In larger or more complex institutions the compliance officer may devote all of his or her time to compliance activities. In smaller or less complex institutions, where staffing is limited, a full-time compliance officer may not be necessary; instead, the compliance responsibilities may be divided between various individuals by type of regulation, such as loan-related or deposit-related regulations. In some instances, several banks may share a compliance officer.

Answer 30

A compliance officer’s general responsibilities, regardless of the size or complexity of the institution’s operations, include: • developing compliance policies and procedures; • training management and employees in consumer protection laws and regulations; • reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures; • assessing emerging issues or potential liabilities; • coordinating responses to consumer complaints; • reporting compliance activities and audit/review findings to the Board; and • ensuring that corrective actions are implemented in a timely fashion and are effective at preventing recurrence.

Answer 31

To be effective at overseeing compliance and maintaining a strong compliance posture, a compliance officer must be: provided with ongoing training, as well as sufficient time and adequate resources to do the job. The compliance officer may utilize third-party service providers or consultants to help administer the compliance program or audit functions. However, the compliance officer should perform sufficient due diligence to verify that the provider is qualified, because ultimately the institution’s Board and management are responsible for identifying and controlling compliance risks arising from third-party relationships, to the same extent as if the third-party activity was handled within the institution.

Answer 32

If an institution engages the services of a third party, the Board and management must ensure that the third-party operations, products, services, and activities are reviewed for compliance with consumer protection laws and regulations. An effective compliance risk management process will vary depending on the complexity and risk potential of the third-party relationship, but generally includes risk assessment, due diligence in selecting the third-party provider, appropriate contract structuring and review, and sufficient oversight of third-party activities, including adequate quality control over products or services provided.

Answer 33

The objective of the pre-examination planning process is to collect necessary information to understand an institution and the risks of consumer harm prior to the start of an examination. This information allows the Examiner-in Charge (EIC) and the examination team to plan and conduct the examination, to develop the scope of the examination, and to accomplish supervisory objectives in an efficient and effective manner.

Answer 34

1. Information Package (IP) 2. Pre-Examination Planning Phase 1 (PEP-1) 3. Pre-Examination Planning Phase 2 (PEP-2)

Answer 35

The examination planning process begins with the Field Supervisor (FS) or the Supervisory Examiner (SE) calling the institution’s management to inform them of the projected start date of the examination, explain that an IP will be sent, and discuss how the IP will be provided .

Answer 36

The FS or SE submits the IP to the institution no less than 90 calendar days before the projected start date of the examination.

Answer 37

The IP is designed to increase banker awareness of the examination process prior to the examination; to promote open communication with examination staff; and to ensure that the institution’s management team knows what to expect during the examination and where to go in the event their expectations are not met. The FS or SE explains that the IP includes a list of interview questions, which will help the EIC develop an examination plan and an information and document request list tailored specifically to the institution’s activities. The interview questions are provided early so the institution’s management team can prepare to discuss them with the EIC and can invite the appropriate persons to participate in the pre-examination interview that occurs several weeks before the examination start date.

Answer 38

The institution may elect to provide written responses to the pre-examination interview questions; however, the FS, SE, EIC, or other examination staff should not request or require written responses from the institution.

Answer 39

After contacting institution management, the FS, SE, or designee submits the IP to the institution according to the previously stated timing requirements. To facilitate efficient and secure exchange of information, the FS or SE should determine the institution’s willingness to use applications, such as the Enterprise File Exchange (EFX), that provide a secure method for financial institutions to exchange information with the FDIC. When the institution is willing to use such applications, the FS, SE, or designee should initiate a session and electronically submit the IP to the institution. When the institution is unwilling to use secure applications for the electronic exchange of examination related information, the FS, SE, or designee should use an alternative delivery method (e.g., encrypted e-mail, express mail courier service) that meets the security measures discussed in the FDIC’s policies for the exchange, use, and storage of information. Each field office will establish procedures to ensure the FS, SE, or designee (1) provides the IP to the institution in a timely manner; (2) records the IP sent date in the System of Uniform Reporting of Compliance and CRA Examinations (SOURCE); and (3) if applicable, records any reasons for timing delays in SOURCE.

Answer 40

The IP module in the PEP System is used to produce the IP, which includes a standardized introductory letter that provides an overview of the examination process; discusses various resources available that explain the examination process; identifies the appropriate communication channels for any concerns about the examination process or the resultant ratings; and provides contact information for the FS and/or the SE.

Answer 41

The IP letter has been standardized and automated within the PEP System and should be consistently used by all field offices without changes. A sample IP letter is included in this Manual (see Section III). If electronically submitting the IP to the institution, the FS, SE, or designee should convert the IP letter to an Adobe portable document format (.pdf). Supervisors should also follow any national or regional instructions governing the use of electronic signatures for examination-related documents. In the absence of such instructions, a supervisor can either use his or her typed name as an electronic signature, using the same font as the body of the letter, or use Adobe’s “Fill & Sign” feature.

Answer 42

Lastly, as part of the examination planning process, the FS or SE schedules examiners for PEP-1 and PEP-2. In particular, the FS or SE will select the EIC and schedule sufficient dedicated time for the EIC to conduct all activities of PEP-1 and PEP-2 prior to the examination start date. As a general rule, the EIC (or Acting EIC) should conduct PEP activities to have sufficient time to learn about the institution and prepare an examination plan tailored to the institution’s areas of highest risk. Other examiners may conduct PEP activities on a limited basis when scheduling conflicts arise or limited staffing resources exist. Additionally, if examiners other than the EIC will perform the CRA or fair lending reviews, then those staff members should be scheduled sufficient dedicated time, when possible, to perform CRA- and fair lending-related examination planning activities so that the results are available for the EIC’s review and consideration.

Answer 43

For the largest Home Mortgage Disclosure Act (HMDA) reporters (over 500 LAR lines) and/or Community Reinvestment Act (CRA) reporters, validation testing should be conducted in advance of scheduled fair lending and CRA examinations. This approach will allow the institution to resolve any data errors so the examination can proceed without significant delay. In addition, validation testing must be conducted for HMDA Outlier reviews prior to the start of the examination. For examinations of all other reporters, the validation testing will generally be conducted during the examination. However, a field office has the option to perform a data validation prior to the examination start date for other institutions if the field office has sufficient resources to complete it. The HMDA validations should be conducted following the FDIC HMDA validation procedures, considering the scale and complexity of the institution’s mortgage lending activities and an overall assessment of the institution’s prior practices and compliance risk profile.

Answer 44

A HMDA/CRA Validation Letter is to be provided to institutions when data validations occur prior to any examination. A data validation letter has been standardized and included in the IP module of the PEP System and should be used consistently. This letter is either sent with or after the IP to allow sufficient time for the data validation process. The letter should be sent using the same secure delivery method established for providing the IP. If HMDA Data Analysts will be used for the validation process, the FS or SE should communicate this with the institution, either verbally or in the letter.

Answer 45

The risk assessment of the institution begins during PEP-1.

Answer 46

Every institution has inherent risk based on strategic plans, products and services offered, past supervisory actions, business activity, and other factors.

Answer 47

PEP-1 starts the process of identifying and documenting risk based on the institution’s structure, supervisory history, financial performance, and market area. The various activities performed during PEP-1 are meant to promote critical thinking about the possible inherent risks in the institution being examined.

Answer 48

• 2) Gathering information about the institution from both internal and external sources; • 1) Contacting the institution to conduct the pre-examination interview (PEP interview); --> (3. conducting the PEP Interview) • 4) Preparing and sending the Entry Letter to the institution along with the Compliance Information and Document Request (CIDR) that primarily requests CMS-related information and documents; and • 5) Beginning Section 1 of the Assessment of Risk of Consumer Harm (ARCH) and Section 1 of the Fair Lending Scope and Conclusions memo (FLSC). This activity is optional during PEP-1. The ARCH and FLSC can be started to the extent possible and when time or examination scheduling permits it; however, most work on the ARCH will occur during PEP-2 and most work on the FLSC will occur during PEP-2 and the examination.

Answer 49

The EIC should begin PEP-1 no less than 45 calendar days prior to the scheduled start date of the examination. However, institutions must have at least 30 calendar days to complete the CIDR and provide requested documents. Longer time periods may be necessary based on the institution’s size, resources, and complexity. The EIC should communicate with the institution’s management during the PEP interview to determine a sufficient amount of time to provide the requested materials. This timeframe is also discussed in the Entry Letter.

Answer 50

The EIC should first concentrate on gathering as much of the information as possible from FDIC records and databases and from publicly available sources before obtaining information from the financial institution. The following is a list of some key documents and information the EIC should obtain for review because of their relevance to the financial institution’s compliance posture: FDIC Records/Databases: • Data Gathering Tool, which compiles institution, examination, supervisory, and financial information from multiple FDIC systems and databases • Prior ARCH, FLSC, and other information from SOURCE or the Regional Automated Document Distribution (RADD) • Previous Reports of Examination (ROEs) and supporting workpapers for compliance, risk management, trust, and information systems • Prior corrective actions (such as restitution) and responses to ROEs • Supervisory plans (for large and/or complex institutions, or others, as available) • CRA Performance Evaluations • Demographic data for CRA assessment area(s) or market area(s) • Uniform Bank Performance Reports (UBPRs) and Reports of Condition and Income (Call Reports) • FDIC monitoring reports • Complaint and correspondence files • Applications in process Publicly Available (External) Sources: Previous years’ HMDA and CRA data disclosure reports • Content of the financial institution’s website • Public records, such as securities filings • Newspaper or website articles that raise potential examination-related issues • Community contacts (for CRA evaluations)

Answer 51

The PEP interview questions are maintained in the Compliance Pre-Examination Request Package (C-PREP) module of the PEP System and updated on a periodic basis. The EIC will contact the institution and arrange a PEP interview to be conducted either by telephone, a secure communication platform (such as Microsoft Teams or another FDIC-approved system), or through an in-person discussion.

Answer 52

The purpose of the interview is to gather current information to understand the institution’s risk profile, size, complexity, and the types of products or services offered. The interview questions are provided to the institution with the IP discussed previously. Staff cannot require the institution to provide written answers to the interview questions in advance. If the institution elects to provide written answers, the EIC is still expected to conduct an interview to verify and clarify responses received. While examiners cannot add, revise, or delete interview questions in the PEP System, the EIC should tailor interview questions based on what is learned about the institution through the internal and external data gathering process. This demonstrates that the EIC has performed research to become familiar with the institution. The EIC should also ask any necessary follow-up or additional questions during the PEP interview to understand the institution’s profile and to determine inherent risk.

Answer 53

The EIC should also use the interview as an opportunity to answer the institution’s questions about the examination process and to discuss the timing and logistics of the examination. Additionally, the EIC should determine the applicability of the FDIC’s e-Exam Policy, should confirm previously discussed electronic document/data access requirements and delivery method(s) with the institution’s management; and determine off-site examination capabilities. The PEP interview also provides an opportunity to identify the institution’s staff members who will need to be available to the examination team during the examination. This will allow the institution to take steps to ensure, to the extent possible, that those persons are available when needed.

Answer 54

Director Involvement: During the PEP interview, the EIC should also inform management that members of the institution’s Board of Directors are welcome to participate in regularly scheduled meetings with examiners or to schedule individual meetings with the EIC, if desired. The EIC should emphasize that such participation is purely voluntary and that a lack of participation will not be viewed negatively. As stated in the memorandum announcing this initiative, “The primary objectives are to improve communication with outside Directors, increase director knowledge of the examination process, provide an opportunity for Directors to discuss their views with examiners on banking-related matters, and give examiners the opportunity to gain further insight into the experience levels and leadership qualities of bank management.”

Answer 55

The C-PREP module in the PEP System is used to produce the Entry Letter and Electronic Data Download Instructions and the CIDR. These documents must be tailored, as appropriate, for each institution.

Answer 56

After conducting the information gathering and PEP interview outlined above, the EIC (or a designee with whom he or she communicates closely) is required to use C-PREP to customize and create the CIDR based on an institution’s products and services.

Answer 57

The interview responses must be input to the PEP System to ensure the CIDR is tailored to request only what is necessary to conduct the examination. C-PREP filters the CIDR to make available certain items based on the institution’s responses to the PEP interview questions. The CIDR created during PEP-1 primarily requests information and documents to assess the CMS, as well as information and some documents to understand the characteristics of products or services offered. The majority of transaction-level documentation will be requested during PEP-2.

Answer 58

The institution’s response to the initial CIDR will provide the EIC with enough information to properly scope the examination and to identify products, services, and regulations (PSRs) on the ARCH that exhibit inherent risk not sufficiently mitigated by the institution’s CMS (i.e., residual risks). These residual risks will be the basis for requesting transaction testing-related documentation (e.g., disclosures, loan files) during PEP-2. Also, requesting fair lending-related information through the CIDR will allow the examiner conducting the fair lending review to complete the majority of Section 1 of the FLSC prior to the start of the examination. Thus, the EIC should ensure all applicable fair lending-related information is requested through the CIDR so the examiner conducting the fair lending review has access to this information during the scoping process.

Answer 59

When completing the CIDR and requesting items such as minutes, training records, or reports, the EIC indicates the timeframe for the review (e.g., since the previous examination, in the past year, in the last two years). This will help the institution avoid the submission of voluminous information or data not relevant to the examination. Additional information about how to use C-PREP can be obtained from the user guide available within the PEP System

Answer 60

The Entry Letter and CIDR should be provided to the institution in either a paper-based format or an electronic format using the secure delivery method previously established for the examination process. As discussed previously, if electronically providing the Entry Letter to the institution, the EIC (or designee) should convert it to an Adobe portable document file (.pdf). The EIC (or designee) should also follow any national or regional instructions governing the use of electronic signatures for examination related documents. In the absence of such instructions, the EIC (or designee) can either use his or her typed name as an electronic signature, using the same font as the body of the letter, or use Adobe’s “Fill & Sign” feature.

Answer 61

The Entry Letter instructs the institution on how to deliver the materials to the EIC or examination team and in what format. As previously discussed, institutions must have at least 30 calendar days to complete the CIDR and provide requested documents. The timing of the request and the turnaround must ensure that the institution has sufficient time to assemble the requested information and the examination team has sufficient time to adequately review the materials. The FDIC prefers the use of applications, such as EFX, that provide a secure method for financial institutions to exchange examination files and information electronically with the FDIC. However, where appropriate and with supervisor approval, the EIC may visit the institution prior to the official start date either to pick up the documents or to review any documents that are confidential or too bulky to duplicate.

Answer 62

ARCH and FLSC – Sections 1 The ARCH documents the scope of the examination and assists with prioritization of efforts, time, and resources toward those PSRs with the highest residual risk of consumer harm. The FLSC documents the fair lending review conducted in accordance with the Federal Financial Institutions Examination Council’s Fair Lending Examination Procedures. After conducting the PEP interview and recording the institution’s responses in the PEP System, the ARCH and FLSC can be created in the PEP System. In an effort to make the PEP process more efficient, Sections 1 of the ARCH and FLSC have been coordinated with and linked to the PEP interview. Several responses for Sections 1 of the ARCH and FLSC will pre-populate based on what is entered into C-PREP from the PEP interview. However, the EIC should review the pre-populated questions and answers to ensure they are correct.

Answer 63

The EIC has the option to begin Sections 1 of the ARCH and FLSC during PEP-1 using available information gathered. A series of questions help document various risks identified during examination planning. The ARCH was developed to engage examiner’s critical thinking skills and to focus examination resources on areas presenting the highest degree of consumer harm risk. Additional information about preparing the ARCH is included in this Manual (see Section II – Review and Analysis). Examiners can also find information about how to use the ARCH and FLSC modules in the user guides available within the PEP System.

Answer 64

The review and analysis phase of the consumer compliance examination starts with a top down, comprehensive evaluation of the compliance management system(CMS) used by the financial institution to identify, monitor, and manage its compliance responsibilities and risks.

Answer 65

The Examiner-in-Charge (EIC) reviews and analyzes the material gathered from FDIC, third parties, and the institution in response to the Compliance Information and Document Request (CIDR) in order to develop the scope memorandum and plan the examination. This review and analysis should be broad enough to obtain an understanding of the organizational structure of the institution, its related activities, and compliance risks associated with each of its activities.

Answer 66

The review should be used to preliminarily determine whether the institution’s Board of Directors (Board) and management identify, understand, and adequately control the elements of risks facing the financial institution. In general, management and Directors are expected to have a clearly defined system of risk management controls governing the institution’s compliance operations, including those activities conducted by affiliates and third party vendors. During this review the EIC should consider what types of questions should be asked during the examination to test whether the institution’s written policies and procedures accurately reflect actual operations.

Answer 67

The goal of a risk-focused, process-oriented examination is to direct resources toward areas with higher degrees of risk of consumer harm.

Answer 68

To accomplish this goal, the examiner must assess the financial institution’s CMS as it applies to key operational areas and evaluate the risk of non-compliance with applicable laws and regulations. This process is documented by the examiner in a scoping memorandum, the Assessment of Risk of Consumer Harm (ARCH), which is reviewed and approved by the supervisor. The ARCH is developed during the pre-examination planning process and utilizes historical data, information obtained from the interview with the institution, and documents and information submitted by the institution in response to the CIDR. The ARCH describes the focus of the examination, including issues to be investigated and the products, services, or regulations that exhibit inherent risk not sufficiently mitigated by the institution’s CMS. The identified areas with residual risk will be further reviewed or transaction tested during the examination.

Answer 69

-Institution structure -Supervisory History -Operational Areas - Product/Service/Regulation (PSR) Risk

Answer 70

Conducting key meetings, including exit/Board meetings, and significant conversations with bank officers about potential consumer harm, possible downgrades, enforcement actions, significant fair lending discussions (e.g. criteria interviews), Unfair or Deceptive Acts or Practices concerns, and the CMS interview for higher-risk institutions. • Training and instilling FDIC culture for pre-commissioned examiners and interns [note: this can be done with a combination of off-site in the field office and on-site at the bank] • Observing situations that could lead to further investigation/examination activities (e.g. detecting internal control weaknesses, potential fraud, dominant officer situation, etc.) • Training on first-time significant benchmarks to provide a more collaborative and hands-on development experience [note: the trainee and coach should generally work on-site together, in the bank and/or field office, as appropriate, while completing the benchmark] • Working side-by-side for Acting EIC assignments [note: Signing EIC and Acting EIC should be together to complete relevant portions of the exam for the EIC to observe and coach the Acting EIC on examination oversight either in the bank and/or field office] • Conducting transaction testing for high-risk PSRs, or when remote access is not available

Answer 71

During the pre-examination planning stage, the EIC should schedule a meeting with senior management (e.g., the president, chief executive officer, compliance officer, and if they wish, members of the Board). This meeting should take place as soon as possible after beginning the examination and should facilitate the discussion of various administrative items and the scope of the examination. Matters to be discussed during the entrance meeting include: • An overview of the examination process, including the use of information collected during pre-examination planning and its impact on the scope of the examination • The names of FDIC examiners on the examination and whether they will be working on-site or off-site • Anticipated length of the examination • Activities expected to be conducted on-site and off-site, and communicating that adjustments may be made based on risk • The EIC’s accessibility throughout the examination to discuss any issues relating to the examination and/or FDIC policy and practices and communication preferences • The identity of the individual(s) who is/are the primary contact person(s) for examination related issues and communication preferences for both on-site and off-site examiners • Any issues identified during off-site review and analysis, particularly areas of significant risk of consumer harm that will be receiving close attention The materials requested during pre-examination planning that were not provided by the financial institution prior to the examination start date • An explanation of the closing management meeting procedures • The date of the next Board/trustees meeting (Management should be advised that depending upon the examination findings, the FDIC may need to attend the regularly scheduled meeting or call for a special Board meeting.) • Any issues related to the CRA evaluation and fair lending review

Answer 72

Communication between financial institution management, Board, institution staff, and FDIC examination staff is a major component of an effective examination or visitation. Open communication should be maintained with management during the course of the examination. To the extent possible, all issues of concern should be discussed with management as they arise. This allows management time to provide additional relevant information or to begin correcting problems where appropriate.

Answer 73

The financial institution’s Directors/trustees are encouraged to participate in regularly scheduled meetings with examiners. However, examination findings should be discussed with management prior to discussing with Board members. Also, the EIC should notify the financial institution’s management as early as possible of any plans to meet with the Board to present examination findings. This will provide Directors/trustees with an opportunity to forego meetings during the examination, if that is their preference.

Answer 74

Determine the quality of the institution’s CMS, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations • Assess whether the CMS is effective at facilitating compliance • Identify potential deficiencies in the CMS and areas of greatest risk of consumer harm • Determine where transaction testing is necessary

Answer 75

Material to be reviewed during completion of this section will include, at a minimum: •The examiner-determined risk profile of the financial institution as it relates to management oversight • Prior Reports of Examination, including Consumer Compliance, Risk Management, and specialty examinations (with a focus on the management component of each) • Minutes of the meetings of the Board, Compliance Committee, Discount Committee, etc. • New, modified or amended compliance-related policies, procedures, and other internal memoranda • All files related to the receipt and resolution of compliance related consumer complaints archived by the institution or the FDIC, including information from the FDIC’s automated complaint tracking system managed by the FDIC’s Consumer Response Unit • Written management and Board response and follow-up to internal monitoring and to internal and external audits, if applicable • Agreements with third parties to provide products or services, such as an outside vendor to provide compliance services and educational materials or with a networking broker/dealer to provide brokerage services • Institution organizational chart and management résumés • Examiner notes from discussions with the compliance officer, managers, etc.

Answer 76

Examiners are to determine whether the institution’s policies and procedures are appropriate to the risk in the products, services, and markets of the institution. Material to be reviewed during completion of this section will include, at a minimum: • The examiner-determined risk profile of the financial institution as it relates to policies and procedures, including the institution’s business strategy, product offering, branches, third party relationships, etc. • Compliance-related policies and other written compliance procedures • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable • Examiner notes from discussions with the compliance officer, senior managers, etc.

Answer 77

- Compliance policy -Lending policy -Deposits -E-Banking policy -Privacy -NDIP -Branch closing -TIL -FCRA -ODs

Answer 78

Examiners communicate Matters Requiring Board Attention (MRBAs) when significant issues are identified requiring an institution’s Board and management to take prompt corrective action on behalf of the institution and elevated supervisory attention is necessary. * Examiners also provide recommendations to management when issues are identified that have a lower risk of consumer harm and are correctable by management in the normal course of business. If institutions take recommended actions, their CMS generally improves, and subsequent supervisory attention may not be necessary.

Answer 79

An exit meeting is held with management at the conclusion of a consumer compliance and CRA examination or review. When practical, at least two FDIC representatives should be present at the exit meeting. Attendance by financial institution representatives other than management is at the discretion of management. These participants may include: consultants, agents, counsel, accountants, holding company officers, directors, and employees who work directly with consumer protection laws or CRA. The presence of the aforementioned representatives should only be during segments that pertain to their area of responsibility. Third party participants must be under contract with the bank, with appropriate confidentiality language, in order to attend the exit meeting

Answer 80

During concurrent examinations with Risk Management Supervision (RMS), DCP’s Examiner-in-Charge (EIC) coordinates with RMS examiners to schedule the exit and Board meetings in an effort to ensure that all necessary attendees are present and that the bank’s and FDIC staff’s time is used efficiently. Reasonable requests from management, such as for separate meetings, are considered and accommodated, if practical.

Answer 81

Examination findings, including consumer compliance and CRA ratings, are not final until the appropriate reviews are conducted by review staff, and/or the Regional or Washington Offices, as applicable. Prior to the exit meeting, Regional Offices generally consult with examiners and approve enforcement action recommendations.

Answer 82

Summarize review or examination findings. All critical issues are discussed. If significant issues arise subsequently, they are discussed with management either in person, virtually, or by telephone. If management presents significant, new information at the exit meeting, additional review by the examiner may be required. In such instances, the examination process is left open for further review of applicable regulatory issues and the institution’s records. A second meeting with management may be necessary to discuss any additional matters. • Discuss, when appropriate, positive findings to acknowledge the effectiveness of the institution’s consumer compliance or CRA efforts. • Provide recommendations to address noted weaknesses or deficiencies. • Recommend actions that would strengthen or enhance the financial institution’s CMS, as applicable. • Obtain management’s response(s) and commitment(s) for corrective action for deficiencies identified in the CMS, including recommendations, and for cited violations and the resulting consumer harm. • Advise management of recommended consumer compliance and CRA ratings, as well as any recommendations for formal or informal enforcement actions.

Answer 83

The agenda for the exit meeting lists the discussion items in the order of their significance in relation to the overall conclusions. The agenda also includes a tentative listing of Level 3 and Level 2 violations, and to the extent possible, draft copies of the pertinent violation sections of the ROE. At the exit meeting, examiners also provide management with a copy of the Level 1 violations, if applicable. A copy of the agenda is provided to management and included in the examination workpapers. *Question: What is meant by "tentative listing of L2 and L3 violations? Aren't L2 and L3 includes as headers in Agenda but discussed orally, then any L1 violations are distributed?

Answer 84

The purpose of a meeting with the financial institution’s Board is to convey the pertinent findings of the examination directly to persons ultimately responsible for the operating policies and procedures of the institution. Board meetings are conducted after the exit meeting with management, and are planned for regularly scheduled Board meetings, whenever possible. When significant issues requiring consultation with the Regional Office are present, the FDIC’s Consultation Policy is followed prior to scheduling the Board meeting. *Question: I thought that for DCP, an Exit does not have to have the Board (i.e. for RMS a wrap up is just with management and an Exit is with management and the Board); here, we can have an Exit with just management, but if the Board wants to attend that has to be separate? What if just one member of the Board wants to attend?

Answer 85

Board meetings must be attended by at least a quorum of Directors/Trustees. The EIC, Field Supervisor, Supervisory Examiner, and/or Review Examiner or senior member of the Regional Office staff attend, as deemed appropriate.

Answer 86

Board meetings may be appropriate in a variety of situations, but are required under one or more of the following circumstances: • An informal or formal enforcement action is recommended • The proposed consumer compliance rating is “3,” “4,” or “5” • The proposed composite CRA rating, state rating, or multistate rating is “Needs to Improve” or “Substantial Noncompliance” • The institution’s management or Board requests such a meeting

Answer 87

A Board meeting is not required for: • Visitations; • Consumer Complaint Investigations; or • Other Special Reviews.

Answer 88

The ROE is a consumer compliance examination’s principal document of record. It communicates the results of an examination to the Board and management of the financial institution. The ROE highlights the strengths and weaknesses of a financial institution’s CMS and cites violations (if any) in order of significance. The ROE may also include pages that inform the institution about MRBAs, compliance with enforcement actions, or other matters. The ROE offers recommendations for addressing deficiencies and improving future compliance management performance. Compliance examiners develop the ROE’s content and its findings based on bank information reviewed during the supervisory process, FDIC examination policies and procedures, and examiner experience and professional judgment.

Answer 89

Transmittal Letter • Report Cover • Examiner’s Comments and Conclusions o Consumer Compliance Examination Scope and Rating o Compliance Management System  Board and Management Oversight  Compliance Program o Optional headers to address significant findings (if applicable), such as Third Party Oversight, Fair Lending, etc. o Violations of Law and Consumer Harm o Community Reinvestment Act Scope and Rating (if applicable) o Enforcement Action(s) (if applicable, including proposed enforcement actions) o Matters Requiring Board Attention (if applicable) o Recommendation(s) o Meeting with Management o Meeting with Board of Directors (if applicable) Matters Requiring Board Attention (if applicable) • Compliance with Enforcement Actions (if applicable) • Level 3/High Severity Violations (if applicable) • Level 2/Medium Severity Violations (if applicable) • Other Matters (if applicable) • Compliance - Supervisory Section (if applicable) -What about the banker survey? -I didn't think we did the transmittal letter?

Answer 90

Transmittal Letter A transmittal letter accompanies a ROE to a financial institution’s Board. The transmittal letter requires the institution, within a timeframe established by the applicable Regional Office, to send a letter or letters to the appropriate FDIC office notifying it, in sufficient detail, of the actual resolution of the MRBAs, recommendations, and Level 3 and Level 2 violations. Appropriate staff at the Regional Office reviews an institution’s response and determines whether the response sufficiently addresses the issues. The Regional Office maintains a tracking system to ensure responses are received and corrective actions are completed in a timely manner. In cases where an enforcement action is pursued against an institution, examination staff will follow established monitoring procedures.

Answer 91

The guiding principle for completing the ROE is that it contains all information that is necessary and useful for the institution’s Board and management to understand the scope and conclusions of the examination and any corrective actions that may be necessary to achieve compliance or address consumer harm. The ROE should aid the Board and management in developing an action plan to address any findings or supervisory concerns. Examiners exercise judgment and discretion when determining the amount of information and detail to include in the ROE. Factors examiners could consider when determining the amount of detail include significant CMS structure or management changes, significant changes in business strategy that impact the consumer harm risk profile, changes in ratings or adverse ratings, CMS weaknesses, violations resulting in significant consumer harm, civil money penalties, de novo or charter conversion status, complex or unusual programs or products, or management disagreement with ratings.

Answer 92

The Fair Credit Reporting Act (FCRA) is U.S. Code 15 USC 1681 and became effective in 1971.

Answer 93

The FCRA is a part of acts contained in the Federal Consumer Protection Act, such as TIL and FDPA (15 USC §1601 et seq)

Answer 94

Subsequent to passing FCRA, Congress passed the Consumer Credit Reporting Reform Act of 1996, which substantially revised the FCRA - mostly effective in 1997

Answer 95

Minor amendments to the FCRA were made in 1997 and 1998

Answer 96

The Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat. 1338 (1999)) made additional changes, including provisions removing a previous statutory prohibition against conducting routine FCRA examinations, and permitting regulations to be adopted to implement the requirements of the FCRA; The FCRA was substantively amended in 2003 upon the passage of the FACT Act (Pub. L. No. 108-159, 117 Stat. 1952). The FACT Act created many new responsibilities for consumer reporting agencies and users of consumer reports. It contained many new consumer disclosure requirements as well as provisions to address identity theft. In addition, it provided free annual consumer report rights for consumers and improved access to consumer report information to help increase the accuracy of data in the consumer reporting system.

Answer 97

Regulation V implements FCRA.

Answer 98

12 CFR 1022

Answer 99

The FCRA contains significant responsibilities for business entities that are consumer reporting agencies and lesser responsibilities for those that are not. Generally, financial institutions are not considered to function as consumer reporting agencies; however, depending on the degree to which their information sharing business practices approximate those of a consumer reporting agency, they can be deemed as such.

Answer 100

In addition to the requirements related to financial institutions acting as consumer reporting agencies, FCRA requirements also apply to financial institutions that operate in the following capacities: 1. Procurers and users of information (for example, as credit grantors, purchasers of dealer paper, or when opening deposit accounts); 2. Furnishers and transmitters of information (by reporting information to consumer reporting agencies or other third parties, or to affiliates); 3. Marketers of credit or insurance products; or 4. Employers.

Answer 101

“Adverse Action” has the same meaning as used in section 701(d)(6) [15 USC1691(d)(6)] of the Equal Credit Opportunity Act (“ECOA”). Under the ECOA, it means a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the same amount or on terms substantially similar to those requested. Under the ECOA, the term does not include a refusal to extend additional credit under an existing credit arrangement where the applicant is delinquent or otherwise in default, or where such additional credit would exceed a previously established credit limit. The term has the following additional meanings for purposes of the FCRA: 1. A denial or cancellation of, an increase in any charge for, or a reduction or other adverse or unfavorable change in the terms of coverage or amount of, any insurance, existing or applied for, in connection with the underwriting of insurance; 2. A denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee; 3. A denial or cancellation of, an increase in any charge for, or any other adverse or unfavorable change in the terms of, any license or benefit described in section 604(a)(3)(D) [15 USC §1681b(a)(3)(D)]; and 4. An action taken or determination that is (a) made in connection with an application made by, or transaction initiated by, any consumer, or in connection with a review of an account to determine whether the consumer continues to meet the terms of the account, and (b) adverse to the interests of the consumer.

Answer 102

Consumer reporting agencies have a significant amount of personal information about consumers. This information is invaluable in assessing a consumer’s creditworthiness for a variety of products and services, including loan and deposit accounts, insurance, and utility services, among others. Access to this information is governed by the Fair Credit Reporting Act (FCRA) to ensure that it for permissible purposes and not exploited for illegitimate purposes; The FCRA requires any prospective “user” of a consumer report, for example a lender, insurer, landlord, or employer, among others, to have a legally permissible purpose to obtain a report.

Answer 103

Section 604 Permissible Purposes of Consumer Reports: Legally Permissible Purposes. The FCRA allows a consumer reporting agency to furnish a consumer report for the following circumstances and no other: 1. In response to a court order or Federal Grand Jury subpoena. 2. In accordance with the written instructions of the consumer. 3. To a person, including a financial institution, which it has reason to believe: a. Intends to use the report in connection with a credit transaction involving the consumer (includes extending, reviewing, and collecting credit); b. Intends to use the information for employment purposes; c. Intends to use the information in connection with the underwriting of insurance involving the consumer; d. Intends to use the information in connection with a determination of the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality that is required by law to consider an applicant’s financial responsibility; e. Intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or f. Otherwise has a legitimate business need for the information: i. In connection with a business transaction that is initiated by the consumer; or i. To review an account to determine whether the consumer continues to meet the terms of the account. 4. In response to a request by the head of a State or local child support enforcement agency (or authorized appointee) if the person certifies various information to the consumer reporting agency regarding the need to obtain the report. (Generally, this particular purpose does not impact a financial institution that is not a consumer reporting agency.)

Answer 104

Prescreened Consumer Reports. Users of consumer reports, such as financial institutions, may obtain prescreened consumer reports to make firm offers of credit or insurance to consumers, unless the consumers have elected to opt out of being included on prescreened lists. The FCRA contains many requirements, including an opt out notice requirement when prescreened consumer reports are used. In addition to defining prescreened consumer reports, Module 3 covers these requirements.

Answer 105

Investigative Consumer Reports. Section 606 contains specific requirements for use of an investigative consumer report. This type of consumer report contains information about a consumer’s character, general reputation, personal characteristics, or mode of living that is obtained in whole or in part through personal interviews with neighbors, friends, or associates of the consumer. If a financial institution procures an investigative consumer report, or causes one to be prepared, the institution must meet the following requirements:

Answer 106

1. The institution clearly and accurately discloses to the consumer that an investigative consumer report may be obtained. 2. The disclosure contains a statement of the consumer’s right to request other information about the report, and a summary of the consumer’s rights under the FCRA. 3. The disclosure is in writing and is mailed or otherwise delivered to the consumer not later than three business days after the date on which the report was first requested. 4. The financial institution procuring the report certifies to the consumer reporting agency that it has complied with the disclosure requirements and will comply in the event that the consumer requests additional disclosures about the report.

Answer 107

Institution Procedures. Given the preponderance of electronically available information and the growth of identity theft, financial institutions should manage the risks associated with obtaining and using consumer reports. Financial institutions should employ procedures, controls, or other safeguards to ensure that consumer reports are obtained and used only in situations for which there are permissible purposes. Access to, and storage and destruction of this information is dealt with under an institution’s Information Security Program; however, obtaining consumer reports initially must be done in compliance with the FCRA.

Answer 108

Examination documentation should demonstrate a clear trail of decisions and supporting logic within a given area. Documentation should provide a written record of the examiner’s decisions and analysis and provide support for assertions of fact or opinion in the Consumer Compliance Report of Examination (ROE). A well-constructed examination documentation file will provide sufficient data to reconstruct the examiner’s decision process for each step of the examination. This includes support for the examiner’s decision to include or exclude a regulation or area of review from the scope of the examination, as well as providing documentation of significant findings, including Level 3 and Level 2 violations.

Answer 109

Review of the ROE; • Expanded explanations of Level 3 and Level 2 violations in the event of subsequent enforcement action or appeals of supervisory determinations; • Development of a supervisory plan; • A current risk profile; and • Developing the scope of future examinations and limiting future information and document requests of the institution.• Review of the ROE; • Expanded explanations of Level 3 and Level 2 violations in the event of subsequent enforcement action or appeals of supervisory determinations; • Development of a supervisory plan; • A current risk profile; and • Developing the scope of future examinations and limiting future information and document requests of the institution.

Answer 110

1. The Assessment of Risk of Consumer Harm (ARCH) is used to identify and document inherent risk. Some areas of risk will be eliminated from further review during pre-examination planning based on their low level of inherent and/or residual risk. Section 3 of the ARCH should explain why areas are eliminated from review. Comments should be concise but specific enough to indicate why consumer harm risk is low and how CMS factors mitigate the inherent risk. 2. The ARCH also is also used to identify and documents the areas with moderate or high level of potential consumer harm risk that are not mitigated by the strength of the CMS. Section 3 of the ARCH also establishes specific products, services, or regulations (PSRs) for review or transaction testing. As discussed in this manual, PSRs are based on residual consumer harm risk and only PSRs exhibiting such residual risk are included in the examination scope. There may be certain situations in which transaction testing or other review procedures will be necessary but is not predicated upon residual consumer harm risk. These types of reviews should be addressed in Section 4 of the ARCH but in the Other Areas for Review section rather than as a PSR. Training and development needs are one example.[II-7.1 Documenting the Examination]

Answer 111

3. An Examiner Summary workpaper should be prepared for each area selected for transaction testing or other review procedures. The Examiner Summary should support examination findings, conclusions, and recommendations and discuss applicable strengths and weaknesses relevant to inherent risk and how effectively the bank is identifying, addressing, and preventing consumer harm. The Examiner Summary, in conjunction with the ARCH and the ROE, will allow subsequent readers to clearly identify the scope of work performed and the basis for the examiner’s conclusion.

Answer 112

A statement indicating the scope of the review and describing the examination procedures used. Copies of the procedures, marked to indicate the portions used, may be substituted for the description. • Examiner Summaries should include (1) significant findings and their impact on the CMS rating and (2) any deficiencies or violations noted during the examination that are not contained in the ROE. • Generally, the examiner should maintain all discussion notes and all copies of bank documentation obtained during the examination. Exceptions can be made for irrelevant material or bulky items that have limited audit trail value. A copy of any document which is being directly criticized, or which supports a criticism made during the examination, must be maintained in the workpapers. Again, Examiner Summaries are only necessary for areas selected for transaction testing or other review procedures. The ARCH will be used to provide a summary of the other areas not reviewed.

Answer 113

4. When a violation of a specific regulation has been identified, then: --> Ensure the appropriate workpapers are fully completed and that supporting documentation is attached. The use of standardized workpapers is required. The examiner is required to download the most current version of the standardized workpaper prior to the start of the current examination. The workpaper and documentation should be sufficient to enable an examiner having no previous connection with the examination to ascertain the evidence supporting the significant conclusions, judgments, cited violations, and compliance with any outstanding enforcement action. --> Assign a violation code to each violation identified during the examination. All violation codes, regardless of whether or not they were detailed in the ROE, should be uploaded through the System of Uniform Reporting of Compliance and CRA Examinations (SOURCE) at the completion of the examination

Answer 114

5. Ensure the workpapers include clear and legible notes from discussions with management. All responses to examiner questions should be readily attributable to specific members of management. Specific comments made by management that are relevant to a significant finding should be marked or highlighted accordingly.

Answer 115

6. Attach to the relevant workpapers the documents supporting each finding noted in the ROE. For example: • A copy of the relevant portion of the bank’s compliance policy which stipulates procedures that are in contradiction to the procedures actually performed. • Copies of notes and related disclosure statements for violations of Regulation Z, Truth in Lending. • Copies of adverse action notifications for violations of Fair Credit Reporting Act and/or Regulation B, Equal Credit Opportunity. • Copies of completed hold notices where the financial institution failed to make $200 available at the start of the next business day in violation of Regulation CC, Expedited Funds Availability. NOTE: For any violations cited as systemic or a pattern or practice, the examiner need only attach enough copied documents to support this conclusion. Additionally, any violations cited in the ROE that contain examples of specific transactions should have corresponding evidence in the examination file. Furthermore, any violation that results in the imposition of a civil money penalty should be supported with all applicable documentation.

Answer 116

The EIC is responsible for ensuring that all appropriate documents are uploaded according to national standardized workpapers filing schema for the areas reviewed during the examination and ensuring the documents are complete and legible. The EIC can assign this responsibility to team members, as appropriate (e.g., the examiner reviewing an area could be assigned responsibility to upload the appropriate documents in that specific review). The EIC (or designee) should: • Review workpapers to ensure that they are accurate, legible, and complete. • Determine that appropriate bank documentation, where applicable, has been attached and retained in the workpapers. • Confirm that mandatory workpapers are appropriately organized and uploaded to electronic storage. • Close the examination in the electronic storage database after the EIC has been informed that the RE review process is complete.

Answer 117

The EIC, or designee, should upload workpapers into the electronic storage database: a. Check to make sure that you are not overwriting a more current version of the document; b. Do a quality control check to ensure that the documents are legible and that all pages have been included (front and back). 2. Workpapers are generally not changed after the conclusion of an examination. However, if revising a workpaper in any manner after the completion of an examination is necessary, such revisions should be clearly documented on the workpaper. 3. Some checklists in this manual have been incorporated into the national standardized workpapers and are required to be completed in conjunction with the review of an area. In situations where the national standardized workpapers have not incorporated the checklists within the manual, or if a checklist is obtained elsewhere, the completion of these checklists is optional. The examiner has the option of completing relevant portions of the checklists or using them merely as a guide. If used, they should be maintained in the workpapers, as they help document the procedures performed during the examination. 4. Documents added into the electronic storage database are only those not required to be uploaded to SOURCE.

Answer 118

Retain workpapers for a period of at least two years or until the next examination, whichever is later. Retain workpapers for longer periods in the following instances, until corrective action or other resolution is complete: • Truth in Lending violations requiring reimbursement; Fair lending violations resulting in referrals to the Department of Justice or Department of Housing and Urban Development; • Any type of enforcement action that has been placed on or remains outstanding against the financial institution; • A criminal referral has been made regarding the institution or any of its directors, trustees, management, or employees; and • Other reasons, at the discretion of the Regional Director or Field Supervisor, for which the retention of documents and workpapers is required. Consult the FDIC Records Schedule directives for further information.

Answer 119

SOURCE is the system of record for the compliance and CRA examination program and is extensively used by compliance field supervisors, examiners, review examiners, and Washington Office staff. SOURCE is used to support reporting requirements, provides substantial task support for staff, and is a management support and decision tool. Among other functions, SOURCE: • Generates examination schedules that are used to support workload projections by incorporating quarter planning and benchmark hours; • Provides information to facilitate the pre-exam process; • Captures examination summary information; • Attaches examination documents for divisional sharing and historical reference; • Tracks information through the consultation process; and • Facilitates the reporting of examination data for legislatively mandated reporting.

Answer 120

Information in SOURCE should be complete, accurate, and timely. • Examiners and reviewers should ensure that the most current versions of documents are attached and labeled correctly. For example, and when applicable: o Transmittal Letter; o Cover Page; o Examiner’s Comments and Conclusions; o CRA Performance Evaluation; o Supervisory Comments; o Level 1, Level 2, and Level 3 Violations Pages; o Final examination scoping documents for compliance and fair lending (i.e., ARCH and FLSC). • Examiners and reviewers should ensure that all required information fields are completed at the conclusion of the examination; • Supervisors should plan examinations and visitations in advance and indicate the quarter for which the activity is planned; and • EIC, or designees, should update required dates, such as the examination On-Site Date, as soon as possible.

Answer 121

Consumer complaint investigations are generally handled by Consumer Response Unit staff. Examiners will be requested to assist if deemed necessary. As with all sensitive matters, close cooperation between staff in the field office, region, and Washington is essential to a prompt and appropriate resolution of a complaint.

Answer 122

Informal actions represent the final supervisory step before formal enforcement proceedings are initiated. [II-9.1 Enforcement Actions]

Answer 123

The FDIC has broad enforcement powers under the Federal Deposit Insurance (FDI) Act to issue formal enforcement actions. [II-9.1 Enforcement Actions]

Answer 124

Board Resolution: Informal commitments developed and adopted by a financial institution’s Board of Directors/trustees, often at the request of an FDIC Regional Director, directing the institution’s personnel to take corrective action regarding specific noted deficiencies. The FDIC is not a party to the resolution, but approves and accepts the resolution as a means to initiate corrective action. [II-9.1 Enforcement Actions]

Answer 125

Memorandum of Understanding: Informal agreement between an institution and the FDIC that is drafted by the Regional Office staff to address and correct identified weaknesses in an institution’s compliance or CRA posture. A Memorandum of Understanding is generally used in place of a Board Resolution when the FDIC has reason to believe that a Board Resolution would not adequately address the deficiencies noted during the examination. [II-9.1 Enforcement Actions]

Answer 126

Formal enforcement actions are those taken pursuant to the powers granted to the FDIC’s Board of Directors under Section 8 of the FDI Act. Each situation and circumstance determines the most appropriate action(s) to be taken. It is of note that formal enforcement actions are publicly available records. [II-9.1 Enforcement Actions]

Answer 127

-Termination of Insurance: Section 8(a). -Cease-and-Desist Order: Section 8(b): Issued to halt violations of laws or regulations as well as to require affirmative action to correct any condition resulting from such violations. By ordering an institution or an institution affiliated party (IAP), including an individual officer or director of an institution, to cease and desist from practices and/or take affirmative actions, the FDIC may prevent the problems facing the institution from reaching such serious proportions as to require more severe enforcement actions. If an institution voluntarily agrees to the entry of a Cease - and- Desist Order, it is entitled a “Consent Order.” -• Order for Restitution: Section 8(b)(6): Issued to require an institution or IAP to disgorge any unjust enrichment to consumers and/or take other affirmative action to redress consumer harm. -Temporary Cease-and-Desist Order: Section 8(c): Issued in the most severe situations to halt particularly egregious practices pending a formal hearing on permanent Cease and-Desist Orders issued pursuant to Section 8(b). -Removal and Prohibition Order: Section 8(e)(1): The FDIC has the authority to order the removal of an IAP, i.e., director, officer, employee, controlling stockholder other than a bank holding company, or agent for an insured depository institution. The prohibition may be for specific activities or may be industry-wide -Temporary Suspension Order: Section 8(e)(3): The FDIC may order the temporary suspension of an IAP pending a hearing on an Order of Removal if the individual’s continued participation poses an immediate threat to the institution or to the interests of the institution’s depositors. -Suspension Order: Section 8(g): Issued to IAPs who are charged with felonies involving dishonesty or a breach of trust pending the disposition of the criminal charges. -Civil Money Penalties: Section 8(i)(2): CMPs are assessed to sanction an institution, IAP, or an individual for a violation, breach of a fiduciary duty, and/or practice. They are also assessed to deter future occurrences. In the case of a CMP assessed to an institution or IAP, twelve factors that measure the breadth and severity of the problem are considered, including consumer harm, cooperation, and supervisory history. Additionally, the asset size of the institution is taken into account. In the case of a CMP assessed to an individual, a similar analysis is performed. The FDIC utilizes separate matrices for institutions and individuals. In both cases, the CMP matrices are guidance intended to promote consistency in the assessment of CMPs. The matrices aid the examiner in determining the appropriateness and/or level of CMPs. Each CMP matrix is included at the end of this section [II-11.1 Appeals]

Answer 128

Section 309(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 (Public Law 103-325, 108 Stat.2160) (Riegle Act) required the Federal Deposit Insurance Corporation (FDIC) to establish an independent intra-agency appellate process to review material supervisory determinations made at insured depository institutions that it supervises. The Guidelines for Appeals of Material Supervisory Determinations (“guidelines”) describe the types of determinations that are eligible for review and the process by which appeals will be considered and decided. The procedures set forth in these guidelines establish an appeals process for the review of material supervisory determinations by the Supervision Appeals Review Committee (“SARC”). [II-11.1 Appeals]

Answer 129

Institutions Eligible To Appeal The guidelines apply to the insured depository institutions that the FDIC supervises (i.e., insured State nonmember banks, insured branches of foreign banks, and state savings associations) and to other insured depository institutions with respect to which the FDIC makes material supervisory determinations. [II-11.1 Appeals]

Answer 130

Determinations Subject To Appeal An institution may appeal any material supervisory determination pursuant to the procedures set forth in these guidelines. Material supervisory determinations include: a. CAMELS ratings under the Uniform Financial Institutions Rating System; b. IT ratings under the Uniform Interagency Rating System for Data Processing Operations; c. Trust ratings under the Uniform Interagency Trust Rating System; d. CRA ratings under the Revised Uniform Interagency Community Reinvestment Act Assessment Rating System; e. Consumer compliance ratings under the Uniform Interagency Consumer Compliance Rating System; f. Registered transfer agent examination ratings; g. Government securities dealer examination ratings; h. Municipal securities dealer examination ratings; i. Determinations relating to the adequacy of loan loss reserve provisions; j. Classifications of loans and other assets in dispute the amount of which, individually or in the aggregate, exceed 10 percent of an institution’s total capital; k. Determinations relating to violations of a statute or regulation that may affect the capital, earnings, or operating flexibility of an institution, or otherwise affect the nature and level of supervisory oversight accorded an institution; l. Truth in Lending (Regulation Z) restitution; m. Filings made pursuant to 12 CFR 303.11(f), for which a Request for Reconsideration has been granted, other than denials of a change in bank control, change in senior executive officer or board of directors, or denial of an application pursuant to section 19 of the Federal Deposit Insurance Act (“FDI Act”), 12 U.S.C. §1829 (which are contained in 12 CFR §308, subparts D, L, and M, respectively), if the filing was originally denied by the DCP Director, Deputy Director or Associate Director; and n Decisions to initiate informal enforcement actions (such as memoranda of understanding): o. Determinations regarding the institution’s level of compliance with formal enforcement action; however, if the FDIC determines that the lack of compliance with an existing formal enforcement action requires additional enforcement action, the proposed new enforcement action is not appealable; p. Matters requiring board attention; and q. Any other supervisory determination (unless otherwise not eligible for appeal) that may affect the capital, earnings, operating flexibility, or capital category for prompt corrective action purposes of an institution, or otherwise affect the nature and level of supervisory oversight accorded an institution. [II-11.1 Appeals]

Answer 131

Material supervisory a. Decisions to appoint a conservator or receiver for an insured depository institution; b. Decisions to take prompt corrective action pursuant to section 38 of the FDI Act, 12 U.S.C.§1831o;determinations do not include: [II-11.1 Appeals] c. Determinations for which other appeals procedures exist (such as determinations of deposit insurance assessment risk classifications and payment calculations); and d. Formal enforcement-related actions and decisions, including determinations and the underlying facts and circumstances that form the basis of a recommended or pending formal enforcement action. [II-11.1 Appeals]

Answer 132

A formal enforcement-related action or decision commences, and becomes unappealable, when the FDIC initiates a formal investigation under 12 U.S.C. §1820(c) or provides written notice to the institution of a recommended or proposed formal enforcement action under applicable statutes or published enforcement-related policies of the FDIC, including written notice of a referral to the Attorney General pursuant to the Equal Credit Opportunity Act (“ECOA”) or a notice to the Secretary of Housing and Urban Development (“HUD”) for violations of the ECOA or the Fair Housing Act (“FHA”). For the purposes of these Guidelines, remarks in a Report of Examination do not constitute written notice of a recommended or proposed enforcement action. A formal enforcement-related action or decision does not affect the appeal of any material supervisory determination that is pending under these Guidelines. [II-11.1 Appeals]

Answer 133

Additional SARC Rights a. In the case of any written notice from the FDIC to the institution of a recommended or proposed formal en-forcement action, including a draft consent order, is not pursued within 120 days of the written notice, SARC ap-peal rights will be made available pursuant to these guide-lines. The FDIC may extend this 120-day period, with the approval of the SARC Chairperson, if the FDIC notifies the institution that the relevant Division Director is seek-ing formal authority to take an enforcement action. b. In the case of a referral to the Attorney General for viola-tions of the ECOA, if the Attorney General returns the matter to the FDIC and the FDIC does not initiate an en-forcement action within 120 days of the date the referral is returned, SARC appeal rights will be made available pur-suant to these guidelines. c. In the case of providing the notice to HUD for violations of the ECOA or the FHA, if the FDIC does not initiate an enforcement action within 120 days of the date the notice is provided, SARC appeal rights will be made available under these guidelines. d. Written notification of SARC rights will be provided to the institution within 10 days of a determination that such rights have been made available. e. The FDIC and an institution may mutually agree to extend the timeframes in paragraphs (a), (b), and (c) if the parties deem it appropriate in order to reach a mutually agreeable solution. [II-11.1 Appeals]

Answer 134

An institution should make a good faith effort to resolve any dispute concerning a material supervisory determination with the on-site examiner and/or the appropriate Regional Office. The on-site examiner and the Regional Office will promptly respond to any concerns raised by an institution regarding a material supervisory determination. Informal resolution of disputes with the on-site examiner and/or the appropriate Regional Office is encouraged, but seeking such a resolution is not a condition to filing a request for review with the Division of Depositor and Consumer Protection or an appeal to the SARC under these guidelines. [II-11.1 Appeals]

Answer 135

An institution may file a request for review of a material supervisory determination with the Director, Division of Depositor and Consumer Protection, 550 17th Street, NW, Room F-4076, Washington, DC 20429, within 60 calendar days following the institution’s receipt of a report of examination containing a material supervisory determination or other written communication of a material supervisory determination. [II-11.1 Appeals]

Answer 136

A request for review must be in writing and must include: a. A detailed description of the issues in dispute, the surrounding circumstances, the institution’s position regarding the dispute and any arguments to support that position (including citation of any relevant statute, regulation, policy statement or other authority), how resolution of the dispute would materially affect the institution, and whether a good faith effort was made to resolve the dispute with the on-site examiner and the Regional Office; and b. A statement that the institution’s board of directors has considered the merits of the request and has authorized that it be filed. The Division Director will review the appeal for consistency with the policies, practices, and mission of the FDIC and the overall reasonableness of, and the support offered for, the positions advanced. The Division Director will issue a written determination on the request for review, setting forth the grounds for that determination, within 45 days of receipt of the request. No appeal to the SARC will be allowed unless an institution has first filed a timely request for review with the appropriate Division Director.

Answer 137

An appeal to the SARC will be considered filed if the written appeal is received by the FDIC within 30 calendar days from the date of the Division Director’s written determination or if the written appeal is placed in the U.S. mail within that 30-day period. If the 30th day after the date of the Division Director’s written determination is a Saturday, Sunday, or Federal holiday, filing may be made on the next business day. The appeal should be sent to the address indicated on the Division Director’s determination being appealed. [II-11.1 Appeals]

Answer 138

The appeal should be labeled to indicate that it is an appeal to the SARC and should contain the name, address, and telephone number of the institution and any representative, as well as a copy of the Division Director’s determination being appealed. If oral presentation is sought, that request should be included in the appeal. Only matters previously reviewed at the division level, resulting in a written determination or direct referral to the SARC, may be appealed to the SARC. Evidence not presented for review to the Division Director may be submitted to the SARC only if authorized by the SARC Chairperson. The institution should set forth all of the reasons, legal and factual, why it disagrees with the Division Director’s determination. Nothing in the SARC administrative process shall create any discovery or other such rights. [II-11.1 Appeals]

Answer 139

The burden of proof as to all matters at issue in the appeal, including timeliness [II-11.1 Appeals]

Answer 140

An appeal may be dismissed by the SARC if it is not timely filed, if the basis for the appeal is not discernable from the appeal, or if the institution moves to withdraw the appeal. An appeal may be rejected if the right to appeal has been cut off. [II-11.1 Appeals]

Answer 141

The SARC will review the appeal for consistency with the policies, practices and mission of the FDIC and the overall reasonableness of and the support offered for the positions advanced. The SARC will notify the institution, in writing, of its decision concerning the disputed material supervisory determination(s) within 45 days from the date the SARC meets to consider the appeal, which meeting will be held within 90 days from the date of the filing of the appeal. SARC review will be limited to the facts and circumstances as they existed prior to, or at the time the material supervisory determination was made, even if later discovered, and no consideration will be given to any facts or circumstances that occur or corrective action taken after the determination was made. The SARC may reconsider its decision only on a showing of an intervening change in the controlling law or the availability of material evidence not reasonably available when the decision was issued. [II-11.1 Appeals]

Answer 142

SARC decisions will be published as soon as practicable, and the published decisions will be redacted to avoid disclosure of exempt information. In cases in which redaction is deemed to be insufficient to prevent improper disclosure, published decisions may be presented in summary form. Published SARC decisions may be cited as precedent in appeals to the SARC. Annual reports on Division Directors’ decisions with respect to institutions’ requests for review of material supervisory determinations also will be published. [II-11.1 Appeals]

Answer 143

Appeals to the SARC will be governed by these guidelines. The SARC will retain the discretion to waive any provision of the guidelines for good cause. The SARC may adopt supplemental rules governing its operations; order that material be kept confidential; and consolidate similar appeals. [II-11.1 Appeals]

Answer 144

The subject matter of a material supervisory determination for which either an appeal to the SARC has been filed, or a final SARC decision issued is not eligible for consideration by the Ombudsman. [II-11.1 Appeals]

Answer 145

In the event that a material supervisory determination subject to a request for review is the joint product of the FDIC and a State regulatory authority, the Director, Division of Depositor and Consumer Protection, will promptly notify the appropriate State regulatory authority of the request, provide the regulatory authority with a copy of the institution’s request for review and any other related materials, and solicit the regulatory authority’s views regarding the merits of the request before making a determination. In the event that an appeal is subsequently filed with the SARC, the SARC will notify the institution and the State regulatory authority of its decision. Once the SARC has issued its determination, any other issues that may remain between the institution and the State authority will be left to those parties to resolve. [II-11.1 Appeals]

Answer 146

The FDIC conducts examinations of institutions it supervises at intervals established by FDIC policy. Generally, newly chartered insured institutions or institutions that changed charters and are newly supervised by the FDIC receive a visitation within the first 12 months of operation/conversion and a full-scope examination within the first 24 months. To foster open dialogue and early communication during the initial stage of operations as a FDIC-supervised institution, the institution’s supervisory region will arrange an introductory meeting with management prior to the initial visitation. After the first examination, the institution will follow the Standard Examination Frequency Schedule. [II-12.1 Examination and Visitation Frequency]

Answer 147

The FDIC will conduct examinations at other institutions at intervals outlined in the Standard Examination Frequency Schedule that sets examination intervals by an institution’s total asset size and the ratings assigned during the most recent Compliance examination and Community Reinvestment Act (CRA) evaluation. [II-12.1 Examination and Visitation Frequency]

Answer 148

When scheduling an examination, the objectives are to: • Target examinations and supervisory efforts where risk of consumer harm is greatest; • Allocate appropriate examination resources; and • Conduct concurrent examinations, when requested by the bank, if practical. [II-12.1 Examination and Visitation Frequency]

Answer 149

This Manual presents the Initial Examination Frequency Schedule below in Table 1, the Standard Examination Frequency Schedule for institutions with total assets of $250 million or less in Table 2, and the Standard Examination Frequency Schedule for institutions with total assets of greater than $250 million in Table 3. Examinations become subject to the greater than $250 million threshold when an institution’s reported total assets are in excess of $250 million as of December 31 for the prior two calendar years. The examination interval is measured as the period between the date one examination report was transmitted to the institution and the start date of the subsequent examination at the same institution. Regional and/or field management may schedule visitations at its discretion. Typically, Consumer Compliance and CRA ratings will not change at a visitation, but if the visitation does result in a rating change, the Standard Examination Frequency Schedule noted below will still apply. Regional and/or field management may also schedule examinations earlier than the standard schedule when warranted dependent upon supervisory concern or other factors. For example, for institutions rated “Needs to Improve” or “Substantial Noncompliance” for CRA, field management, at its discretion, may schedule a targeted CRA examination or a concurrent Compliance and CRA examination based upon the risk factors involved. Additionally, under certain circumstances, field management will need to be proactive in manually adding a supervisory activity to avoid potentially lengthy gaps in examinations. This could occur, for example, when a Compliance and CRA Examination for an institution with assets of $250 million or less results in a “3” Consumer Compliance rating and a “Satisfactory” or “Outstanding” CRA rating and field management schedules a Compliance-only examination at the 12-month point. If the Compliance-only examination results in an upgrade to the rating, the institution would not, per the following table, be subject to another examination until the next Compliance and CRA activity. Consequently, field management should manually schedule another Compliance-only activity to occur between the 30-36-month timeframe. Under the Gramm-Leach-Bliley Act, a financial institution with aggregate assets of $250 million or less may be subject to more or less frequent CRA examinations because of a determination of “reasonable cause.” Examples of “reasonable cause” may include, among other things, identification of significant fair lending violations during a Compliance-only examination that would affect overall CRA performance, receipt of credible complaints indicating deterioration in the bank’s CRA performance, or requests from affiliated institutions to be examined concurrently. [II-12.1 Examination and Visitation Frequency]

Answer 150

The FDIC conducts concurrent Compliance/CRA, risk management, and specialty examinations to accommodate the preferences of the bank, unless doing so would be impractical or inefficient. Examinations of banks subject to Consumer Financial Protection Bureau (CFPB) supervision will be coordinated with the requirements of Section 1025(e) of the Dodd-Frank Act. [II-12.1 Examination and Visitation Frequency]

Answer 151

The FDIC assigns consumer compliance ratings to institutions it supervises pursuant to the Uniform Interagency Consumer Compliance Rating System (CC Rating System) approved by the Federal Financial Institutions Examination Council (FFIEC) in 2016 and effective on March 31, 2017. [II-13.1]

Answer 152

The CC Rating System is a supervisory policy for evaluating financial institutions’ adherence to consumer protection requirements. It is composed of guidance and definitions which are contained in this section of the manual. [II-13.1]

Answer 153

The primary purpose of the CC Rating System is to ensure that regulated financial institutions are evaluated in a comprehensive and consistent manner and that supervisory resources are appropriately focused on areas exhibiting risk of consumer harm and on institutions that warrant elevated supervisory attention. The CC Rating System serves as a useful tool for summarizing the compliance position of individual institutions. [II-13.1]

Answer 154

Under the CC Rating System, each financial institution is assigned a consumer compliance rating. The CC Rating System is based upon a scale of 1 through 5 in increasing order of supervisory concern. [II-13.1]

Answer 155

The CC Rating System is composed of guidance and definitions. The guidance provides examiners with direction on how to use the definitions when assigning a consumer compliance rating to an institution. The definitions consist of qualitative descriptions for each rating category and include compliance management system (CMS) elements reflecting risk control processes designed to manage consumer compliance risk and considerations regarding violations of laws, consumer harm, and the size, complexity, and risk profile of an institution. The consumer compliance rating reflects the effectiveness of an institution’s CMS to ensure compliance with consumer protection laws and regulations and reduce the risk of harm to consumers. [II-13.1]

Answer 156

1. risk-based; 2. transparent; 3. actionable; 4. intent compliance Risk-based. Recognize and communicate clearly that CMS vary based on the size, complexity, and risk profile of super- vised institutions. Transparent. Provide clear distinctions between rating catego- ries to support consistent application by the Agencies across supervised institutions. Reflect the scope of the review that formed the basis of the overall rating. Actionable. Identify areas of strength and direct appropriate attention to specific areas of weakness, reflecting a risk-based supervisory approach. Convey examiners’ assessment of the effectiveness of an institution’s CMS, including its ability to prevent consumer harm and ensure compliance with consumer protection laws and regulations. Incent Compliance. Incent the institution to establish an effec- tive consumer compliance system across the institution and to identify and address issues promptly, including self- identification and correction of consumer compliance weak- nesses. Reflect the potential impact of any consumer harm identified in examination findings. [II-13.1]

Compliance - Part I Flashcards

(180 cards)