On November 7th, the FFIEC finalized the issuance of its updated Interagency Consumer Compliance Rating System (“CCRS”). The press release that accompanied the revision stated that the document was intended to “more fully align the rating system with the FFIEC agencies’ current risk-focused, tailored examination approaches” and that “the rating system’s adoption will represent no additional regulatory burden for financial institutions.” Or does it?
So far, so good: we’ve all long known, through various industry communications and exam reports, that our banks’ Compliance Management Systems (CMS) were to be risk focused. The November 2016 document was the first material update to the agencies’ written CCRS methodology since 1980. It provides greater clarification of the 12 assessment factors that will impact a bank’s numerical compliance rating and of whether these might be risk weighted or not.
The document clarifies that consumer compliance examinations are no longer primarily focused on transaction testing, but then separately provides expanded guidance on how to address violations of law, which are typically only discovered during transaction testing. The document also explains that a bank should be proactive in self-identifying violations of laws and regulations and should be particularly mindful of the root cause, harm to consumers, duration, and pervasiveness throughout the bank of any violations. Lack of financial harm to a consumer can’t be used by the bank as an excuse.
The press release further states that the updated CCRS “was not developed with the intention of new or higher supervisory expectations for financial institutions.” It provides pearls of wisdom and gives all banks an opportunity to review their present Compliance Management policy and ensure that it is updated to stay abreast of the regulatory release and expectations. The guidance indicates that the prudential banking regulatory agencies plan on using the updated rating system on consumer compliance examinations that begin on or after March 31, 2017. At the very least, your bank will need to share this information with your Board and Senior Management and be sure that such discussion is reflected in Board meeting minutes, along with training and oversight documentation.
The CCRS is now split into three main categories, “Board and Management Oversight,” “Compliance Program,” and “Violations of Law and Consumer Harm,” with each of these categories split into four smaller sections. Of particular note in this 31-page document is the four-page Definition matrix at the end. My reading of the matrix, as well as select other sections of the document, indicates that the following will be material to your bank’s CMS in order to align with regulatory expectations commensurate with bank size, complexity and risk profile, because a bank’s internal monitoring system needs to emulate a banking regulatory agency’s compliance examination manual:
- Substantial human resources such as compliance personnel;
- Periodic risk assessment of the bank’s compliance management system to identify current or emerging risks, with reporting to Board and Senior Management;
- Knowledge level of compliance staff;
- Accountability of compliance staff for consumer affairs laws and regulations – perhaps in job descriptions or within written policies and procedures;
- Initial and ongoing comprehensive oversight of any third parties that perform functions for the bank which might impact consumer compliance responsibilities to include a review of third party policies, procedures, training materials and internal controls;
- Change management process for new laws and regulations;
- Comprehensive consumer complaint program including periodic monitoring;
- Promptness and comprehensiveness in responding to identified compliance deficiencies; and
- Tailored, periodic, comprehensive compliance training for all bank personnel including those responsible for product development, marketing and customer service.