FDIC Consumer Compliance Examination Manual PDF
Summary
This document is a manual for consumer compliance examinations conducted by the FDIC. It details the examination process, risk assessment procedures, and important considerations for financial institutions. It covers topics such as risk profiles and the scope of examinations.
Full Transcript
II. Consumer Compliance Examinations – Review and Analysis
FDIC Consumer Compliance Examination Manual – November 2023

Review and Analysis

Introduction
The FDIC’s consumer compliance examination process assesses how well a financial institution manages compliance with federal consumer protection laws and regulations. The review period or scope typically covers bank activities conducted over a discrete period of time from the start date of the prior examination through the start date of the current examination. The review and analysis phase of the consumer compliance examination starts with a top-down, comprehensive evaluation of the compliance management system (CMS) used by the financial institution to identify, monitor, and manage its compliance responsibilities and risks. The procedures outlined below guide the examiner through an assessment of an institution’s CMS and assist the examiner in identifying specific areas of weakness for further analysis. Many procedures listed in this section can be performed at the field office or other location prior to the start of the examination, if materials are available.

Off-Site Review and Analysis
The Examiner-in-Charge (EIC) reviews and analyzes the material gathered from the FDIC, third parties, and the institution in response to the Compliance Information and Document Request (CIDR) in order to develop the scope memorandum and plan the examination. This review and analysis should be broad enough to obtain an understanding of the organizational structure of the institution, its related activities, and the compliance risks associated with each of its activities. The review should be used to preliminarily determine whether the institution’s Board of Directors (Board) and management identify, understand, and adequately control the elements of risk facing the financial institution. In general, management and Directors are expected to have a clearly defined system of risk management controls governing the institution’s compliance operations, including those activities conducted by affiliates and third-party vendors. During this review the EIC should consider what types of questions should be asked during the examination to test whether the institution’s written policies and procedures accurately reflect actual operations.

Risk Scope Memorandum
The goal of a risk-focused, process-oriented examination is to direct resources toward areas with higher degrees of risk of consumer harm. To accomplish this goal, the examiner must assess the financial institution’s CMS as it applies to key operational areas and evaluate the risk of non-compliance with applicable laws and regulations. This process is documented by the examiner in a scoping memorandum, the Assessment of Risk of Consumer Harm (ARCH), which is reviewed and approved by the supervisor. The ARCH is developed during the pre-examination planning process and utilizes historical data, information obtained from the interview with the institution, and documents and information submitted by the institution in response to the CIDR. The ARCH describes the focus of the examination, including issues to be investigated and the products, services, or regulations that exhibit inherent risk not sufficiently mitigated by the institution’s CMS. The identified areas with residual risk will be further reviewed or transaction tested during the examination. During the examination, the EIC should obtain approval for any material changes to the scope of the examination. The EIC describes the changes in a scope amendment that is submitted to the Field Supervisor and all appropriate Supervisory Examiners for review and approval. The final ARCH should be posted to the System of Uniform Reporting of Compliance and CRA Examinations (FOCUS), making it available to all staff and management during the exam review and for future internal use, especially for the start of the subsequent examination.

Developing a Risk Profile
Every institution has inherent risk based on strategic plans, products and services offered, past supervisory actions, business activity, and other factors. The ARCH will document the identified areas of inherent risk by considering the following:
• Institution Structure:
  o Significant factors or changes
  o Mergers or acquisitions
  o Significant growth since prior examination
  o De Novo status
• Supervisory History:
  o Current and past enforcement actions
  o Reimbursement history
  o History of compliance with fair lending laws and regulations
  o Current and prior regulator ratings and recommendations
  o Consumer-related litigation
  o Consumer complaints
• Operational Areas – Product/Service/Regulation (PSR) Risk:
  o Major product lines
  o New or revised products/services/regulations
  o Applicable regulations
  o Recent case law
  o Growth in operations
  o Complexity of operations
  o Third-party affiliations

Institution Structure: A key component of a financial institution’s risk profile is its structure and business model.
An examiner will consider the nature and complexity of, or any changes to, the organizational, management, and ownership structure; business strategy; market areas and customers served; delivery channels; any subsidiaries or affiliates that offer products or services or support operations; branching activities; any unique or niche characteristics; and any significant changes in the institution’s balance sheet composition or income.

Supervisory History: The financial institution’s past consumer compliance performance is an important consideration when developing its risk profile. Historic effectiveness of the CMS, including the results of previous examinations and management’s record of taking corrective measures, will impact its risk profile and ultimately the scope of the examination. The most recent consumer compliance history should be given the most weight. The EIC will be able to locate performance risk information in various areas, including the FDIC’s correspondence and enforcement records for the subject institution. The most recent Risk Management report and workpapers may contain additional information on the institution’s performance risk (e.g., comments regarding institution management).

Operational Areas – PSR Risk: The nature and scope of a financial institution’s activities is a critical consideration in the identification of inherent risk. PSR risks can exist in the following operational areas:
• Lending
• Deposits
• Retail Investment and Insurance Sales
• Privacy and Consumer Information
• Advertising, Marketing, and Social Media
• Debt Collection
• Third-Party Relationships
• Other Products
• Other Regulations or Supervisory Guidance

The institution’s products and services impact the institution’s risk depending upon the financial institution’s size, market share, and portfolio concentration. The complexity of products offered and the associated likelihood of error should be considered.
Third-party relationships can present heightened risk, particularly for product delivery, but also for any operation, product, service, or activity provided or conducted by a third party on behalf of the institution. Finally, the institution’s strategic plan for growth and for the introduction of new products or services should also be taken into account.

Regulation risk measures the possible consequences to the institution and its customers of noncompliance with specific regulatory provisions. Regulation risk recognizes that the impact of noncompliance differs depending on the consumer law or regulation. For the public, it is the measurement of relative adverse financial impact or other harm that noncompliance may produce. For the institution, regulation risk is the measurement of legal, reputation, and financial harm that noncompliance may produce. For example, the financial harm both to the institution and to consumers associated with violations of the Truth in Lending Act (Regulation Z) requiring reimbursements far exceeds the consequences of an isolated undocumented check hold. The level of regulation risk is affected by such factors as:
• Potential financial and/or reputation harm to consumers;
• Potential legal, reputation, and financial harm to an institution;
• New laws, regulations, or amendments thereof; and
• The amount of transaction activity subject to a specific regulation.

In order to properly assess a financial institution’s risk, the EIC or designee also reviews the following aspects of the CMS, which may or may not mitigate the identified inherent risks:
• Board and Management Oversight
• Compliance Program
  o Policies and Procedures
  o Training
  o Monitoring and/or Audit Procedures
  o Complaint Response

Taking into consideration the conclusions drawn in each of the preceding components, and any other pertinent information, the examiner should identify and assess the inherent risk within the institution’s PSRs.
When the institution’s inherent risk is not sufficiently mitigated by its CMS, residual risk is present. To develop a risk profile of the institution and set the examination scope, the examiner should keep the risk scoping formula in mind (Inherent Risk – Mitigating Factors = Residual Risk). The areas with residual risk should be further reviewed or transaction tested during the examination. The result of the EIC’s assessment of risk and the specific issues to be investigated and areas to be targeted with transaction testing should be addressed in the ARCH, which is discussed in the next section.

It is important to remember that one element of a financial institution’s consumer compliance efforts may influence another area. Be aware of relationships and their mutual impact. For example, if the initial review of institution practices identifies a lack of audit of loan denials, the examiner should look to see whether monitoring procedures are in place to mitigate the impact of the lack of audit procedures. The existence of monitoring procedures may lead the examiner to determine that the absence of an audit does not raise the institution’s risk profile. Conversely, if the initial review of institution policies and procedures identifies well-organized, appropriate, and up-to-date written guidelines for deposit compliance management, the examiner should also consider the institution’s record of oversight in this area. If deposit compliance has historically suffered from poor management oversight, then the existence of written procedures should be given less weight when determining the risk profile. It is important to accurately identify inherent risk and weigh any mitigating factors that reduce the risk. This process requires the use of sound examiner judgment.
Developing the ARCH
The EIC should begin the risk scoping process by gathering information about the institution from both internal and external sources. The EIC uses information, such as prior consumer compliance and risk management reports of examination, correspondence, and available complaint information, to prepare for the pre-examination planning interview with the institution. Once the pre-examination planning interview is complete and the institution provides responses to the CIDR, the EIC can complete the ARCH. Follow-up contact with institution personnel during pre-examination planning is encouraged, if warranted, to properly determine the most appropriate examination scope.

The ARCH is divided into five sections and begins with an overview of the institution and examination, including current examination information, financial data, and previous examination supervisory comments. Examiners start the risk assessment process by describing the institution’s structure and supervisory history in Section 1, followed by an initial assessment of the CMS in Section 2. Examiners identify inherent risks in Section 3 by answering a series of questions about the institution’s operations, followed by an analysis of whether each inherent risk is low, mitigated, or results in residual risk of consumer harm. Examiners identify areas that result in residual risk as a PSR that will be reviewed as part of the scope of the examination. The PSRs are summarized in a table in Section 4, where examiners also document additional scope information. Sections 1-4 should be completed and approved by a supervisor or delegated designee prior to the start of the examination. Section 5 should be completed and approved if material changes to the scope of the examination are warranted. Examiner judgment is a critical aspect of properly evaluating an institution’s risk profile.
The ARCH allows examiners to use their judgment to focus and prioritize resources on areas (products, services, or regulations) that present the highest risk of consumer harm. The questions in the ARCH do not cover every potential risk but rather set out a basic framework to assist examiners in assessing and documenting an institution’s risk of consumer harm. Examiners are not limited to these questions and should consider all relevant facts when evaluating the institution’s risk profile. The ARCH is completed within DCP’s Pre-Examination Planning System and the final, approved ARCH must be uploaded and maintained in FOCUS.

Examination Activities: On-site and Off-site Decisioning
The FDIC has established standard consumer compliance consideration factors to ensure consistency in local decision-making when determining which examination activities should be completed on-site versus off-site. Each examination will be tailored to the risks identified during the planning process; however, all examinations are expected to have an on-site presence. This risk-focused approach encourages flexibility in application and relies on examiner judgment (in consultation with field management) to conduct the most effective and efficient examination that facilitates examiners assessing institutions’ compliance with consumer protection laws and the Community Reinvestment Act.
The appropriate mix of on-site and off-site examination activities will depend upon many factors, including the bank’s business model, risk profile, and complexity; loan file imaging and technological capabilities; institution space/working accommodations; banker feedback; training needs; on-site/off-site plans of RMS and other agencies (CFPB, state authority, etc.), when applicable; ability to collaborate on joint activities; and the need to establish ongoing and effective communication with bank management at each examination, among other considerations. The list below provides a general outline of certain examination activities that can be conducted on-site or off-site. However, examiners should consider the risk profile of the institution and the other factors provided above when determining which activities should be performed on-site versus off-site. When making determinations regarding off-site activities, examiners should further assess the aforementioned factors to decide whether to perform such activities in a field office or virtual environment.

NOTE: The activities listed below are not intended to be all-inclusive, nor is this direction meant to limit or constrain examiner judgment in conducting on-site activities when warranted.

Examiners may perform the following portions of the examination off-site, keeping in mind the risk profile of the institution:
• Conducting pre-examination planning and scoping activities
• Completing portions of low-risk fair lending and Home Mortgage Disclosure Act (HMDA) reviews
• Conducting portions of Community Reinvestment Act (CRA) evaluations, particularly for Small Banks and Intermediate Small Banks
• Reviewing policies/procedures; Board/committee packages and meeting minutes; risk assessments; and audit reports/workpapers
• Utilizing Regional Office and Washington Office specialist and Subject Matter Expert resources, including consumer compliance technology specialists, fair lending examination specialists, examination specialists, and other exam team members for out-of-territory exams when their assistance doesn’t require being on-site
• Reviewing loan files and deposit disclosures to the extent technology allows
• Completing training benchmarks where on-site performance is not necessary for effective training or clearly not required [note: the trainee and coach should generally work on-site together, in the bank and/or field office, as appropriate, while completing the benchmark]
• Training for large groups of pre- or newly-commissioned examiners via a training team [note: collaborative spaces in the field office can serve as an effective forum for group training sessions]
• Assessing and transaction testing for portions of lower-complexity/lower-risk areas
• Reviewing online bank systems, such as e-OSCAR, rewards checking, automated overdraft programs, credit bureau reporting, and escrow account administration, unless technology limitations require on-site review
• Writing the Report of Examination and finalizing examination workpapers

Examiners are generally expected to perform the following portions of the examination on-site:
• Conducting key meetings, including exit/Board meetings, and significant conversations with bank officers about potential consumer harm, possible downgrades, enforcement actions, significant fair lending discussions (e.g., criteria interviews), Unfair or Deceptive Acts or Practices concerns, and the CMS interview for higher-risk institutions
• Working side-by-side for Acting EIC assignments [note: Signing EIC and Acting EIC should be together to complete relevant portions of the exam for the EIC to observe and coach the Acting EIC on examination oversight, either in the bank and/or field office]
• Conducting transaction testing for high-risk PSRs, or when remote access is not available
• Training and instilling FDIC culture for pre-commissioned examiners and interns [note: this can be done with a combination of off-site in the field office and on-site at the bank]
• Observing situations that could lead to further investigation/examination activities (e.g., detecting internal control weaknesses, potential fraud, dominant officer situation, etc.)
• Training on first-time significant benchmarks to provide a more collaborative and hands-on development experience

Examination Review and Analysis
Throughout the review and analysis phase of the examination, the examiner should have discussions with management, the compliance officer, Directors, and other personnel to develop an understanding of how management approaches its consumer compliance responsibilities. These discussions will enable the examiner to determine whether and to what extent the financial institution has a CMS that is integrated into its daily operations.

Entrance Meeting with Senior Management
During the pre-examination planning stage, the EIC should schedule a meeting with senior management (e.g., the president, chief executive officer, compliance officer, and, if they wish, members of the Board). This meeting should take place as soon as possible after beginning the examination and should facilitate the discussion of various administrative items and the scope of the examination.
Matters to be discussed during the entrance meeting include:
• An overview of the examination process, including the use of information collected during pre-examination planning and its impact on the scope of the examination
• The names of FDIC examiners on the examination and whether they will be working on-site or off-site
• Anticipated length of the examination
• Activities expected to be conducted on-site and off-site, and communicating that adjustments may be made based on risk
• The EIC’s accessibility throughout the examination to discuss any issues relating to the examination and/or FDIC policy and practices, and communication preferences
• The identity of the individual(s) who is/are the primary contact person(s) for examination-related issues, and communication preferences for both on-site and off-site examiners
• Any issues identified during off-site review and analysis, particularly areas of significant risk of consumer harm that will be receiving close attention
• The materials requested during pre-examination planning that were not provided by the financial institution prior to the examination start date
• An explanation of the closing management meeting procedures
• The date of the next Board/trustees meeting (Management should be advised that, depending upon the examination findings, the FDIC may need to attend the regularly scheduled meeting or call for a special Board meeting.)
• Any issues related to the CRA evaluation and fair lending review

Examiners should use a written agenda to document the issues covered at the entrance meeting, and file a copy in the examination workpapers.

Ongoing Communication
Communication between financial institution management, Board, institution staff, and FDIC examination staff is a major component of an effective examination or visitation. Open communication should be maintained with management during the course of the examination. To the extent possible, all issues of concern should be discussed with management as they arise. This allows management time to provide additional relevant information or to begin correcting problems where appropriate. The financial institution’s Directors/trustees are encouraged to participate in regularly scheduled meetings with examiners. However, examination findings should be discussed with management prior to discussing them with Board members. Also, the EIC should notify the financial institution’s management as early as possible of any plans to meet with the Board to present examination findings. This will provide Directors/trustees with an opportunity to forego meetings during the examination, if that is their preference.

Review of the CMS
Based on information gleaned from the discussions with institution management and staff, along with the off-site review and analysis, the examiner should:
• Determine the quality of the institution’s CMS, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations
• Assess whether the CMS is effective at facilitating compliance
• Identify potential deficiencies in the CMS and areas of greatest risk of consumer harm
• Determine where transaction testing is necessary

The following sections include question lists that are intended to serve only as general guidance for the matters to be addressed during the examiner’s dialogue with institution personnel. The sections are organized by elements of the CMS and should be considered in conjunction with each of the different operational areas of the institution to come to a conclusion about the strength of each element overall. The questions will not apply to every examination scenario and should be customized to each situation. Examiner judgment must be used to determine whether additional pertinent questions should be asked. Because all the facets of a CMS are interrelated, certain themes will be repeated in the question lists for multiple sections. Throughout the examination process, the examiner should refer to the FDIC Laws, Regulations, and Related Acts as well as any pertinent outstanding FDIC guidance regarding the regulatory or policy requirements of each area under review.

NOTE: The Examination Checklists/Workpapers are not to be given to institution management to complete.

Applicable Statutes and Regulations
The CMS must adequately address (through oversight, policies and procedures, training, monitoring and/or audit, and complaint response) all areas related to the following Federal consumer laws, regulations, rules, and policy statements:

Lending
• Truth in Lending
• Flood Insurance
• Homeownership Counseling
• Real Estate Settlement Procedures
• Homeowners Protection
• Equal Credit Opportunity
• Fair Housing
• Home Mortgage Disclosure
• Preservation of Consumers’ Claims and Defenses
• Servicemembers Civil Relief
• Consumer Leasing
• Military Lending Act
• Secure and Fair Enforcement for Mortgage Licensing
• Protecting Tenants at Foreclosure

Deposits
• Truth in Savings
• Electronic Fund Transfers
• Expedited Funds Availability
• Garnishment of Accounts Containing Federal Benefit Payments
• Part 360 – Resolution and Receivership Rules