FDIC Consumer Compliance Examination Manual PDF
Summary
This document is a manual for consumer compliance examinations of financial institutions. It details the process, including off-site reviews, risk profiles, and the creation of the assessment of risk of consumer harm (ARCH) document. It covers key topics such as institution structure, supervisory history, and operational areas.
Full Transcript
II. Consumer Compliance Examinations – Review and Analysis
FDIC Consumer Compliance Examination Manual - November 2023

Review and Analysis

Introduction

The FDIC’s consumer compliance examination process assesses how well a financial institution manages compliance with federal consumer protection laws and regulations. The review period or scope typically covers bank activities conducted over a discrete period of time from the start date of the prior examination through the start date of the current examination. The review and analysis phase of the consumer compliance examination starts with a top-down, comprehensive evaluation of the compliance management system (CMS) used by the financial institution to identify, monitor, and manage its compliance responsibilities and risks. The procedures outlined below guide the examiner through an assessment of an institution’s CMS and assist the examiner in identifying specific areas of weakness for further analysis. Many procedures listed in this section can be performed at the field office or other location prior to the start of the examination, if materials are available.

Off-Site Review and Analysis

The Examiner-in-Charge (EIC) reviews and analyzes the material gathered from FDIC, third parties, and the institution in response to the Compliance Information and Document Request (CIDR) in order to develop the scope memorandum and plan the examination. This review and analysis should be broad enough to obtain an understanding of the organizational structure of the institution, its related activities, and the compliance risks associated with each of its activities. The review should be used to preliminarily determine whether the institution’s Board of Directors (Board) and management identify, understand, and adequately control the elements of risk facing the financial institution. In general, management and Directors are expected to have a clearly defined system of risk management controls governing the institution’s compliance operations, including those activities conducted by affiliates and third-party vendors. During this review the EIC should consider what types of questions should be asked during the examination to test whether the institution’s written policies and procedures accurately reflect actual operations.

Risk Scope Memorandum

The goal of a risk-focused, process-oriented examination is to direct resources toward areas with higher degrees of risk of consumer harm. To accomplish this goal, the examiner must assess the financial institution’s CMS as it applies to key operational areas and evaluate the risk of non-compliance with applicable laws and regulations. This process is documented by the examiner in a scoping memorandum, the Assessment of Risk of Consumer Harm (ARCH), which is reviewed and approved by the supervisor. The ARCH is developed during the pre-examination planning process and utilizes historical data, information obtained from the interview with the institution, and documents and information submitted by the institution in response to the CIDR. The ARCH describes the focus of the examination, including issues to be investigated and the products, services, or regulations that exhibit inherent risk not sufficiently mitigated by the institution’s CMS. The identified areas with residual risk will be further reviewed or transaction tested during the examination.

During the examination, the EIC should obtain approval for any material changes to the scope of the examination. The EIC describes the changes in a scope amendment that is submitted to the Field Supervisor and all appropriate Supervisory Examiners for review and approval. The final ARCH should be posted to the System of Uniform Reporting of Compliance and CRA Examinations (FOCUS), making it available to all staff and management during the exam review and for future internal use, especially for the start of the subsequent examination.

Developing a Risk Profile

Every institution has inherent risk based on strategic plans, products and services offered, past supervisory actions, business activity, and other factors. The ARCH will document the identified areas of inherent risk by considering the following:

• Institution Structure:
  o Significant factors or changes
  o Mergers or acquisitions
  o Significant growth since prior examination
  o De Novo status
• Supervisory History:
  o Current and past enforcement actions
  o Reimbursement history
  o History of compliance with fair lending laws and regulations
  o Current and prior regulator ratings and recommendations
  o Consumer-related litigation
  o Consumer complaints
• Operational Areas - Product/Service/Regulation (PSR) Risk:
  o Major product lines
  o New or revised products/services/regulations
  o Applicable regulations
  o Recent case law
  o Growth in operations
  o Complexity of operations
  o Third party affiliations

Institution Structure: A key component of a financial institution’s risk profile is its structure and business model. An examiner will consider the nature and complexity of, or any changes to, the organizational, management, and ownership structure; business strategy; market areas and customers served; delivery channels; any subsidiaries or affiliates that offer products or services or support operations; branching activities; any unique or niche characteristics; and any significant changes in the institution’s balance sheet composition or income.

Supervisory History: The financial institution’s past consumer compliance performance is an important consideration when developing its risk profile. Historic effectiveness of the CMS, including the results of previous examinations and management’s record of taking corrective measures, will impact its risk profile and ultimately the scope of the examination. The most recent consumer compliance history should be given the most weight. The EIC will be able to locate performance risk information in various areas, including the FDIC’s correspondence and enforcement records for the subject institution. The most recent Risk Management report and workpapers may contain additional information on the institution’s performance risk (e.g., comments regarding institution management).

Operational Areas – PSR Risk: The nature and scope of a financial institution’s activities is a critical consideration in the identification of inherent risk. PSR risks can exist in the following operational areas:

• Lending
• Deposits
• Retail Investment and Insurance Sales
• Privacy and Consumer Information
• Advertising, Marketing, and Social Media
• Debt Collection
• Third-Party Relationships
• Other Products
• Other Regulations or Supervisory Guidance

The institution’s products and services impact the institution’s risk depending upon the financial institution’s size, market share, and portfolio concentration. The complexity of products offered and the associated likelihood of error should be considered. Third-party relationships can present heightened risk, particularly for product delivery, but also for any operation, product, service, or activity provided or conducted by a third party on behalf of the institution. Finally, the institution’s strategic plan for growth and for the introduction of new products or services should also be taken into account.

Regulation risk measures the possible consequences to the institution and its customers of noncompliance with specific regulatory provisions. Regulation risk recognizes that the impact of noncompliance differs depending on the consumer law or regulation. For the public, it is the measurement of relative adverse financial impact or other harm that noncompliance may produce. For the institution, regulation risk is the measurement of legal, reputation, and financial harm that noncompliance may produce. For example, the financial harm both to the institution and to consumers associated with violations of the Truth in Lending Act (Regulation Z) requiring reimbursements far exceeds the consequences of an isolated undocumented check hold. The level of regulation risk is affected by such factors as:

• Potential financial and/or reputation harm to consumers;
• Potential legal, reputation, and financial harm to an institution;
• New laws, regulations, or amendments thereof; and
• The amount of transaction activity subject to a specific regulation.

In order to properly assess a financial institution’s risk, the EIC or designee also reviews the following aspects of the CMS, which may or may not mitigate the identified inherent risks:

• Board and Management Oversight
• Compliance Program
  o Policies and Procedures
  o Training
  o Monitoring and/or Audit Procedures
  o Complaint Response

Taking into consideration the conclusions drawn in each of the preceding components, and any other pertinent information, the examiner should identify and assess the inherent risk within the institution’s PSRs. When the institution’s inherent risk is not sufficiently mitigated by its CMS, residual risk is present. To develop a risk profile of the institution and set the examination scope, the examiner should keep the risk scoping formula in mind (Inherent Risk – Mitigating Factors = Residual Risk). The areas with residual risk should be further reviewed or transaction tested during the examination. The result of the EIC’s assessment of risk and the specific issues to be investigated and areas to be targeted with transaction testing should be addressed in the ARCH, which is discussed in the next section.

It is important to remember that one element of a financial institution’s consumer compliance efforts may influence another area. Be aware of relationships and their mutual impact. For example, if the initial review of institution practices identifies a lack of audit of loan denials, the examiner should look to see whether monitoring procedures are in place to mitigate the impact of the lack of audit procedures. The existence of monitoring procedures may lead the examiner to determine that the absence of an audit does not raise the institution’s risk profile. Conversely, if the initial review of institution policies and procedures identifies well-organized, appropriate, and up-to-date written guidelines for deposit compliance management, the examiner should also consider the institution’s record of oversight in this area. If deposit compliance has historically suffered from poor management oversight, then the existence of written procedures should be given less weight when determining the risk profile. It is important to accurately identify inherent risk and weight any mitigating factors that reduce the risk. This process requires the use of sound examiner judgment.

Developing the ARCH

The EIC should begin the risk scoping process by gathering information about the institution from both internal and external sources. The EIC uses information, such as prior consumer compliance and risk management reports of examination, correspondence, and available complaint information, to prepare for the pre-examination planning interview with the institution. Once the pre-examination planning interview is complete and the institution provides responses to the CIDR, the EIC can complete the ARCH. Follow-up contact with institution personnel during pre-examination planning is encouraged, if warranted, to properly determine the most appropriate examination scope.

The ARCH is divided into five sections and begins with an overview of the institution and examination, including current examination information, financial data, and previous examination supervisory comments. Examiners start the risk assessment process by describing the institution's structure and supervisory history in Section 1, followed by an initial assessment of the CMS in Section 2. Examiners identify inherent risks in Section 3 by answering a series of questions about the institution's operations, followed by an analysis of whether each inherent risk is low, mitigated, or results in residual risk of consumer harm. Examiners identify areas that result in residual risk as a PSR that will be reviewed as part of the scope of the examination. The PSRs are summarized in a table in Section 4, where examiners also document additional scope information. Sections 1-4 should be completed and approved by a supervisor or delegated designee prior to the start of the examination. Section 5 should be completed and approved if material changes to the scope of the examination are warranted.

Examiner judgment is a critical aspect of properly evaluating an institution’s risk profile. The ARCH allows examiners to use their judgment to focus and prioritize resources on areas (products, services, or regulations) that present the highest risk of consumer harm. The questions in the ARCH do not cover every potential risk but rather set out a basic framework to assist examiners in assessing and documenting an institution’s risk of consumer harm. Examiners are not limited to these questions and should consider all relevant facts when evaluating the institution’s risk profile. The ARCH is completed within DCP’s Pre-Examination Planning System and the final, approved ARCH must be uploaded and maintained in FOCUS.

Examination Activities: On-site and Off-site Decisioning

The FDIC has established standard consumer compliance consideration factors to ensure consistency in local decision-making when determining which examination activities should be completed on-site versus off-site. Each examination will be tailored to the risks identified during the planning process; however, all examinations are expected to have an on-site presence. This risk-focused approach encourages flexibility in application and relies on examiner judgment (in consultation with field management) to conduct the most effective and efficient examination that facilitates examiners assessing institutions’ compliance with consumer protection laws and the Community Reinvestment Act.

The appropriate mix of on-site and off-site examination activities will depend upon many factors, including the bank’s business model, risk profile, and complexity; loan file imaging and technological capabilities; institution space/working accommodations; banker feedback; training needs; on-site/off-site plans of RMS and other agencies (CFPB, state authority, etc.), when applicable; ability to collaborate on joint activities; and the need to establish ongoing and effective communication with bank management at each examination, among other considerations.

The list below provides a general outline of certain examination activities that can be conducted on-site or off-site. However, examiners should consider the risk profile of the institution and the other factors provided above when determining which activities should be performed on-site versus off-site. When making determinations regarding off-site activities, examiners should further assess the aforementioned factors to decide whether to perform such activities in a field office or virtual environment.

NOTE: The activities listed below are not intended to be all-inclusive, nor is this direction meant to limit or constrain examiner judgment in conducting on-site activities when warranted.

Examiners may perform the following portions of the examination off-site, keeping in mind the risk profile of the institution:

• Conducting pre-examination planning and scoping activities
• Completing portions of low-risk fair lending and Home Mortgage Disclosure Act (HMDA) reviews
• Conducting portions of Community Reinvestment Act (CRA) evaluations, particularly for Small Banks and Intermediate Small Banks
• Reviewing policies/procedures; Board/committee packages and meeting minutes; risk assessments; and audit reports/workpapers
• Utilizing Regional Office and Washington Office specialist and Subject Matter Expert resources, including consumer compliance technology specialists, fair lending examination specialists, examination specialists, and other exam team members for out-of-territory exams when their assistance doesn’t require being on-site
• Reviewing loan files and deposit disclosures to the extent technology allows
• Completing training benchmarks where on-site performance is not necessary for effective training or clearly not required
• Training for large groups of pre- or newly-commissioned examiners via a training team [note: collaborative spaces in the field office can serve as an effective forum for group training sessions]
• Assessing and transaction testing for portions of lower-complexity/lower-risk areas
• Reviewing online bank systems, such as e-OSCAR, rewards checking, automated overdraft programs, credit bureau reporting, and escrow account administration, unless technology limitations require on-site review
• Writing the Report of Examination and finalizing examination workpapers

Examiners are generally expected to perform the following portions of the examination on-site:

• Conducting key meetings, including exit/Board meetings, and significant conversations with bank officers about potential consumer harm, possible downgrades, enforcement actions, significant fair lending discussions (e.g. criteria interviews), Unfair or Deceptive Acts or Practices concerns, and the CMS interview for higher-risk institutions.
• Training and instilling FDIC culture for pre-commissioned examiners and interns [note: this can be done with a combination of off-site in the field office and on-site at the bank]
• Observing situations that could lead to further investigation/examination activities (e.g. detecting internal control weaknesses, potential fraud, dominant officer situation, etc.)
• Training on first-time significant benchmarks to provide a more collaborative and hands-on development experience [note: the trainee and coach should generally work on-site together, in the bank and/or field office, as appropriate, while completing the benchmark]
• Working side-by-side for Acting EIC assignments [note: Signing EIC and Acting EIC should be together to complete relevant portions of the exam for the EIC to observe and coach the Acting EIC on examination oversight either in the bank and/or field office]
• Conducting transaction testing for high-risk PSRs, or when remote access is not available

Examination Review and Analysis

Throughout the review and analysis phase of the examination, the examiner should have discussions with management, the compliance officer, Directors, and other personnel to develop an understanding of how management approaches its consumer compliance responsibilities. These discussions will enable the examiner to determine whether and to what extent the financial institution has a CMS that is integrated into its daily operations.

Entrance Meeting with Senior Management

During the pre-examination planning stage, the EIC should schedule a meeting with senior management (e.g., the president, chief executive officer, compliance officer, and if they wish, members of the Board). This meeting should take place as soon as possible after beginning the examination and should facilitate the discussion of various administrative items and the scope of the examination. Matters to be discussed during the entrance meeting include:

• An overview of the examination process, including the use of information collected during pre-examination planning and its impact on the scope of the examination
• The names of FDIC examiners on the examination and whether they will be working on-site or off-site
• Anticipated length of the examination
• Activities expected to be conducted on-site and off-site, and communicating that adjustments may be made based on risk
• The EIC’s accessibility throughout the examination to discuss any issues relating to the examination and/or FDIC policy and practices and communication preferences
• The identity of the individual(s) who is/are the primary contact person(s) for examination related issues and communication preferences for both on-site and off-site examiners
• Any issues identified during off-site review and analysis, particularly areas of significant risk of consumer harm that will be receiving close attention
• The materials requested during pre-examination planning that were not provided by the financial institution prior to the examination start date
• An explanation of the closing management meeting procedures
• The date of the next Board/trustees meeting (Management should be advised that depending upon the examination findings, the FDIC may need to attend the regularly scheduled meeting or call for a special Board meeting.)
• Any issues related to the CRA evaluation and fair lending review

Examiners should use a written agenda to document the issues covered at the entrance meeting, and file a copy in the examination workpapers.

Ongoing Communication

Communication between financial institution management, Board, institution staff, and FDIC examination staff is a major component of an effective examination or visitation. Open communication should be maintained with management during the course of the examination. To the extent possible, all issues of concern should be discussed with management as they arise. This allows management time to provide additional relevant information or to begin correcting problems where appropriate.

The financial institution’s Directors/trustees are encouraged to participate in regularly scheduled meetings with examiners. However, examination findings should be discussed with management prior to discussing with Board members. Also, the EIC should notify the financial institution’s management as early as possible of any plans to meet with the Board to present examination findings. This will provide Directors/trustees with an opportunity to forego meetings during the examination, if that is their preference.

Review of the CMS

Based on information gleaned from the discussions with institution management and staff, along with the off-site review and analysis, the examiner should:

• Determine the quality of the institution’s CMS, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations
• Assess whether the CMS is effective at facilitating compliance
• Identify potential deficiencies in the CMS and areas of greatest risk of consumer harm
• Determine where transaction testing is necessary

The following sections include question lists that are intended to serve only as general guidance for the matters to be addressed during the examiner’s dialogue with institution personnel. The sections are organized by elements of the CMS and should be considered in conjunction with each of the different operational areas of the institution to come to a conclusion about the strength of each element overall. The questions will not apply to every examination scenario and should be customized to each situation. Examiner judgment must be used to determine whether additional pertinent questions should be asked. Because all the facets of a CMS are interrelated, certain themes will be repeated in the question lists for multiple sections. Throughout the examination process, the examiner should refer to the FDIC Laws, Regulations, and Related Acts as well as any pertinent outstanding FDIC guidance regarding the regulatory or policy requirements of each area under review.

NOTE: The Examination Checklists/Workpapers are not to be given to institution management to complete.

Applicable Statutes and Regulations

The CMS must adequately address (through oversight, policies and procedures, training, monitoring and/or audit, and complaint response) all areas related to the following Federal consumer laws, regulations, rules, and policy statements:

Lending
• Truth in Lending
• Flood Insurance
• Homeownership Counseling
• Real Estate Settlement Procedures
• Homeowners Protection
• Equal Credit Opportunity
• Fair Housing
• Home Mortgage Disclosure
• Preservation of Consumers’ Claims and Defenses
• Servicemembers Civil Relief
• Consumer Leasing
• Military Lending Act
• Secure and Fair Enforcement for Mortgage Licensing
• Protecting Tenants at Foreclosure

Deposits
• Truth in Savings
• Electronic Fund Transfers
• Expedited Funds Availability
• Garnishment of Accounts Containing Federal Benefit Payments
• Part 360 – Resolution and Receivership Rules

Non-Deposit Products
• Investment Sales/Recordkeeping
• Broker/Dealer Rules and Exemptions (Regulation R)
• Consumer Protection in Sales of Insurance

Other Products or Issues
• Advertisement of Membership
• Electronic Banking
• Privacy of Consumer Financial Information
• Fair Credit Reporting Act, including FACTA
• Fair Debt Collection Practices
• Right to Financial Privacy
• Children’s Online Privacy Protection
• Telephone Consumer Protection
• Controlling the Assault of Non-Solicited Pornography and Marketing
• Third-Party Risk
• Unfair or Deceptive Acts or Practices
• Overdraft Payment Programs

Community Reinvestment Act (CRA)
• CRA Technical Requirements
• Branch Closings
• Interstate Banking and Branching

Evaluating Management Oversight

Material to be reviewed during completion of this section will include, at a minimum:

• The examiner-determined risk profile of the financial institution as it relates to management oversight
• Prior Reports of Examination, including Consumer Compliance, Risk Management, and specialty examinations (with a focus on the management component of each)
• Minutes of the meetings of the Board, Compliance Committee, Discount Committee, etc.
• New, modified or amended compliance-related policies, procedures, and other internal memoranda
• All files related to the receipt and resolution of compliance-related consumer complaints archived by the institution or the FDIC, including information from the FDIC’s automated complaint tracking system managed by the FDIC’s Consumer Response Unit
• Written management and Board response and follow-up to internal monitoring and to internal and external audits, if applicable
• Agreements with third parties to provide products or services, such as an outside vendor to provide compliance services and educational materials or with a networking broker/dealer to provide brokerage services
• Institution organizational chart and management résumés
• Examiner notes from discussions with the compliance officer, managers, etc.

Procedures

1. Review Board and committee meeting minutes. Review of these documents should give the examiner an indication of the following:

• Extent of Board oversight/involvement in assuring compliance with consumer protection and fair lending laws and regulations by the institution and, as applicable, by third-party providers
• Training of Directors and management regarding consumer compliance and fair lending issues
• Rationale for implementing new policies or procedures or modifying existing ones
• Any negative comments on rejected loan applications during Loan Committee or any other meeting (such records must be traced to the specific loan file to assure that no unlawful disparate treatment or discrimination was involved in the denial)
• Consideration of new loan or deposit products and strategies for their implementation
• Consideration of new software or software vendors
• Consideration of third parties for compliance audit, if applicable
• Approval of, and rationale for, branch openings and closings
• Whether the Board documented a review of the prior Consumer Compliance Report of Examination (ROE) that included, as applicable: a discussion of recommendations for policy changes, an adoption of those revisions, and a report regarding corrective action and subsequent testing for identified violations

2. Based on the material reviewed during pre-examination planning and the examination, and based on discussions with management, answer the following questions:

• What is the institution’s business strategy and what are the compliance implications of that strategy (for example, elevated risk due to rapidly growing subprime lending, cutting-edge e-banking activities, etc.)?
• What particular compliance-related areas does management feel are weak or in need of review?
• Have the Board and management worked to foster a positive climate for compliance?
• Has management allocated the appropriate level of resources to compliance?
• Does the institution have a designated compliance officer and/or Compliance Committee? If not, is the absence of an officer or committee significant in light of the institution’s resources and risk profile?
• Has management ensured that the compliance officer(s) and/or Compliance Committee has the appropriate level of authority and accountability to effectively administer the institution’s CMS?
• Has management responded appropriately and promptly to consumer complaints?
• Has management responded appropriately to deficiencies noted and suggestions made at previous examinations and audits?
• How does management stay abreast of changes in regulatory requirements and other compliance issues? Is this method appropriate in light of the institution’s resources and risk profile?
• How does management ensure that the institution’s staff stays abreast of changes?
• How does management ensure that compliance is considered as part of new product and service development, marketing, and advertising?
• How does management ensure that due diligence is performed prior to changing third-party product or service providers, such as software vendors or third-party audit providers?
• What is the level of management’s knowledge of compliance issues?
• Does the review of the Board and/or Compliance Committee minutes indicate a reasonable level of Board involvement?
• Is the Board aware that it is ultimately responsible for the institution’s CMS?

3. Develop and document a preliminary assessment of the institution’s performance related to this area. Is management oversight generally strong, adequate, or weak? On what is this assessment based?

Evaluating the Consumer Compliance Program

Policies and Procedures

Examiners are to determine whether the institution’s policies and procedures are appropriate to the risk in the products, services, and markets of the institution. Material to be reviewed during completion of this section will include, at a minimum:

• The examiner-determined risk profile of the financial institution as it relates to policies and procedures, including the institution’s business strategy, product offering, branches, third party relationships, etc.
• Compliance-related policies and other written compliance procedures
• Board minutes, Compliance Committee minutes, and other committee minutes, as applicable
• Examiner notes from discussions with the compliance officer, senior managers, etc.

Policies and procedures, whether written or unwritten, should cover all of the areas listed below. A financial institution may have other policies or procedures related to compliance not listed here that should be included in the examiner’s review, depending on the institution’s activities and risk profile.

• Compliance Policy – This may be a single document or a compilation of various documents each relating to specific areas of institution activity. In addition to specific guidance on daily compliance activities, the policy should provide for an adequate level of responsibility and authority for the compliance officer, Compliance Committee, and individual employees.
• Lending – Often, institutions will have separate policies for various lending types such as consumer, real estate, commercial, agricultural, etc. All should be reviewed during pre-examination planning.
• Deposits – Institutions often have separate policies for Regulation DD, Regulation E, Regulation CC, and Part 329.
• Electronic Banking – The adequacy of e-banking policies should be assessed in light of the level of activity in which the institution is engaged.
• Privacy – Institution privacy policies and procedures vary widely, depending on the level of information sharing involved.
• Non-Deposit Products – Policies and procedures must provide adequate guidance for the sale of investment and insurance products by institution employees (including loan officers who sell insurance during the loan process), dual employees, and on-site non-employee brokers.
• Branch Closing Policy – Section 42 of the Federal Deposit Insurance Act requires every financial institution that has one or more branch locations to maintain a branch closing policy.
• Truth in Lending Policy – Applicable to institutions as defined under section 1503(3) of the SAFE Act, 12 U.S.C. 5102(3). These may be incorporated into the Loan Policy or as stand-alone policies. For these institutions, written policies and procedures must be appropriate to the nature, size, complexity, and scope of the mortgage lending activities of the depository institution and its subsidiaries. They specifically must address lender compensation, prohibition on steering, and the requirements under the SAFE Act.
• Fair Credit Reporting Act – Policies and procedures must provide adequate guidance for the adequate reporting of consumer information, complaint resolution of consumer information, and safeguarding of consumer information.
• Overdraft Programs – Institutions providing overdraft programs should adopt written policies and procedures adequate to address the credit, operational, and other risks associated with these types of programs.

In order to ensure an accurate assessment of the institution’s CMS, each policy and procedure must be reviewed during pre-examination planning or the examination unless all the following are true:

1) The policy was reviewed at the prior FDIC consumer compliance examination
2) The review of the policy at the prior examination found no deficiencies
3) No changes or amendments have been made since the policy was last reviewed
4) There have been no significant regulatory or operational changes pertinent to the area covered by the policy since the prior examination.

NOTE: Additional guidance for the review of loan and appraisal policies is located in the Fair Lending Examination Procedures.

1. Conduct sufficient documentation reviews and management discussions to answer the following questions.

• What areas of compliance do the written policies or procedures cover?
• Which policies or procedures are unwritten?
• Is the use of unwritten policies/procedures adequate for the institution’s needs?
• Are policies, procedures, and standardized forms periodically reviewed and updated in response to regulatory changes and changes in the institution’s risk profile? How frequent are the reviews?
• Does the Board review and approve all changes to policies and procedures? If not, is the level of approval appropriate given the examiner-determined institution risk profile?
• Are there any practices that have become policy by virtue of the frequency of their occurrence? If so, do these practices conflict with formal policies or procedures?
• … personnel turnover?

2. Determine whether the institution’s policies and procedures provide the appropriate level of guidance for all employees and include clearly defined goals and objectives.

3. Develop and document a preliminary assessment of the institution’s performance related to this area. Are policies and procedures considered generally strong, adequate, or weak? On what is this assessment based?

Training

Examiners will determine whether consumer compliance training is current and tailored to risk of the institution and staff responsibilities. Material to be reviewed during completion of this section will include, at a minimum:

• The examiner-determined risk profile of the financial institution as it relates to training
• Compliance-related training documentation
• Do the policies give effective guidance to institution employees? • Are policies and procedures structured and implemented in such a way as to ensure fair and equitable treatment of all consumers? • Do the policies assign compliance responsibility? Are the assignments logical and reasonable given the time and resources available to those employees? • Examiner notes from discussions with compliance officer, managers, etc. 1. Review the institution’s trainingrecords and have sufficient discussions with management to answer the following questions: • Does every employee receive appropriate traininggiven his or her compliance responsibilities? • Do third party service providers receive appropriate training? • How often is training conducted? Is the frequency of training acceptable? • Do the policies provide appropriate authority to employees responsible for identifying and correcting deficiencies? • Is the training program continuously updated to incorporate accurate, complete information on new products and services, regulatory changes, emerging issues, etc.? • Are the policies and procedures established in such a way as to ensure a smooth transition in the case of key • Is the effectiveness of the training evaluated by management through delayed testing, before-and-after work product II – 5.8 FDIC Consumer Compliance Examination Manual – November 2023 II. Consumer Compliance Examinations – Review and Analysis reviews, or other means? • Regardless of whether staff training is conducted primarily in-house or is out-sourced, does management evaluate whether the institution’s trainingneeds are being met? As EIC, do you agree or disagree with management’s conclusions? 2. Develop and document a preliminary assessment of the institution’s performance related to this area. Is the institution’s training considered generally strong, adequate, or weak? On what is this assessment based? 
Monitoring and/or Audit Examiners should determine the sufficiency of the monitoring and, if applicable, audit to encompass consumer compliance risks throughout the institution. M aterial to be reviewed during completion of this section will include, at a minimum: • The examiner-determined risk profile of the financial institution as it relates to monitoring 3. Develop and document a preliminary assessment of the institution’s performance related to this area. Is the institution’s monitoringeffort generally strong, adequate, or weak? On what is this assessment based? Evaluating the Audit Function: M aterial to be reviewed during completion of this section will include, at a minimum: • The examiner-determined risk profile of the financial institution as it relates to the audit function • Audit policy, external audit agreement, or other written audit guidelines • Compliance-related internal and external audit reports, responses, and follow-up • Internal and external audit workpapers • Institution organizational chart • Compliance-related policies and other written compliance procedures • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable • Documentation of the results of monitoring activities • Examiner notes from discussions with audit staff, compliance officer, managers, etc. • Formal and/or informal reports to management of the findings, corrective actions, and related follow-up from monitoring procedures • Examiner notes from discussions with the compliance officer, manager, etc. Conduct documentation review and have sufficient discussions with management to answer the following questions: • What monitoring systems are in place for loan transactions? Deposit transactions? Investment and insurance sales activities? • Is every transaction subject to monitoring? If not, what is the level of transactional review? Is the level of monitoring adequate? 
• Does monitoring include a review of the performance by third party product or service providers? • Are the appropriate personnel conducting the monitoring (i.e. someone with daily involvement in the monitored area and who has received adequate training)? • How are errors that are identified during the monitoring process documented? • How are the errors corrected? • Is there appropriate follow-up when errors are identified (i.e. refresher training, disciplinary action)? 2. Determine whether the institution’s monitoring efforts encompass all applicable regulations. FDIC Consumer Compliance Examination Manual - November 2023 Exception: Do not request fair lending self-testing reports (or results). If, however, a financial institution voluntarily provides documentation of its fair lending self-testing, review the findings as part of the fair lending examination. NOTE: A financial institution’s audit or review of loan files, internal policies, and training material may indicate difference in the treatment of applicants that could constitute a violation of the fair lending laws. 1. Conduct documentation review and have sufficient discussions with management to answer the following questions: • Are internal audits conducted? How often and by whom? • If internal audits are conducted, is the auditor independent of the transaction being audited? If not, is this considered acceptable considering the institution’s resources and risk profile? • Are external audits conducted? How often and by whom? • Are internal/external audits comprehensive in scope? If audits are not comprehensive, do they cover all areas of significant risk? Do they include reviews at every branch location and of significant third party relationships? • Are audit findings compiled in writing? Do they identify the nature and circumstances (i.e., cause, time period, etc.) of the identified exceptions? 
Do they provide management enough information to (1) determine cause and (2) formulate an appropriate corrective action? • Are internal/external audits of sufficient quality? II-5.9 II. Consumer Compliance Examinations – Review and Analysis • Are the audit findings communicated to the Board either directly or through the compliance committee? institution’s consumer complaint response processes generally strong, adequate, or weak? On what is this assessment based? • Have audit report findings been appropriately addressed by the Board and senior management in a timely manner and include corrective actions and follow-up efforts? Transaction Sampling and Testing • Are written audit reports readily available for examiner review? 2. Develop and document a preliminary assessment of the institution’s performance related to this area. Is the audit function generally strong, adequate, or weak? On what is this assessment based? Consumer Complaint Response Examiners are to determine the responsiveness and effectiveness of the consumer complaint resolution process. M aterial to be reviewed during completion of this section will include, at a minimum: • The examiner-determined risk profile of the financial institution as it relates to consumer complaints • Consumer complaint policy or other written compliance procedures regarding complaints • All files related to the receipt and resolution of compliance- related consumer complaints archived by the institution or the FDIC, including information from the FDIC’s automated complaint tracking system (EPIC) • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable • Examiner notes from discussions with the compliance officer, managers, etc. 1. Conduct documentation review and have sufficient discussions with management to answer the following questions: • Has the institution implemented policies and procedures to handle consumer complaints about the institution and, as applicable, third party providers? 
• If policies and procedures are in place, do they comply with all regulatory requirements regarding complaints (maximum time limits for response, documentation requirements, etc.)? • If the institution has received consumer complaints, have all complaints been resolved satisfactorily? • Cross-referencing the complaints to all other areas of the CM S, does the t ype or quantity of complaints suggest any other areas in need of in-depth review? After analyzing the CM S elements in relationship to each of the institution’s inherent risks, the EIC will identify PSRs with residual risks and decide what transaction sampling and testing is necessary. The number of transactions and the particular regulatory requirements to be reviewed should be carefully tailored to weaknesses identified in the CM S as it relates to specific PSRs. For example, if there is a weakness in monitoring the calculation of Annual Percentage Rates in open-end credit transactions, then a sample of those calculations should be tested. It would not be necessary to test all Truth in Lending Act requirements. The severity of CM Sweakness and inherent risk will dictate the intensity of transaction testing; greater weakness and higher risk will generally lead to the review of more transactions. If the examiner finds a moderate degree of risk, then sufficient testing should be done to support a conclusion. Depending on the importance of an element, the examiner may find it appropriate to conduct a limited review of a couple of transactions to support a favorable conclusion. In certain cases, however, management’s admission that a violation occurred is sufficient to warrant the citation without transaction testing. This also negates the need to list specific transactions in the ROE. When transaction sampling and testing are conducted for PSRs exhibiting higher levels of residual risk, the examiner should tailor the actual sample and test to the identified weakness. 
If an inherent risk is sufficiently mitigated by the strength of the CM S, then minimal residual risk of consumer harm exists and transaction testingis not considered necessary. Consultation Policy Consultations and communication between field, regional, and Washington staff members help maintain the quality and consistency of consumer compliance, fair lending, and CRA examinations and supervision. Information communicated informally or through consultations alerts senior DCP officials to significant, unusual or emerging supervisory issues, which ensures that these issues receive appropriate and timely consideration. Current information from examiners in the field also helps the FDIC and interagency groups develop more realistic policies and regulations. • Does the institution review complaints to determine whether improvements or changes to products or operations should be made? Examination staff should consult with regional or field office management or staff if they find an unusual issue or problem. In turn, regional or field office management and staff are encouraged to consult with Washington subject matter experts, particularly with respect to findings, issues, or potential violations requiring guidance with respect to new regulations, or involving emerging/sensitive policy concerns. 2. Develop and document a preliminary assessment of the institution’s performance related to this area. Are the Certain situations, because of their sensitivity or potential impact, mandate that the regional and/or Washington II – 5.10 FDIC Consumer Compliance Examination Manual – November 2023 II. Consumer Compliance Examinations – Review and Analysis office(s) be consulted. Actions that require either approval or concurrence under delegated authority or DCP policy also require formal documentation. 
If a consultation results in an outcome inconsistent with the examiner’s recommendation, then the examiner and the review examiner should ensure that the language of the ROE or CRA Performance Evaluation is consistent with the final outcome. FDIC Consumer Compliance Examination Manual - November 2023 II-5.11