On November 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) announced the adoption of a new interagency consumer compliance rating system, which applied to all consumer compliance examinations as of March 31, 2017. The new system reflects current regulatory expectations and existing examination practices and, as such, does not increase the regulatory burden.
The original rating system had been in place since 1980. At the time, examiners focused on transaction testing for regulatory compliance rather than evaluating the sufficiency of an institution's compliance management systems (CMS) to ensure compliance with regulatory requirements and prevent consumer harm. Over time, the agencies of the FFIEC adopted risk-based consumer compliance examination processes.
The revised system provides a framework and guidance to examiners to assist in assessing the effectiveness of an institution's CMS and overall compliance with consumer laws and regulations and protection of consumers.
Achieving multifaceted goals
The agencies' goals in updating the rating system include:
- Reflecting the changes in regulations, examinations, technology, and markets since the release of the original system
- Developing a tiered system appropriate for evaluating institutions of all sizes, complexities, and risk profiles
- Promoting consistency, communication, and cooperation between agencies in examination assessment and outcomes
- Responding to industry comments
The new rating system incorporates a risk-based, tailored approach. It also facilitates a transparent assessment and ratings process, provides actionable feedback to institutions, and offers incentives for institutions to ensure consumer protection by recognizing the value of proactively preventing, identifying, and addressing compliance issues.
Exploring the new rating scale
Examiner assessment of the CMS is a key factor in determining an institution's consumer compliance rating. The rating scale ranges from 1 through 5 in increasing order of supervisory concern. Thus, a rating of 1 represents the least supervisory concern, and a rating of 5 indicates the most critically deficient level of performance and the highest degree of supervisory concern. Below are specific definitions for each rating:
- The highest rating of 1 goes to a financial institution that maintains a strong CMS and takes action to prevent violations of law and consumer harm.
- A rating of 2 goes to a financial institution that maintains a CMS that is satisfactory at managing consumer compliance risk in the institution's products and services and at substantially limiting violations of law and consumer harm.
- A rating of 3 reflects a CMS deficient in managing consumer compliance risk in the institution's products and services and in limiting violations of law and consumer harm.
- A rating of 4 reflects a CMS seriously deficient in managing consumer compliance risk in the institution's products and services and/or in preventing violations of law and consumer harm. This designation indicates fundamental and persistent weaknesses in crucial CMS elements and severe inadequacies in core compliance areas necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.
- A rating of 5 indicates a CMS critically deficient in managing consumer compliance risk in the institution's products and services and/or in preventing violations of law and consumer harm. This designation indicates an absence of crucial CMS elements and a demonstrated lack of willingness or capability to take the appropriate steps necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.
Understanding the rating system categories and assessment factors
The assessment framework considers three categories: board and management oversight, compliance program, and violations of law and consumer harm. The first two categories assess the effectiveness of the CMS and should be evaluated in light of each institution's size, complexity, and risk profile. The expectations for these two categories also apply to third-party relationships, which can expose institutions to risks if not managed appropriately.
Although operations for products or services may be outsourced, the financial institution is responsible for ensuring compliance with laws and regulations and managing the associated risks. The final category evaluates the dimensions of any identified violation and consumer harm. The table below lists the assessment factors for each rating system category.
Category | Factors |
---|---|
Board and management oversight |
|
Compliance program |
|
Violations of law and consumer harm |
|
Evaluating performance using the consumer compliance ratings definitions
The consumer compliance rating is determined through an evaluation of the firm's performance under each of the assessment factors. To facilitate a transparent assessment and ratings process, each factor includes definitions for describing the supervisory considerations used to evaluate compliance performance. Specific numeric ratings will not be assigned to any of the 12 assessment factors. The rating reflects the effectiveness of an institution's CMS to identify and manage compliance risk in products and services and to prevent violations of law and consumer harm.
The evaluation of an institution's performance within the violations of law and consumer harm category takes into account each of the four assessment factors: root cause, severity, duration, and pervasiveness. At the levels of 4 and 5 in this category, the distinctions in the definitions focus on the root cause assessment factor rather than severity, duration, and pervasiveness. This approach is consistent with the other categories, where the difference between a 4 and a 5 is driven by the institution's capacity and willingness to maintain a sound consumer compliance management system.
The attachment to the FFIEC agencies' announcement provides additional information on the rating definitions and assessment factors.
How supervisors assign ratings
One of the goals of the revised consumer compliance rating system is promoting consistency, communication, and cooperation among agencies in examination assessments and outcomes. As such, the prudential regulators (the Federal Reserve, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the National Credit Union Administration) will continue to assign and update, as appropriate, consumer compliance ratings for institutions they supervise, including those with total assets of more than $10 billion.
As a member of the FFIEC, the Consumer Financial Protection Bureau (CFPB) will also use the consumer compliance rating system to assign a consumer compliance rating, as appropriate, for institutions with total assets of more than $10 billion. It will also use the system to assign a rating for nonbanks for which it has jurisdiction regarding the enforcement of federal consumer financial laws as defined under the Dodd-Frank Act. The prudential regulators will take into consideration any material supervisory information provided by the CFPB as that information relates to covered supervisory activities or covered examinations as defined in the May 16, 2012, memorandum of understanding on supervisory coordination. Similarly, the CFPB will take into consideration any material supervisory information provided by prudential regulators in appropriate supervisory situations.
State regulators maintain supervisory authority to conduct examinations of state-chartered depository institutions and licensed entities. As such, states may assign consumer compliance ratings to evaluate compliance with both state and federal laws and regulations. States will also collaborate and consider material supervisory information from other state and federal regulatory agencies during the course of examinations.