On April 29, 2016, the Federal Financial Institutions Examination Council (“FFIEC”) proposed a new uniform interagency consumer compliance rating system (the “CC rating system”). The FFIEC intends for this new CC rating system to align with the current FFIEC risk-based examination approach, with the focus on compliance management systems (“CMS”).1 The changes to the CC rating system are intended to address changes in consumer compliance supervision since the current system was adopted in 1980. Back in 1980, consumer compliance examinations were focused predominantly on transaction and other testing. Now, compliance examinations are intended to be more risk focused (a similar approach in goal to that of safety and soundness examinations).
In proposing the changes to the CC rating system, the FFIEC made clear that the proposal was not developed to set a new or higher supervisory expectation for compliance examinations, nor was the adoption of the proposal intended to represent any additional regulatory burden. Comments on the proposal are required by June 28, 2016.
The FFIEC proposes to retain its current scale of 1-5 consumer compliance rating2 with “1” representing the highest rating and “5” representing the lowest rating in increasing order of supervisory concern.3
The proposed changes emphasize that the CC rating system is intended to be “risk-based” in order to encapsulate the need for CMS to vary with the size, complexity and risk profile of the financial institution. Risk-based consumer compliance supervision evaluates whether a financial institution’s CMS effectively manages the compliance risk in products and services offered to consumers.
Notably, the FFIEC states that the Agencies believe it is important that the new rating system provide incentives for financial institutions to promote consumer protection by “preventing, self-identifying, and addressing compliance issues in a proactive manner.” The proposed ratings are intended to be (1) risk- based4, (2) transparent5, (3) actionable6 and (4) incent compliance.7 The primary purpose of the proposal is to provide that all institutions are evaluated both in a comprehensive and in a consistent manner, and that the Agencies use their resources to focus on areas exhibiting risk of consumer harm or on financial institutions that warrant elevated attention.
The proposed CC rating system includes three categories of assessment factors, which are:
- board and management oversight,
- compliance program, and
- violation of law and consumer harm.8
Under each of these four assessment factors, there are a number of sub-factors. Under the “board and management oversight” assessment factor, examiners will consider:
- oversight and commitment,
- change management,
- identification and management of risk, and
- corrective action and self-identification.
The overriding goal is to determine whether the board and management are sufficiently engaged in overseeing consumer compliance.
The compliance program will be assessed based on the following:
- policies and procedures,
- monitoring and/or audit, and
- consumer complaint response.
Thus, as we have recommended since the CFPB first adopted its consumer complaint process, financial institutions must have a vibrant consumer complaint system.
The third category of the proposed CC rating system is the one that we have found to have the most impact on the overall rating in the past, which is “violations of law and consumer harm.” The assessment factors are:
- root cause or causes of any violations of law identified,
- severity of any consumer harm resulting from violations,
- duration of time over which the violations occurred, and
- pervasiveness of the violations.
The FFIEC proposal further breaks down each of the assessment areas and correlates activity to what would generate a 1-5 rating. In this regard, the proposal is refreshing. Before the proposal, an institution had limited recourse in pushing back on assigned ratings. Pronouncements by the Agencies as to what would generate a poor rating were ill-defined. Previously, terms such as “system wide” and “significant” with regard to violations were used subjectively by examiners. In this regard, the FFIEC proposal puts welcomed “meat on the bones.”
Notably, the CFPB intends to apply the consumer rating system to nonbanks as well as those financial institutions with total assets of more than $10 billion. For institutions that are both supervised by a prudential regulator and the CFPB, the prudential regulators are to take into consideration any “material supervisory information” provided by the CFPB and vice versa. The state regulators may also conduct examinations of state-chartered financial institutions and other licensed entities (nonbanks, such as mortgage companies) and assign their own consumer compliance rating.
There are a number of helpful nuggets in the proposed changes. For instance, the FFIEC provides that the “relevant materiality of a product line” is meaningful to the overall rating. So, no more examinations where everything is just as important as everything else. The FFIEC provides an example. Specifically, it notes that serious weaknesses in the policies and procedures or audit program of the mortgage department at a mortgage lender would be of greater supervisory concern than the same gaps at an institution that makes very few mortgage loans and does so strictly as an accommodation. This example further reflects the intention that the evaluation of CMS should be scaled based upon the nature and extent of an institution’s activities.
Although the “proof will be in the pudding,” the proposal appears to be a welcome addition to the previously very limited canon of compliance standards.9 Institutions, especially compliance and risk management staff, would be well advised to “dog ear” much of what is in the proposal.