On April 29, 2016, the Federal Financial Institutions Examination Council (“FFIEC”) released a proposal to revise the existing Uniform Interagency Consumer Compliance Rating System (the “CC Rating System”). If adopted, the new CC Rating System would be used by prudential regulators and the Consumer Financial Protection Bureau (“CFPB”) in determining supervised entities’ consumer compliance ratings.
The FFIEC notes that the proposed changes are designed to better reflect agencies’ risk-based approach to examinations and changes to the legislative, regulatory, supervisory, technological and market environment since the CC Rating System was introduced in 1980. Although the ratings scale of 1 to 5 would not change under the proposal, the factors used by examiners in determining ratings would be different. As described in greater detail below, the new framework emphasizes the effectiveness of institutions’ compliance management systems (“CMS”) in managing compliance risk and preventing violations of law. The current CC Rating System evaluates many of the same factors, such as management’s commitment to compliance and adequacy of internal controls, but has historically viewed those items from a more transactional perspective. The proposed changes would require examiners to evaluate consumer compliance from a more formalized, systemic perspective. The proposed changes provide more detailed guidance on the elements of a CMS that examiners will expect to see.
The 12 new assessment factors are divided into three categories: (1) board and management oversight, (2) compliance program, and (3) violations of law and consumer harm. Institutions would receive a single overall rating, rather than a numeric rating for each factor. Institutions would also be eligible for incentives for preventing, self-identifying, and addressing consumer compliance violations.
Board and Management Oversight. Under the proposed CC Rating System, examiners would assess board and management oversight using the following four factors:
- Oversight and commitment to risk management, including devoting resources to compliance functions, ensuring accountability in compliance roles and performing comprehensive and ongoing due diligence of third parties.
- Change management, including prompt responses to, and due diligence in handling, changes in external factors (e.g., applicable laws and regulations and market changes) and internal factors (e.g., products and services offered).
- Comprehension, identification and management of risks associated with offered products and services, including emerging risks.
- Corrective action and self-identification, including responding to and remediating deficiencies.
Compliance Program. Under the proposed CC Rating System, examiners would assess institutions’ compliance programs using the following four factors:
- Adoption of policies and procedures that are appropriate to the risk in the products, services and activities of the institution and ensuring that third-party relationship management programs are strong.
- Training that is current, timely, proactively updated and appropriately tailored to the responsibilities of those receiving it.
- Monitoring and/or audit (if applicable) that is comprehensive, timely and tailored in order to measure material compliance risks throughout the institution.
- Consumer complaint handling that is responsive and effective and that involves management monitoring for potential consumer harm and deficiencies.
Violations of Law and Consumer Harm. The proposal emphasizes that the “consumer harm” that could raise supervisory concerns includes not just financial harm, but also harm to consumers, particularly under fair lending laws, laws prohibiting unfair or deceptive acts or practices and the Servicemembers Civil Relief Act. Under the proposed CC Rating System, examiners would assess how institutions handle violations of law and consumer harm using the following four factors:
- Root causes and whether the identified violations of law reflect weaknesses in the institution’s CMS.
- Severity of the harm to the consumer.
- Duration of the violations and whether they were addressed in a timely manner by management.
- Pervasiveness of the violations, including the number of consumers affected and whether the violations occurred across different products and services.
Incentives. The proposed CC Rating System would provide incentives to institutions for self-identifying violations of law and consumer harm. In particular, institutions’ ratings would be credited for early detection of compliance issues, prompt self-reporting of serious violations and appropriate corrective actions including programmatic changes and full redress for consumer injuries.
Ratings. Institutions subject to the proposed CC Rating System would continue to receive a rating of 1 to 5, with a rating of 1 reflecting a strong CMS that takes action to prevent violations of law and consumer harm and a rating of 5 reflecting a CMS that is critically deficient at managing consumer compliance risk and preventing violations of law and consumer harm. Under the proposed framework, ratings would account for the size, complexity and risk profile of the institution. In proposing the new CC Rating System, the FFIEC acknowledged that the sophistication and formality of an institution’s CMS are affected by these factors.
Timing. Comments on the proposed revisions to the Uniform Interagency CC Rating System are due by July 5, 2016. Comments can be submitted via Regulations.gov under Docket Number FFIEC-2016-0001.
In anticipation of the new CC Rating System, supervised institutions should consider evaluating their own CMS against the proposed assessment factors.