Updated Interagency Consumer Compliance Rating System

State member banks (SMBs) and other federally regulated banks will now receive consumer compliance ratings based on an updated interagency rating system. The Federal Financial Institutions Examination Council (FFIEC) issued the Uniform Interagency Consumer Compliance Rating System (CC Rating System) in November 2016.¹ The Federal Reserve System is applying the CC Rating System to exams that began on or after March 31, 2017. The updated system better reflects how we currently examine our SMBs, focusing on the SMB’s compliance management program and how effectively that program manages the SMB’s compliance risk. The updated system also supports comprehensive and consistent evaluation of financial institutions across the federal regulatory agencies and focuses supervisory resources on higher-risk areas. In this article, I discuss the factors that examiners will consider when determining a bank’s compliance rating, as well as some ways that banks can use the system to evaluate their own compliance programs.

How examiners will use the CC Rating System

What factors will examiners consider in determining a compliance rating? Banks will continue to receive a consumer compliance examination rating based on a scale of 1 to 5.² The rating system includes definitions for three rating categories that consist of qualitative descriptions rather than one definition for each rating. Specifically, examiners will evaluate the following 12 assessment factors, organized under three main categories, to determine the rating:

1. Board and Management Oversight
   • Oversight and Commitment
   • Change Management
   • Comprehension, Identification, and Management of Risk
   • Corrective Action and Self-Identification
2. Compliance Program
   • Policies and Procedures
   • Training
   • Monitoring and/or Audit
   • Consumer Complaint Response
3. Violations of Law and Consumer Harm
   • Root Cause
   • Severity
   • Duration
   • Pervasiveness

The first two rating categories—Board and Management Oversight and Compliance Program—include factors related to the bank’s compliance management system (CMS). Examiners will consider the size, complexity and risk profile of the bank when evaluating the effectiveness of the bank’s CMS. Examiners will evaluate the four factors in the third category—Violations of Law and Consumer Harm—to determine the significance of the violations, including the level of consumer harm involved.

Will anything change during the examination process? For the most part, the compliance examination process will not change. Examiners will continue to evaluate the effectiveness of the bank’s compliance management program, given the bank’s compliance risks, and will assess the significance of any identified violations. The CC Rating System addresses several areas in more detail than before, such as how a bank anticipates and responds to changes that impact compliance, the process the bank has for receiving and responding to consumer complaints, how a bank manages third-party relationships and how a bank self-identifies and/or takes corrective action on violations or other compliance weaknesses noted.

Our SMBs will likely see a few additional changes during our examinations. For example, the format and content of the compliance examination report will change somewhat to help ensure that we sufficiently explain the bank’s rating under the CC Rating System.

How banks can use the CC Rating System

The updated CC Rating System and the existing Community Bank Risk-Focused Consumer Compliance Supervision Program (Risk-Focused Program)³ provide useful guidance for banks when evaluating the effectiveness of their own compliance management programs. Each assessment factor in the new CC Rating System definitions contains a description and list of actions that correspond to the five rating levels.⁴ These descriptions provide details on factors that support particular ratings and help show how examiners will evaluate a bank’s compliance management program. Banks may find it valuable to assess their own programs using these same factors. Similarly, banks can use the Risk-Focused Program as a guide for self-assessing compliance risks and determining the most effective controls to use for addressing these risks. Using the CC Rating System and the Risk-Focused Program as guides for compliance self-assessment reviews can help the bank identify potential issues and address them effectively through improvements to the bank’s compliance program and/or operations.

Compliance resources

• CA 16-8: Uniform Interagency Consumer Compliance Rating System.
• CA 13-19: Community Bank Risk-Focused Consumer Compliance Supervision Program

Endnotes

1 Federal Reserve System, Consumer Affairs (CA) letter 16-8.

2 Under the rating system, a 1 rating represents the highest rating and consequently the lowest level of supervisory concern, while the 5 rating represents the lowest rating and consequently the most critically deficient level of performance and the highest degree of supervisory concern. Ratings of 1 or 2 indicate satisfactory or better performance. Ratings of 3, 4 or 5 indicate less-than-satisfactory performance. See CA letter 16-8.

3 CA letter 13-19.

4 FFIEC Guidance on the Uniform Interagency Consumer Compliance Rating System, CA letter 16-8.