The Federal Financial Institutions Examination Council (FFIEC), whose members include the CFPB, has finalized guidance setting forth a revised uniform interagency consumer compliance rating system (CCRS). The revisions reflect changes in consumer compliance supervision since the current rating system was adopted in 1980. The other FFIEC members are the Fed, FDIC, NCUA, OCC, and State Liaison Committee. The FFIEC members plan to implement the revised rating system for consumer compliance examinations that begin on or after March 31, 2017.
The guidance states that as a FFIEC member, the CFPB will use the CCRS “to assign a compliance rating, as appropriate, for institutions with total assets of more than $10 billion, as well as for nonbanks for which it has jurisdiction regarding enforcement of Federal consumer financial laws as defined under the Dodd-Frank Act.” (While the guidance refers to the CFPB’s “jurisdiction regarding enforcement,” it seems a more accurate reference would have been to the CFPB’s authority to supervise such entities for compliance with Federal consumer financial laws.)
The guidance also states that the prudential regulators will take into consideration any material supervisory information provided by the CFPB as it relates to covered supervisory activities or covered exams and that the CFPB will similarly take into consideration any material supervisory information provided by prudential regulators in appropriate supervisory situations. It notes further that an institution with total assets of more than $10 billion can receive a consumer compliance rating from both its primary prudential regulator and the CFPB which is based on each agency’s review of the institution’s CMS and compliance with federal consumer protection laws falling under each agency’s jurisdiction.
In the Supplementary Information accompanying the final guidance, the FFIEC observes that when the current system was adopted, examinations focused more on transaction testing for regulatory compliance than on an institution’s compliance management system (CMS) to ensure compliance with regulatory requirements and prevent consumer harm. The FFIEC states that the revised system is “designed to better reflect current consumer compliance supervisory approaches and to more fully align the [CCRS] with the Agencies’ current risk-based, tailored examination approaches” and were “not developed with the intention of setting new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden.”
The CCRS includes three categories of assessment factors: board and management oversight, compliance program, and violations of law and consumer harm. The assessment factors in the three categories consist of the following:
- To assess an institution’s board and management oversight, examiners will consider: oversight and commitment to the institution’s CMS; effectiveness of the institution’s change management process; comprehension, identification and management of risks arising from the institution’s products, services, and activities; and any corrective action undertaken as consumer compliance issues are identified.
- To assess an institution’s compliance program, examiners will consider: whether the institution’s policies and procedures are appropriate to the risk in the institution’s products, services, and activities; the degree to which compliance training is current and tailored to risk and staff responsibilities; the sufficiency of monitoring, and if applicable, auditing, to encompass compliance risks; and the responsiveness and effectiveness of the consumer complaint resolution process.
- To assess an institution’s violations of law and consumer harm, examiners will consider: the root causes of any violations identified during examinations; the severity of any consumer harm resulting from the violations; the duration of time over which the violations occurred; and the pervasiveness of the violations. The CCRS includes incentives for self-identification and prompt correction of violations.
The revised rating system uses a scale of 1 through 5, with 1 representing the highest rating and lowest degree of supervisory concern and 5 representing the lowest rating and most critically deficient level of performance and thus the highest degree of supervisory concern. An institution’s overall rating under the CCRS is intended to reflect a comprehensive evaluation of the institution’s performance under the rating system by considering the categories and assessment factors in the context of the institution’s size, complexity, and risk profile.
The CCRS does not assign specific numeric ratings to any of the above assessment factors and an institution’s rating is not be based on a numeric average or any other quantitative calculation. As a result, an institution does not have to receive a satisfactory rating in all categories to receive an overall satisfactory rating. Conversely, even if some assessments are rated as satisfactory, an institution can still receive an overall less than satisfactory rating.