April A. Breslaw
On November 7, 2016, the agencies that comprise the Federal Financial Institutions Examination Council (FFIEC) finalized a proposal to revamp the consumer compliance rating system that they have used for 36 years. In doing so, the agencies—the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), State Liaison Committee (SLC), and Consumer Financial Protection Bureau (CFPB)—adopted the revised system substantially as they proposed it last May. Financial institutions should expect to receive supervisory ratings based on the new system in examinations that begin on or after March 31, 2017. This article explores what that will mean for the range of companies that offer consumer financial products and services.
Background and Implications
The revisions were proposed to reflect the regulatory, supervisory, technological, and market changes that have occurred in the years since the current rating system was established. According to the agencies, the adjustments are designed to align the rating system with their current risk-based approach to compliance examinations.
These goals translate into a heavy focus on the quality of a company’s compliance management system (CMS). The agencies believe that this approach could help to ensure compliance on a continuing basis, while recognizing that “… the sophistication and formality of the CMS typically will increase commensurate with the size, complexity, and risk of the entity.” The agencies assert that the new system is not intended to set new or higher supervisory expectations—and will not increase regulatory burden.
In practice, that may or may not be the case. All of the federal agencies do already conduct risk-focused exams. But implementing a robust CMS is a resource-intensive project—and the new rating system’s emphasis on CMS makes allocating these resources essential. In fact, it does not appear that companies will be eligible to receive a satisfactory rating under the new system unless they have a strong CMS—whether violations have occurred or not. Not only that, but if violations are deemed to be the result of serious or critical CMS deficiencies, adverse “4” or “5” ratings are likely.
What difference does an adverse compliance rating make? All of the agencies view an adverse rating as a sign that more supervisory attention is needed. An adverse compliance rating therefore increases the likelihood that a company will be re-examined soon—as well as monitored to ensure that the concerns that support the rating have been addressed. An adverse compliance rating also has implications for the safety and soundness of the institution itself, since the prudential regulators consider an institution’s ability to identify, measure, monitor, and control risks—including consumer compliance risks—as they evaluate the quality of management from a safety and soundness perspective.
What is the New System Expected to Accomplish?
The new system is intended to achieve multiple objectives. Most relate to the effectiveness of the rating system itself, meaning that it should help to ensure that:
• All institutions are evaluated in a comprehensive and consistent manner;
• The rating system is appropriate for institutions of all sizes;
• Institutions are incented to promote consumer protection in a proactive manner; and
• The agencies coordinate, communicate, and take consistent positions.
Separately, the new system should help ensure that the agencies deploy supervisory resources efficiently, i.e., focus on areas that pose risk of consumer harm and on institutions that warrant elevated supervisory attention.
How the New System Will Work: Rating Scale
For those a bit weary of change in the consumer compliance space, the good news is that the agencies are keeping the current five-scale framework. As is now the case, a “1” is the highest rating and also signals the lowest degree of supervisory concern. Under the new system, it will be assigned to a financial institution that “maintains a strong CMS and takes action to prevent violations of law and consumer harm.”
To achieve a “1,” companies must “promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner.” Put another way, the agencies have expressly defined the “1” rating to motivate companies to be proactive. Importantly, it also shows that the agencies recognize that violations can occur even at well-managed companies—but what matters is whether such problems are spotted promptly and resolved.
At the other end of the scale, a “5” represents the lowest rating. It signals an agency’s assessment that a company’s performance is critically deficient, and therefore warrants the highest degree of supervisory concern. A rating of critically deficient “indicates an absence of crucial CMS elements and a demonstrated lack of willingness or capability to take the appropriate steps necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.”
Notably, the distinction between a “4” and a “5” is driven by a company’s “capacity and willingness” to maintain a sound CMS, as well as the level of CMS deficiency that triggers violations. Consistent with this view, the agencies have stated that “an institution may receive a less than satisfactory rating even when no violations were identified, based on deficiencies or weaknesses identified in the institution’s CMS.”
Another way to think about it is that ratings of “1” or “2” represent satisfactory or better performance, while ratings of “3,” “4,” or “5” indicate performance that is less than satisfactory. This approach is consistent with the existing rating scale. But it is important to recognize that under the new system, a “2” will essentially become a “passing” rating. It will be assigned to a financial institution that maintains a CMS “… that is satisfactory at managing consumer compliance risk in the institution’s products and services and at substantially limiting violations of law and consumer harm.”
This type of rating does not exist in the current system. Instead, a “1” or “2” rating now indicates a “strong” compliance position and “3,” “4,” or “5” indicates a “weak” one. There is no “adequate” rating. In practice, the absence of a “satisfactory” rating has caused the regulators to apply the “2” and “3” ratings a bit subjectively. For example, consider a situation in which violations have caused only minor consumer harm and reasonable CMS adjustments could eliminate the problem. In such a case, it might be appropriate to assign a “2” rating under the current system because the company’s CMS is generally strong. Nevertheless, a “3” rating might be assigned because violations did occur and increased efforts are necessary. Supervisory staff may have been applying the stricter approach as a way of pressing an institution to make changes—even if some aspects of the current “3” definition didn’t fit.
The new system would offer the agencies the opportunity to provide a more accurate assessment based on a broader range of factors than they have previously used. But they may still face challenges as they attempt to evaluate companies that have demonstrated adequate performance in some areas and inconsistent performance in others.
Guiding Principles and Focus Categories
The new system will be based on a set of four key principles. The ratings are intended to be:
• actionable; and
• an incentive for compliance.
To carry out these principles, examiners will use a set of 12 assessment factors to evaluate the following three broad categories:
• board and management oversight;
• compliance program; and
• violations of law and consumer harm.
By evaluating board and management oversight and a company’s compliance program, examiners will reach conclusions about a company’s CMS. Consequently, this assessment will be made, “in the context of the size, complexity, and risk profile of an institution.” The third category includes assessment factors that will allow examiners to evaluate “the dimensions of any identified violation or consumer harm.”
Notably, under the new system, a company’s rating “… is not based on a numeric average or any other quantitative calculation.” On one hand, this means that an institution does not need to achieve a satisfactory rating in all categories in order to be assigned an overall satisfactory rating. So weaknesses in the management of a relatively limited product line might not generate supervisory concern. But it also means that an institution may be assigned a less than satisfactory rating even if it is performing adequately in some areas. This is because “[g]reater weight should apply to the financial institution’s management of material products with significant potential consumer compliance risk.” These provisions suggest that the risk profile of an institution will play a particularly important role in the determinations that examiners make.
Separately, companies should recognize that the agencies’ compliance expectations for board and management oversight and compliance programs extend to third-party relationships into which a financial institution has entered. In other words, a company’s compliance rating may be adversely affected by its failure to effectively manage the risks associated with outsourcing.
Assessing Board and Management Oversight
Examiners will make this assessment by determining whether or not board and management are engaged to a satisfactory degree at a particular institution. They will consider whether the company’s change management processes are effective, how the company manages compliance risks, and whether the company self-identifies consumer compliance issues and takes corrective action. Arguably, the quality of a company’s “compliance culture” could also be factored into this assessment.
Taking Stock of Compliance Programs
This aspect of the rating system covers the rest of the elements of an effective CMS: policies and procedures, training, monitoring and/or audit, and consumer complaint response. To evaluate the quality of a company’s program, examiners will consider whether its policies and procedures match the risk exhibited by its products, services, and activities; whether compliance training is current and tailored to both institutional risk and staff responsibilities; whether the company’s monitoring and audit efforts encompass compliance risks throughout the institution; and whether the company’s consumer complaint resolution process is responsive and effective.
Evaluating Violations of Law and Consumer Harm
According to the agencies, “Violations that result from critical deficiencies in the CMS evidence a critical absence of management oversight and are of the highest supervisory concern.” Consequently, when assessing violations of law and consumer harm, the agencies will allow examiners to consider the full range of market risks that may cause consumer harm in today’s business environment.
And consumer harm is defined broadly—it includes both financial and non-financial harm, such as denial of opportunity. The new system therefore directs examiners to consider all violations of consumer laws in the context in which they have occurred. This is a departure from the current system, in which only substantive fair lending violations explicitly receive adverse consideration.
Under the new system, examiners would incorporate violations into their rating assessments by considering four dimensions of the situation. These are:
• root cause (CMS weakness that gave rise to the problem);
• severity (type of consumer harm caused by the violation);
• duration; and
• pervasiveness (number of consumers affected and range of products and services involved).
Challenges of the New System
All of the agencies will use the new system to rate the institutions—bank and nonbank—under their respective jurisdictions. For a bank with assets over $10 billion, this means that both the CFPB and its prudential regulator will review and rate its CMS as well as its compliance with the various consumer protection laws that fall under each agency’s jurisdiction. Although the federal agencies primarily enforce federal law, state regulators may also consider whether a company is operating consistently with state law, if they assign consumer compliance ratings.
While this situation creates the potential for conflict, the agencies stated that all will continue to take each other’s “material supervisory information” into account as ratings are assigned. This arrangement does not ensure that the agencies will coordinate their approaches and work toward consistent results, although it does show that they are aware of the risks associated with pursuing inconsistent strategies.
It also highlights another issue: the new system does not require examiners to clearly explain their conclusions. Consequently, the system would be materially improved if it required examiners to supplement ratings with a statement highlighting the program elements and examination findings that support their assessments. As a practical matter, the agencies may expect their examiners to take this approach. If so, the agencies may be better able to appreciate the risk of inconsistent ratings and avoid them. Moreover, if examiners explain their conclusions clearly, companies will be better able to understand the range of feedback that the agencies provide when they evaluate different aspects of an institution’s business.
The finalized revisions to the consumer compliance rating system should enable the agencies to provide a more thoughtful assessment of companies’ consumer compliance performance. And the proposal’s emphasis on CMS may reinforce efforts by many companies to devote resources to this area. However, both the agencies and supervised companies would benefit if the agencies adopted the practice of requiring examiners to plainly state the basis for their evaluations.
What Stays the Same
- Use of 1-5 rating system
- Adverse impact of violations that persist over time or are widespread
- Role of examiner judgment in assigning ratings
- Consideration of a company’s size, complexity, and risk profile as rating is assigned
- All federal financial regulatory agencies would use rating system for all companies under their jurisdiction (bank and nonbank)
- Significant focus on CMS
- To receive a “1,” a company’s compliance program must prevent, self-identify, and address compliance issues proactively
- A “2” rating would signal “satisfactory” performance
- Management of third-party relationships is explicitly factored into a company’s rating
- A company’s risk profile will influence rating decisions
- Difference between “4” and “5” rating is the level of CMS deficiency and lack of oversight that presumably worsened problems
- All violations—not just those relating to fair lending—considered based on their severity
- Both financial and non-financial consumer harm taken into account
- States that assign consumer compliance ratings exams may use system
Treliant Risk Advisors, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry, brings to you New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the Fall-Winter 2016 issue.