What Does Your Compliance Rating Mean?
by Darlia Fogarty, COO and Director of Compliance
The regulatory agencies developed a rating system in 1980, and at that time the rating was meant to reflect a validation of regulatory compliance rather than the effectiveness of the bank’s Compliance Management System (CMS). In November of 2016 the agencies announced an updated Consumer Compliance rating system. The new rating reflects the evaluation of the bank’s CMS. The change in mindset for ratings is based on the fact that, with an effective CMS, violations of law and regulation are less likely, and such a CMS can even prevent violations of law and regulation, all the while supporting consumer protection in the delivery of financial services.
The agencies developed the following principles as guidelines in assigning ratings for a bank’s Consumer Compliance Examination:
- Risk-based — Recognize and communicate clearly that a CMS can vary based on the size, complexity, and risk profile of each individual bank;
- Transparent — Provide clear distinctions between rating categories to support consistent application by the agencies across all supervised banks; reflect the scope of the review that formed the basis of the overall rating;
- Actionable — Identify areas of strength and direct adequate attention to specific areas of weakness, reflecting a risk-based supervisory approach; convey examiners’ assessment of the effectiveness of a bank’s CMS, including its ability to prevent consumer harm and to ensure compliance with consumer protection laws and regulations; and
- Incentives for Compliance — Provide incentives for the bank to establish an effective consumer compliance system across the bank and to identify and address issues promptly, including self-identification and correction of consumer compliance weaknesses; reflect the potential impact of any consumer harm identified in examination findings.
It is important to note that the revisions to the rating system were not developed to set new or higher supervisory expectations for banks. Instead, the revised system provides a consumer compliance rating that more fully represents the agencies’ risk-focused examination approach.
The new (and improved) rating system incorporates assessment factors from the following three categories:
Board and Management Oversight
- Oversight and Commitment
- Change Management and regulatory tracking
- Comprehension, Identification and Management of Risk
- Corrective Action and Self-Identification
- Policies and Procedures
- Day-to-day monitoring and/or audit
- Consumer Complaint Response program
Violations of Law and Consumer Harm
- Root Cause
- Pervasiveness or frequency
The first two categories are a direct reflection of the bank’s CMS. Examiners will evaluate the bank’s performance under these categories based upon the bank’s size, complexity, and risk profile. This tailored evaluation acknowledges that the roles and responsibilities of boards and management teams and the sophistication of compliance programs can vary significantly between banks and yet still be effective at ensuring compliance with regulatory requirements and preventing consumer harm. All banks, regardless of size, should and can maintain an effective CMS.
Compliance expectations within the first two categories of assessment factors also extend to third-party relationships in which the bank is engaged. Managing third-party relationships is also a reflection of a strong CMS. However, the rating will also reflect that, if a bank outsources the operational aspects of a product or service, the bank cannot abdicate the responsibility for complying with the law or managing the risks associated with those third-party relationships.
The third category encompasses assessment factors that measure the dimensions of identified violations of consumer protection laws and regulations and any resultant consumer harm. Similar to the old rating system, the assigned consumer compliance rating will be a number ranging from 1 to 5, in increasing order of supervisory concern.
The ratings are defined as:
- The highest rating of 1 is assigned to a bank that maintains a strong CMS and takes action to prevent violations of law and consumer harm.
- A rating of 2 is assigned to a bank that maintains a CMS that is satisfactory at managing consumer compliance risk in the bank’s products and services and at substantially limiting violations of law and consumer harm.
- A rating of 3 reflects a CMS deficient at managing consumer compliance risk in the bank’s products and services and at limiting violations of law and consumer harm.
- A rating of 4 reflects a CMS seriously deficient at managing consumer compliance risk in the bank’s products and services and/or at preventing violations of law and consumer harm. “Seriously deficient” indicates fundamental and persistent weaknesses in crucial CMS elements and severe inadequacies in core compliance areas necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.
- A rating of 5 reflects a CMS critically deficient at managing consumer compliance risk in the bank’s products and services and/or at preventing violations of law and consumer harm. “Critically deficient” indicates an absence of crucial CMS elements and a demonstrated lack of willingness or capability to take the appropriate steps necessary to operate within the scope of statutory and regulatory consumer protection requirements and to prevent consumer harm.
Examiners will assign a consumer compliance rating after weighing the bank’s performance under the new guidance. The bank need not achieve a satisfactory assessment in all of the factors to be assigned an overall satisfactory rating. However, the bank may be assigned a less-than-satisfactory rating even if some of its individual assessments are satisfactory.
The rating will be assigned at the conclusion of the examination and will represent an overall evaluation of the bank’s entire CMS and any violations, especially those that are determined to have resulted in consumer harm.
This article was originally published in the March 2018 edition of the C/A ACCESS magazine and may not be reproduced or reprinted without the expressed written permission of Compliance Alliance. All content is copyrighted with all rights reserved. For information about the author or republication of the article, please contact C/A at [email protected]