FDIC's Compliance Examinations - An Overview for Credit Unions
[00:00:00]
Samantha: Hello, this is Samantha Shares. This episode covers the F D I C’s overview of its compliance examination program. This is relevant to credit unions since National Credit Union Administration Board Chairman Todd Harper has publicly discussed that the agency will soon begin separate compliance examinations and compliance ratings for some credit unions. It is reasonable to assume that N C U A will rely heavily on the F D I C’s approach.
The following is an audio version of that F D I C overview. This podcast is educational and is not legal advice. We are sponsored by Credit Union Exam Solutions Incorporated, whose team has over two hundred and forty years of National Credit Union Administration experience. We assist our clients with N C U A so they save time and money. If you are worried about a recent, upcoming or in process N C U A examination, reach out to learn how they can assist at Mark Treichel DOT COM. Also check out our other podcast called With Flying Colors where we [00:01:00] provide tips on how to achieve success with N C U A.
And now the Overview of Compliance Examinations
Introduction
The Federal Deposit Insurance Corporation (F D I C) promotes compliance with federal consumer protection laws, fair lending statutes and regulations, and the Community Reinvestment Act through supervisory and outreach programs. The F D I C conducts three types of supervisory activities to review an institution’s compliance management system: consumer compliance examinations, visitations, and investigations.
Consumer compliance examinations are the primary means the F D I C uses to determine whether a financial institution is meeting its responsibility to comply with the requirements and prescriptions of federal consumer protection laws and regulations. The consumer compliance examination review period or scope typically covers bank activities conducted over a discrete period of time from the start date of the prior examination through the start date of the [00:02:00] current examination. The F D I C conducts visitations for a variety of reasons: to review the compliance posture of newly chartered institutions or those converting to state non-member status; to review progress on corrective actions or compliance with an enforcement action in the interval between examinations; or to investigate problems brought to the attention of the F D I C.
Visitations are usually targeted events aimed at specific operational areas, or an entire compliance management system (C M S) previously identified as significantly deficient. Consumer compliance examinations and visitations may also be considered during the review of an application submitted to the F D I C (e.g., application for deposit insurance or establishing a branch). Finally, investigations are conducted primarily to follow-up on particular consumer inquiries or complaints, including fair lending complaints.
This section provides a general overview of the F D I C compliance examination. The [00:03:00] purposes of compliance examinations are to:
• assess the quality of an F D I C-supervised institution’s C M S (see “Evaluating the Compliance Management System”) for implementing federal consumer protection statutes and regulations;
• review compliance with relevant laws and regulations; and
• initiate effective supervisory action when elements of an institution’s C M S are deficient and/or when violations of law are found.
Examination Approach
In general, F D I C consumer compliance examinations of supervised institutions blend risk-focused and process-oriented approaches. Risk-focusing involves using information gathered about a financial institution to direct F D I C examiner resources to those operational areas where compliance errors present the greatest potential risks of having a negative impact on bank customers, resulting in consumer harm (See the Evaluating Impact of Consumer Harm section of this manual at page II-2.1 for additional information.) [00:04:00] Concentrating on the institution’s internal control infrastructure and methods, or the “process” used to ensure compliance with federal consumer protection laws and regulations, both acknowledges that the ultimate responsibility for compliance rests with the institution and encourages examination efficiency. These examinations are conducted at periodic intervals established by F D I C policy.
In addition, for certain institutions that exhibit elevated or unique risks of consumer harm (See the Complex Bank Supervision Program section of this manual at page II-15.1 for additional information), the F D I C has implemented a Complex Bank Supervision Program that employs a continuous supervisory strategy. These institutions often have complex business models, offer nontraditional products or services, and/or rely heavily on third-party relationships.
Determining Risk
Risk-focusing involves:
• developing a compliance risk profile for an institution [00:05:00] using various sources of information about its products, services, markets, organizational structure, operations, and past supervisory performance;
• assessing the quality of an institution’s C M S in light of the inherent risks associated with the level and complexity of its business operations and product and service offerings; and
• testing selected transactions based on risk such as when an operational area is determined to have a high risk of consumer harm and the institution’s compliance management efforts appear weak.
Evaluating the Compliance Management System
Compliance examinations start with a top-down, risk-focused process to comprehensively analyze and review an institution’s C M S. The compliance examiner considers:
Board and Management Oversight
• Commitment to and oversight of the institution’s C M S;
• Level of resources dedicated toward compliance functions;
• Due diligence and oversight of third parties to ensure compliance with consumer protection laws and [00:06:00] regulations, and appropriate oversight of third parties’ compliance responsibilities.
• Anticipation and responsiveness to changes in applicable laws and regulations, market conditions, and products and services offered;
• Due diligence reviews performed in advance of product changes, considering the entire lifecycle of the product or service, and after implementation of changes;
• Comprehension and identification of compliance risks, including emerging risks, in the institution’s financial products, services, and other activities;
• Management of identified risks, including self-assessments; and
• Identification of and responsiveness to compliance risk management deficiencies and violations of law or regulations, including remediation.
Compliance Program
• Appropriateness of the institution’s policies and procedures to address the risk in the products, services, and activities of the institution;
• Adequacy of third-party relationship program management;
• Degree to which compliance training is current [00:07:00] and tailored to risk and staff responsibilities;
• Sufficiency of monitoring and, if applicable, audit to encompass compliance risks throughout the institution; and
• Responsiveness and effectiveness of the consumer complaint resolution process.
Based on the results of this review, the examiner may conclude that weaknesses in the institution’s C M S may result in current or future noncompliance with federal consumer protection laws, regulations, or policy statements, thereby resulting in potential consumer harm. The examiner must determine, based on this analysis, whether transaction testing is warranted to further study particular risk in an entire operational area or regulation, or only a limited aspect of an area or regulation.
The F D I C examination approach appropriately recognizes that the Board of Directors and management of a financial institution are responsible for complying with all federal consumer protection laws and regulations. While the formality and complexity of the C M S will vary greatly among [00:08:00] institutions, the F D I C expects the Board of Directors and management of each institution to have a system in place to effectively manage its compliance risk, consistent with the size and complexity of its products, services, and markets.
Samantha: Managing the examination based on risk maximizes examiner efficiency and may reduce the on-site examination presence or examination timeframe, while emphasizing areas requiring elevated supervisory attention. By focusing on the C M S, examiners will be able to identify the root causes of deficiencies and suggest appropriate corrective actions designed to address the problem and prevent recurrence.
Applicability and Adaptability to Large and Small Institutions
In order to provide as much relevant and useful guidance as possible, the procedures detailed in this Manual include instructions for reviewing the various elements of a C M S, such as written policies and procedures, monitoring and/or audit, and training. When these elements are in place at an institution being [00:09:00] examined, the examiner will use the guidance to evaluate their effectiveness. However, the fact that certain elements of a C M S are described in these examination procedures is not intended to suggest that all institutions must maintain a C M S that includes all of these elements. Many institutions do not. There is no reason for them to, if their operations do not warrant it. Conclusions about the adequacy of a bank’s C M S must be based on the effectiveness of those elements that are in place, taken as a whole, for that bank’s particular operations.
For example, assume two institutions – a large, complex bank and a small, non-complex bank – each has a record of strong compliance with all regulations that apply to the products and services it offers. Because of the complex nature of its operations, the large bank’s C M S includes comprehensive external audits and formalized training from third-party vendors. The smaller bank’s C M S includes no internal or external audits and no formalized training except for the compliance [00:10:00] officer, who trains bank staff individually when needed. After reviewing all relevant material available, the examiner finds no significant deficiencies in the small bank’s C M S and no reason to believe that the adoption of an audit function or formalized training is necessary to ensure ongoing compliance. The examiner would not criticize the small bank for the absence of audit (or formal training). Nor should the examiner feel obliged to assign a higher rating to the larger bank simply because its C M S has more elements than the smaller bank. This is because each bank has a C M S that is adequate for the compliance responsibilities that are incumbent upon it due to its operating environment.
The descriptions of C M S Elements provided in the Manual will assist the examiner in evaluating the element if one exists and in suggesting content if he or she determines that management should consider adopting an element.
Role of the Compliance Examiner
Compliance examiners play a crucial role in the supervisory process. The [00:11:00] compliance examination, and follow-up supervisory attention to an institution’s compliance program deficiencies and violations, helps to ensure that consumers and businesses obtain the benefits and protections afforded them under federal law. To this end, an examiner’s efforts should help the financial institution improve its compliance posture and prevent future violations. Primarily, examiners must:
• establish an examination scope focused on areas of highest consumer harm risk;
• evaluate an institution’s C M S;
• conduct transaction testing where risks intersect with weaknesses in the C M S or uncertainties about aspects of that system; and
• report findings to the Board of Directors and management of the institution.
As part of the examination process, examiners are expected to:
• take a reasoned, common-sense approach to examining and use sound judgment when making decisions;
• maintain ongoing communication with financial institution management throughout an [00:12:00] examination.
• assist an institution to help itself improve performance by providing management with sound recommendations for enhancing its C M S;
• share experiences and knowledge of a successful C M S; and
• provide guidance regarding the various consumer protection and fair lending laws and regulations.
Overview of the Examination Process
Compliance examinations primarily involve three stages: pre-examination planning; review and analysis, both off-site and on-site; and communicating findings to institution management via meetings and a Report of Examination.
Pre-examination Planning
Pre-examination planning involves gathering information available in F D I C records and databases, contacting the financial institution to review and narrow the draft request for information and documents, and delivering a letter to the institution requesting specific information and documents for detailed analysis by the examination team (see Section III). Proper examination [00:13:00] preparation and planning maximizes an examination team’s time and resources.
Review and Analysis
Samantha: During the review and analysis phase of an examination, an examiner thoroughly evaluates an institution’s C M S to assess its quality and effectiveness, and documents system weaknesses and violations of federal consumer protection laws and regulations, if any. The Examiner-in-Charge (EIC) starts by analyzing information about the type, level, and complexity of the institution’s operations, and begins to develop the scope of the examination and plan for resource deployment to areas of highest risk. The EIC also preliminarily assesses the potential risk of consumer harm based upon the information available at the time of pre-examination planning.
The scope of an examination will be preliminarily established prior to entering the financial institution and should be refined through the results of examiner discussions with management, the compliance officer (or staff assigned), and the internal auditor. Consistent with the F D I C’s [00:14:00] approach, examination resources are focused on addressing the areas of highest consumer harm risk. Additionally, there may be some cases where the E I C may include additional areas in the examination scope even though consumer harm risk is not exhibited. An examiner may also limit the scope of the compliance review based on reliable procedures and controls in place. Similarly, the examiner may expand the review based on, for example, management’s view about compliance, a lack of necessary procedures or controls, the presence of violations, the identification of potential or actual consumer harm, or the presence of new or significantly amended regulations. The compliance review continues with an evaluation of the:
• commitment of the Board of Directors, management, and staff to compliance;
• qualifications of the compliance officer or designated staff;
• scope and effectiveness of compliance policies and procedures;
• effectiveness of training;
• thoroughness of monitoring and any internal/external reviews or [00:15:00] audits; and
• responsiveness of the Board of Directors and management to the findings of internal/external reviews and to the findings of the previous examination.
An examiner must consider the size, level, and complexity of an institution’s operations when evaluating the adequacy of an institution’s C M S.
The examination procedures outlined in this Manual are designed to enable an examiner to identify and measure compliance risk; make an assessment of an institution’s compliance infrastructure and methods for identifying, monitoring, and controlling compliance risk and potential consumer harm; and determine the transaction testing needed to assess the integrity of the C M S. The number of transactions selected and the type of sampling used should be relative to the perceived risk of consumer harm and the need to assess the level of compliance in an activity or function.
At the conclusion of the review and analysis phase, an examiner:
• summarizes all findings regarding the strengths and weaknesses of an institution’s CM [00:16:00] S;
• determines the cause(s) of programmatic deficiencies or Level 3 or Level 2 violations and relates them to the underlying root causes as well as specific weakness(es) in the institution’s C M S; and
• identifies actions necessary to address deficiencies or violations.
Determining the cause(s) of a program deficiency or violation is critical to recommending solutions that will successfully address problem areas and strengthen an institution’s compliance posture for the future.
Communicating Findings
Examiners must discuss findings and recommendations with management and obtain a commitment for corrective action. These discussions will be held during the course of the examination and at an exit meeting with management and/or the Board of Directors.
The results of the examination will also be communicated to the Board of Directors and management of the institution in a Report of Examination. The Report of Examination provides an account of the strengths and weaknesses of a C M S during the review period. [00:17:00] It is more than an exception-based document and should add value to the institution’s compliance efforts.
Samantha: Distinguishing Between Laws, Regulations, and Supervisory Guidance
Supervisory communications should distinguish clearly and accurately between the requirements of laws and regulations, which are legally binding and enforceable, and supervisory guidance, which is not itself enforceable but sets forth information including the factors the F D I C considers when exercising its supervisory authority.
As articulated in the Interagency Statement Clarifying the Role of Supervisory Guidance dated September 17, 2018 (FIL-49-2018), unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject [00:18:00] area.
Examiners will not criticize a supervised financial institution for a “violation” of supervisory guidance. Rather, any citations will be for violations of law, regulation, or non-compliance with enforcement orders or other enforceable conditions. During examinations and other supervisory activities, examiners may identify deficiencies in compliance risk management, or other areas that do not constitute violations of law or regulation. In some situations, examiners may reference (including in writing) supervisory guidance to provide examples of appropriate consumer protection practices, and other actions for addressing compliance with laws or regulations.
This concludes the F D I C’s overview of its compliance examination program.
If your credit union could use assistance with your exam, reach out to Mark Treichel on LinkedIn, or at Mark Treichel dot com. This is Samantha Shares and we thank you for listening.