Consumer Compliance Outlook: Fourth Quarter 2014

Managing Compliance Risk Through Consumer Compliance Risk Assessments

By Dorothy Stefanyszyn and Joe Detchemendy, Examiners, Federal Reserve Bank of St. Louis

Financial institutions face a variety of compliance risks every day, ranging from the risks associated with new products and services to the risks of operational failures involving existing products and services. It is therefore critical that institutions identify, measure, monitor, and manage the consumer compliance risks associated with their products, services, and business lines. A consumer compliance risk assessment (risk assessment) is an excellent tool to help accomplish these tasks. It generally involves identifying the current and future risks for an institution’s structure and business activities and then evaluating the institution’s procedures to control and mitigate these risks.

This article discusses the risk assessment process that the Federal Reserve Board (Board) outlined in its new Community Bank Risk-Focused Consumer Compliance Supervision Program (RFS Program),1 which was implemented in January 2014.2 The process outlined in the RFS Program illustrates one approach institutions can use to conduct risk assessments. While institutions have discretion about the way in which they conduct and document a risk assessment, examiners expect an institution to conduct an assessment across the organization and to document how effectively those risks are being controlled.

The Risk Assessment Process

The risk assessment process in the RFS Program has three components: identifying inherent risk, evaluating risk management controls, and measuring residual risk. Within an institution, the board of directors may delegate risk assessment responsibilities to bank management, business line staff, compliance personnel, or some combination of each of these groups. To include appropriately broad input, it may be necessary to reach across an institution’s different business and operational areas to gather feedback from managers and personnel regarding the controls in place and their efficacy.

The RFS Program includes an example of a risk assessment matrix, which is shown below. Examiners use this matrix to document the level of inherent risk, risk controls, and residual risk for the business lines, products, and services offered by the institution. The focus is on the institution’s material products. Product materiality considers the relative importance of a product to an institution compared with the institution’s other product offerings.

Product	Inherent Risk			Risk Controls				Residual Risk
Product	Institutional Factors	Legal and Regulatory Factors	Environmental Factors	Board and Management Design	Policies, Procedures, and Limits	Risk Monitoring and MIS	Internal Controls	Residual Risk
Material Business Line, Product, or Service
Material Business Line, Product, or Service
Material Business Line, Product, or Service
Material Business Line, Product, or Service
Material Business Lines, Product, or Service
Material Business Lines, Product, or Service
Aggregate Risk and Risk Control Assessments
Aggregate Risk and Risk Control Assessments
Inherent Risk — Low, Limited, Moderate, Considerable, or High; Risk Control Assessment — Strong, Satisfactory, Fair, Marginal, or Unsatisfactory; Residual Risk — Low, Limited, Moderate, Considerable, or High

Inherent Risk

Inherent risk considers the likelihood and impact of noncompliance with all applicable consumer laws and regulations prior to considering any mitigating effects of risk management processes.3 As discussed below, institutional, environmental, and legal and regulatory factors should be considered when determining inherent risk levels:

Institutional factors include the institution’s organizational structure, business model and strategies, compliance management structure and personnel, and supervisory history. Changes in business activity, product complexity, growth, vendor management, product volume, and historical trends should also be included. Assessments should consider institutional factors that tend to increase the level of consumer compliance risk, such as complex products, decentralized operations, or third-party relationships. In addition, institutions that offer an extensive branch network or multiple or nontraditional delivery channels will need to manage a higher level of consumer compliance risk than compared with an institution with limited branching and traditional delivery channels.
Environmental factors include external circumstances factors that could affect compliance risk, such as local business conditions, competition, and demographics. An institution in a fairly homogeneous, rural market may have lower environmental concerns than institutions in larger markets that exhibit greater diversity of income, ethnicity, and business competition. Inherent risks associated with the Equal Credit Opportunity Act, the Fair Housing Act, and the Community Reinvestment Act are typically greater for institutions in larger, more diverse markets, and require more sophisticated controls to mitigate these risks.
Legal and regulatory factors include the complexity of the regulations that apply to an institution’s business activities, regulatory changes, and the resulting consumer compliance scrutiny. If an institution fails to comply with consumer protection laws and regulations, or adhere to its own policies, procedures, and standards, it increases compliance risk of legal or regulatory sanctions, financial loss, consumer harm, or damage to reputation or franchise value.

Under the RFS Program, inherent risk is evaluated using a five-point rating system: 1 = Low, 2 = Limited, 3 = Moderate, 4 = Considerable, and 5 = High. Each rating identifies the likelihood of significant or negative impact on the institution or consumers, and any expected sanctions, losses, or damage to reputation due to consumer compliance risk. Institutions are not required to use a particular rating system, and some institutions may use a different rating scale or use a color-coded system. The important point is to ensure that the rating system has a logical rationale that promotes consistent conclusions.

Risk Controls

Once the institution’s inherent risks are identified, the institution should evaluate the adequacy of its management systems to effectively monitor and control these risks within the institution’s business activities.4

The evaluation of mitigating controls and processes should consider the effectiveness of the traditional four pillars of a sound consumer compliance management program; namely:

The level of board and senior management oversight, including the adequacy of staffing levels and the level of consumer compliance risk management expertise of staff
The adequacy of policies, procedures, and limits, as well as training provided to staff
The adequacy of risk monitoring and management information systems provided to directors and senior management to effectively manage the institution’s compliance management program
The adequacy of internal controls

Board and Senior Management

The risk assessment should evaluate board and senior management oversight to ensure that directors have a clear understanding of the types of risks to which the institution is exposed and that senior management is capable of managing the institution’s activities.5 The ways of promoting effective board and senior management oversight include:

Identifying and understanding the risks inherent in the institution’s activities, and using reporting systems to measure and monitor the major sources of risks to the institution
Reviewing and approving policies and procedures that mitigate inherent risks
Overseeing third-party vendors that provide products and services to the institution
Ensuring that business lines are managed and adequately staffed by knowledgeable and experienced staff consistent with the nature and scope of the institution’s activities
Supervising day-to-day activities by officers and employees, including management supervision of senior officers and heads of business lines
Anticipating and responding to risks that may arise from changes in regulatory or legal requirements, innovations in the market, and changes in the competitive market
Performing due diligence and risk assessments for new activities or products

Policies and Procedures

Policies and procedures should address the risks associated with the institution’s activities and provide guidance to staff to complete transactions or processes in accordance with applicable laws and regulations.6 Larger, more complex institutions have a greater need for written policies and procedures, while smaller, noncomplex institutions may have less formal policies and procedures. Limits are necessary to identify products or services that the institution has identified as harmful or undesirable. Limiting the ability of lending personnel to deviate from the institution’s established underwriting or pricing guidelines, without appropriate approval, is an example of a limit that an institution might impose. Finally, ongoing training and the education of staff is essential to maintaining a sound compliance management program and should be commensurate with the institution’s activities and organizational structure. It is important that the policies, procedures, and limits are consistent with the institution’s stated goals and objectives and that they clearly delineate lines of authority across the institution’s activities.

Risk Monitoring and Management Information Systems (MIS)

Risk monitoring and MIS should provide senior management and directors with timely information on the compliance risk exposure of the institution, as well as information for personnel engaged in the daily management of the institution’s activities.7 The sophistication of the risk monitoring and MIS will vary depending on the complexity and diversity of the institution’s operations but should address all of the institution’s material risks. Maintaining effective risk monitoring and MIS allows an institution to reevaluate its risks on a regular basis so management can respond timely and efficiently to changes in the institution’s compliance risks.

Internal Controls

As discussed in the RFS Program, “effective internal controls are the foundation for the safe, sound, and compliant operation of a financial institution.”8 They should include procedures needed to promptly detect failure of accountability, and the procedures should be performed by competent persons who have no incompatible duties. The risk assessment should evaluate whether testing is performed to detect if any preventative controls fail to work properly or if the controls are circumvented. Audit has the responsibility for independently monitoring and evaluating the effectiveness of controls.9 Finally, an institution should ensure that adequate controls are in place to review vendors affecting consumer compliance risk, including conducting due diligence in hiring and overseeing vendors, establishing contracts with vendors that clearly outline expectations and standards, evaluating the compliance risk associated with products or services offered by the vendors, and monitoring the vendor’s adherence to contractual requirements.

Under the RFS Program, a five-point rating system is used to assess risk controls: 1 = Strong, 2 = Satisfactory, 3 = Fair, 4 = Marginal, and 5 = Unsatisfactory. Each rating reflects an assessment of the effectiveness of management’s ability to identify and control the consumer compliance risks posed by the institution’s business activities.

Residual Risk

The final step to completing the consumer compliance risk assessment is balancing the identified inherent risks and the effectiveness of the institution’s compliance risk management system to determine the level of remaining risk, or residual risk. Residual risk is the risk that remains after determining the level of inherent risk and reaching a conclusion about the effectiveness of risk controls associated with the institution’s material products. The residual risk determined for each of the institution’s material products is aggregated to capture the residual risk for the institution as a whole.10 Residual risk ratings are as follows: 1 = Low, 2 = Limited, 3 = Moderate, 4 = Considerable, and 5 = High.

Using the Risk Assessment Information

Once an institution completes a compliance risk assessment for all activities, the conclusions can inform business decisions about the products and services an institution offers or is considering offering. Management should also use the assessment to inform decisions about the adequacy of controls based on the level of residual risk. A well-constructed risk assessment serves as the foundation for a methodical, measured, and proactive approach to the consumer compliance challenges an institution faces. Additionally, a sound risk assessment process helps compliance personnel to respond proactively to changing compliance risks within the institution.

It is important for an institution to maintain and update its consumer compliance risk assessment, especially as it relates to:

The introduction of new products
Changes to existing products
Regulatory changes
New or updated systems
Changes in compliance management personnel
Examination or audit findings
Changes in the institution’s strategy
Adoption of third-party vendor services

The board is responsible for ensuring compliance with consumer protection laws and regulations, and therefore, it should review and approve the risk assessment. The absence of oversight by the board and senior management to the compliance risk assessment process may indicate a weakness in the consumer compliance management program. The most effective risk assessments are supported by board and senior management and are conducted regularly across all business units of the bank.

Conclusion

In today’s rapidly changing regulatory environment, regular consumer compliance risk assessments are important and beneficial. They can help a financial institution measure and mitigate the risks inherent in its consumer products and services, identify possible weaknesses in its controls and processes, and make any necessary changes to its consumer compliance management program in light of the assessment. Because risk assessments are risk focused, they place more weight on products, services, and processes that entail greater risk. The resulting assessments help management and the board know where the increased compliance risks reside so they can respond appropriately. Specific issues and questions related to risk assessment expectations should be raised with your primary regulator.

¹ The Community Bank Risk-Focused Consumer Compliance Supervision Program can be accessed at http://www.federalreserve.gov/bankinforeg/caletters/Attachment__CA_13-19__Risk-Focused_Supervision_Program_Document.pdf.
² For further information regarding the RFS Program, refer to Jeffrey Drum, “Risk-Focused Consumer Compliance Supervision Program for Community Banks” (Second Quarter 2014 Outlook), available at https://consumercomplianceoutlook.org/2014/second-quarter/risk-focused-consumer-compliance-supervision-program-for-community-banks/.
³ See Federal Reserve Board, CA Letter 13-19, “Community Bank Risk-Focused Consumer Compliance Supervision Program,” November 18, 2013.
⁴ See RFS Program at 12.
⁵ See RFS Program at 23.
⁶ See RFS Program at 25.
⁷ See RFS Program at 27.
⁸ See RFS Program at 27.
⁹ See RFS Program at 27.
¹⁰ See RFS Program at 31.