Consumer Compliance Outlook: Fourth Quarter 2014

Managing Compliance Risk Through Consumer Compliance Risk Assessments

By Dorothy Stefanyszyn and Joe Detchemendy, Examiners, Federal Reserve Bank of St. Louis

Financial institutions face a variety of compliance risks every day, ranging from the risks associated with new products and services to the risks of operational failures involving existing products and services. It is therefore critical that institutions identify, measure, monitor, and manage the consumer compliance risks associated with their products, services, and business lines. A consumer compliance risk assessment (risk assessment) is an excellent tool to help accomplish these tasks. It generally involves identifying the current and future risks for an institution’s structure and business activities and then evaluating the institution’s procedures to control and mitigate these risks.

This article discusses the risk assessment process that the Federal Reserve Board (Board) outlined in its new Community Bank Risk-Focused Consumer Compliance Supervision Program (RFS Program),1 which was implemented in January 2014.2 The process outlined in the RFS Program illustrates one approach institutions can use to conduct risk assessments. While institutions have discretion about the way in which they conduct and document a risk assessment, examiners expect an institution to conduct an assessment across the organization and to document how effectively those risks are being controlled.

The Risk Assessment Process

The risk assessment process in the RFS Program has three components: identifying inherent risk, evaluating risk management controls, and measuring residual risk. Within an institution, the board of directors may delegate risk assessment responsibilities to bank management, business line staff, compliance personnel, or some combination of these groups. To obtain appropriately broad input, it may be necessary to reach across an institution’s different business and operational areas to gather feedback from managers and personnel about the controls in place and their efficacy.

The RFS Program includes an example of a risk assessment matrix, which is shown below. Examiners use this matrix to document the level of inherent risk, risk controls, and residual risk for the business lines, products, and services offered by the institution. The focus is on the institution’s material products. Product materiality considers the relative importance of a product to an institution compared with the institution’s other product offerings.

|  | Inherent Risk: Institutional Factors | Inherent Risk: Legal and Regulatory Factors | Inherent Risk: Environmental Factors | Risk Controls: Board and Management Design | Risk Controls: Policies, Procedures, and Limits | Risk Controls: Risk Monitoring and MIS | Risk Controls: Internal Controls | Residual Risk |
|---|---|---|---|---|---|---|---|---|
| Material Business Line, Product, or Service | | | | | | | | |
| Material Business Line, Product, or Service | | | | | | | | |
| Material Business Line, Product, or Service | | | | | | | | |
| Aggregate Risk and Risk Control Assessments | | | | | | | | |

Rating scales used in the matrix:
Inherent Risk — Low, Limited, Moderate, Considerable, or High
Risk Control Assessment — Strong, Satisfactory, Fair, Marginal, or Unsatisfactory
Residual Risk — Low, Limited, Moderate, Considerable, or High

Inherent Risk

Inherent risk considers the likelihood and impact of noncompliance with all applicable consumer laws and regulations prior to considering any mitigating effects of risk management processes.3 As discussed below, institutional, environmental, and legal and regulatory factors should be considered when determining inherent risk levels:

Under the RFS Program, inherent risk is evaluated using a five-point rating system: 1 = Low, 2 = Limited, 3 = Moderate, 4 = Considerable, and 5 = High. Each rating identifies the likelihood of significant or negative impact on the institution or consumers, and any expected sanctions, losses, or damage to reputation due to consumer compliance risk. Institutions are not required to use a particular rating system, and some institutions may use a different rating scale or use a color-coded system. The important point is to ensure that the rating system has a logical rationale that promotes consistent conclusions.

Risk Controls

Once the institution’s inherent risks are identified, the institution should evaluate the adequacy of its management systems to effectively monitor and control these risks within the institution’s business activities.4

The evaluation of mitigating controls and processes should consider the effectiveness of the traditional four pillars of a sound consumer compliance management program; namely:

Board and Senior Management

The risk assessment should evaluate board and senior management oversight to ensure that directors have a clear understanding of the types of risks to which the institution is exposed and that senior management is capable of managing the institution’s activities.5 The ways of promoting effective board and senior management oversight include:

Policies and Procedures

Policies and procedures should address the risks associated with the institution’s activities and provide guidance to staff to complete transactions or processes in accordance with applicable laws and regulations.6 Larger, more complex institutions have a greater need for written policies and procedures, while smaller, noncomplex institutions may have less formal policies and procedures. Limits are necessary to restrict products or services that the institution has identified as harmful or undesirable. Limiting the ability of lending personnel to deviate from the institution’s established underwriting or pricing guidelines without appropriate approval is an example of a limit that an institution might impose. Finally, ongoing training and education of staff are essential to maintaining a sound compliance management program and should be commensurate with the institution’s activities and organizational structure. It is important that the policies, procedures, and limits are consistent with the institution’s stated goals and objectives and that they clearly delineate lines of authority across the institution’s activities.

Risk Monitoring and Management Information Systems (MIS)

Risk monitoring and MIS should provide senior management and directors with timely information on the compliance risk exposure of the institution, as well as information for personnel engaged in the daily management of the institution’s activities.7 The sophistication of the risk monitoring and MIS will vary depending on the complexity and diversity of the institution’s operations but should address all of the institution’s material risks. Maintaining effective risk monitoring and MIS allows an institution to reevaluate its risks on a regular basis so management can respond in a timely and efficient manner to changes in the institution’s compliance risks.

Internal Controls

As discussed in the RFS Program, “effective internal controls are the foundation for the safe, sound, and compliant operation of a financial institution.”8 They should include procedures needed to promptly detect failures of accountability, and the procedures should be performed by competent persons who have no incompatible duties. The risk assessment should evaluate whether testing is performed to detect whether any preventive controls fail to work properly or are circumvented. Audit has the responsibility for independently monitoring and evaluating the effectiveness of controls.9 Finally, an institution should ensure that adequate controls are in place to review vendors affecting consumer compliance risk, including conducting due diligence in hiring and overseeing vendors, establishing contracts with vendors that clearly outline expectations and standards, evaluating the compliance risk associated with products or services offered by the vendors, and monitoring vendors’ adherence to contractual requirements.

Under the RFS Program, a five-point rating system is used to assess risk controls: 1 = Strong, 2 = Satisfactory, 3 = Fair, 4 = Marginal, and 5 = Unsatisfactory. Each rating reflects an assessment of the effectiveness of management’s ability to identify and control the consumer compliance risks posed by the institution’s business activities.

Residual Risk

The final step to completing the consumer compliance risk assessment is balancing the identified inherent risks and the effectiveness of the institution’s compliance risk management system to determine the level of remaining risk, or residual risk. Residual risk is the risk that remains after determining the level of inherent risk and reaching a conclusion about the effectiveness of risk controls associated with the institution’s material products. The residual risk determined for each of the institution’s material products is aggregated to capture the residual risk for the institution as a whole.10 Residual risk ratings are as follows: 1 = Low, 2 = Limited, 3 = Moderate, 4 = Considerable, and 5 = High.

Using the Risk Assessment Information

Once an institution completes a compliance risk assessment for all activities, the conclusions can inform business decisions about the products and services an institution offers or is considering offering. Management should also use the assessment to inform decisions about the adequacy of controls based on the level of residual risk. A well-constructed risk assessment serves as the foundation for a methodical, measured, and proactive approach to the consumer compliance challenges an institution faces. Additionally, a sound risk assessment process helps compliance personnel to respond proactively to changing compliance risks within the institution.

It is important for an institution to maintain and update its consumer compliance risk assessment, especially as it relates to:

The board is responsible for ensuring compliance with consumer protection laws and regulations, and therefore it should review and approve the risk assessment. The absence of board and senior management oversight of the compliance risk assessment process may indicate a weakness in the consumer compliance management program. The most effective risk assessments are supported by the board and senior management and are conducted regularly across all business units of the bank.

In today’s rapidly changing regulatory environment, regular consumer compliance risk assessments are important and beneficial. They can help a financial institution measure and mitigate the risks inherent in its consumer products and services, identify possible weaknesses in its controls and processes, and make any necessary changes to its consumer compliance management program in light of the assessment. Because risk assessments are risk focused, they place more weight on products, services, and processes that entail greater risk. The resulting assessments help management and the board know where the increased compliance risks reside so they can respond appropriately. Specific issues and questions related to risk assessment expectations should be raised with your primary regulator.