How Should Financial Institutions Prepare for a Consumer Compliance Examination?
Abraham Lincoln famously said: “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” For financial institutions undergoing a compliance examination, the wisdom of these words is especially true because preparing for the examination will reduce stress levels, help the examination run smoothly and efficiently, and allow financial institutions to manage the demands placed on compliance staff, management, and other staff in the organization.
For many institutions, preparing for examinations is more challenging because of significant changes in consumer protection regulations and supervision following the financial crisis. In 2010, Congress passed the Dodd–Frank Wall Street Reform and Consumer Protection Act, and in 2013, the Board of Governors of the Federal Reserve System issued an updated risk-focused supervisory program that emphasizes tailoring examinations to a bank's risk profile.2 Then in 2017, the Federal Financial Institutions Examination Council updated the Uniform Interagency Consumer Compliance Rating System to revise the framework examiners use for evaluating an institution's compliance management system. With all these significant changes, even tenured compliance officers are likely to ask a critical question: How can my institution better prepare for its upcoming consumer compliance examination?
This article discusses the Federal Reserve's typical examination process to provide insights into the purpose of each stage and the work involved. The article also provides specific suggestions about how financial institution managers and compliance officers can prepare for their next consumer compliance examination. By reviewing and understanding the examination process, financial institutions can appropriately budget time and resources, and compliance officers will be better equipped to facilitate an efficient and effective examination.
Review of the Examination Process3
The First-Request Letter
The first-request letter is a detailed questionnaire that requests specific documents and asks questions about the institution's compliance management program and factors that contribute to the bank's inherent consumer compliance risk. Examiners pair the bank's first-request letter responses with interviews about the bank's compliance program and business line controls. Examiners use this information during the scoping and risk assessment phase to develop the bank's detailed risk profile.
Risk Assessment and Scoping
Before the Federal Reserve implemented risk-focused examinations in 2013, the traditional compliance examination often involved reviewing all products, services, and activities at each financial institution. This approach meant that examiners developed a less-detailed institutional profile before visiting the financial institution, and the examination scope was virtually unchanged from institution to institution. In contrast, risk-focused examinations consider the institution's risk profile, including the inherent consumer compliance risk associated with its products and services and how effectively it identifies and manages this risk. To effectively scope a risk-focused examination before arriving onsite, examiners create a more detailed institutional profile to understand the unique characteristics of each institution and perform a thorough risk assessment of its products and services. This additional work on the front end of the examination process streamlines the overall assessment by focusing exam activities on the areas of highest risk.
Risk-focused examinations align examination activities with the residual risk of an institution's products, services, and activities. Higher-residual risk areas receive higher-intensity reviews, and lower residual risk areas receive lower-intensity reviews or no review at all. Transaction testing (i.e., reviewing a sample of consumer transactions to verify compliance) is associated with a higher-intensity review, whereas interviews of key institution staff may be sufficient for a lower-intensity review. Transaction testing may also involve either a full or a targeted review of prior transactions for compliance with regulatory requirements. Financial institution managers and compliance officers should be able to discern the areas that the examiner-in-charge (EIC) deems to be higher risk, based on the files and documents requested in the second-request letter and the interviews that the EIC schedules during the examination.
The Second-Request Letter
As part of a risk-focused approach, some Reserve Banks may use a second- request letter. While the first-request letter typically asks for a broad range of documents and information, the second-request letter is a tailored document that focuses on the institution's higher-risk areas. The documents requested in the second-request letter generally reflect the EIC's scoping decisions, and they will be the focus of the majority of the onsite examination. Examiners usually perform transaction testing on documents requested in the second- request letter.
Onsite Examination
Once onsite, examiners will continue the examination by conducting transaction testing, interviewing staff, and investigating possible violations. How much time examiners spend onsite will vary, depending on the size, complexity, and risk profile of the institution.
Closing meetings summarize examiner findings from the scoping and examination process. Ideally, these meetings do not surprise financial institution management or compliance officers because examiners are expected to discuss issues with the institution's management during the examination. Examiners will review any identified violations and provide observations about the effectiveness of the bank's compliance management program. Additionally, if examiners identify notices of “Matters Requiring Attention” or “Matters Requiring Immediate Attention,” they will also discuss these topics at the closing meetings. Reserve Banks will issue the final report no later than 60 days after the examination closing date.
Preparing for the Examination Process
How can a financial institution's management and compliance staff prepare for an upcoming consumer compliance examination? The following sections group preparation practices in relation to the examination process. The first section offers suggestions appropriate for banks that have not yet received their first-request letter and therefore have more time to deliberate and research before their next examination. When a bank receives its first-request letter, it shifts to a tactical response. Finally, when a bank receives its second-request letter, the focus turns to practical advice for managing the remainder of the process.
Before the Examination Process Begins
To maintain an effective compliance program, institutions often review relevant federal guidance, previous examination results, and their own processes. These ongoing procedures can help institutions prepare for the next examination. But once an examination begins, institutions typically have limited time to dedicate to these tasks, so early planning can have long-term benefits. To prepare, institutions may consider the following suggestions:
- Review Relevant Guidance. Reserve Bank examiners receive training on and are required to
follow Consumer Affairs Letters (CA Letters). The Federal Reserve's Division of Consumer and Community
Affairs issues CA Letters to communicate significant policy and procedural matters related to the Federal
Reserve System's consumer compliance supervisory responsibilities. For this reason, financial institution
management teams and compliance officers should familiarize themselves with the guidance contained in these
letters.4 In particular, the following two important topics are addressed in CA Letters:
- The Community Bank Risk-Focused Consumer Compliance Supervision Program5 provides the framework that examiners use to determine whether an institution is effectively controlling its compliance risk. Therefore, understanding this program is essential to understanding how examiners scope and examine a financial institution's compliance management systems. The program can also be helpful in guiding a financial institution in setting up its own compliance risk assessment processes.
- The new Uniform Interagency Consumer Compliance Rating System6 provides the updated rating system that complements the current risk-focused examination approach. While this new rating system does not set new or higher supervisory expectations, it does provide a new framework that highlights the different assessment factors used to determine an institution's consumer compliance rating. Institutions may find that these factors receive more attention during their next examination because the report of examination now addresses these factors in the compliance ratings analysis.7
- Review Previous Report of Examination. Review the institution's previous consumer compliance report of examination. This report details how examiners evaluated the institution's compliance management system at the previous consumer compliance examination and any matters that required management's attention. This document determines which pillars of the institution's compliance management system that examiners determined were strong, satisfactory, or in need of improvement. It is also worth considering what has changed at the bank since the previous examination that could have affected these assessments.
- Review Any Corrective Action Processes. Be prepared to discuss the financial institution's processes for taking corrective action. Once an institution identifies an issue, it should have a process in place to remedy the issue and verify that it does not reoccur. This process should include finding the issue's root cause, following up with the appropriate staff and management, implementing a solution, and monitoring ongoing performance to ensure the issue does not happen again. One way to demonstrate an effective corrective action program is to document that the institution has adequately addressed issues from the previous examination, audits, and internal reviews. The EIC is likely to follow up on these issues, so it is helpful if the financial institution addresses these areas before its next examination.
- Review Change Management Processes. Be ready to share the financial institution's story of how its compliance management system identifies and responds to change. Change often increases compliance risk, whereas a lack of change may suggest that existing satisfactory controls are still effective. Sources of change may include new regulatory requirements, new products, new vendors, increased volume for existing products, changes in management structure, and an increase in the number of branches. Successful compliance management systems anticipate change, evaluate its significance, and implement responses across impacted business lines.
- Review Consumer Complaints. Be prepared to explain and to show how the institution addresses consumer complaints, which can provide an opportunity to reevaluate the financial institution's controls. Institutions with a strong compliance management system collect consumer complaints from all sources: branch locations, emails, or voice mails, even social media. Complaints, especially when a trend is identified, can indicate possible deficiencies in a compliance management system. Effective compliance programs ensure that management takes appropriate corrective action to address any identified deficiencies revealed in the complaint resolution process.
During the Examination Process
Once an institution receives a first-request letter, it will begin to gather documents and oversee the examination process. To manage the document-gathering process for examiners, many financial institutions appoint a central point of contact, who is often the compliance officer. Here are some suggestions on how to be strategic with bank resources and manage examiner expectations once the examination begins.
- Understanding the First-Request Letter — The primary purpose of the first-request letter is to provide examiners with information that enables them to assess the institution's residual risk for each of its products, services, and activities. Financial institutions should evaluate information requests with this in mind. Institutions should not interpret questions too narrowly. Instead, they should think of information requests as an opportunity to help examiners learn about the institution's risk profile, which will ultimately lead to a more accurate and tailored examination scope.
- Responding to Requests. When reviewing the first- request letter, if any individual request raises questions or seems excessively burdensome, the central point of contact can ask the EIC to clarify why the requested information is needed or propose alternatives. This approach helps ensure that the information-gathering process is as effective as possible.
- Providing Scoping Oversight. Before the onsite examination interviews begin, examiners often conduct interviews with business-line personnel as part of the examination scoping process. Institutions may consider appointing a central person, possibly the compliance officer, to attend the interviews, if possible. These interviews give the compliance officer a better understanding of the examination's focus and provide opportunities to ensure that examiners receive complete responses to their inquiries.
After scoping the examination, the EIC should have an understanding of how many examiners will visit the financial institution and the extent of their stay. It won't be long before the second-request letter arrives, and the institution should start planning to have examiners in the building. Here are some practical suggestions for managing the process:
- Clarify Details. Confirm the arrival date and the number of onsite examiners so the financial institution can reserve a working space large enough to accommodate them.
- Examination Oversight. The compliance officer or other designee should offer to schedule any interviews and confirm that needed employees will be present. As schedules permit, financial institutions should schedule more tenured employees for interviews because they are more experienced with the institution's practices.
- Closing Report. At the closing meeting, examiners will confirm if the examination is finished. If so, the institution can expect to receive the examination report within 60 days. If not, the institution can consider offering assistance with any outstanding matters.
CONCLUSION
With a better understanding of the mechanics of consumer compliance examinations, bankers can reduce examination stress levels and perhaps even anticipate what to expect at different stages of the examination process. Financial institution management and compliance officers can prepare for their next consumer compliance examination, which can help limit the number of surprises during the examination and help examiners reach their conclusions efficiently. For specific questions about your next examination, state member banks should contact their Reserve Bank consumer compliance team.
Endnote
1 This article specifically addresses the consumer compliance examination process for state-chartered banks that are members of the Federal Reserve System. While we believe many of the practices are generally applicable to financial institutions, readers should establish examination expectations with their institution's specific regulator.
2 Consumer Compliance Outlook reviewed the new program in 2014; Jeffrey Drum, “Risk-Focused Consumer Compliance Supervision Program for Community Banks,” Consumer Compliance Outlook (Second Quarter 2014). This program applies to state-chartered banks that are members of the Federal Reserve System.
3 The processes described are typical, but financial institution management may experience some differences. For example, you may interact with a variety of Reserve Bank examination staff throughout the examination preparation and scoping processes. In addition, the timing or sequence of certain events could vary.
4 The Federal Reserve's collection of CA Letters is available at https://www.federalreserve.gov/supervisionreg/caletters/caletters.htm.
5 See CA Letter 13-19, “Community Bank Risk-Focused Consumer Compliance Supervision Program,” November 18, 2013, available at https://www.federalreserve.gov/supervisionreg/caletters/caltr1319.htm.
6 See CA Letter 16-8, “Uniform Interagency Consumer Compliance Rating System,” November 22, 2016, available at www.federalreserve.gov/bankinforeg/caletters/caltr1608.htm.
7 For a more in-depth discussion of the factors that comprise the new consumer compliance rating system, see Lanette Meister, “Implementing the New Uniform Interagency Consume Compliance Rating System,” Consumer Compliance Outlook (First Issue 2017).