Consumer Compliance Outlook: Second-Third Issue 2023

Compliance Risk Assessments

By Kathleen Benson, Lead Examiner, Federal Reserve Bank of Chicago

Financial institutions are responsible for ensuring their compliance management systems (CMS) adequately mitigate the risk of violating consumer protection laws and regulations.1 Compliance risk assessments are a helpful tool for institutions to identify, understand, and manage the consumer compliance risk in their financial products and services. While the Federal Reserve generally does not require the institutions it supervises to conduct consumer compliance risk assessments,2 assessments scaled appropriately for the size and complexity of the institution provide significant benefits, including:

Federal Reserve examiners use a risk assessment process, detailed in Consumer Affairs (CA) letter 13-19, “Community Bank Risk-Focused Consumer Compliance Supervision Program,”3 when scoping examination activities. Although targeted to the examination process, the letter includes helpful definitions and concepts that can also be utilized by bank management. This article discusses risk assessment concepts, including those found in CA letter 13-19, that management may use to identify and manage consumer compliance risk.

Risk Assessment Terminology

These definitions are discussed in CA letter 13-19. However, the discussion only provides highlights of the risk considerations, since the letter is directed at examiners’ assessment of risk, rather than a process supervised institutions are required to use.

Inherent risk. Inherent consumer compliance risk is the likelihood and impact of noncompliance with consumer laws and regulations that apply to the institution’s products and services before considering the mitigating effects of risk management. Factors to consider include the complexity of applicable laws and regulations and the risk of consumer harm if the risk is not properly mitigated. The level of regulatory change and the maturity of the product or service can be factors in assessing inherent risk. For example, many institutions assessed the inherent risk of residential real estate lending as high when the TILA-RESPA Integrated Disclosures (TRID) requirement became effective in 2015 because TRID significantly changed the closed-end, residential mortgage loan origination process. Additional factors, such as product volume, complexity, and stability or reliance on third-party vendors, are detailed in CA letter 13-19. Inherent risk components are typically categorized as high, moderate, or low, as defined by the institution.

Risk management. Consumer compliance risk management considers the adequacy of board and management oversight of compliance-related activities and includes policies and procedures, monitoring activities supported by management information systems, and internal controls. The formality of risk management processes varies with the size and complexity of the institution. Smaller institutions, with less complex products and services, may rely on less formal risk management processes. In contrast, larger and more complex institutions (or smaller institutions with a business model that relies on complex partnerships) generally require formal written policies and procedures, multifaceted monitoring activities based on comprehensive management information systems that provide information to various levels of management and the board, and comprehensively documented internal control processes. Change management processes are recommended, although the processes may also vary in formality depending on the size and complexity of the institution. The adequacy of risk management components is typically categorized as strong, satisfactory, or weak, as defined by the institution.

Residual risk. Residual product risk is the remaining risk after controls are implemented to mitigate inherent risk. Effective risk management reduces the likelihood or impact of an inherent risk occurring. Residual risk components are typically categorized as high, moderate, or low, as defined by the institution.

Developing the Risk Assessment

Figure 1: Risk Assessment Process

A formal risk assessment may have both a quantitative aspect, such as the number of consumer complaints, and a qualitative process supported by a narrative about inherent risk levels and the adequacy of risk management processes. The risk assessment should involve business line management and compliance staff. Business line management owns the risk present in the business line and typically has the most detailed knowledge of products and services and business-line-embedded risk management processes, while compliance staff can oversee the process and ensure consistency among business lines, provide effective challenge, and ensure that compliance and audit controls are incorporated. An institution’s compliance committee and board of directors should also be involved through the review and approval of the risk assessment. The components of the risk assessment each have a particular focus (see Figure 1: Risk Assessment Process).

Inherent risk identification. This process focuses on material products, business lines, or services. Commercial and agricultural lending generally have similar compliance risk profiles, so they are frequently combined in risk assessments unless there are unique risk management processes associated with each. Residential real estate lending is often considered the most complex product line because it is subject to many laws and regulations, including the disclosure and substantive protections of the Truth in Lending Act, the mortgage servicing requirements of the Real Estate Settlement Procedures Act, the data collection and reporting requirements of the Home Mortgage Disclosure Act, and the flood insurance purchase requirements of the Flood Disaster Protection Act.
Institution-specific attributes, such as the presence or absence of Special Flood Hazard Areas in the institution’s market area or more complex product features such as adjustable-rate mortgages, escrow, and private mortgage insurance, are further considerations when performing an inherent risk assessment for residential real estate lending. Consumer loan products, including home equity lending and deposit products, typically round out the primary product and services categories. Institutions utilizing fintech products or offering deposit accounts with higher-risk add-on features, such as vendor-provided identity theft monitoring or other benefits, should explicitly include them in their risk assessment because of the higher risks of these products.

Fair lending risk associated with the institution’s products and services should also be considered in the compliance risk assessment, although larger and more complex institutions often opt to develop a separate fair lending risk assessment. Regardless of the size of the institution, an assessment of fair lending risk should consider the fair lending risk indicators from the 2009 Interagency Fair Lending Examination Procedures:4

Other important considerations to incorporate into a compliance risk assessment include the risk of unfair or deceptive acts or practices that is present when an institution develops and/or markets products and services.

Inherent risk assessments should also consider the following:

Risk management assessments. This process should consider whether board and management oversight and the institution’s compliance program (policies and procedures, training, monitoring and internal controls, and complaint management) provide a sufficiently robust assessment of the effectiveness of risk management practices. Smaller, less complex institutions may find that extensive policies and procedures are not necessary; however, considerations such as the degree of centralized risk management processes, employee knowledge or experience, and turnover are also important when assessing the need for documented policies and procedures and the frequency of training on laws, regulations, policies, and procedures. The adequacy of existing risk monitoring reports or processes used by business line management and the compliance function should also be assessed. When issues are identified, action should be taken to identify the root cause, enhance controls, and/or decrease inherent risk to prevent similar findings in the future.

The assessment of internal controls should consider automated system capabilities to disclose transactions properly and the need for manual checkpoints when gaps are identified in system functionality. Other important risk management considerations include the adequacy of loan or deposit processing forms and compliance checklists and similar items or a second review of documents before they are provided to consumers. Similarly, the frequency and severity of findings identified in examinations, compliance reviews, and internal or external audits should be considered when developing a conclusion about risk management adequacy. In less complex institutions, examiners frequently find that annual compliance audits are one of the strongest aspects of an institution’s CMS.

Even when risk management for a given product or service is deemed satisfactory after considering the items that have been noted, the risk assessment process provides the opportunity to identify and prioritize further improvements in risk management and/or to reduce risk, which can enable potential issues to be detected earlier.

Residual risk identification. After identifying residual risk, an institution should determine whether it aligns with the board’s risk appetite. This assessment may determine that risk management practices should be enhanced and/or that inherent risk should be reduced; examples of this could be providing additional training or procedural guidance to enhance controls, or, if a higher-risk product feature has not proved to be sufficiently profitable or utilized relative to the risk level, considering whether modifying the product offering is desirable. The most effective compliance risk assessments specifically ask whether changes are necessary, and, if they are, the action items clearly identify the responsible parties and the time frames in which the desired change is expected to occur.



Additional Considerations

Financial institutions may undertake formal compliance risk assessments using a product, service, and activity structure for the assessment. This approach allows business line management to identify inherent risk and assess the adequacy of risk management practices. In addition, narrative highlights or an executive summary can capture nuances of inherent risk and risk management practices that solely numeric assessments cannot. Examiners sometimes see risk assessments that are primarily structured around applicable laws and regulations. However, this type of assessment less frequently considers differences in business unit processes that may exist, which are critical to include. For example, adverse action processes under the Equal Credit Opportunity Act and the Fair Credit Reporting Act may differ on the commercial side of the institution compared with the consumer side, and the differences may not be noted and individually assessed for effectiveness without a business line approach. In addition, risk management practices are typically based around products and services and the areas responsible for them, rather than solely laws and regulations. Examiners have also noted that the use of highly numeric risk assessments can result in overly complex documents, or, at the opposite extreme, simplistic assessments that do not truly convey the nature of compliance risk, but instead reduce risks and risk management practices to mere numbers.

Both regulation-based and highly numeric risk assessments can adequately reflect conclusions about residual risk and the need for additional risk mitigation. However, examiners have generally found that a risk assessment structure based on products, services, and activities is more effective in conveying the many factors that should be considered in compliance risk assessments. These structures, with appropriate narratives or executive summaries, may also make it easier for an institution’s senior management and board to understand the risk assessment.

Finally, some institutions outsource the risk assessment process to qualified third parties. While this is a less typical approach, it may be particularly helpful for an institution undertaking a formal risk assessment process for the first time. After the initial risk assessment is completed with the third party, the institution may then be able to undertake the process itself. If an institution partners with a third party to develop its risk assessment, it is important for the institution to understand and agree with the third party’s risk assessment approach, because an institution is ultimately responsible for managing its own risk.

Examiner Review of Compliance Risk Assessments

An institution’s risk assessment process is one of the factors considered in the Uniform Interagency Consumer Compliance Rating System. The Board and Management Oversight assessment factor includes in its rubric the “comprehension, identification, and management of risks arising from the institution’s products, services, or activities.”6 Further, the qualitative description for 2-rated institutions indicates management “comprehends and adequately identifies compliance risks, including emerging risks, ...” and also “adequately manages those risks, including through self-assessments.”7 Examiners see a wide variety of risk assessment processes. A key consideration is that an institution’s process must meet its needs and provide an accurate assessment of compliance risk. This includes examples at less complex institutions where the limited complexity of the institution’s products, services, and activities allows seasoned institution management and compliance officers to orally convey their understanding of compliance risk and the effectiveness of risk management processes. However, most institutions the Federal Reserve examines, regardless of size, utilize formal compliance risk assessment processes because of the benefits provided.

Conclusion

Financial institutions have different ways to effectively identify, understand, and manage compliance risk. However, examiners have found that institutions with an effective CMS typically use formal compliance risk assessments. The work spent on the front end in conducting risk assessments to identify inherent risk and risk management processes can yield many benefits on the back end by ensuring that residual compliance risk is aligned with the institution’s risk appetite and that risk management practices reduce the likelihood of significant compliance issues.

Because many methods can be used to assess compliance risk, institutions performing risk assessments for the first time or enhancing an existing process are encouraged to discuss their risk assessment plans during their examination or when they anticipate modifying existing processes. Specific questions and issues should be discussed with your primary regulator.


ENDNOTES

1 See 2016 Uniform Interagency Consumer Compliance Rating System, 81 Federal Register 79473 (November 14, 2016).

2 In cases where examiners determine that compliance risk is not sufficiently identified or appropriately managed, examiners may require an institution to implement or enhance a compliance risk assessment.

3 See the Federal Reserve’s “Community Bank Risk-Focused Consumer Compliance Supervision Program” (January 1, 2014).

4 See Interagency Fair Lending Examination Procedures.

5 Risks associated with deposit overdraft services are discussed in the 2016 Outlook Live - Interagency Overdraft Services webinar.

6 See 2016 Uniform Interagency Consumer Compliance Rating System, 81 Federal Register at 79478.

7 See 81 Federal Register at 79481.