Proposed New Ratings for Compliance-Is This a Brave New World?

A Two Part Series.  Part Two – Change Creates Opportunity.

In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions.    Once these new guidelines are adopted, not only will they represent a strong departure from the current system for rating, they also present a strong opportunity for financial institutions to greatly impact their own compliance destiny.   Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy.

The Proposed New Rating System 

The new rating system is designed to focus on the Compliance Management System (“CMS”) that an institution has established to administrate its compliance effort.  This assessment is supposed to be risk based which means that for each institution, the CMS should be unique.  The size, complexity and risk profile of an institution should dictate the structure of the CMS.

The compliance ratings will focus on three specific areas:

  1. Board Oversight
  2. The Compliance Program
  3. Violations of Law and Consumer Harm

The guidance notes that part or all of the CMS can be outsourced to third party providers, with the caveat that the financial institution cannot outsource the responsibility for compliance.  In other words, the financial institution will be held accountable for the failures of its third party provider.    For each of these areas, the guidance describes the specific factors that the examination team should consider:

Board Oversight:

The areas that will be evaluated for Board Oversight are listed below.   A review of these factors indicates that the examiners will be asked to focus on the compliance environment.  The overall level of importance assigned to compliance will be considered as part of the assessment of the institution’s management.   This is consistent with the growing focus placed by prudential regulators on the management component of compliance.

  • Oversight of and commitment to the institution’s compliance risk management program;
  • effectiveness of the institution’s change management processes, including responding timely and satisfactorily to any variety of change, internal or external, to the institution;
  • comprehension, identification, and management of risks arising from the institution’s products, services, or activities; and
  • any corrective action undertaken as consumer compliance issues are identified.

Compliance Management System

The factors listed for the compliance management system are familiar and include the following:

  1. Whether the institution’s policies and procedures are appropriate to the risk in the products, services, and activities of the institution;
  2. The degree to which compliance training is current and tailored to risk and staff responsibilities;
  3. The sufficiency of the monitoring and, if applicable, audit to encompass compliance risks throughout the institution; and
  4. The responsiveness and effectiveness of the consumer complaint resolution process.

These factors give the examination team the ability to look at a compliance system in the context of the institution.  Since each institution is unique, the system for compliance should be reviewed in light of the overall operation of an individual financial institution.

Violations of Law and Consumer Harm

The final area of consideration is where the “rubber meets the road” for compliance programs.  Ultimately, the goal of compliance programs has to be to mitigate against the possibility of compliance violations.  As part of evaluating compliance programs the examiners have to consider the following:

  1. The root cause, or causes, of any violations of law identified during the examination;
  2. The severity of any consumer harm resulting from violations;
  3. The duration of time over which the violations occurred; and
  4. The pervasiveness of the violations.

The examiners will clearly be allowed to make distinctions between technical violations that don’t cause a great deal of consumer harm and severe, substantive violations.  For example, the failure to provide notice of property in a flood zone when a loan is modified is not likely to cause great consumer harm.  More often than not when this transaction occurs, the borrower has already purchased flood insurance and the notice is a technicality.   This is the sort of violation that in the past led to difficulties in providing a clear rating of a compliance program.

Opportunities Provided by These Changes

The new compliance rating represents a significant change in the ability of banks to alter their compliance destiny.   The emphasis on self-detection and self-policing allows financial institutions to perform self-evaluation and diagnose compliance issues internally.

In the new rating system, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change.  An attitude that compliance is important must permeate the organization starting from the top.  To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be.  For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification.  This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff.   The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders.  This may seem like a reasonable response, but it is incomplete.

This does not rise to the level of self-policing that is discussed in the CFPB memo; a further step is necessary.  What is the follow-up from senior management?   Will senior management follow up to make sure that the classes have been attended by all commercial lending staff?  Will there be consequences for those who do not attend the classes?  The answers to these questions will greatly impact the determination of whether the self-policing is effective.   Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management.  The more the regulators trust the self-policing effort, the more the risk profile decreases and the less likely it is that an enforcement action will be imposed.


At first blush self-reporting seems a lot like punching oneself in the face, but this is not the case at all!   The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely it is that there will be consideration for reduced enforcement action.  Compliance failures will eventually be discovered, and the more they are self-discovered and reported, the more trust the regulators have in management in general and in the effectiveness of the compliance program in particular.   The key here is to report at the right time.  Once the extent of the violation and the cause of it have been determined, the time to report has arrived.  While it may seem that the best time to report is when the issue is resolved, this will generally not be the case.  In point of fact, the regulators may want to be involved in the correction process.  In any event, you don’t want to wait until it seems that discovery of the problem is imminent (e.g. the regulatory examination will start next week!).

It is important to remember here that the reporting should be complete and as early as possible, keeping in mind that you should know the extent and the root cause of the problem before you report.  It is also advisable to have a strategy for remediation in place at the time of reporting.


What will the institution do to correct the problem?  Has there been research to determine the extent of the problem and how many potential customers have been affected?      How did management make sure the problem has been stopped and won’t be repeated?  What practices, policies and procedures have been changed as a result of the discovery of the problem?  These are all questions that the regulators will consider when reviewing efforts at remediation.  So for example, if it turns out that loan staff have been improperly disclosing transfer taxes on the GFE, an example of strong remediation would include:

  • A determination of whether the problem was systemic or confined to a particular staff member
  • A “look back” on loan files for the past 12 months
  • Reimbursement of any customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
  • Disciplinary action (if appropriate) for affected employees
  • A plan for follow-up to ensure that the problem is not recurring

The new compliance rating system will place a strong premium on self-policing.  There is no time like the present to institute procedures that emphasize self-policing and embrace the overall concept of compliance as a core value.


Proposed new ratings for compliance- Is this a Brave New World?

Part One- Change is on the Horizon

In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions.   Once these new guidelines are adopted, not only will they represent a strong departure from the current system for rating, they also present a strong opportunity for financial institutions to greatly impact their own compliance destiny.   Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy.

The Current Rating System

The current system for rating compliance at financial institutions was first adopted in 1980.   Performance of an institution under the Community Reinvestment Act is evaluated separately and is therefore not considered as part of the compliance examination. Under the current system, compliance is rated on a scale of increasing concern from one to five. An institution with a rating of one has little to no compliance concerns, while a five-rated institution has severe concerns and an inoperative compliance system.

Under the current system, the ratings that examiners assign are based upon transaction testing. Examiners would sample a series of transactions and if there were violations of regulations, ratings would be affected. Over the years, several problems were noted with this approach. First, this approach does not take into account the root of the problem. For example, suppose the problem was caused by a form that was not up to date. Suppose further that the problem with the form was that it had the wrong address for the regulator of the institution.   Using the transaction approach, each loan file that contained this disclosure would count as a regulatory violation and the institution would appear to have a huge number of violations. In this case, even if the examiners determined this was a technical violation and not serious, the possibility existed that the overall rating would have to be a bad one to reflect the number of violations noted.

However, what if in this case, the compliance staff was well aware of the changed address, had performed training and endeavored to change all of the required forms. Unfortunately, one branch or division of the Bank still had old forms and was still using them. It is of course not good that the old forms were still being used, but the finding certainly does not indicate a severe risk at the institution.

A second problem with the current guidelines is that they do not clearly match the risk based approach for examinations that regulators have employed for several years. Each regulator has received the mandate that examinations should be tailored using a risk based approach. The examination should focus on the size, complexity and overall risk portfolio of a financial institution. The compliance examination is supposed to evaluate the effectiveness of the overall system that has been employed at an institution.   In that regard, each financial institution is unique in the products and services that it offers. For example, a community bank that makes five HMDA reportable loans a year doesn’t have the same compliance needs as an institution that makes five hundred HMDA loans in the same time.

Yet another concern with the current rating system is that it tends to be “one size fits all” and as a result, outcomes are unpredictable.   Examiners have, for some time, considered compliance systems on a contextual basis. The relative size of an institution, its activity in a given area and the resources realistically available have all been factors examiners consider when assessing a compliance program. Unfortunately, under the current system there is no mechanism to clearly reflect these considerations.   In many cases, an overall rating of “two” is assigned to a financial institution followed by a litany of criticism that leaves the reader confused about how the rating was possible.

In the last two years in particular, there has been a push from regulators to encourage “self-policing”, which is the process of self-detecting and correcting compliance problems at institutions. And while there have been supervisory directives that encourage self-policing, the current rating system does not allow this behavior to be properly recognized.

New Ratings

The proposed guidance discusses the key principles of the new ratings system:

“The proposed System is based on a set of key principles. The Agencies agreed that the proposed ratings should be:

  • Risk-based
  • Transparent
  • Actionable
  • [A]n Incentive for Compliance.

Risk Based: the principle here is that not all compliance systems are the same. They will vary based upon the size, complexity and risk profile of the bank. The examiners will be asked to evaluate the compliance system as it relates to the particular institution that is being reviewed. For example, written procedures that are very general in nature may be appropriate at an institution that has stable staff and has experienced little to no turnover. On the other hand, those same procedures may be inadequate at a new and growing institution.

Transparent: The scope of the review and the categories that are being considered should be clear and published. Each institution should be able to understand that the rating is based on specific considerations made during the current examination. Past examination results may or may not be considered; the description of the rating criteria should detail the factors deemed important.

Actionable: The evaluation should include recommendations that address the overall strengths of the compliance program and specific areas that should be enhanced.   The idea here is that management’s attention should be drawn to specific steps that should be taken to enhance the overall compliance program.

Incent Compliance: The examiners should consider the level to which the institution has instituted a program that self-detects and corrects problems.   In this case, remember self-detecting and correcting includes an analysis of the root of the problem and remediation testing before the matter is considered closed.

Overall Ratings

Under the new rating system, there will still be a “one” through “five”, but the ratings will be given on three distinct components of compliance:

  1. Board & Management Oversight
  2. The Compliance Management Program
  3. Violations of Law and Harm to Consumers

In part two of this series we will discuss the new ratings and the opportunities this system presents.

Please feel free to contact us at WWW.VCM4you.com

Your Partner in Balancing Compliance