CMS_AC Flashcards

1
Q

What three types of supervisory activities does the FDIC conduct to review an institution’s CMS?

A

Compliance examinations, visitations, and investigations

2
Q

What is the primary means the FDIC uses to determine whether a financial institution meets its responsibility to comply with the requirements and proscriptions of federal consumer protection laws and regulations?

A

Compliance examinations

3
Q

Why does the FDIC conduct visitations (3)?

A

to review the compliance posture of newly-chartered institutions or those converting to state non-member status;

to review progress on corrective actions or compliance with an enforcement action in the interval between examinations;

or to investigate problems brought to the attention of the FDIC.

4
Q

Purpose of visitations?

A

Visitations are usually targeted events aimed at specific operational areas, or an entire CMS previously identified as significantly deficient

5
Q

Purpose of investigations?

A

Conducted primarily to follow up on particular consumer inquiries or complaints, including FL complaints

6
Q

Purpose of compliance examinations (3)?

A
  • assess the quality of an FDIC-supervised institution’s CMS (see “Evaluating the Compliance Management System”) for implementing federal consumer protection statutes and regulations;
  • review compliance with relevant laws and regulations; and
  • initiate effective supervisory action when elements of an institution’s CMS are deficient and/or when violations of law are found.
7
Q

FDIC compliance examinations blend ____ and ____ approaches.

A

Risk-focused; process-oriented

8
Q

Risk-focusing involves (3):

A
  • developing a compliance risk profile for an institution using various sources of information about its products, services, regulations (PSRs), organizational structure, operations, and past supervisory performance;
  • assessing the quality of an institution’s CMS in light of the inherent risks associated with the level and complexity of its business operations and product and service offerings; and
  • testing selected transactions based on residual risk
9
Q

What is considered under Board and Management Oversight (8)?

A

Commitment to and oversight of CMS.

Level of resources dedicated to compliance functions.

Third-party due diligence

Change management (Anticipation and responsiveness to changes in applicable laws and regulations, market conditions, and products and services offered)

Due diligence in advance of product or service changes (pre- and post-implementation)

Comprehension and identification of compliance risks, including emerging risks in the bank’s products, services, and other activities

Management of identified risk (self-assessments)

Identification of and responsiveness to compliance risk management deficiencies, violations, and remediation.

10
Q

What is considered under the Compliance Program (5)?

A

Policies and procedures

third-party management

compliance training

monitoring & audit

consumer complaint response

11
Q

Who at the bank is responsible for complying with all federal consumer protection laws and regulations?

A

Board of Directors and management

12
Q

The FDIC expects BOD and management to have a system in place to effectively manage its compliance risk, consistent with the _____.

A

Size & complexity of its products, services, and markets.

13
Q

Is a bank required to have all elements of a CMS?

A

NO, and many institutions do NOT.

Conclusions about the adequacy of a bank’s CMS must be based on the effectiveness of those elements that are in place, taken as a whole, for that bank’s particular operations.

Each bank has a CMS that is adequate for the compliance responsibilities that are necessary due to its operating environment.

14
Q

Role of the Compliance Examiner- examiners must (4):

A
  • establish an examination scope focused on areas of highest consumer harm risk;
  • evaluate an institution’s CMS;
  • conduct transaction testing; and
  • report findings to the Board of Directors and management of the institution.
15
Q

As part of the examination process, examiners are expected to (3):

A
  • take a reasoned, common sense approach to examining and use sound judgment when making decisions;
  • maintain ongoing communication with bank management throughout an examination;
  • assist an institution to help itself improve performance by providing management with sound recommendations for enhancing its CMS;
  • share experiences and knowledge of a successful CMS; and
  • provide guidance regarding the various consumer protection and fair lending laws and regulations.
16
Q

What are the 3 stages of a compliance examination?

A
  1. Pre-exam planning
  2. Review and analysis (on and off-site)
  3. Communicating findings to bank management via meeting and ROE
17
Q

What does pre-exam planning involve (3)?

A

gathering information available in FDIC records and databases

contacting the bank to review and narrow the draft request for information and documents, and

delivering a letter to the institution requesting specific information and documents for detailed analysis by the examination team

18
Q

What occurs during the review and analysis stage?

A

An examiner thoroughly evaluates an institution’s CMS & documents system weaknesses and violations (if any)

19
Q

Examination resources are focused on addressing what?

A

Areas of HIGHEST consumer harm risk

20
Q

Examiners must consider WHAT when evaluating the CMS?

A

Size, level, and complexity of a bank’s operations

21
Q

What is the purpose of the ROE?

A

Provides an account of the strengths and weaknesses of a CMS to the Board of Directors and management.

22
Q

Laws and regulations are legally ___ and ___.

A

legally binding and enforceable

23
Q

What has the force and effect of law?

A

A law or regulation

24
Q

What is supervisory guidance?

A

Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance.

Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area.

Supervisory guidance often provides examples of practices that the agencies generally consider consistent with safety-and-soundness standards or other applicable laws and regulations, including those designed to protect consumers

25
Q

The FDIC’s consumer compliance examination process is ____.

A

Risk-focused

26
Q

What is Consumer Harm?

A

An actual or potential injury or loss to a consumer, whether such injury or loss is economically quantifiable (e.g., overcharge) or non-quantifiable (e.g., discouragement).

It may be caused by a financial institution’s violation of a federal consumer protection law or regulation directly or through a third party or reflects weaknesses in a financial institution’s compliance management system

27
Q

What three ways can consumer harm occur?

A

Quantifiable harm

Non-quantifiable harm

Potential harm

28
Q

What is quantifiable harm?

A

Economic harm to a consumer where the injury or loss can be measured.

MONETARY

29
Q

What type of consumer harm are these:

(1) A consumer may suffer monetary harm as a result of deceptive marketing practices that entice a consumer to purchase a product without having accurate information regarding the benefits, costs, or terms of the product in violation of Section 5 of the Federal Trade Commission Act.
(2) Bank employs a pricing structure that allows significant discretion, without effective monitoring or controls, resulting in a protected class of borrowers being charged higher prices on average than similarly situated non-protected borrowers in violation of the Equal Credit Opportunity Act, then the higher prices paid by the protected class of borrowers over similarly situated non-protected borrowers.

A

Quantifiable harm

30
Q

What is non-quantifiable harm?

A

Injury or loss to the consumer that cannot be measured, or is very difficult to measure, yet the consumer may suffer some form of economic or other harm.

31
Q

What type of consumer harm is this?

A

Financial institution unfairly denies the consumer credit or discourages an application on a prohibited basis in violation of the Equal Credit Opportunity Act

Consumer injured economically, but calculating the monetary value for the injury would be challenging

32
Q

What type of consumer harm is this?

Bank imposes additional, unlawful requirements on consumers before the bank is willing to consider the consumers’ billing disputes or requirements that are not accurately divulged in the bank’s error resolution disclosures.

A

Non-quantifiable harm

The practices could discourage a consumer from filing a dispute. Consumer harm exists, but may be difficult to identify and/or quantify.

33
Q

What is potential harm?

A

Involves financial institution activities (or failure to take action) that create the possibility that a consumer may be harmed.

34
Q

What type of harm is this?

Violation of the regulations that implement the National Flood Insurance Act of 1968 where the financial institution failed to require flood insurance on a residence at loan closing.

A

Potential harm

The consumer has not suffered actual loss but is exposed to potential economic loss should a flood occur.

35
Q

The FDIC’s mission of promoting public confidence in the financial system is best served through a supervisory approach focused on ______

A

Identifying, addressing, and preventing consumer harm

36
Q

How do examiners identify consumer harm?

A

By identifying the inherent risks of consumer harm that may occur in a bank’s business activities.

37
Q

What is inherent risk?

A

The compliance risk associated with product and service offerings, practices, or other activities that could directly or indirectly result in significant consumer harm or noncompliance with consumer protection rules and regulations.

Inherent risk refers to the risk that a product, service, practice, or other activity would pose if no controls or other mitigating factors were in place.

Ex: a new loan product, a change to deposit account terms, or a third party relationship

38
Q

How do examiners address identified inherent risks of consumer harm?

A

When inherent risks of consumer harm are identified, examiners will ensure that the bank takes appropriate actions to address or mitigate these risks

39
Q

How do examiners prevent consumer harm?

A

Mitigating factors are the strength of the CMS to mitigate inherent risk.

40
Q

Examples of mitigating factors?

A

strong management controls, effective training programs, and on-going monitoring efforts.

41
Q

What are the FDIC’s supervisory strategies designed to do?

A

To promote compliance with consumer protection laws and regulations in FDIC-supervised institutions

42
Q

How do examiners evaluate risks of consumer harm?

A

through an analysis of an institution’s historical CMS, the products and services currently offered, the markets served, and existing and new third-party relationships.

43
Q

What is residual risk?

A

The risk exposure that remains after identifying the level of inherent risk and factoring in the strength of the mitigating factors to control that risk.

44
Q

Risk-scoping formula

A

inherent risk - mitigating factors = residual risk

45
Q

What is the level of risk in this example?

Bank introduces a new overdraft program with no due diligence, no monitoring or auditing, and numerous customer inquiries.

A

HIGH RISK product without effective CMS elements to mitigate inherent risk

inherent risk = high
mitigating factors = none
residual risk = high

46
Q

The FDIC classifies violations of federal consumer laws based, in part, on what?

A

the level of risk of consumer harm

47
Q

What should be communicated when a violation is identified?

A

severity, extent, or potential consumer harm caused by the violation

48
Q

What does appropriate corrective action consider?

A

overall effectiveness of the institution’s CMS, the root cause(s) of the deficiencies, and extent and impact of consumer harm.

49
Q

Why are communication and technical assistance to supervised institutions an important component of the FDIC’s supervisory approach in preventing consumer harm?

A

It supports institutions’ efforts to maintain an effective CMS!

50
Q

When is communication especially important?

Examples of FDIC communication channels?

A

During periods of regulatory change and transitions!

CHANNELS: national and regional bankers’ teleconferences on emerging topics; speaking engagements at national, regional, state, and local conferences and conventions; a web-based regulatory calendar; Supervisory Insights Journal articles; regional newsletters; banker and bank director trainings and online technical assistance videos; meetings with industry trade groups; and issuance of guidance through Financial Institution Letters

51
Q

How does communicating the focus of FDIC examination efforts and supervisory priorities through these diverse channels assist bankers?

A

Helps them in identifying and reviewing key areas of concern and addressing deficiencies promptly, prior to and unrelated to a specific examination activity.

In addition, examiners can provide certain types of technical assistance to community bankers during the course of an examination that may enable an institution to reduce the risk of consumer harm in the operation of its business.

52
Q

Communication and technical assistance give bankers the tools for what?

A

To address issues that may pose consumer harm

53
Q

What are the elements of an effective CMS?

A

Board and management oversight

Consumer compliance program

54
Q

What can noncompliance result in?

A

Monetary penalties, litigation, and formal enforcement actions

55
Q

Who is responsible for ensuring that the bank and its third-parties are in compliance?

A

Board and management

56
Q

Who is ULTIMATELY responsible for developing and administering a CMS that ensures compliance with federal consumer protection laws and regulations?

A

The BOARD

57
Q

What are key actions that the Board and management can take to demonstrate their commitment to maintaining an effective CMS and to set a positive climate for compliance (8)?

A
  • demonstrating clear and unequivocal expectations about consumer compliance, not only within the institution, but also to third-party providers;
  • adopting clear policy statements;
  • appointing a compliance officer with authority and accountability;
  • allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations;
  • anticipating and evaluating changes in the institution’s operating environment and implementing responses across impacted lines of business;
  • identifying compliance risk in the institution’s products, services, and other activities, and responding to deficiencies and violations;
  • conducting periodic compliance audits; and
  • providing for recurrent reports by the compliance officer to the Board.
58
Q

What sets the tone on compliance?

A

Leadership on compliance by Board & management

59
Q

Regardless of size or institution complexity, what is the first step Board and management should take in providing for the administration of the compliance program?

A

Designate a compliance officer!

60
Q

Compliance officers must have the authority and independence to do what three things?

A
  • cross departmental lines;
  • have access to all areas of the institution’s operations; and
  • effect corrective action.
61
Q

T or F:

A compliance committee, as an alternative to or in addition to a full-time compliance officer, could be formed consisting of the compliance officer, representatives from various departments, and member(s) of management or the Board

A

TRUE

62
Q

What are a compliance officer’s general responsibilities, regardless of the size or complexity (7)?

A
  • developing compliance policies and procedures;
  • training management and employees in consumer protection laws and regulations;
  • reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures;
  • assessing emerging issues or potential liabilities;
  • coordinating responses to consumer complaints;
  • reporting compliance activities and audit/review findings to the Board; and
  • ensuring that corrective actions are implemented in a timely fashion and are effective at preventing recurrence.
63
Q

True or false: Board and Management are not ultimately responsible for identifying and controlling compliance risks arising from third-party relationships?

A

FALSE

Board and Management are responsible to the same extent as if the third-party activity was handled within the institution.

64
Q

While an effective compliance risk management process for third-parties will vary depending on complexity and risk profile of the third-party relationship, what is generally included in the process (4)?

A
  • Risk assessment
  • Due diligence in selecting the third-party provider
  • Appropriate contract structuring and review, and
  • Sufficient oversight of third-party activities, including adequate quality control over products or services provided.
65
Q

What are the components of a Consumer Compliance Program?

A
  • Policies and procedures
  • Training
  • Monitoring and/or Audit
  • Consumer complaint response
66
Q

Why should banks establish a formal, written compliance program (4)?

A
  • Planned organized effort to guide compliance activities
  • Source document that serves as a training and reference tool
  • Will prevent or reduce regulatory violations & provide cost efficiencies
  • Sound business step
67
Q

T or F: A compliance program is static (i.e. unchanging)

A

FALSE

Must be dynamic and constantly amended to focus resources where they are needed most based on risks.

68
Q

What is the formality of a compliance program dictated by (6)?

A
  • institution’s size, number of branches, and organizational structure;
  • business strategy of the institution (e.g., community bank versus regional; or retail versus wholesale bank);
  • complexity of products and services offered;
  • staff experience and training;
  • type and extent of third-party relationships;
  • location of the institution—its main office and branches; and
  • other influences, such as whether the institution is involved in interstate or international banking.
69
Q

Is a written compliance program required?

A

NO - the program’s EFFECTIVENESS is more important than its formality

Ex: Especially true for small banks - program not in writing, but an effective monitoring system ensures overall compliance

70
Q

When does a written compliance program become more important?

A

During periods of expansion or staff turnover

Because individuals with the particular knowledge or experience may no longer be with the institution or available for contact.

71
Q

What do effective policies and procedures include (4)?

A

Policies should be established that include goals and objectives and appropriate procedures for meeting those goals and objectives.

Information needed to perform a business transaction (i.e. applicable regulation cites and definitions, sample forms with instructions, institution policy, and, where appropriate, directions for routing, reviewing, retaining, and destroying transaction documents)

72
Q

Compliance policies and procedures are the means for ensuring what?

A

Ensuring consistent operating guidelines that support the institution in complying with applicable federal consumer protection laws and regulations (directly and through third-parties)

73
Q

Who should be responsible for compliance training and establishing a regular training schedule for Directors, management and staff (and third-parties where appropriate)?

A

Compliance Officer

74
Q

Line management and staff should receive ___, __, and ___ training in laws and regulations, and internal policies and procedures that directly affect their jobs.

A

timely, specific, comprehensive

75
Q

What characteristics does an effective compliance training program include (4)?

A

Training to all staff, management, and Board (third parties as applicable) relevant to their jobs

Regular training schedule

Periodic assessment of employee knowledge and comprehension of the subject matter

Training content that is frequently updated with current, complete and accurate information on products, services, and business operations of the bank, as well as laws and regulations, policies and procedures, and emerging issues.

76
Q

What is monitoring?

A

proactive approach by the institution to identify procedural or training weaknesses in an effort to preclude regulatory violations

77
Q

What is an audit?

A

An independent assessment and validation of an institution’s system of internal controls, operations, and compliance risk management framework.

Complements the monitoring system.

78
Q

Who can perform audits?

A

Internally (in-house) or by an external party (such as consultant or accountant) as long as the individuals that perform the audits are independent of the areas being audited

79
Q

Banks should have monitoring and/or audit functions that are appropriate for their ___, ___, and ____.

A

size, complexity, risk profile

80
Q

T or F:

If an institution has strong monitoring but no audit, all risks are appropriately mitigated.

A

False - audit and monitoring each play an important but different role in supporting a strong CMS.

For many banks, both are necessary

81
Q

Effective monitoring includes regularly scheduled reviews of what (7)?

A
  • disclosures and calculations for various product offerings;
  • document filing and retention procedures;
  • posted notices, marketing literature, and advertising;
  • various state usury and consumer protection laws and regulations;
  • third-party service provider operations; and
  • internal compliance communication systems that update and revise the applicable laws and regulations to management and staff.
82
Q

Monitoring also includes reviews at the ___ level?

A

TRANSACTION LEVEL!

at the transaction level during the normal, daily activities of employees in every operating unit of the institution.

83
Q

Who should determine the scope and frequency of audits?

A

The Board

84
Q

What factors should be considered when determining the scope and frequency of audits (9)?

A
  • expertise and experience of various institution personnel;
  • organization and staffing of the compliance function;
  • volume of transactions;
  • complexity of products offered;
  • number and type of consumer complaints received;
  • number and type of branches;
  • acquisition or opening of additional branch(es);
  • size of the institution;
  • organizational structure of the institution;
  • outsourcing of functions to third-party service providers, including a review of agreements signed or made between the institution and vendors;
  • degree to which policies and procedures are defined and detailed in writing; and
  • magnitude/frequency of changes to any of the above.
85
Q

Generally, what will a strong consumer compliance audit incorporate?

A

Vigorous transaction testing!

86
Q

Who should audit findings be reported to?

A

Directly to the Board or to a committee of the Board

87
Q

What should a written consumer compliance audit report include (4)?

A
  • scope of the audit (including departments, branches, product types and third-party relationships reviewed);
  • deficiencies or modifications identified;
  • number of transactions sampled by category of product type; and
  • descriptions of, or suggestions for, corrective actions and time frames for correction.
88
Q

What does an effective consumer complaint response include (5)?

A
  • Prompt complaint responses
  • Established procedures for addressing complaints
  • Designated individuals or departments responsible for handling complaints- known to all institution personnel to expedite responses.
  • Compliance officer who is aware of all complaints and acts to ensure a timely resolution; and determines the root cause and ensures corrective action
  • Monitor complaints to and/or about third parties providing services on behalf of the bank
89
Q

II. REVIEW AND ANALYSIS

A

N/A

90
Q

What does the review period or scope typically cover?

A

Bank activities conducted from the start date of the prior exam through the start date of the current exam

91
Q

What is the goal of a risk-focused, process-oriented exam?

A

To direct resources towards areas with higher degrees of risk of consumer harm

92
Q

What does the Assessment of Risk of Consumer Harm (ARCH) describe?

A

The focus of the exam, including issues to be investigated and the PSRs that exhibit residual risk

93
Q

DEVELOPING A RISK PROFILE

A

N/A

94
Q

The ARCH documents areas of inherent risk by considering what three areas:

A

Institution structure

Supervisory history

Operational areas- PSR risk

95
Q

What is considered when determining the inherent risk of an Institution’s Structure? (4)

A

o Significant factors or changes

o Mergers or acquisitions

o Significant growth since prior examination

o De Novo status

96
Q

What is considered when determining the inherent risk of Supervisory History? (6)

A

o Current and past enforcement actions

o Reimbursement history

o History of FL compliance

o Current and prior exam ratings and recommendations

o Consumer-related litigation

o Consumer complaints

97
Q

What is considered when determining the inherent risk of Operational Areas- PSRs (7)?

A

o Major product lines

o New or revised PSRs

o Applicable regulations

o Recent case law

o Growth in operations

o Complexity of operations

o Third party affiliations

98
Q

What is regulation risk?

A

Measures the possible consequences (to the bank and its customers) of noncompliance with specific regulations

Recognizes that the impact of noncompliance differs depending on the consumer law or regulation.

99
Q

What is regulation risk for the public?

A

The measurement of relative adverse financial impact or other harm that noncompliance may produce

100
Q

What is regulation risk for the bank?

A

Measurement of legal, reputation, and financial harm that noncompliance may produce

101
Q

What factors affect the level of regulation risk (4)?

A
  • Potential financial and/or reputation harm to consumers;
  • Potential legal, reputation, and financial harm to the bank;
  • New laws, regulations, or amendments
  • Volume of transactions subject to a specific regulation.
102
Q

In order to properly assess a bank’s risk, the EIC or designee also reviews ____, which may or may not mitigate the identified inherent risks:

A

the CMS

103
Q

When does residual risk exist?

A

When inherent risk is not sufficiently mitigated by the CMS

104
Q

Risk-scoping formula?

A

Inherent risk - mitigating factors = residual risk

105
Q

T or F:

One element of a bank’s CMS may influence another area

A

True!

Be aware of relationships and their mutual impact.

106
Q

What other CMS element may be impacted in this example?

The initial review of institution practices identifies a lack of audit of loan denials

A

The examiner should look to see whether monitoring procedures are in place to mitigate the impact of the lack of audit procedures.

The existence of monitoring procedures may lead the examiner to determine that the absence of an audit does not raise the institution’s risk profile

107
Q

What other CMS element may be impacted in this example?

Initial review of policies and procedures identifies well-organized, appropriate, and up to date guidelines for deposit compliance management.

A

The examiner should also consider the institution’s record of oversight in this area.

If deposit compliance has historically suffered from poor management oversight, then the existence of written procedures should be given less weight when determining the risk profile.

108
Q

DEVELOPING THE ARCH

A

N/A

109
Q

What is described in Section 1 of the ARCH? Section 2? Section 3? Section 4?

When should Sections 1-4 be completed and approved?

A

Section 1: Institution structure and supervisory history

Section 2: Initial assessment of the CMS

Section 3: ID inherent risks related to the bank’s operations, followed by an analysis of whether each inherent risk is low, mitigated, or results in residual risk of consumer harm.

Section 4: PSRs summarized

Sections 1-4 should be completed and approved by a supervisor or delegated designee prior to the start of the examination

110
Q

When should Section 5 of the ARCH be used?

A

If material changes to the scope of the exam are warranted

111
Q

T or F:

The questions in the ARCH cover every potential risk.

A

False: the questions set out a basic framework to assist examiners in assessing and documenting consumer harm.

But examiners are not limited to these questions, and should consider all relevant facts when evaluating a bank’s risk profile

112
Q

ENTRANCE MEETING

A

N/A

113
Q

What is the purpose of an Entrance Meeting?

When should it be conducted?

A

Purpose: facilitate the discussion of various admin items and the scope of the exam

ASAP after beginning the exam

114
Q

What is discussed during the Entrance Meeting (10)?

A

Overview of the exam process (info collected during PEP and its impact on SCOPE)

Names of FDIC examiners (on-site or off-site)

Length of Exam

Activities expected to be conducted on-site and off-site

EIC availability to discuss exam issues or FDIC policy

Primary contacts for exam issues

Issues identified during PEP, areas with significant risk that will receive close attention

PEP materials requested but not received

Exit meeting procedures

Date of next Board Meeting

Any issues with CRA and FL review

115
Q

ONGOING COMMUNICATION

A

n/a

116
Q

When should issues of concern be discussed with management?

A

AS THEY ARISE (to the extent possible)

117
Q

REVIEW OF CMS

A

N/A

118
Q

When reviewing the CMS, examiners should (4):

A
  • Determine the quality of the institution’s CMS (degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations)
  • Assess whether the CMS is effective at facilitating compliance
  • Identify potential deficiencies in the CMS and areas of greatest risk of consumer harm
  • Determine where transaction testing is necessary
119
Q

What materials should be reviewed at minimum when evaluating the adequacy of Board and Oversight? (9)

A

Examiner-determined risk profile as relates to oversight

Prior Exam reports

Meeting minutes (Board, Compliance Committee, etc.)

New/amended policies or procedures

Files related to receipt and resolution of complaints (bank, CRC reports, etc.)

Management responses and follow-up to findings (exam, monitoring, audits)

Third party agreements

Org Charts and management resumes

Examiner Notes

120
Q

What materials (at a minimum) should examiners review to determine the adequacy of Policies and procedures (4)?

A
  • The examiner-determined risk profile of the financial institution as it relates to policies and procedures, including the institution’s business strategy, product offering, branches, third party relationships, etc.
  • Compliance-related policies and other written compliance procedures
  • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable
  • Examiner notes
121
Q

What should policies and procedures cover at a minimum (10)?

A
Compliance Policy
Lending
Deposits
Electronic Banking
Privacy
Non-deposit products (NDIP)
Branch Closing Policy 
TILA Policy
FCRA
Overdraft Programs
122
Q

What should be included in the Compliance Policy?

A
  • Specific guidance on daily compliance activities
  • Responsibilities and authorities of the compliance officer, Compliance Committee, and individual employees.

123
Q

What banks are required to have a Branch Closing Policy?

A

Section 42 of the Federal Deposit Insurance Act requires every financial institution that has one or more branch locations to maintain a branch closing policy

124
Q

What are the six areas that require written policies and procedures?

A
Branch Closing
EFT Remittance Transfers
TILA
FCRA
Safe Act
NDIP
125
Q

Are overdraft policies required?

A

NO

BUT - banks that provide ODP should adopt written policies and procedures adequate to address the credit, operational, and other risks associated with these types of programs.

126
Q

Under what circumstances are examiners not required to review a policy or procedure (4)?

A

1) The policy was reviewed at the prior FDIC consumer compliance examination
2) The review of the policy at the prior examination found no deficiencies
3) No changes or amendments have been made since the policy was last reviewed
4) There have been no significant regulatory or operational changes pertinent to the area covered by the policy since the prior examination.

127
Q

What materials should be reviewed to determine the adequacy of training (3)?

A
  1. Examiner-determined risk profile as relates to training
  2. Compliance-related training docs
  3. Examiner notes from discussions with CO, managers, etc.
128
Q

What materials (at a minimum) should be reviewed to determine the adequacy of Monitoring (4)?

A
  • The examiner-determined risk profile as it relates to monitoring
  • Compliance-related policies and other written compliance procedures
  • Documentation of the results of monitoring activities
  • Reports to management of the findings, corrective actions, and related follow-up from monitoring procedures
  • Examiner notes
129
Q

What materials (at a minimum) should be reviewed to determine the adequacy of Audit? (7)

A
  • The examiner-determined risk profile as it relates to the audit function
  • Audit policy, external audit agreement, or other written audit guidelines
  • Compliance-related audit reports, responses, and follow-up
  • Audit workpapers
  • Org chart
  • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable
  • Examiner notes from discussions with audit staff, compliance officer, managers, etc.
130
Q

T or F:

Request Fair Lending self-testing reports/results.

A

FALSE

Do not request this; however, if a bank voluntarily provides it then review the findings as part of the FL review.

131
Q

T or F:

A financial institution’s audit or review of loan files, internal policies, and training material may indicate differences in the treatment of applicants that could constitute a violation of the fair lending laws.

A

TRUE

132
Q

What materials (at a minimum) should examiners review to determine the adequacy of Consumer Complaint Response? (5)

A
  • The examiner-determined risk profile as it relates to consumer complaints
  • Consumer complaint policies/procedures
  • Complaint files - from receipt to resolution (complaint archived by bank or the FDIC)
  • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable
  • Examiner notes
133
Q

TRANSACTION TESTING AND SAMPLING

A

N/A

134
Q

What dictates the intensity of transaction testing?

A

severity of CMS weakness and inherent risk

135
Q

Greater weakness and higher inherent risk leads to what?

A

Review of more transactions!

136
Q

T or F:

In certain cases management’s admission that a violation occurred is sufficient to warrant a citation without transaction testing.

A

TRUE

137
Q

III. Consumer Compliance Rating System

A

N/A

138
Q

The FDIC assigns consumer compliance ratings to institutions it supervises pursuant to what?

A

Uniform Interagency Consumer Compliance Rating System (CC Rating System) approved by the FFIEC

139
Q

Primary purpose of the CC Rating system?

A

To ensure that:

  • Regulated banks are evaluated in a comprehensive and consistent manner
  • Supervisory resources are appropriately focused on areas exhibiting risk of consumer harm and on institutions that warrant elevated supervisory attention.
140
Q

T or F:

The consumer compliance rating does not reflect the effectiveness of a bank’s CMS to ensure compliance with laws and regulations and reduce the risk of consumer harm.

A

FALSE

141
Q

What are the rating adjectives for a CMS in the ROE (1-5)?

A

1 - Strong CMS
2 - Satisfactory CMS

3 - Deficient CMS
4 - Seriously deficient CMS
5 - Critically deficient

142
Q

Ratings of 1 or 2 represent what?

A

Satisfactory or better performance

143
Q

Ratings of 3, 4, or 5 indicate what?

A

Performance is less than satisfactory

144
Q

What 3 categories is the CC Rating System organized under?

A
  1. Board and Management Oversight
  2. Compliance Program
  3. Violations of Law and Consumer Harm
145
Q

The first 2 categories are used to assess what?

A

The bank’s CMS

146
Q

T or F:

Examiners should evaluate activities conducted through third-party relationships as though the activities were performed by the institution itself.

A

TRUE

147
Q

What are the Rating assessment factors for Board and Management Oversight? (4)

A
  • Oversight of and commitment to the CMS;
  • Effectiveness of the bank’s change management processes including responding timely and satisfactorily to any variety of change, internal or external, to the institution
  • Comprehension, identification, and management of risks from the products, services, or activities; and
  • self-identification and correction of such issues
148
Q

What are the Rating assessment factors for the Compliance Program? (4)

A
  • whether the policies and procedures are appropriate to the risk in the products, services, and activities;
  • the degree to which compliance training is current and tailored to risk and staff responsibilities;
  • the sufficiency of the monitoring and, if applicable, audit to encompass compliance risks; and
  • the responsiveness and effectiveness of the consumer complaint resolution process

149
Q

What are the assessment factors for Violations of Law and Consumer Harm (4)?

A
  • root cause(s)
  • severity of any consumer harm
  • duration of time over which the violations occurred; and
  • pervasiveness
150
Q

T or F:

The root cause of a violation analyzes the degree to which weaknesses in the CMS gave rise to the violation.

A

TRUE; in many instances, the root cause ties to a weakness in one or more elements of a CMS

151
Q

What does the severity assessment factor do?

A

Weighs the type of consumer harm, if any, that resulted from the violation

152
Q

What does the duration assessment factor consider?

A

The length of time over which the violations occurred

153
Q

What does the pervasiveness assessment factor evaluate?

A

The extent of the violation(s) and resulting consumer harm, if any.

Violations that affect a large number of consumers will raise greater supervisory concern than violations that impact a limited number of consumers.

154
Q

What are the strongest types of compliance programs?

A

Ones that are PROACTIVE.

They promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner.

155
Q

T or F:

Self-identification and prompt corrective action reflect strengths in a CMS.

A

TRUE: a robust CMS appropriate for the size, complexity, and risk profile of a bank’s business often will prevent violations or detect potential violations early on.

156
Q

T or F:

The consumer compliance rating reflects the effectiveness of a bank’s CMS to identify and manage compliance risk in the bank’s products and services and to prevent violations of law and consumer harm, as evidenced by the bank’s performance under each of the assessment factors.

A

TRUE

157
Q

True or false: A bank may not receive a less than satisfactory rating if no violations were identified.

A
158
Q

Which presents greater supervisory concern?

  1. Serious weaknesses in the policies and procedures or audit program of the mortgage department at a mortgage lender
  2. Same gaps at an institution that makes very few mortgage loans and strictly as an accommodation.
A

The first one; greater weight should apply to the bank’s management of material products with significant potential consumer compliance risk.

159
Q

T or F:

An institution cannot receive a less than satisfactory rating if no violations were identified.

A

FALSE; a bank can receive a less than satisfactory rating even when no violations were identified based on deficiencies or weaknesses in the CMS.

160
Q

Who does the CFPB regulate/supervise?

A

institutions with total assets of more than $10 billion