Compliance Management System (CMS) Flashcards
1
Q
What are the 3 types of supervisory activities/ strategies conducted by the FDIC?
A
Examinations, visitations, and investigations.
2
Q
Purpose of a visitation?
A
Targeted event aimed at specific operational areas, or entire compliance management systems previously identified as significantly deficient.
3
Q
Purpose of an investigation?
A
Conducted to follow-up on specific consumer inquiries or complaints, including fair lending complaints.
4
Q
Purpose of examination? (3)
A
• assess the quality of an FDIC-supervised institution’s CMS for implementing federal consumer protection statutes and regulations;
• review compliance with relevant laws and regulations; and
• initiate effective supervisory action when elements of an institution’s CMS are deficient and/or when violations of law are found.
5
Q
What does risk-focusing involve? (3)
A
Developing a compliance risk profile for a bank using Products, Services, or Regulations (PSRs), and the bank’s organizational structure, operations, and past performance.
Assessing quality of CMS in light of inherent risks from the level and complexity of business operations, products, and services.
Transaction testing based on residual risk.
6
Q
What is reviewed under Board and Management oversight? (7)
A
Commitment and oversight of CMS.
Third party due diligence
Change management
Due diligence from product or service changes (pre and post)
Comprehension and identification of compliance risks including emerging risks in the bank’s products, services, etc.
Management of risk (self-assessments)
Identification and responsiveness to CMS deficiencies, violations, and remediation.
7
Q
What is reviewed under the compliance program?
A
Policies and procedures
Third-party management
Monitoring & audit
Consumer complaint response.
8
Q
What should be considered when evaluating a bank’s CMS?
A
The size, level complexity of the bank.
A bank is not required to have all elements of a CMS. Conclusions about the adequacy of a bank’s CMS must be based on the
effectiveness of those elements that are in place, taken as a whole, for that bank’s particular operations.
9
Q
What is the purpose of the ROE?
A
The Report of Examination
provides an account of the strengths and weaknesses of a CMS to the Board.
10
Q
What is Supervisory Guidance?
A
Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate
practices for a given subject area.
11
Q
What is Consumer Harm?
A
Actual or Potential injury or loss to a consumer whether such injury or loss is economically quantifiable (ex: overcharge) or non-quantifiable (ex: discouragement). May be caused by activities through a third-party.
12
Q
What is quantifiable harm?
A
Economic harm to a consumer where the injury or loss can be measured.
13
Q
What type of consumer harm is this?
Deceptive marketing
practices that entices a consumer to purchase a product without having accurate information regarding the benefits,
costs, or terms of the product in violation of Section 5 of the Federal Trade Commission Act.
A
Quantifiable Harm
14
Q
What type of consumer harm is this?
Bank employs a pricing structure that allows significant discretion, without effective monitoring or controls, resulting in a protected class of borrowers being charged higher prices on average than similarly situated non-protected borrowers in violation of the Equal Credit Opportunity Act
A
Quantifiable harm
15
Q
What is non-quantifiable harm?
A
Injury or loss to the consumer that cannot be measured, or is very difficult to measure, yet the consumer may suffer some form of economic or other harm.
16
Q
What type of consumer harm is this?
Financial institution unfairly denies the consumer
credit or discourages an application on a prohibited basis in violation of the Equal Credit Opportunity Act
A
Non-quantifiable harm
Consumer was injured economically; however, calculating the monetary value for the injury would be challenging.
17
Q
What type of consumer harm is this?
Unlawful requirements on consumers before the bank is willing to consider the consumers’ billing disputes or requirements that are not accurately divulged in the bank’s error resolution disclosures.
A
Non-quantifiable harm
The practice could discourage a customer from filing a dispute, but would be difficult to identify or quantify.
18
Q
What is potential harm?
A
Involves financial institution activities (or failure to take action) that create the possibility that a consumer may be harmed.
19
Q
What type of harm is this?
Violation of the regulations that implement the National Flood Insurance Act of 1968 where the financial institution failed to require flood insurance on a residence at loan closing.
A
Potential harm
The consumer has not suffered actual loss but is exposed to potential economic loss should a flood occur.
20
Q
What is the supervisory approach to consumer harm?
A
Identifying, addressing, and preventing consumer harm.
21
Q
How to examiners identify consumer harm?
A
Identification of inherent risk that may occur in a bank’s business activities.
22
Q
What is inherent risk?
Example?
A
Compliance risk associated with product and service offerings, practices, or other activities that could directly or indirectly result in significant consumer harm or noncompliance with rule or regulations, if no other controls or mitigating factors were in place.
Ex: new loan product, change in deposit account terms, presence of third party relationships.
23
Q
How do examiners address consumer harm?
A
When inherent risks are identified, examiners will ensure the bank takes appropriate action to address or mitigate the risks.
24
Q
How do examiner’s prevent consumer harm?
Example?
A
Mitigating factors are the strength of the CMS to mitigate inherent risk.
Ex: Strong management controls, effective training, on-going monitoring efforts.
25
What is residual risk?
Risk exposure that remains after identifying the level of inherent risk and factoring in the strength of the mitigating factors that control that risk.
26
What is the risk scoping formula?
inherent risk - mitigating factors = residual risk
27
What is the level of risk in this scenario?
A bank introduces a new overdraft program with no due diligence, no monitoring or auditing, and numerous customer inquiries.
High risk product without effective CMS elements to mitigate inherent risk, thus high level of residual risk remains.
Inherent risk High
No Mitigants
Residual Risk High
28
What should be communicated when an violation is identified? (3)
Severity, extent, and actual or potential consumer harm caused by the violation.
29
What should a bank consider when taking appropriate corrective action?
Overall effectiveness of the CMS, root cause of deficiencies, and extent or impact of consumer harm.
30
Why is communication and technical assistance provided by the FDIC a key component of preventing consumer harm?
Communicating the focus of FDIC examination efforts and supervisory priorities through diverse channels assists bankers in identifying and reviewing key areas of concern and addressing deficiencies promptly, prior to and unrelated to a specific
examination activity.
In addition, examiners can provide certain types of technical assistance to community bankers
during the course of an examination that may enable an institution to reduce the risk of consumer harm in the operation of its business.
31
What is an effective CMS commonly comprised of?
Board and Management oversight
Compliance Program
32
Who is ultimately responsible for developing and administering a CMS?
The Board
33
Examples of Effective Board and Management oversight? (8)
• demonstrating clear and unequivocal expectations about consumer compliance, not only within the institution, but also to third-party providers;
• adopting clear policy statements;
• appointing a compliance officer with authority and accountability;
• allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations;
• anticipating and evaluating changes in the institution’s operating environment and implementing responses across impacted lines of business;
• identifying compliance risk in the institution’s products, services, and other activities, and responding to deficiencies and violations;
• conducting periodic compliance audits; and
• providing for recurrent reports by the compliance officer to the Board.
34
Compliance officers need authority and independence to do what? (3)
• cross departmental lines;
• have access to all areas of the institution’s operations; and
• effect corrective action.
35
What are a compliance officer's general responsibilities regardless of bank size or complexity? (7)
• developing compliance policies and procedures;
• training management and employees in consumer protection laws and regulations;
• reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures;
• assessing emerging issues or potential liabilities;
• coordinating responses to consumer complaints;
• reporting compliance activities and audit/review findings to the Board; and
• ensuring that corrective actions are implemented in a timely fashion and are effective at preventing recurrence.
36
True or false: Board and Management are not responsible for identifying and controlling compliance risks arising from third-party relationships?
False
Board and Management is responsible to the same extent as if the third-party activity was handled within the institution.
37
What is included in an effective compliance risk management process for third-parties? (5)
risk assessments
due diligence in selecting provider
appropriate contract structuring and review
sufficient oversight of third-party activities
adequate quality control over products or services provided.
38
What are the components of a compliance program?
Policies and Procedures
Training
Monitoring/Audit
Consumer Complaint response
39
Why is a formal, written compliance program important? (4)
Planned organized effort to guide compliance activities
training and reference tool
sound business step
will prevent or reduce regulatory violations
40
true or false: a compliance program is dynamic?
true. A compliance program should be constantly amended to focus resources where they are needed most based on risk.
41
Is a written compliance program required?
No. However the programs effectiveness is more important than its formality.
42
What do effective policies and procedures include? (4)
examples?
Goals and Objectives
Procedures for meeting goals and objectives
Information needed to perform a business transaction
Written and reviewed/updated as business, regulatory, or environmental changes occur.
Ex: regulation cites, definitions, sample forms w/ instructions, institution policy, directions for routing, reviewing and retaining/destroying transaction docs.
43
What does effective training include? (4)
training to all staff, management, and Board (third parties as applicable) relevant to their jobs
regular training schedule
periodic assessment of employee knowledge and comprehension
training content that is frequently updated and accurate on products, services, and business operations of the bank. As well as, laws and regulations, policies and procedures, and emerging issues.
44
What is monitoring?
A proactive approach by the bank to identify procedural or training weaknesses in an effort to preclude regulatory violations.
45
What is an audit?
Independent assessment and validation of a bank's system of internal controls, operations, and compliance risk management framework. Complements a monitoring system.
46
True or false: If an institution has strong monitoring but no audit, all risks are appropriately mitigated.
False - audit and monitoring each play an important but different role in supporting a strong CMS.
47
Effective monitoring includes regularly scheduled reviews of what? (7)
• disclosures and calculations for various product offerings;
• document filing and retention procedures;
• posted notices, marketing literature, and advertising;
• various state usury and consumer protection laws and regulations;
• third-party service provider operations; and
• internal compliance communication systems that update and revise the applicable laws and regulations to management and staff.
transaction level reviews are also helpful.
48
Who determines the scope and frequency of audits?
The Board
49
What should be considered when determining the scope and frequency of an audit? (12)
• expertise and experience of various institution personnel;
• organization and staffing of the compliance function;
• volume of transactions;
• complexity of products offered;
• number and type of consumer complaints received;
• number and type of branches;
• acquisition or opening of additional branch(es);
• size of the institution;
• organizational structure of the institution;
• outsourcing of functions to third-party service providers, including a review of agreements signed or made between the institution and vendors;
• degree to which policies and procedures are defined and detailed in writing; and
• magnitude/frequency of changes to any of the above.
50
True or false: Audit findings should be reported directly to the Board?
False: findings should be reported to the Boar OR to a Board level committee.
51
Audit report should include? (4)
• scope of the audit (including departments, branches, product types and third-party relationships reviewed);
• deficiencies or modifications identified;
• number of transactions sampled by category of product type; and
• descriptions of, or suggestions for, corrective actions and time frames for correction.
52
What does effective complaint response include? (3)
-prompt complaint response
-established procedures for addressing complaints and individuals responsible for handling responses
-compliance officer is aware of complaints received and ensures action is taken to correct any deficiencies complaints are monitored including those from third parties.
53
What is the purpose of the entrance meeting?
Facilitate discussion of various admin items and the scope of the exam.
54
What is discussed during the entrance meeting? (10)
Overview of exam (PEP info and impact on SCOPE)
FDIC examiners
Length of Exam
EIC availability to discuss exam issues or FDIC policy
Primary contacts for exam issues
Issues identified during PEP, areas with significant risk that will receive close attention
PEP materials requested but not received
Exit meeting procedures
Date of next Board Meeting
CRA and FL reviews
55
What should examiners consider when reviewing the CMS? (4)
The quality of the CMS (degree management is proactive and can assure compliance with regs)
If CMS is effective at facilitating compliance
identify CMS deficiencies and areas with great consumer harm risk.
Determine transaction testing areas.
56
What materials should be reviewed at minimum to determine the adequacy of Policies and Procedures? (4)
Bank risk profile (business strategy, product offerings, branches, third party relationships)
Policies and Procedures
Board and Committee minutes
Examiner notes from management discussions
57
What materials should be reviewed at minimum to determine the adequacy of Board and Management Oversight? (9)
Bank Risk profile
Prior Exam reports
Meeting minutes
New/amended policies or procedures
FDIC internal resources and CRC reports
Management responses to findings (exam, monitoring, audits)
Third party agreements
Org Charts
Examiner Notes
58
Policies and Procedures should cover what areas at minimum? (10)
Compliance Policy
Lending
Deposits
Electronic Banking
Privacy
NDIP
Branch Closing
TILA
FCRA
Overdraft
59
What should be in a Compliance Policy?
Guidance on daily compliance activities
Authority and responsibilities of CO, Committees, and employees
60
What bank's are required to maintain a Branch Closing policy?
Every bank with one or more branch locations.
61
What are the Six areas that require written policies and procedures?
Branch Closing
EFT Remittance Transfers
TILA
FCRA
Safe Act
NDIP
62
Are overdraft policies required?
No, but banks providing ODP are recommended to adopt written policies and procedures adequate to address the credit, operational, and other risks.
63
Under what circumstances are examiners not required to review a policy or procedure? (3)
policy reviewed LX w/ no deficiencies
no changes or amendments since LX
No significant regulatory or operational changes since LX.
64
What materials should be reviewed to determine the adequacy of training? (3)
Training Risk profile
Compliance training documentation
Examiner notes
65
What materials should be reviewed to determine the adequacy of Monitoring? (5)
Monitoring Risk profile
Related policies and procedures
Monitoring documentation
Reports with findings, corrective action, and follow-up
Examiner notes
66
What materials should be reviewed to determine the adequacy of Audit? (7)
Audit Risk profile
Audit policy, audit agreement/audit guidelines
Audit reports, responses, Follow-up
Audit workpapers
Org Chart
Board & committee minutes
Examiner notes
67
True or false: Request Fair Lending self-testing reports .
False: Do not request this; however, if a bank voluntarily provides it then review the findings as part of the FL review.
68
True or false: A financial institution’s audit or review of loan files, internal policies, and training material may indicate difference in the treatment of applicants that could constitute a violation of the fair lending laws.
True
69
What materials should examiners review to determine the adequacy of Complaint response? (5)
Complaint risk profile
Complaint policies/procedures
Complaint files (internal FDIC and external)
Board & committee minutes
Examiner Notes
70
True or false:
In certain cases management’s admission that a violation occurred is sufficient to warrant a citation without transaction testing.
True
71
When should you consult with regional or field office management?
If an unusual issue or problem is identified.
72
When should you and regional office or management staff consult with Washington SMEs? (3)
When findings, issues, or potential violations require guidance with respect to new regulations, or involve emerging/sensitive policy concerns.
Areas with high sensitivity/high impact.
For actions that require approval or concurrence or formal documentation under DCP policy/Authority.
73
What should be done if an examiner's recommendation is inconsistent with the outcome from a consultation?
Examiner and review examiner ensure language in the ROE is consistent with the final outcome.
74
When is a Board meeting required post-exam?
Identified significant problems that required consultations
Enforcement action
Compliance rating 3,4,5
Needs to Improve CRA or lower
meeting requested
75
When is a Board meeting not required?
Visitations
Complaint investigations
on-site reviews
76
What is a transmittal letter?
Accompanies ROE to Board, and requires follow- up on the exam with the regional office, to:
Address MRBA
Develop violation corrective action
send letter RO detailing corrective action for violations/MRBAs
77
True or false: The consumer compliance rating does not reflect the effectiveness of a banks CMS to ensure compliance with laws and regulations and reduce the risk of consumer harm.
False
78
What are the rating adjectives for a CMS in the ROE?
1 - Strong CMS
2 - Satisfactory CMS
3 - Deficient CMS
4 - Seriously deficient CMS
5 - Critically deficient
79
What are the Rating assessment factors for Board and Management oversite? (4)
Oversight and commitment to the CMS
Effectiveness of bank's change management processes
comprehension, identification, and management of risks from products, services or activities.
Self-identification and correction of issues.
80
What are the Rating assessment factors for the Compliance Program? (4)
policies and procedures appropriate for risks in products, services, activities
degree training is current and tailed to risk and staff
sufficiency of monitoring/audit to encompass compliance risk
responsiveness and effectiveness of consumer complaint resolution.
81
True or false: the root cause of a violation analyzes the degree to which weaknesses in the CMS gave rise to the violation.
True. The root cause is often ties to one or more weaknesses in the CMS.
82
What are the strongest types of compliance programs?
Ones that are proactive. They promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner.
83
True or false: Self-identification and prompt corrective action reflect strengths in a CMS.
True: a robust CMS appropriate for the size, complexity, and risk profile of a bank's business often will prevent violations or detect potential violations early on.
84
Which presents greater supervisory concern?
serious weaknesses in the policies and procedures or audit program of the mortgage department at a
mortgage lender
same gaps at an institution that makes very few
mortgage loans and strictly as an accommodation.
the first one, greater weight should apply to the bank's management of material products with significant potential consumer compliance risk.
85
True or false: A bank may not receive a less than satisfactory rating if no violations were identified.
False, a bank can receive a less than satisfactory rating with no violations based on deficiencies or weaknesses in the CMS.
86
What are the four basic elements of an effective third-party risk management system?
Risk assessment
Due diligence in selecting a third-party
Contract structuring and review
Oversight/ Ongoing monitoring
87
What makes a third party relationship significant? (7)
New relationship or implements new banking activities
has material affect on bank revenues or expenses
performs critical functions
stores, accesses, transmits, or performs transactions on sensitive customer info
markets bank products or services
provides or performs subprime lending or card payment transactions.
poses risks that could significantly impact earnings or capital.
88
What is the focus of a third party review?
validating management's record and process of identifying, monitoring, and controlling risks associated with the use of the third party.
89
True or false: The FDIC does not evaluate activities conducted through third-party relationships as though the activities were performed by the bank itself.
False. The Board is ultimately responsible for managing activities conducted through third parties.
90
True or False: Indemnity agreements with third-parties insulate the bank from responsibility
False. It helps to mitigate risk, but the agreements do not insulate the bank for its ultimate responsibility to be safe and sound and in compliance.
91
What is the definition of a third party?
All entities that have entered into a business relationship with the financial institution, whether the third party is a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, or domestic or foreign.
92
What types of risk arise from third-party relationships? (7)
Strategic risk
Reputation risk
Operational risk
Transaction risk
Credit risk
Compliance risk
Other risks
93
What is Operational risk?
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Third-party relationships often integrate the internal processes of other organizations with the bank’s processes and can increase the overall operational complexity.
94
What is Transaction risk?
Transaction risk is the risk arising from problems with service or product delivery.
Ex: failure to perform as expected such as inadequate capacity, technological failure, human error, or fraud. The lack of an effective business resumption plan and appropriate contingency plans. Weak control over technology used resulting in threats to security and the integrity of systems and resources.
95
What is Credit risk?
Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed.
Ex: Financial condition of the third party, third-party that markets or is involved in the lending process.
96
What would mitigate credit risk?
Appropriate monitoring of third-party activities to ensure credit risk is understood and remains within Board approved limits.
97
What is Compliance risk?
Compliance risk is the risk arising from violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or with the institution’s business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies, or ethical standards.
Ex: marketing that violates ECOA or the FACT act.
98
What are some other risks associated with third parties that are less common? (5)
liquidity, interest rate, price, foreign currency translation, and country risks.
99
What should be included in a third-party risk assessment process?
Ensure relationship is consistent with bank's strategic plan.
Risk/Reward analysis for having the relationship vs. conducting activities at the bank
Reviewed by the Board or Committee.
Identify performance criteria, internal controls, reporting needs, and contract requirements for ongoing assessment and control of risks.
Ability to provide ongoing oversight.
Ensure CMS is adapted to effectively address relationship
Estimating long term financial impact of relationship
100
What should be included for due diligence in selecting a third party?
Identifying risks and internal controls at start of a relationship and periodically during course (contract renewal)
Review of all info about the third party focusing on financial condition, specific relevant experience, knowledge of laws and regs, reputation, scope and effectiveness of operations and controls.
101
What are the 14 things a bank could review as part of due diligence?
•Audited financial statements, annual reports, SEC filings, and other available financial indicators.
•Significance of the proposed contract on the third party’s financial condition.
•Experience and ability in implementing and monitoring the proposed activity.
•Business reputation.
•Qualifications and experience of the company’s principals.
•Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
•Existence of any significant complaints or litigation, or regulatory actions against the company.
•Ability to perform the proposed functions using current systems or the need to make additional investment.
•Use of other parties or subcontractors by the third party.
•Scope of internal controls, systems and data security, privacy protections, and audit coverage.
•Business resumption strategy and contingency plans.
•Knowledge of relevant consumer protection and civil rights laws and regulations.
•Adequacy of management information systems.
•Insurance coverage.
102
What should be included as part of contract structure and review of third-parties? (4)
Board approval of contract
Review of contract by legal counsel
Prohibit assignment, transfer, or subcontracting of third party to other vendors unless approved by the bank.
Pay structure/cost or compensation for the relationship
103
Name 5 topics that should be considered for including in the Scope of a third party contract?
•Timeframe covered by the contract.
•Frequency, format, and specifications of the service or product to be provided.
•Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service.
•Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance.
•Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations.
•Identification of which party will be responsible for delivering any required customer disclosures.
•Insurance coverage to be maintained by the third party.
•Terms relating to any use of bank premises, equipment, or employees.
•Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements.
•Authorization for the institution to monitor and periodically review the third party for compliance with its agreement.
•Indemnification.
104
Name 2 compensation programs with third-parties that would elevate risk?
Programs that encourage steering consumers to higher cost products.
Volume and Short-term compensation incentives.
105
What areas should be included in a contract? (12)
Scope
Cost/Compensation
Performance Standards
Management information Reports
Audit
Confidentiality and security agreement
Consumer complaints
Business resumption and contingency plans
Default and Termination
Ownership and license
Indemnification
Limits on liability
106
True or false: The existence of indemnification provisions in a contract will not be a mitigating factor where deficiencies indicate the need to seek corrective actions.
True - Where violations are present, the FDICs consideration of remedial measures or enforcement actions will be made regardless of indemnification clauses.
107
What should be reviewed as part of third-party oversight?
Annual board or committee review/approval of third-party agreements, operations, and risks
Maintain an adequate CMS
Staff to monitor significant relationships
Monitoring of third party quality of service, risk management, financial condition, and applicable controls and reports
108
Name 5 things that should be included in third party monitoring? (15 total)
-Relationship effectiveness and alignment with strategic goals
-Legal review
-Annual financial review (audited financial statements)
-Insurance coverage
-Audit reports
-Policies, Procedures, internal controls
-compliance with laws and regs
-Business resumption & contingency plans
-changes in key personelle
-performance reports
-training of bank and third party
-testing programs for relationships w/ direct contact with customers
-Consumer complaint response
-Meet with reps from the third party to discuss performance or other areas of risk.
-Proper documentation of monitoring, oversight, contracts, business plans, risk analyses, and due diligence.
