Compliance Management System (CMS) Flashcards

Question 1

Q

What are the 3 types of supervisory activities/ strategies conducted by the FDIC?

Answer

A

Examinations, visitations, and investigations.

Question 2

Q

Purpose of a visitation?

Answer

A

Targeted event aimed at specific operational areas, or entire compliance management systems previously identified as significantly deficient.

Question 3

Q

Purpose of an investigation?

Answer

A

Conducted to follow-up on specific consumer inquiries or complaints, including fair lending complaints.

Question 4

Q

Purpose of examination? (3)

Answer

A

• assess the quality of an FDIC-supervised institution’s CMS for implementing federal consumer protection statutes and regulations;

• review compliance with relevant laws and regulations; and

• initiate effective supervisory action when elements of an institution’s CMS are deficient and/or when violations of law are found.

Question 5

Q

What does risk-focusing involve? (3)

Answer

A

Developing a compliance risk profile for a bank using Products, Services, or Regulations (PSRs), and the bank’s organizational structure, operations, and past performance.

Assessing quality of CMS in light of inherent risks from the level and complexity of business operations, products, and services.

Transaction testing based on residual risk.

Question 6

Q

What is reviewed under Board and Management oversight? (7)

Answer

A

Commitment and oversight of CMS.

Third party due diligence

Change management

Due diligence from product or service changes (pre and post)

Comprehension and identification of compliance risks including emerging risks in the bank’s products, services, etc.

Management of risk (self-assessments)

Identification and responsiveness to CMS deficiencies, violations, and remediation.

Question 7

Q

What is reviewed under the compliance program?

Answer

A

Policies and procedures
Third-party management
Monitoring & audit
Consumer complaint response.

Question 8

Q

What should be considered when evaluating a bank’s CMS?

Answer

A

The size, level complexity of the bank.

A bank is not required to have all elements of a CMS. Conclusions about the adequacy of a bank’s CMS must be based on the
effectiveness of those elements that are in place, taken as a whole, for that bank’s particular operations.

Question 9

Q

What is the purpose of the ROE?

Answer

A

The Report of Examination
provides an account of the strengths and weaknesses of a CMS to the Board.

Question 10

Q

What is Supervisory Guidance?

Answer

A

Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate
practices for a given subject area.

Question 11

Q

What is Consumer Harm?

Answer

A

Actual or Potential injury or loss to a consumer whether such injury or loss is economically quantifiable (ex: overcharge) or non-quantifiable (ex: discouragement). May be caused by activities through a third-party.

Question 12

Q

What is quantifiable harm?

Answer

A

Economic harm to a consumer where the injury or loss can be measured.

Question 13

Q

What type of consumer harm is this?

Deceptive marketing
practices that entices a consumer to purchase a product without having accurate information regarding the benefits,
costs, or terms of the product in violation of Section 5 of the Federal Trade Commission Act.

Answer

A

Quantifiable Harm

Question 14

Q

What type of consumer harm is this?

Bank employs a pricing structure that allows significant discretion, without effective monitoring or controls, resulting in a protected class of borrowers being charged higher prices on average than similarly situated non-protected borrowers in violation of the Equal Credit Opportunity Act

Answer

A

Quantifiable harm

Question 15

Q

What is non-quantifiable harm?

Answer

A

Injury or loss to the consumer that cannot be measured, or is very difficult to measure, yet the consumer may suffer some form of economic or other harm.

Question 16

Q

What type of consumer harm is this?

Financial institution unfairly denies the consumer
credit or discourages an application on a prohibited basis in violation of the Equal Credit Opportunity Act

Answer

A

Non-quantifiable harm

Consumer was injured economically; however, calculating the monetary value for the injury would be challenging.

Question 17

Q

What type of consumer harm is this?

Unlawful requirements on consumers before the bank is willing to consider the consumers’ billing disputes or requirements that are not accurately divulged in the bank’s error resolution disclosures.

Answer

A

Non-quantifiable harm

The practice could discourage a customer from filing a dispute, but would be difficult to identify or quantify.

Question 18

Q

What is potential harm?

Answer

A

Involves financial institution activities (or failure to take action) that create the possibility that a consumer may be harmed.

Question 19

Q

What type of harm is this?

Violation of the regulations that implement the National Flood Insurance Act of 1968 where the financial institution failed to require flood insurance on a residence at loan closing.

Answer

A

Potential harm

The consumer has not suffered actual loss but is exposed to potential economic loss should a flood occur.

Question 20

Q

What is the supervisory approach to consumer harm?

Answer

A

Identifying, addressing, and preventing consumer harm.

Question 21

Q

How to examiners identify consumer harm?

Answer

A

Identification of inherent risk that may occur in a bank’s business activities.

Question 22

Q

What is inherent risk?

Example?

Answer

A

Compliance risk associated with product and service offerings, practices, or other activities that could directly or indirectly result in significant consumer harm or noncompliance with rule or regulations, if no other controls or mitigating factors were in place.

Ex: new loan product, change in deposit account terms, presence of third party relationships.

Question 23

Q

How do examiners address consumer harm?

Answer

A

When inherent risks are identified, examiners will ensure the bank takes appropriate action to address or mitigate the risks.

Question 24

Q

How do examiner’s prevent consumer harm?

Example?

Answer

A

Mitigating factors are the strength of the CMS to mitigate inherent risk.

Ex: Strong management controls, effective training, on-going monitoring efforts.

Question 25

Q

What is residual risk?

Answer

A

Risk exposure that remains after identifying the level of inherent risk and factoring in the strength of the mitigating factors that control that risk.

Question 26

Q

What is the risk scoping formula?

Answer

A

inherent risk - mitigating factors = residual risk

Question 27

Q

What is the level of risk in this scenario?

A bank introduces a new overdraft program with no due diligence, no monitoring or auditing, and numerous customer inquiries.

Answer

A

High risk product without effective CMS elements to mitigate inherent risk, thus high level of residual risk remains.

Inherent risk High
No Mitigants
Residual Risk High

Question 28

Q

What should be communicated when an violation is identified? (3)

Answer

A

Severity, extent, and actual or potential consumer harm caused by the violation.

Question 29

Q

What should a bank consider when taking appropriate corrective action?

Answer

A

Overall effectiveness of the CMS, root cause of deficiencies, and extent or impact of consumer harm.

Question 30

Q

Why is communication and technical assistance provided by the FDIC a key component of preventing consumer harm?

Answer

A

Communicating the focus of FDIC examination efforts and supervisory priorities through diverse channels assists bankers in identifying and reviewing key areas of concern and addressing deficiencies promptly, prior to and unrelated to a specific
examination activity.

In addition, examiners can provide certain types of technical assistance to community bankers
during the course of an examination that may enable an institution to reduce the risk of consumer harm in the operation of its business.

Question 31

Q

What is an effective CMS commonly comprised of?

Answer

A

Board and Management oversight

Compliance Program

Question 32

Q

Who is ultimately responsible for developing and administering a CMS?

Answer

A

The Board

Question 33

Q

Examples of Effective Board and Management oversight? (8)

Answer

A

• demonstrating clear and unequivocal expectations about consumer compliance, not only within the institution, but also to third-party providers;
• adopting clear policy statements;
• appointing a compliance officer with authority and accountability;
• allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations;
• anticipating and evaluating changes in the institution’s operating environment and implementing responses across impacted lines of business;
• identifying compliance risk in the institution’s products, services, and other activities, and responding to deficiencies and violations;
• conducting periodic compliance audits; and
• providing for recurrent reports by the compliance officer to the Board.

Question 34

Q

Compliance officers need authority and independence to do what? (3)

Answer

A

• cross departmental lines;
• have access to all areas of the institution’s operations; and
• effect corrective action.

Question 35

Q

What are a compliance officer’s general responsibilities regardless of bank size or complexity? (7)

Answer

A

• developing compliance policies and procedures;
• training management and employees in consumer protection laws and regulations;
• reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures;
• assessing emerging issues or potential liabilities;
• coordinating responses to consumer complaints;
• reporting compliance activities and audit/review findings to the Board; and
• ensuring that corrective actions are implemented in a timely fashion and are effective at preventing recurrence.

Question 36

Q

True or false: Board and Management are not responsible for identifying and controlling compliance risks arising from third-party relationships?

Answer

A

False

Board and Management is responsible to the same extent as if the third-party activity was handled within the institution.

Question 37

Q

What is included in an effective compliance risk management process for third-parties? (5)

Answer

A

risk assessments
due diligence in selecting provider
appropriate contract structuring and review
sufficient oversight of third-party activities
adequate quality control over products or services provided.

Question 38

Q

What are the components of a compliance program?

Answer

A

Policies and Procedures
Training
Monitoring/Audit
Consumer Complaint response

Question 39

Q

Why is a formal, written compliance program important? (4)

Answer

A

Planned organized effort to guide compliance activities

training and reference tool

sound business step

will prevent or reduce regulatory violations

Question 40

Q

true or false: a compliance program is dynamic?

Answer

A

true. A compliance program should be constantly amended to focus resources where they are needed most based on risk.

Question 41

Q

Is a written compliance program required?

Answer

A

No. However the programs effectiveness is more important than its formality.

Question 42

Q

What do effective policies and procedures include? (4)

examples?

Answer

A

Goals and Objectives
Procedures for meeting goals and objectives
Information needed to perform a business transaction
Written and reviewed/updated as business, regulatory, or environmental changes occur.

Ex: regulation cites, definitions, sample forms w/ instructions, institution policy, directions for routing, reviewing and retaining/destroying transaction docs.

Question 43

Q

What does effective training include? (4)

Answer

A

training to all staff, management, and Board (third parties as applicable) relevant to their jobs

regular training schedule

periodic assessment of employee knowledge and comprehension

training content that is frequently updated and accurate on products, services, and business operations of the bank. As well as, laws and regulations, policies and procedures, and emerging issues.

Question 44

Q

What is monitoring?

Answer

A

A proactive approach by the bank to identify procedural or training weaknesses in an effort to preclude regulatory violations.

Question 45

Q

What is an audit?

Answer

A

Independent assessment and validation of a bank’s system of internal controls, operations, and compliance risk management framework. Complements a monitoring system.

Question 46

Q

True or false: If an institution has strong monitoring but no audit, all risks are appropriately mitigated.

Answer

A

False - audit and monitoring each play an important but different role in supporting a strong CMS.

Question 47

Q

Effective monitoring includes regularly scheduled reviews of what? (7)

Answer

A

• disclosures and calculations for various product offerings;
• document filing and retention procedures;
• posted notices, marketing literature, and advertising;
• various state usury and consumer protection laws and regulations;
• third-party service provider operations; and
• internal compliance communication systems that update and revise the applicable laws and regulations to management and staff.

transaction level reviews are also helpful.

Question 48

Q

Who determines the scope and frequency of audits?

Answer

A

The Board

Question 49

Q

What should be considered when determining the scope and frequency of an audit? (12)

Answer

A

• expertise and experience of various institution personnel;
• organization and staffing of the compliance function;
• volume of transactions;
• complexity of products offered;
• number and type of consumer complaints received;
• number and type of branches;
• acquisition or opening of additional branch(es);
• size of the institution;
• organizational structure of the institution;
• outsourcing of functions to third-party service providers, including a review of agreements signed or made between the institution and vendors;
• degree to which policies and procedures are defined and detailed in writing; and
• magnitude/frequency of changes to any of the above.

Question 50

Q

True or false: Audit findings should be reported directly to the Board?

Answer

A

False: findings should be reported to the Boar OR to a Board level committee.

Question 51

Q

Audit report should include? (4)

Answer

A

• scope of the audit (including departments, branches, product types and third-party relationships reviewed);
• deficiencies or modifications identified;
• number of transactions sampled by category of product type; and
• descriptions of, or suggestions for, corrective actions and time frames for correction.

Question 52

Q

What does effective complaint response include? (3)

Answer

A

-prompt complaint response

-established procedures for addressing complaints and individuals responsible for handling responses

-compliance officer is aware of complaints received and ensures action is taken to correct any deficiencies complaints are monitored including those from third parties.

Question 53

Q

What is the purpose of the entrance meeting?

Answer

A

Facilitate discussion of various admin items and the scope of the exam.

Question 54

Q

What is discussed during the entrance meeting? (10)

Answer

A

Overview of exam (PEP info and impact on SCOPE)

FDIC examiners

Length of Exam

EIC availability to discuss exam issues or FDIC policy

Primary contacts for exam issues

Issues identified during PEP, areas with significant risk that will receive close attention

PEP materials requested but not received

Exit meeting procedures

Date of next Board Meeting

CRA and FL reviews

Question 55

Q

What should examiners consider when reviewing the CMS? (4)

Answer

A

The quality of the CMS (degree management is proactive and can assure compliance with regs)

If CMS is effective at facilitating compliance

identify CMS deficiencies and areas with great consumer harm risk.

Determine transaction testing areas.

Question 56

Q

What materials should be reviewed at minimum to determine the adequacy of Policies and Procedures? (4)

Answer

A

Bank risk profile (business strategy, product offerings, branches, third party relationships)

Policies and Procedures

Board and Committee minutes

Examiner notes from management discussions

Question 57

Q

What materials should be reviewed at minimum to determine the adequacy of Board and Management Oversight? (9)

Answer

A

Bank Risk profile
Prior Exam reports
Meeting minutes
New/amended policies or procedures
FDIC internal resources and CRC reports
Management responses to findings (exam, monitoring, audits)
Third party agreements
Org Charts
Examiner Notes

Question 58

Q

Policies and Procedures should cover what areas at minimum? (10)

Answer

A

Compliance Policy
Lending
Deposits
Electronic Banking
Privacy
NDIP
Branch Closing
TILA
FCRA
Overdraft

Question 59

Q

What should be in a Compliance Policy?

Answer

A

Guidance on daily compliance activities

Authority and responsibilities of CO, Committees, and employees

Question 60

Q

What bank’s are required to maintain a Branch Closing policy?

Answer

A

Every bank with one or more branch locations.

Question 61

Q

What are the Six areas that require written policies and procedures?

Answer

A

Branch Closing
EFT Remittance Transfers
TILA
FCRA
Safe Act
NDIP

Question 62

Q

Are overdraft policies required?

Answer

A

No, but banks providing ODP are recommended to adopt written policies and procedures adequate to address the credit, operational, and other risks.

Question 63

Q

Under what circumstances are examiners not required to review a policy or procedure? (3)

Answer

A

policy reviewed LX w/ no deficiencies
no changes or amendments since LX
No significant regulatory or operational changes since LX.

Question 64

Q

What materials should be reviewed to determine the adequacy of training? (3)

Answer

A

Training Risk profile
Compliance training documentation
Examiner notes

Answer 65

A

Monitoring Risk profile

Related policies and procedures

Monitoring documentation

Reports with findings, corrective action, and follow-up

Examiner notes

Answer 66

A

Audit Risk profile

Audit policy, audit agreement/audit guidelines

Audit reports, responses, Follow-up

Audit workpapers

Org Chart

Board & committee minutes

Examiner notes

Answer 67

A

False: Do not request this; however, if a bank voluntarily provides it then review the findings as part of the FL review.

Answer 68

A

Complaint risk profile
Complaint policies/procedures
Complaint files (internal FDIC and external)
Board & committee minutes
Examiner Notes

Answer 69

A

If an unusual issue or problem is identified.

Answer 70

A

When findings, issues, or potential violations require guidance with respect to new regulations, or involve emerging/sensitive policy concerns.

Areas with high sensitivity/high impact.

For actions that require approval or concurrence or formal documentation under DCP policy/Authority.

Answer 71

A

Examiner and review examiner ensure language in the ROE is consistent with the final outcome.

Answer 72

A

Identified significant problems that required consultations

Enforcement action

Compliance rating 3,4,5

Needs to Improve CRA or lower

meeting requested

Answer 73

A

Visitations
Complaint investigations
on-site reviews

Answer 74

A

Accompanies ROE to Board, and requires follow- up on the exam with the regional office, to:

Address MRBA
Develop violation corrective action
send letter RO detailing corrective action for violations/MRBAs

Answer 75

A

1 - Strong CMS
2 - Satisfactory CMS
3 - Deficient CMS
4 - Seriously deficient CMS
5 - Critically deficient

Answer 76

A

Oversight and commitment to the CMS

Effectiveness of bank’s change management processes

comprehension, identification, and management of risks from products, services or activities.

Self-identification and correction of issues.

Answer 77

A

policies and procedures appropriate for risks in products, services, activities

degree training is current and tailed to risk and staff

sufficiency of monitoring/audit to encompass compliance risk

responsiveness and effectiveness of consumer complaint resolution.

Answer 78

A

True. The root cause is often ties to one or more weaknesses in the CMS.

Answer 79

A

Ones that are proactive. They promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner.

Answer 80

A

True: a robust CMS appropriate for the size, complexity, and risk profile of a bank’s business often will prevent violations or detect potential violations early on.

Answer 81

A

the first one, greater weight should apply to the bank’s management of material products with significant potential consumer compliance risk.

Answer 82

A

False, a bank can receive a less than satisfactory rating with no violations based on deficiencies or weaknesses in the CMS.

Answer 83

A

Risk assessment
Due diligence in selecting a third-party
Contract structuring and review
Oversight/ Ongoing monitoring

Answer 84

A

New relationship or implements new banking activities

has material affect on bank revenues or expenses

performs critical functions

stores, accesses, transmits, or performs transactions on sensitive customer info

markets bank products or services

provides or performs subprime lending or card payment transactions.

poses risks that could significantly impact earnings or capital.

Answer 85

A

validating management’s record and process of identifying, monitoring, and controlling risks associated with the use of the third party.

Answer 86

A

False. The Board is ultimately responsible for managing activities conducted through third parties.

Answer 87

A

False. It helps to mitigate risk, but the agreements do not insulate the bank for its ultimate responsibility to be safe and sound and in compliance.

Answer 88

A

All entities that have entered into a business relationship with the financial institution, whether the third party is a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, or domestic or foreign.

Answer 89

A

Strategic risk
Reputation risk
Operational risk
Transaction risk
Credit risk
Compliance risk
Other risks

Answer 90

A

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Third-party relationships often integrate the internal processes of other organizations with the bank’s processes and can increase the overall operational complexity.

Answer 91

A

Transaction risk is the risk arising from problems with service or product delivery.

Ex: failure to perform as expected such as inadequate capacity, technological failure, human error, or fraud. The lack of an effective business resumption plan and appropriate contingency plans. Weak control over technology used resulting in threats to security and the integrity of systems and resources.

Answer 92

A

Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed.

Ex: Financial condition of the third party, third-party that markets or is involved in the lending process.

Answer 93

A

Appropriate monitoring of third-party activities to ensure credit risk is understood and remains within Board approved limits.

Answer 94

A

Compliance risk is the risk arising from violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or with the institution’s business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies, or ethical standards.

Ex: marketing that violates ECOA or the FACT act.

Answer 95

A

liquidity, interest rate, price, foreign currency translation, and country risks.

Answer 96

A

Ensure relationship is consistent with bank’s strategic plan.

Risk/Reward analysis for having the relationship vs. conducting activities at the bank

Reviewed by the Board or Committee.

Identify performance criteria, internal controls, reporting needs, and contract requirements for ongoing assessment and control of risks.

Ability to provide ongoing oversight.

Ensure CMS is adapted to effectively address relationship

Estimating long term financial impact of relationship

Answer 97

A

Identifying risks and internal controls at start of a relationship and periodically during course (contract renewal)

Review of all info about the third party focusing on financial condition, specific relevant experience, knowledge of laws and regs, reputation, scope and effectiveness of operations and controls.

Answer 98

A

•Audited financial statements, annual reports, SEC filings, and other available financial indicators.
•Significance of the proposed contract on the third party’s financial condition.
•Experience and ability in implementing and monitoring the proposed activity.
•Business reputation.
•Qualifications and experience of the company’s principals.
•Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
•Existence of any significant complaints or litigation, or regulatory actions against the company.
•Ability to perform the proposed functions using current systems or the need to make additional investment.
•Use of other parties or subcontractors by the third party.
•Scope of internal controls, systems and data security, privacy protections, and audit coverage.
•Business resumption strategy and contingency plans.
•Knowledge of relevant consumer protection and civil rights laws and regulations.
•Adequacy of management information systems.
•Insurance coverage.

Answer 99

A

Board approval of contract

Review of contract by legal counsel

Prohibit assignment, transfer, or subcontracting of third party to other vendors unless approved by the bank.

Pay structure/cost or compensation for the relationship

Answer 100

A

•Timeframe covered by the contract.
•Frequency, format, and specifications of the service or product to be provided.
•Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service.
•Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance.
•Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations.
•Identification of which party will be responsible for delivering any required customer disclosures.
•Insurance coverage to be maintained by the third party.
•Terms relating to any use of bank premises, equipment, or employees.
•Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements.
•Authorization for the institution to monitor and periodically review the third party for compliance with its agreement.
•Indemnification.

Answer 101

A

Programs that encourage steering consumers to higher cost products.

Volume and Short-term compensation incentives.

Answer 102

A

Scope
Cost/Compensation
Performance Standards
Management information Reports
Audit
Confidentiality and security agreement
Consumer complaints
Business resumption and contingency plans
Default and Termination
Ownership and license
Indemnification
Limits on liability

Answer 103

A

True - Where violations are present, the FDICs consideration of remedial measures or enforcement actions will be made regardless of indemnification clauses.

Answer 104

A

Annual board or committee review/approval of third-party agreements, operations, and risks

Maintain an adequate CMS

Staff to monitor significant relationships

Monitoring of third party quality of service, risk management, financial condition, and applicable controls and reports

Answer 105

A

-Relationship effectiveness and alignment with strategic goals
-Legal review
-Annual financial review (audited financial statements)
-Insurance coverage
-Audit reports
-Policies, Procedures, internal controls
-compliance with laws and regs
-Business resumption & contingency plans
-changes in key personelle
-performance reports
-training of bank and third party
-testing programs for relationships w/ direct contact with customers
-Consumer complaint response
-Meet with reps from the third party to discuss performance or other areas of risk.
-Proper documentation of monitoring, oversight, contracts, business plans, risk analyses, and due diligence.

Brainscape's Knowledge GenomeTM

Compliance Management System (CMS) Flashcards

Brainscape's Knowledge Genome^TM