Compliance Management System (CMS) Flashcards
What are the 3 types of supervisory activities/strategies conducted by the FDIC?
Examinations, visitations, and investigations.
Purpose of a visitation?
Targeted event aimed at specific operational areas, or entire compliance management systems previously identified as significantly deficient.
Purpose of an investigation?
Conducted to follow up on specific consumer inquiries or complaints, including fair lending complaints.
Purpose of examination? (3)
- assess the quality of an FDIC-supervised institution’s CMS for implementing federal consumer protection statutes and regulations;
- review compliance with relevant laws and regulations; and
- initiate effective supervisory action when elements of an institution’s CMS are deficient and/or when violations of law are found.
What does risk-focusing involve? (3)
Developing a compliance risk profile for a bank using Products, Services, or Regulations (PSRs), and the bank’s organizational structure, operations, and past performance.
Assessing quality of CMS in light of inherent risks from the level and complexity of business operations, products, and services.
Transaction testing based on residual risk.
What is reviewed under Board and Management oversight? (7)
Commitment and oversight of CMS.
Third party due diligence
Change management
Due diligence from product or service changes (pre and post)
Comprehension and identification of compliance risks including emerging risks in the bank’s products, services, etc.
Management of risk (self-assessments)
Identification and responsiveness to CMS deficiencies, violations, and remediation.
What is reviewed under the compliance program?
Policies and procedures
Third-party management
Monitoring & audit
Consumer complaint response.
What should be considered when evaluating a bank’s CMS?
The size and level of complexity of the bank.
A bank is not required to have all elements of a CMS. Conclusions about the adequacy of a bank’s CMS must be based on the effectiveness of those elements that are in place, taken as a whole, for that bank’s particular operations.
What is the purpose of the ROE?
The Report of Examination provides an account of the strengths and weaknesses of a CMS to the Board.
What is Supervisory Guidance?
Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area.
What is Consumer Harm?
Actual or potential injury or loss to a consumer, whether such injury or loss is economically quantifiable (ex: overcharge) or non-quantifiable (ex: discouragement). May be caused by activities conducted through a third party.
What is quantifiable harm?
Economic harm to a consumer where the injury or loss can be measured.
What type of consumer harm is this?
Deceptive marketing practices that entice a consumer to purchase a product without having accurate information regarding the benefits, costs, or terms of the product, in violation of Section 5 of the Federal Trade Commission Act.
Quantifiable Harm
What type of consumer harm is this?
Bank employs a pricing structure that allows significant discretion, without effective monitoring or controls, resulting in a protected class of borrowers being charged higher prices on average than similarly situated non-protected borrowers, in violation of the Equal Credit Opportunity Act.
Quantifiable harm
What is non-quantifiable harm?
Injury or loss to the consumer that cannot be measured, or is very difficult to measure, yet the consumer may suffer some form of economic or other harm.
What type of consumer harm is this?
Financial institution unfairly denies the consumer credit or discourages an application on a prohibited basis, in violation of the Equal Credit Opportunity Act.
Non-quantifiable harm
Consumer was injured economically; however, calculating the monetary value for the injury would be challenging.
What type of consumer harm is this?
Unlawful requirements on consumers before the bank is willing to consider the consumers’ billing disputes or requirements that are not accurately divulged in the bank’s error resolution disclosures.
Non-quantifiable harm
The practice could discourage a customer from filing a dispute, but would be difficult to identify or quantify.
What is potential harm?
Involves financial institution activities (or failure to take action) that create the possibility that a consumer may be harmed.
What type of harm is this?
Violation of the regulations that implement the National Flood Insurance Act of 1968 where the financial institution failed to require flood insurance on a residence at loan closing.
Potential harm
The consumer has not suffered actual loss but is exposed to potential economic loss should a flood occur.
What is the supervisory approach to consumer harm?
Identifying, addressing, and preventing consumer harm.
How do examiners identify consumer harm?
Identification of inherent risk that may occur in a bank’s business activities.
What is inherent risk?
Example?
Compliance risk associated with product and service offerings, practices, or other activities that could directly or indirectly result in significant consumer harm or noncompliance with rules or regulations, if no other controls or mitigating factors were in place.
Ex: new loan product, change in deposit account terms, presence of third party relationships.
How do examiners address consumer harm?
When inherent risks are identified, examiners will ensure the bank takes appropriate action to address or mitigate the risks.
How do examiners prevent consumer harm?
Example?
Mitigating factors are the strength of the CMS to mitigate inherent risk.
Ex: strong management controls, effective training, ongoing monitoring efforts.
What is residual risk?
Risk exposure that remains after identifying the level of inherent risk and factoring in the strength of the mitigating factors that control that risk.
What is the risk scoping formula?
inherent risk - mitigating factors = residual risk
What is the level of risk in this scenario?
A bank introduces a new overdraft program with no due diligence, no monitoring or auditing, and numerous customer inquiries.
High-risk product without effective CMS elements to mitigate inherent risk, thus a high level of residual risk remains.
Inherent risk: High
Mitigants: None
Residual risk: High
What should be communicated when a violation is identified? (3)
Severity, extent, and actual or potential consumer harm caused by the violation.
What should a bank consider when taking appropriate corrective action?
Overall effectiveness of the CMS, root cause of deficiencies, and extent or impact of consumer harm.
Why is communication and technical assistance provided by the FDIC a key component of preventing consumer harm?
Communicating the focus of FDIC examination efforts and supervisory priorities through diverse channels assists bankers in identifying and reviewing key areas of concern and addressing deficiencies promptly, prior to and unrelated to a specific examination activity.
In addition, examiners can provide certain types of technical assistance to community bankers during the course of an examination that may enable an institution to reduce the risk of consumer harm in the operation of its business.
What is an effective CMS commonly comprised of?
Board and Management oversight
Compliance Program
Who is ultimately responsible for developing and administering a CMS?
The Board
Examples of Effective Board and Management oversight? (8)
- demonstrating clear and unequivocal expectations about consumer compliance, not only within the institution, but also to third-party providers;
- adopting clear policy statements;
- appointing a compliance officer with authority and accountability;
- allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations;
- anticipating and evaluating changes in the institution’s operating environment and implementing responses across impacted lines of business;
- identifying compliance risk in the institution’s products, services, and other activities, and responding to deficiencies and violations;
- conducting periodic compliance audits; and
- providing for recurrent reports by the compliance officer to the Board.
Compliance officers need authority and independence to do what? (3)
- cross departmental lines;
- have access to all areas of the institution’s operations; and
- effect corrective action.
What are a compliance officer’s general responsibilities regardless of bank size or complexity? (7)
- developing compliance policies and procedures;
- training management and employees in consumer protection laws and regulations;
- reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures;
- assessing emerging issues or potential liabilities;
- coordinating responses to consumer complaints;
- reporting compliance activities and audit/review findings to the Board; and
- ensuring that corrective actions are implemented in a timely fashion and are effective at preventing recurrence.
True or false: Board and Management are not responsible for identifying and controlling compliance risks arising from third-party relationships.
False
Board and Management are responsible to the same extent as if the third-party activity were handled within the institution.
What is included in an effective compliance risk management process for third-parties? (5)
risk assessments
due diligence in selecting provider
appropriate contract structuring and review
sufficient oversight of third-party activities
adequate quality control over products or services provided.
What are the components of a compliance program?
Policies and Procedures
Training
Monitoring/Audit
Consumer Complaint response
Why is a formal, written compliance program important? (4)
Planned, organized effort to guide compliance activities
Training and reference tool
Sound business step
Will prevent or reduce regulatory violations
True or false: a compliance program is dynamic.
True. A compliance program should be constantly amended to focus resources where they are needed most, based on risk.
Is a written compliance program required?
No. However, the program’s effectiveness is more important than its formality.
What do effective policies and procedures include? (4)
Examples?
Goals and Objectives
Procedures for meeting goals and objectives
Information needed to perform a business transaction
Written and reviewed/updated as business, regulatory, or environmental changes occur.
Ex: regulation cites, definitions, sample forms with instructions, institution policy, directions for routing, reviewing, and retaining/destroying transaction documents.
What does effective training include? (4)
Training for all staff, management, and Board (third parties as applicable) relevant to their jobs
Regular training schedule
Periodic assessment of employee knowledge and comprehension
Training content that is frequently updated and accurate on the bank’s products, services, and business operations, as well as laws and regulations, policies and procedures, and emerging issues.