Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Consumer Compliance Examinations

II-5 Review and Analysis

Chapter Last Updated: October 2025

Introduction

The FDIC’s consumer compliance examination process assesses how well a financial institution manages compliance with federal consumer protection laws and regulations. The review period or scope typically covers bank activities conducted over a discrete period of time from the start date of the prior examination through the start date of the current examination. The review and analysis phase of the consumer compliance examination starts with a top- down, comprehensive evaluation of the compliance management system (CMS) used by the financial institution to identify, monitor, and manage its compliance responsibilities and risks. The procedures outlined below guide the examiner through an assessment of an institution’s CMS and assist the examiner in identifying specific areas of weakness for further analysis. Many procedures listed in this section can be performed at the field office or other location prior to the start of the examination, if materials are available.

Off-Site Review and Analysis

The Examiner-in-Charge (EIC) reviews and analyzes the material gathered from FDIC, third parties, and the institution in response to the Compliance Information and Document Request (CIDR) in order to develop the scope memorandum and plan the examination. This review and analysis should be broad enough to obtain an understanding of the organizational structure of the institution, its related activities, and compliance risks associated with each of its activities.

The review should be used to preliminarily determine whether the institution’s Board of Directors (Board) and management identify, understand, and adequately control the elements of risks facing the financial institution. In general, management and Directors are expected to have a clearly defined system of risk management controls governing the institution’s compliance operations, including those activities conducted by affiliates and third-party vendors. During this review the EIC should consider what types of questions should be asked during the examination to test whether the institution’s written policies and procedures accurately reflect actual operations.

Risk Scope Memorandum

The goal of a risk-focused, process-oriented examination is to direct resources toward areas with higher degrees of risk of consumer harm. To accomplish this goal, the examiner must assess the financial institution’s CMS as it applies to key operational areas and evaluate the risk of non-compliance with applicable laws and regulations. This process is documented by the examiner in a scoping memorandum, the Assessment of Risk of Consumer Harm (ARCH), which is reviewed and approved by the supervisor. The ARCH is developed during the pre-examination planning process and utilizes historical data, information obtained from the interview with the institution, and documents and information submitted by the institution in response to the CIDR. The ARCH describes the focus of the examination, including issues to be investigated and the products, services, or regulations that exhibit inherent risk not sufficiently mitigated by the institution’s CMS. The identified areas with residual risk will be further reviewed or transaction tested during the examination.

During the examination, the EIC should obtain approval for any material changes to the scope of the examination. The EIC describes the changes in a scope amendment that is submitted to the Field Supervisor and all appropriate Supervisory Examiners for review and approval.

The final ARCH should be posted to the System of Uniform Reporting of Compliance and CRA Examinations (FOCUS), making it available to all staff and management during the exam review and for future internal use, especially for the start of the subsequent examination.

Developing a Risk Profile

Every institution has inherent risk based on strategic plans, products and services offered, past supervisory actions, business activity, and other factors. The ARCH will document the identified areas of inherent risk by considering the following:

  • Institution Structure:
    • Significant factors or changes
    • Mergers or acquisitions
    • Significant growth since prior examination
    • De Novo status
  • Supervisory History:
    • Current and past enforcement actions
    • Reimbursement history
    • History of compliance with fair lending laws and regulations
    • Current and prior regulator ratings and supervisory recommendations
    • Consumer-related litigation
    • Consumer complaints
  • Operational Areas - Product/Service/Regulation (PSR) Risk:
    • Major product lines
    • New or revised products/services/regulations
    • Applicable regulations
    • Recent case law
    • Growth in operations
    • Complexity of operations
    • Third party affiliations

Institution Structure: A key component of a financial institution’s risk profile is its structure and business model. An examiner will consider the nature and complexity of, or any changes to, the organizational, management, and ownership structure; business strategy; market areas and customers served; delivery channels; any subsidiaries or affiliates that offer products or services or support operations; branching activities; any unique or niche characteristics; and any significant changes in the institution’s balance sheet composition or income.

Supervisory History: The financial institution’s past consumer compliance performance is an important consideration when developing its risk profile. Historic effectiveness of the CMS, including the results of previous examinations and management’s record of taking corrective measures, will impact its risk profile and ultimately the scope of the examination. The most recent consumer compliance history should be given the most weight. The EIC will be able to locate performance risk information in various areas, including the FDIC’s correspondence and enforcement records for the subject institution. The most recent Risk Management report and workpapers may contain additional information on the institution’s performance risk (e.g., comments regarding institution management).

Operational Areas – PSR Risk: The nature and scope of a financial institution’s activities is a critical consideration in the identification of inherent risk. PSR risks can exist in the following operational areas:

  • Lending
  • Deposits
  • Retail Investment and Insurance Sales
  • Privacy and Consumer Information
  • Advertising, Marketing, and Social Media
  • Debt Collection
  • Third-Party Relationships
  • Other Products
  • Other Regulations or Supervisory Guidance

The institution’s products and services impact the institution’s risk depending upon the financial institution’s size, market share, and portfolio concentration. The complexity of products offered and the associated likelihood of error should be considered. Third-party relationships can present heightened risk, particularly for product delivery, but also for any operation, product, service, or activity provided or conducted by a third party on behalf of the institution. Finally, the institution’s strategic plan for growth and for the introduction of new products or services should also be taken into account.

Regulation risk measures the possible consequences to the institution and its customers of noncompliance with specific regulatory provisions. Regulation risk recognizes that the impact of noncompliance differs depending on the consumer law or regulation. For the public, it is the measurement of relative adverse financial impact or other harm that noncompliance may produce. For the institution, regulation risk is the measurement of legal, and financial harm that noncompliance may produce. For example, the financial harm both to the institution and to consumers associated with violations of the Truth in Lending Act (Regulation Z) requiring reimbursements far exceeds the consequences of an isolated undocumented check hold. The level of regulation risk is affected by such factors as:

  • Potential financial harm to consumers;
  • Potential legal, and financial harm to an institution;
  • New laws, regulations, or amendments thereof; and
  • The amount of transaction activity subject to a specific regulation.

In order to properly assess a financial institution’s risk, the EIC or designee also reviews the following aspects of the CMS, which may or may not mitigate the identified inherent risks:

  • Board and Management Oversight
  • Compliance Program
    • Policies and Procedures
    • Training
    • Monitoring and/or Audit Procedures
    • Complaint Response

Taking into consideration the conclusions drawn in each of the preceding components, and any other pertinent information, the examiner should identify and assess the inherent risk within the institution’s PSRs. When the institution’s inherent risk is not sufficiently mitigated by its CMS, residual risk is present. To develop a risk profile of the institution and set the examination scope, the examiner should keep the risk scoping formula in mind (Inherent Risk– Mitigating Factors =Residual Risk).

The areas with residual risk should be further reviewed or transaction tested during the examination. The result of the EIC’s assessment of risk and the specific issues to be investigated and areas to be targeted with transaction testing should be addressed in the ARCH, which is discussed in the next section.

It is important to remember that one element of a financial institution’s consumer compliance efforts may influence another area. Be aware of relationships and their mutual impact. For example, if the initial review of institution practices identifies a lack of audit of loan denials, the examiner should look to see whether monitoring procedures are in place to mitigate the impact of the lack of audit procedures. The existence of monitoring procedures may lead the examiner to determine that the absence of an audit does not raise the institution’s risk profile. Conversely, if the initial review of institution policies and procedures identifies well-organized, appropriate, and up-to-date written guidelines for deposit compliance management, the examiner should also consider the institution’s record of oversight in this area. If deposit compliance has historically suffered from poor management oversight, then the existence of written procedures should be given less weight when determining the risk profile. It is important to accurately identify inherent risk and weight any mitigating factors that reduce the risk. This process requires the use of sound examiner judgment.

Developing the ARCH

The EIC should begin the risk scoping process by gathering information about the institution from both internal and external sources. The EIC uses information, such as prior consumer compliance and risk management reports of examination, correspondence, and available complaint information, to prepare for the pre-examination planning interview with the institution. Once the pre-examination planning interview is complete and the institution provides responses to the CIDR, the EIC can complete the ARCH. Follow-up contact with institution personnel during pre-examination planning is encouraged, if warranted, to properly determine the most appropriate examination scope.

The ARCH is divided into five sections and begins with an overview of the institution and examination, including current examination information, financial data, and previous examination supervisory comments. Examiners start the risk assessment process by describing the institution's structure and supervisory history in Section 1, followed by an initial assessment of the CMS in Section 2. Examiners identify inherent risks in Section 3 by answering a series of questions about the institution's operations, followed by an analysis of whether each inherent risk is low, mitigated, or results in residual risk of consumer harm. Examiners identify areas that result in residual risk as a PSR that will be reviewed as part of the scope of the examination. The PSRs are summarized in a table in Section 4, where examiners also document additional scope information. Sections 1-4 should be completed and approved by a supervisor or delegated designee prior to the start of the examination. Section 5 should be completed and approved if material changes to the scope of the examination are warranted.

Examiner judgment is a critical aspect of properly evaluating an institution’s risk profile. The ARCH allows examiners to use their judgment to focus and prioritize resources on areas (products, services, or regulations) that present the highest risk of consumer harm. The questions in the ARCH do not cover every potential risk but rather set out a basic framework to assist examiners in assessing and documenting an institution’s risk of consumer harm. Examiners are not limited to these questions and should consider all relevant facts when evaluating the institution’s risk profile.

The ARCH is completed within DCP’s Pre-Examination Planning System and the final, approved ARCH must be uploaded and maintained in FOCUS.

Examination Activities: On-site and Off-site Decisioning:

The FDIC has established standard consumer compliance consideration factors to ensure consistency in local decision-making when determining which examination activities should be completed on-site versus off-site. Each examination will be tailored to the risks identified during the planning process; however, all examinations are expected to have an on-site presence. This risk- focused approach encourages flexibility in application and relies on examiner judgment (in consultation with field management) to conduct the most effective and efficient examination that facilitates examiners assessing institutions’ compliance with consumer protection laws and the Community Reinvestment Act. The appropriate mix of on-site and off-site examination activities will depend upon many factors, including the bank’s business model, risk profile, and complexity; loan file imaging and technological capabilities; institution space/working accommodations; banker feedback; training needs; on-site/off-site plans of RMS and other agencies (CFPB, state authority, etc.), when applicable; ability to collaborate on joint activities; and the need to establish ongoing and effective communication with bank management at each examination, among other considerations. The list below provides a general outline of certain examination activities that can be conducted on-site or off-site. However, examiners should consider the risk profile of the institution and the other factors provided above when determining which activities should be performed on-site versus off-site. When making determinations regarding off-site activities, examiners should further assess the aforementioned factors to decide whether to perform such activities in a field office or virtual environment.

NOTE: The activities listed below are not intended to be all-inclusive, nor is this direction meant to limit or constrain examiner judgment in conducting on-site activities when warranted.

Examiners may perform the following portions of the examination off-site, keeping in mind the risk profile of the institution:

  • Conducting pre-examination planning and scoping activities
  • Completing portions of low-risk fair lending and Home Mortgage Disclosure Act (HMDA) reviews
  • Conducting portions of Community Reinvestment Act (CRA) evaluations, particularly for Small Banks and Intermediate Small Banks
  • Reviewing policies/procedures; Board/committee packages and meeting minutes; risk assessments; and audit reports/workpapers
  • Utilizing Regional Office and Washington Office specialist and Subject Matter Expert resources, including consumer compliance technology specialists, fair lending examination specialists, examination specialists, and other exam team members for out-of-territory exams when their assistance doesn’t require being on-site
  • Reviewing loan files and deposit disclosures to the extent technology allows
  • Completing training benchmarks where on-site performance is not necessary for effective training or clearly not required
  • Training for large groups of pre- or newly-commissioned examiners via a training team [note: collaborative spaces in the field office can serve as an effective forum for group training sessions]
  • Assessing and transaction testing for portions of lower-complexity/lower- risk areas
  • Reviewing online bank systems, such as e-OSCAR, rewards checking, automated overdraft programs, credit bureau reporting, and escrow account administration, unless technology limitations require on-site review
  • Writing the Report of Examination and finalizing examination workpapers

Examiners are generally expected to perform the following portions of the examination on-site:

  • Conducting key meetings, including exit/Board meetings, and significant conversations with bank officers about potential consumer harm, possible downgrades, enforcement actions, significant fair lending discussions (e.g. criteria interviews), Unfair or Deceptive Acts or Practices concerns, and the CMS interview for higher-risk institutions.
  • Training and instilling FDIC culture for pre-commissioned examiners and interns [note: this can be done with a combination of off-site in the field office and on-site at the bank]
  • Observing situations that could lead to further investigation/examination activities (e.g. detecting internal control weaknesses, potential fraud, dominant officer situation, etc.)

  • Training on first-time significant benchmarks to provide a more collaborative and hands-on development experience

    [note: the trainee and coach should generally work on-site together, in the bank and/or field office, as appropriate, while completing the benchmark]

  • Working side-by-side for Acting EIC assignments [note: Signing EIC and Acting EIC should be together to complete relevant portions of the exam for the EIC to observe and coach the Acting EIC on examination oversight either in the bank and/or field office]
  • Conducting transaction testing for high-risk PSRs, or when remote access is not available

Examination Review and Analysis

Throughout the review and analysis phase of the examination, the examiner should have discussions with management, the compliance officer, Directors, and other personnel to develop an understanding of how management approaches its consumer compliance responsibilities. These discussions will enable the examiner to determine whether and to what extent the financial institution has a CMS that is integrated into its daily operations.

Entrance Meeting with Senior Management

During the pre-examination planning stage, the EIC should schedule a meeting with senior management (e.g., the president, chief executive officer, compliance officer, and if they wish, members of the Board). This meeting should take place as soon as possible after beginning the examination and should facilitate the discussion of various administrative items and the scope of the examination. Matters to be discussed during the entrance meeting include:

  • An overview of the examination process, including the use of information collected during pre-examination planning and its impact on the scope of the examination
  • The names of FDIC examiners on the examination and whether they will be working on-site or off-site
  • Anticipated length of the examination
  • Activities expected to be conducted on-site and off-site, and communicating that adjustments may be made based on risk
  • The EIC’s accessibility throughout the examination to discuss any issues relating to the examination and/or FDIC policy and practices and communication preferences
  • The identity of the individual(s) who is/are the primary contact person(s) for examination related issues and communication preferences for both on-site and off-site examiners
  • Any issues identified during off-site review and analysis, particularly areas of significant risk of consumer harm that will be receiving close attention
  • The materials requested during pre-examination planning that were not provided by the financial institution prior to the examination start date
  • An explanation of the closing management meeting procedures
  • The date of the next Board/trustees meeting (Management should be advised that depending upon the examination findings, the FDIC may need to attend the regularly scheduled meeting or call for a special Board meeting.)
  • Any issues related to the CRA evaluation and fair lending review

Examiners should use a written agenda to document the issues covered at the entrance meeting, and file a copy in the examination workpapers

Ongoing Communication

Communication between financial institution management, Board, institution staff, and FDIC examination staff is a major component of an effective examination or visitation. Open communication should be maintained with management during the course of the examination. To the extent possible, all issues of concern should be discussed with management as they arise. This allows management time to provide additional relevant information or to begin correcting problems where appropriate.

The financial institution’s Directors/trustees are encouraged to participate in regularly scheduled meetings with examiners. However, examination findings should be discussed with management prior to discussing with Board members. Also, the EIC should notify the financial institution’s management as early as possible of any plans to meet with the Board to present examination findings. This will provide Directors/trustees with an opportunity to forego meetings during the examination, if that is their preference.

Review of the CMS

Based on information gleaned from the discussions with institution management and staff, along with the off-site review and analysis, the examiner should:

  • Determine the quality of the institution’s CMS, including the degree to which management has taken a proactive approach to compliance and whether management can demonstrate its ability to assure compliance with federal consumer laws and regulations
  • Assess whether the CMS is effective at facilitating compliance
  • Identify potential deficiencies in the CMS and areas of greatest risk of consumer harm
  • Determine where transaction testing is necessary

The following sections include question lists that are intended to serve only as general guidance for the matters to be addressed during the examiner’s dialogue with institution personnel. The sections are organized by elements of the CMS and should be considered in conjunction with each of the different operational areas of the institution to come to a conclusion about the strength of each element overall. The questions will not apply to every examination scenario and should be customized to each situation. Examiner judgment must be used to determine whether additional pertinent questions should be asked. Because all the facets of a CMS are interrelated, certain themes will be repeated in the question lists for multiple sections. Throughout the examination process, the examiner should refer to the FDIC Laws, Regulations, and Related Acts as well as any pertinent outstanding FDIC guidance regarding the regulatory or policy requirements of each area under review.

NOTE: The Examination Checklists/Workpapers are not to be given to institution management to complete.

Applicable Statutes and Regulations

The CMS must adequately address (through oversight, policies and procedures, training, monitoring and/or audit, and complaint response) all areas related to the following Federal consumer laws, regulations, rules, and policy statements:

Lending

Truth in Lending

Real Estate Settlement Procedures

Homeowners Protection

Equal Credit Opportunity

Fair Housing

Home Mortgage Disclosure

Flood Insurance

Preservation of Consumers’ Claims and Defenses

Homeownership Counseling

Servicemembers Civil Relief Consumer Leasing

Military Lending Act

Secure and Fair Enforcement for Mortgage Licensing

Protecting Tenants at Foreclosure

Deposits

Truth in Savings

Electronic Fund Transfers

Expedited Funds Availability

Garnishment of Accounts Containing Federal Benefit Payments

Part 360 – Resolution and Receivership Rules

Non-Deposit Products

Investment Sales/Recordkeeping

Broker/Dealer Rules and Exemptions (Regulation R)

Consumer Protection in Sales of Insurance

Other Products or Issues

Advertisement of Membership Electronic

Banking

Privacy of Consumer Financial Information Fair

Credit Reporting Act, including FACTA Fair

Debt Collection Practices

Right to Financial Privacy

Children’s Online Privacy Protection

Unfair or Deceptive Acts or Practices

Telephone Consumer Protection

Controlling the Assault of Non-Solicited Pornography and Marketing

Third-Party Risk

Overdraft Payment Programs

Community Reinvestment Act (CRA)

CRA Technical Requirements

Branch Closings

Interstate Banking and Branching

Evaluating Management Oversight

Material to be reviewed during completion of this section will include, at a minimum:

  • The examiner-determined risk profile of the financial institution as it relates to management oversight
  • Prior Reports of Examination, including Consumer Compliance, Risk Management, and specialty examinations (with a focus on the management component of each)
  • Minutes of the meetings of the Board, Compliance Committee, Discount Committee, etc.
  • New, modified or amended compliance-related policies, procedures, and other internal memoranda
  • All files related to the receipt and resolution of compliance- related consumer complaints archived by the institution or the FDIC, including information from the FDIC’s automated complaint tracking system managed by the FDIC’s Consumer Response Unit
  • Written management and Board response and follow-up to internal monitoring and to internal and external audits, if applicable
  • Agreements with third parties to provide products or services, such as an outside vendor to provide compliance services and educational materials or with a networking broker/dealer to provide brokerage services
  • Institution organizational chart and management résumés
  • Examiner notes from discussions with the compliance officer, managers, etc.

Procedures

  1. Review Board and committee meeting minutes. Review of these documents should give the examiner an indication of the following:
  • Extent of Board oversight/involvement in assuring compliance with consumer protection and fair lending laws and regulations by the institution and, as applicable, by third-party providers
  • Training of Directors and management regarding consumer compliance and fair lending issues
  • Rationale for implementing new policies or procedures or modifying existing ones
  • Any negative comments on rejected loan applications during Loan Committee or any other meeting (such records must be traced to the specific loan file to assure that no unlawful disparate treatment or discrimination was involved in the denial)
  • Consideration of new loan or deposit products and strategies for their implementation
  • Consideration of new software or software vendors
  • Consideration of third parties for compliance audit, if applicable
  • Approval of, and rationale for, branch openings and closings
  • Whether the Board documented a review of the prior Consumer Compliance Report of Examination (ROE) that included, as applicable: a discussion of recommendations for policy changes, an adoption of those revisions, and a report regarding corrective action and subsequent testing for identified violations
  1. Based on the material reviewed during pre-examination planning and the examination, and based on discussions with management, answer the following questions:
  • What is the institution’s business strategy and what are the compliance implications of that strategy (for example, elevated risk due to rapidly growing subprime lending, cutting-edge e-banking activities, etc.)?
  • What particular compliance-related areas does management feel are weak or in need of review?
  • Have the Board and management worked to foster a positive climate for compliance?
  • Has management allocated the appropriate level of resources to compliance?
  • Does the institution have a designated compliance officer and/or Compliance Committee? If not, is the absence of an officer or committee significant in light of the institution’s resources and risk profile?
  • Has management ensured that the compliance officer(s) and/or Compliance Committee has the appropriate level of authority and accountability to effectively administer the institution’s CMS?
  • Has management responded appropriately and promptly to consumer complaints?
  • Has management responded appropriately to deficiencies noted and suggestions made at previous examinations and audits?
  • How does management stay abreast of changes in regulatory requirements and other compliance issues? Is this method appropriate in light of the institution’s resources and risk profile?
  • How does management ensure that the institution’s staff stays abreast of changes?
  • How does management ensure that compliance is considered as part of new product and service development, marketing, and advertising?
  • How does management ensure that due diligence is performed prior to changing third-party product or service providers, such as software vendors or third-party audit providers?
  • What is the level of management’s knowledge of compliance issues?
  • Does the review of the Board and/or Compliance Committee minutes indicate a reasonable level of Board involvement?
  • Is the Board aware that it is ultimately responsible for the institution’s CMS?
  1. Develop and document a preliminary assessment of the institution’s performance related to this area. Is management oversight generally strong, adequate, or weak? On what is this assessment based?

Evaluating the Consumer Compliance Program

Policies and Procedures

Examiners are to determine whether the institution’s policies and procedures are appropriate to the risk in the products, services, and markets of the institution. Material to be reviewed during completion of this section will include, at a minimum:

  • The examiner-determined risk profile of the financial institution as it relates to policies and procedures, including the institution’s business strategy, product offering, branches, third party relationships, etc.
  • Compliance-related policies and other written compliance procedures
  • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable
  • Examiner notes from discussions with the compliance officer, senior managers, etc.

Policies and procedures, whether written or unwritten, should cover all of the areas listed below. A financial institution may have other policies or procedures related to compliance not listed here that should be included in the examiner’s review, depending on the institution’s activities and risk profile.

  • Compliance Policy – This may be a single document or a compilation of various documents each relating to specific areas of institution activity. In addition to specific guidance on daily compliance activities, the policy should provide for an adequate level of responsibility and authority for the compliance officer, Compliance Committee, and individual employees.
  • Lending – Often, institutions will have separate policies for various lending types such as consumer, real estate, commercial, agricultural, etc. All should be reviewed during pre-examination planning.
  • Deposits – Institutions often have separate policies for Regulation DD, Regulation E, Regulation CC, and Part 329.
  • Electronic Banking – The adequacy of e-banking policies should be assessed in light of the level of activity in which the institution is engaged.
  • Privacy – Institution privacy policies and procedures vary widely, depending on the level of information sharing involved.
  • Non-Deposit Products – Policies and procedures must provide adequate guidance for the sale of investment and insurance products by institution employees (including loan officers who sell insurance during the loan process), dual employees, and on-site non-employee brokers.
  • Branch Closing Policy – Section 42 of the Federal Deposit Insurance Act requires every financial institution that has one or more branch locations to maintain a branch closing policy.
  • Truth in Lending Policy – Applicable to institutions as defined under section 1503(3) of the SAFE Act, 12 U.S.C. 5102(3). These may be incorporated into the Loan Policy or as stand-alone policies. For these institutions, written policies and procedures must be appropriate to the nature, size, complexity, and scope of the mortgage lending activities of the depository institution and its subsidiaries. They specifically must address lender compensation, prohibition on steering, and the requirements under the SAFE Act.
  • Fair Credit Reporting Act – Policies and procedures must provide adequate guidance for the adequate reporting of consumer information, complaint resolution of consumer information, and safeguarding of consumer information.
  • Overdraft Programs – Institutions providing overdraft programs should adopt written policies and procedures adequate to address the credit, operational, and other risks associated with these types of programs.

In order to ensure an accurate assessment of the institution’s CMS, each policy and procedure must be reviewed during pre- examination planning or the examination unless all the following are true:

1) The policy was reviewed at the prior FDIC consumer compliance examination

2) The review of the policy at the prior examination found no deficiencies

3) No changes or amendments have been made since the policy was last reviewed

4) There have been no significant regulatory or operational changes pertinent to the area covered by the policy since the prior examination.

  1. Conduct sufficient documentation reviews and management discussions to answer the following questions.
  • What areas of compliance do the written policies or procedures cover?
  • Which policies or procedures are unwritten?
  • Is the use of unwritten policies/procedures adequate for the institution’s needs?
  • Do the policies give effective guidance to institution employees?
  • Are policies and procedures structured and implemented in such a way as to ensure fair and equitable treatment of all consumers?
  • Do the policies assign compliance responsibility? Are the assignments logical and reasonable given the time and resources available to those employees?
  • Do the policies provide appropriate authority to employees responsible for identifying and correcting deficiencies?
  • Are the policies and procedures established in such a way as to ensure a smooth transition in the case of key personnel turnover?
  • Are policies, procedures, and standardized forms periodically reviewed and updated in response to regulatory changes and changes in the institutions risk profile? How frequent are the reviews?
  • Does the Board review and approve all changes to policies and procedures? If not, is the level of approval appropriate given the examiner-determined institution risk profile?
  • Are there any practices that have become policy by virtue of the frequency of their occurrence? If so, do these practices conflict with formal policies or procedures?

NOTE: Additional guidance for the review of loan and appraisal policies is located in the Fair Lending Examination Procedures.

  1. Determine whether the institution’s policies and procedures provide the appropriate level of guidance for all employees and include clearly defined goals and objectives.
  2. Develop and document a preliminary assessment of the institution’s performance related to this area. Are policies and procedures considered generally strong, adequate, or weak? On what is this assessment based?

Training

Examiners will determine whether consumer compliance training is current and tailored to risk of the institution and staff responsibilities. Material to be reviewed during

completion of this section will include, at a minimum:

  • The examiner-determined risk profile of the financial institution as it relates to training
  • Compliance-related training documentation
  • Examiner notes from discussions with compliance officer, managers, etc.
  1. Review the institution’s training records and have sufficient discussions with management to answer the following questions:
  • Does every employee receive appropriate training given his or her compliance responsibilities?
  • Do third party service providers receive appropriate training?
  • How often is training conducted? Is the frequency of training acceptable?
  • Is the training program continuously updated to incorporate accurate, complete information on new products and services, regulatory changes, emerging issues, etc.?
  • Is the effectiveness of the training evaluated by management through delayed testing, before-and-after work product reviews, or other means?
  • Regardless of whether staff training is conducted primarily in-house or is out-sourced, does management evaluate whether the institution’s training needs are being met? As EIC, do you agree or disagree with management’s conclusions?
  1. Develop and document a preliminary assessment of the institution’s performance related to this area. Is the institution’s training considered generally strong, adequate, or weak? On what is this assessment based?

Monitoring and/or Audit

Examiners should determine the sufficiency of the monitoring and, if applicable, audit to encompass consumer compliance risks throughout the institution. Material to be reviewed during completion of this section will include, at a minimum:

  • The examiner-determined risk profile of the financial institution as it relates to monitoring
  • Compliance-related policies and other written compliance procedures
  • Documentation of the results of monitoring activities
  • Formal and/or informal reports to management of the findings, corrective actions, and related follow-up from monitoring procedures
  • Examiner notes from discussions with the compliance officer, manager, etc.

Conduct documentation review and have sufficient discussions with management to answer the following questions:

  • What monitoring systems are in place for loan transactions? Deposit transactions? Investment and insurance sales activities?
  • Is every transaction subject to monitoring? If not, what is the level of transactional review? Is the level of monitoring adequate?
  • Does monitoring include a review of the performance by third party product or service providers?
  • Are the appropriate personnel conducting the monitoring (i.e. someone with daily involvement in the monitored area and who has received adequate training)?
  • How are errors that are identified during the monitoring process documented?
  • How are the errors corrected?
  • Is there appropriate follow-up when errors are identified (i.e. refresher training, disciplinary action)?
  1. Determine whether the institution’s monitoring efforts encompass all applicable regulations.
  2. Develop and document a preliminary assessment of the institution’s performance related to this area. Is the institution’s monitoring effort generally strong, adequate, or weak? On what is this assessment based?

Evaluating the Audit Function:

Material to be reviewed during completion of this section will include, at a minimum:

  • The examiner-determined risk profile of the financial institution as it relates to the audit function
  • Audit policy, external audit agreement, or other written audit guidelines
  • Compliance-related internal and external audit reports, responses, and follow-up
  • Internal and external audit workpapers
  • Institution organizational chart
  • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable
  • Examiner notes from discussions with audit staff, compliance officer, managers, etc.

Exception: Do not request fair lending self-testing reports (or results). If, however, a financial institution voluntarily provides documentation of its fair lending self-testing, review the findings as part of the fair lending examination.

NOTE: A financial institution’s audit or review of loan files, internal policies, and training material may indicate difference in the treatment of applicants that could constitute a violation of the fair lending laws.

  1. Conduct documentation review and have sufficient discussions with management to answer the following questions:
  • Are internal audits conducted? How often and by whom?
  • If internal audits are conducted, is the auditor independent of the transaction being audited? If not, is this considered acceptable considering the institution’s resources and risk profile?
  • Are external audits conducted? How often and by whom?
  • Are internal/external audits comprehensive in scope? If audits are not comprehensive, do they cover all areas of significant risk? Do they include reviews at every branch location and of significant third party relationships?
  • Are audit findings compiled in writing? Do they identify the nature and circumstances (i.e., cause, time period, etc.) of the identified exceptions? Do they provide management enough information to (1) determine cause and (2) formulate an appropriate corrective action?
  • Are internal/external audits of sufficient quality?
  • Are the audit findings communicated to the Board either directly or through the compliance committee?
  • Have audit report findings been appropriately addressed by the Board and senior management in a timely manner and include corrective actions and follow-up efforts?
  • Are written audit reports readily available for examiner review?
  1. Develop and document a preliminary assessment of the institution’s performance related to this area. Is the audit function generally strong, adequate, or weak? On what is this assessment based?

Consumer Complaint Response

Examiners are to determine the responsiveness and effectiveness of the consumer complaint resolution process. Material to be reviewed during completion of this section will include, at a minimum:

  • The examiner-determined risk profile of the financial institution as it relates to consumer complaints
  • Consumer complaint policy or other written compliance procedures regarding complaints
  • All files related to the receipt and resolution of compliance- related consumer complaints archived by the institution or the FDIC, including information from the FDIC’s automated complaint tracking system (EPIC)
  • Board minutes, Compliance Committee minutes, and other committee minutes, as applicable
  • Examiner notes from discussions with the compliance officer, managers, etc.
  1. Conduct documentation review and have sufficient discussions with management to answer the following questions:
  • Has the institution implemented policies and procedures to handle consumer complaints about the institution and, as applicable, third party providers?
  • If policies and procedures are in place, do they comply with all regulatory requirements regarding complaints (maximum time limits for response, documentation requirements, etc.)?
  • If the institution has received consumer complaints, have all complaints been resolved satisfactorily?
  • Cross-referencing the complaints to all other areas of the CMS, does the type or quantity of complaints suggest any other areas in need of in-depth review?
  • Does the institution review complaints to determine whether improvements or changes to products or operations should be made?
  1. Develop and document a preliminary assessment of the institution’s performance related to this area. Are the institution’s consumer complaint response processes generally strong, adequate, or weak? On what is this assessment based?

Transaction Sampling and Testing

After analyzing the CMS elements in relationship to each of the institution’s inherent risks, the EIC will identify PSRs with residual risks and decide what transaction sampling and testing is necessary. The number of transactions and the particular regulatory requirements to be reviewed should be carefully tailored to weaknesses identified in the CMS as it relates to specific PSRs. For example, if there is a weakness in monitoring the calculation of Annual Percentage Rates in open-end credit transactions, then a sample of those calculations should be tested. It would not be necessary to test all Truth in Lending Act requirements.

The severity of CMS weakness and inherent risk will dictate the intensity of transaction testing; greater weakness and higher risk will generally lead to the review of more transactions. If the examiner finds a moderate degree of risk, then sufficient testing should be done to support a conclusion.

Depending on the importance of an element, the examiner may find it appropriate to conduct a limited review of a couple of transactions to support a favorable conclusion. In certain cases, however, management’s admission that a violation occurred is sufficient to warrant the citation without transaction testing. This also negates the need to list specific transactions in the ROE.

When transaction sampling and testing are conducted for PSRs exhibiting higher levels of residual risk, the examiner should tailor the actual sample and test to the identified weakness. If an inherent risk is sufficiently mitigated by the strength of the CMS, then minimal residual risk of consumer harm exists and transaction testing is not considered necessary.

Consultation Policy

Consultations and communication between field, regional, and Washington staff members help maintain the quality and consistency of consumer compliance, fair lending, and CRA examinations and supervision. Information communicated informally or through consultations alerts senior DCPofficials to significant, unusual or emerging supervisory issues, which ensures that these issues receive appropriate and timely consideration. Current information from examiners in the field also helps the FDIC and interagency groups develop more realistic policies and regulations.

Examination staff should consult with regional or field office management or staff if they find an unusual issue or problem. In turn, regional or field office management and staff are encouraged to consult with Washington subject matter experts, particularly with respect to findings, issues, or potential violations requiring guidance with respect to new regulations, or involving emerging/sensitive policy concerns.

Certain situations, because of their sensitivity or potential impact, mandate that the regional and/or Washington office(s) be consulted. Actions that require either approval or concurrence under delegated authority or DCP policy also require formal documentation.

If a consultation results in an outcome inconsistent with the examiner’s recommendation, then the examiner and the review examiner should ensure that the language of the ROE or CRA Performance Evaluation is consistent with the final outcome.

Last Updated: October 7, 2025