CHIEF EXECUTIVE (also of interest to Compliance Officer)
Revised Compliance Examination Process
The Federal Deposit Insurance Corporation (FDIC) has revised its process for examining FDIC-supervised depository institutions to determine their compliance with consumer protection laws and regulations. The revised process focuses increased attention on an institution's compliance management system. Examiners will begin to use these procedures for all examinations for which an on-site review is scheduled to begin on or after June 30, 2003.
The Federal Deposit Insurance Corporation has revised its
approach to examining institutions for compliance with consumer protection laws
and regulations. Under the new approach, FDIC compliance examinations will
combine the risk-based examination process it now employs with an in-depth
evaluation of an institution’s compliance management system, resulting in a
top-down, risk-focused approach to examinations. Examiners will start using
the new approach for examinations for which an on-site review is scheduled to
begin on or after June 30, 2003.
The revised examination process will not affect the current
approach to examining fair lending compliance (although the approaches are
similar), or evaluating Community Reinvestment Act performance.
In the mid-1990s, the FDIC introduced risk-scoping in the
compliance examination process. Transaction testing was reduced or eliminated
based upon an assessment of the risk of noncompliance in a particular area.
That re-engineering effort improved both efficiency and effectiveness.
However, experience has shown that further gains are possible. The new examination
approach recognizes that the banking industry’s compliance responsibilities
continue to grow and become more complex with changes in financial products and
services, and in their delivery systems. Moreover, by focusing on the
institution’s compliance program, emphasis is placed on the institution’s
responsibility to ensure it complies with consumer protection laws. Over time,
the approach may reduce the amount of time examiners spend at well-managed
institutions, allowing the agency to spend more time supervising institutions
with weak compliance management systems.
Focus on Compliance Management
To help financial institutions prepare for compliance
examinations under the new process, the FDIC has prepared the attached two
chapters that will be incorporated into the FDIC Compliance Examination
Manual. The first, "Overview of the Compliance Examination," provides a
general description of the FDIC compliance examination under the revised
examination procedures. The second, "Compliance Management System," discusses the three principal elements of a
compliance management system: board and management oversight, compliance
program (policy and procedures, monitoring, training, and response to customer
complaints), and audit.
In developing this revised process, special attention was
given to how its underlying standards should be applied to the many small banks
that the FDIC supervises. For example, the FDIC does not expect small banks to
necessarily have separate compliance officers or defined, written compliance
programs. The FDIC does expect small banks to have considered their
responsibilities and thought about what works best for them, and to have
effectively implemented a successful method that ensures compliance. On the
other hand, as an institution gets larger, or its product line expands, the
FDIC believes that written programs and dedicated compliance staff may be
necessary to ensure compliance.
whether an institution needs a regular compliance audit depends upon its
particular business. Many banks do not perform compliance audits, but have a
satisfactory compliance management system because of strong board and
management oversight and an effective compliance program. Some banks perform
informal audits, which may not have a written report and may not be thought of
as an audit. Examiners will consider whether an internal audit function
exists, regardless of label, and will look at its effectiveness.
If there is
a formal audit function, it should result in a written report that specifies
the scope of the audit, including sample sizes; the nature and circumstances of
any deficiencies found; and other information sufficient to allow the
institution to determine the cause of problems and formulate corrective
action. FDIC and interagency audit policies should be followed (see
FIL-21-2003, dated March 17, 2003, "Interagency Policy Statement on the
Internal Audit Function and Its Outsourcing"; and FIL-96-99, dated October 25, 1999, "Interagency Policy Statement on
External Auditing Programs of Banks and Savings Associations").
The end result of this process
is an examination report that concentrates on the strengths and weaknesses of
the institution’s approach to compliance, whether the institution has a formal
program or a less formal set of practices. Violations found through
transaction testing will illustrate and confirm weaknesses in the bank’s
administration of its compliance responsibilities. The point of the report –
and examiner interaction with institution management – is to assist the
institution in strengthening its compliance posture. Increasing the focus of
the examination on compliance management should result in fewer violations in
the future, a smoother, more efficient examination process, and long-term
benefits to consumers.
How the Revised Process Differs From Current Practice
Examination Process – The FDIC has combined the
information and document requests sent to the bank into one new document, the "Compliance
Information and Document Request." This new document now includes items
specific to compliance management. This information will enable examiners to
begin an evaluation of an institution’s compliance management system off site.
Over time, the pre-examination review will become more efficient, as examiners
build on previous examinations and focus attention primarily on what has
changed in between examinations.
While examiners have always reviewed policies and
procedures, the new process focuses additional early attention on both written
and informal practices. Examiners will determine actual practice through
extensive discussions with bank management and staff and a review of relevant
documents. Transaction testing will be completed using existing Federal
Financial Institutions Examination Council (FFIEC) procedures, but it will be
more particularized based on the examiner’s assessment of the institution’s
compliance risk profile. For example, an examiner may not test for all aspects
of Truth in Lending Act compliance, but might focus just on rescission
practices in a bank’s home equity line of credit program.
Report of Examination – There will be a single report
format, instead of two. The report will focus on an institution’s compliance
management system, and only significant violations will be included. Other
violations will continue to be provided to management, and tracked by the FDIC.
Find Out More
The complete revised compliance examination procedures will
be available on the FDIC Web site in June. A copy of the revised FDIC
Compliance Examination Manual will be mailed later in the year to current
Please contact your FDIC Division of Supervision and
Consumer Protection Regional Office for more information.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).