The FDIC promotes compliance with federal consumer protection laws, fair lending statutes and regulations, and the Community Reinvestment Act through supervisory and outreach programs. The FDIC conducts three types of supervisory activities to review an institution's compliance posture: compliance examinations, visitations, and investigations.
Compliance examinations are the primary means the FDIC uses to determine whether a financial institution is meeting its responsibility to comply with the requirements and proscriptions of federal consumer protection laws and regulations. Visitations are conducted by the FDIC to review the compliance posture of newly chartered institutions coming under FDIC supervision, or in the interval between compliance examinations to review an institution's progress on corrective actions. Visitations are usually targeted events aimed at specific operational areas, or at entire compliance management systems previously identified as significantly deficient. Compliance examinations and visitations may also be considered during the review of an application submitted to the FDIC (e.g., an application for deposit insurance or for establishing a branch). Finally, investigations are conducted primarily to follow up on particular consumer inquiries or complaints, including fair lending complaints.
This chapter provides a general overview of the FDIC compliance examination. The purposes of compliance examinations are to:
assess the quality of an FDIC-supervised institution's compliance management system (see "Compliance Management System") for implementing federal consumer protection statutes and regulations;
review compliance with relevant laws and regulations; and
initiate effective supervisory action when elements of an institution's compliance management system are deficient or when significant violations of law are found.
FDIC compliance examinations follow a method that blends risk-focused and process-oriented approaches. Risk-focusing involves using information gathered about a financial institution to direct FDIC examiner resources to those operational areas that present the greatest compliance risks. Concentrating on the institution's internal control infrastructure and methods, that is, the "process" used to ensure compliance with federal consumer protection laws and regulations, acknowledges that the ultimate responsibility for compliance rests with the institution and encourages examination efficiency. This approach involves:
developing a compliance risk profile for an institution using various sources of information about its business lines, organizational structure, operations, and past supervisory performance;
assessing the quality of an institution's compliance management system in light of the risks associated with the level and complexity of its business operations and product and service offerings; and
testing selected transactions based on risk such as when an operational area is determined to be high risk and the institution's compliance management efforts appear weak.
Evaluating the Compliance Management System
Compliance examinations start with a top-down, process-oriented, comprehensive review and analysis of an institution's compliance management system. The compliance examiner considers:
the knowledge level and attitude of management and personnel;
management's responsiveness to emerging issues and past or self-identified compliance deficiencies;
compliance organizational structure, such as reporting relationships and recent experiences with staff turnover;
management information systems;
policies and procedures;
monitoring and audit programs.
Based on the results of this review, the examiner may conclude that weaknesses in the institution's compliance management system may result in current or future noncompliance with federal consumer protection laws, regulations, or policy statements. The examiner must determine, based on this analysis, whether transaction testing is warranted to further study particular risk in an entire operational area or regulation, or only a limited aspect of an area or regulation. Generally, the more confidence an examiner has in an institution's compliance management system, the less transaction testing an examiner may do.
The FDIC examination approach appropriately recognizes that the board of directors and management of a financial institution are responsible for complying with all federal consumer protection laws and regulations. While the formality and complexity of compliance management systems will vary greatly among institutions, the FDIC expects the board of directors and management of each institution to have a viable system in place to manage its compliance risk, consistent with its size and product mix.
Managing the examination based on risk maximizes examiner efficiency and may reduce the on-site examination presence, while emphasizing areas requiring elevated supervisory attention. By focusing on compliance management systems, examiners will be able to identify the root causes of deficiencies and suggest appropriate corrective actions designed to address the problem.
ROLE OF THE COMPLIANCE EXAMINER
Compliance examiners play a crucial role in the supervisory process. The compliance examination, along with follow-up supervisory attention to an institution's compliance program deficiencies and violations, helps to ensure that consumers and businesses obtain the benefits and protections afforded them under federal law. To this end, an examiner's efforts should help the financial institution improve its compliance posture and prevent future violations.
Primarily, examiners must:
establish an examination scope focused on assessed risk areas;
evaluate an institution's compliance management system;
conduct transaction testing where risks intersect with weaknesses in the compliance management system or uncertainties about aspects of that system; and
report findings to the board of directors and management of the institution.
As part of the examination process, examiners are expected to:
take a reasoned, common sense approach to examining and use sound judgment when making decisions;
maintain ongoing communication with financial institution management throughout an examination;
assist an institution to help itself improve performance by providing management with sound recommendations for enhancing its compliance management system;
share experiences and knowledge of successful compliance management systems; and
provide guidance regarding the various consumer and fair lending laws and regulations.
Compliance examinations primarily involve four stages - pre-examination planning and analysis, on-site examination, reaching conclusions, and communicating findings to institution management via meetings and a report of examination.
Pre-examination Planning and Analysis
Pre-examination planning involves gathering information available in FDIC records and databases and delivering a letter to a financial institution requesting specific information and documents for detailed analysis by the examination team (see Chapter III.A). Proper examination preparation and planning maximizes an examination team's time and resources. The Examiner-in-Charge directs the analysis of the pre-examination information, and begins to develop the scope of the examination and plan for resource deployment to areas of highest risk.
The scope of an examination will be preliminarily established prior to entering the financial institution, and should continue to be refined through the results of examiner discussion with senior management, the compliance officer (or staff assigned), and the internal auditor. While on site at an institution, an examiner may limit the scope of the compliance review based on reliable procedures and controls in place. Similarly, the examiner may expand the review based on, for example, management's view about compliance, a lack of necessary procedures or controls, the presence of violations, or the presence of new or significantly amended regulations.
During the on-site phase of an examination, an examiner thoroughly reviews an institution's compliance management system to assess its quality and viability, and documents system weaknesses and violations of federal consumer protection laws and regulations. The compliance review includes, among other things, an evaluation of the:
commitment of the board of directors, management, and staff to compliance;
qualifications of the compliance officer or designated staff;
scope and effectiveness of compliance policies and procedures;
effectiveness of training;
thoroughness of monitoring and any internal/external reviews or audits; and
responsiveness of the board and management to the findings of internal/external reviews and to the findings of the previous examination.
An examiner must consider the size, level, and complexity of an institution's operations when evaluating the adequacy of an institution's compliance management system.
The examination procedures enable an examiner to identify and quantify compliance risk; assess an institution's compliance infrastructure and methods for identifying, monitoring, and controlling compliance risk; and determine the transaction testing needed to assess the integrity of the compliance management system. The number of transactions selected and the type of sampling used should be commensurate with the perceived risk and the need to assess the level of compliance in an activity or function.
At the conclusion of the on-site examination, an examiner:
summarizes all findings regarding the strengths and weaknesses of an institution's compliance management system;
determines the cause(s) of programmatic deficiencies or violations and relates them to the specific weakness(es) in the institution's compliance management system; and
identifies actions necessary to address deficiencies or violations.
Determining the cause(s) of a program deficiency or violation is critical to recommending solutions that will successfully address problem areas and strengthen an institution's compliance posture for the future.
Examiners must discuss findings and recommendations with management and obtain a commitment for corrective action. These discussions will be held during the course of the examination and at an exit meeting with senior management and/or the board of directors.
The results of the examination will also be communicated to the board of directors and management of the institution in a Report of Examination. The Report of Examination is a stand-alone document that details the:
scope of the examination;
examiner's comments and conclusions on compliance management;
significant violations and other matters of supervisory concern; and
management's response to findings.
The Report of Examination provides an account of the strengths and weaknesses of a compliance management system. It is more than an exception-based document and should add value to the institution's compliance efforts.
COMPLIANCE MANAGEMENT SYSTEM
Financial institutions operate in a dynamic environment influenced by industry consolidation, convergence of financial services, emerging technology, and market globalization. To remain profitable in such an environment, financial institutions continuously assess and modify their product and service offerings and operations in the context of a business strategy. At the same time, new legislation may be enacted to address developments in the marketplace.
All these forces combine to create inherent risk. To address this risk, a financial institution must develop and maintain a sound compliance management system that is integrated into the overall risk-management strategy of the institution. Ultimately, compliance should be part of the daily routine of management and employees of a financial institution.
This chapter discusses the elements of an effective compliance management system - board of directors and management oversight, the compliance program, and the compliance audit.
COMPLIANCE MANAGEMENT SYSTEM
A compliance management system is how an institution:
learns about its compliance responsibilities;
ensures that employees understand these responsibilities;
ensures that requirements are incorporated into business processes;
reviews operations to ensure responsibilities are carried out and requirements are met; and
takes corrective action and updates materials as necessary.
An effective compliance management system is commonly comprised of three interdependent elements:
board and management oversight,
compliance program, and
compliance audit.
When all elements are strong and working together, an institution will be successful at managing its compliance responsibilities and risks now and in the future.
Financial institutions are required to comply with federal consumer protection laws and regulations. Noncompliance can result in monetary penalties, litigation, and formal enforcement actions. The responsibility for ensuring an institution is in compliance appropriately rests with the board of directors and management of the institution. Therefore, the FDIC expects every FDIC-supervised institution to have an effective compliance management system adapted to its unique business strategy.
Board of Directors and Management Oversight
The board of directors of a financial institution is ultimately responsible for developing and administering a compliance management system that ensures compliance with federal consumer protection laws and regulations. To a large degree, the success of an institution's compliance management system is founded on the actions taken by its board and senior management. Key actions that a board and management may take to demonstrate their commitment to maintaining an effective compliance management system and to set a positive climate for compliance include:
demonstrating clear and unequivocal expectations about compliance;
adopting clear policy statements;
appointing a compliance officer with authority and accountability;
allocating resources to compliance functions commensurate with the level and complexity of the institution's operations;
conducting periodic compliance audits; and
providing for recurrent reports by the compliance officer to the board.
Leadership on compliance by the board of directors and senior management sets the tone in an organization. The board and senior management should discuss compliance topics during their meetings. They should include compliance matters in their communications to institution personnel and the general public. Institution management and staff should have a clear understanding that compliance is important to the board and senior management, and that they are expected to incorporate compliance in their daily operations.
Policy statements on compliance topics provide a framework for the institution's procedures and provide clear communication to management and employees of the board's intentions toward compliance.
Regardless of an institution's size or complexity, the first step a board of directors and senior management should take in providing for the administration of the compliance program is the designation of a compliance officer. In developing the organizational structure of the compliance program, a board and senior management must grant the compliance officer sufficient authority and independence to:
cross departmental lines;
have access to all areas of the institution's operations; and
effect corrective action.
A compliance committee, either as an alternative to or in addition to a full-time compliance officer, could be formed consisting of the compliance officer, representatives from various departments, and member(s) of senior management or the board. However, the ultimate responsibility of overall compliance with all statutes and regulations resides with the board.
A qualified compliance officer will have knowledge and understanding of all consumer protection laws and regulations that apply to the business operations of the financial institution. The compliance officer should also have general knowledge of the overall operations of the institution and interact with all of the departments and branches to keep abreast of changes (e.g., new products and services or business practices, personnel turnover) that may require action to manage perceived risk. In larger or more complex institutions, the compliance officer may devote all of his or her time to compliance activities. In smaller or less complex institutions, where staffing is limited, a full-time compliance officer may not be necessary; instead, the compliance responsibilities may be divided between various individuals by type of regulation, such as loan-related or deposit-related regulations. In some instances, several banks may share a compliance officer.
A compliance officer's general responsibilities, regardless of the size or complexity of the institution's operations, include:
developing compliance policies and procedures;
training management and employees in consumer protection laws and regulations;
reviewing policies and procedures for compliance with applicable laws and regulations and the institution's stated policies and procedures;
assessing emerging issues or potential liabilities;
coordinating responses to consumer complaints;
reporting compliance activities and audit/review findings to the board; and
ensuring corrective actions.
When more than one individual is responsible for compliance, it is necessary that responsibility and accountability be clearly defined.
To be effective at overseeing compliance and maintaining a strong compliance posture, a compliance officer must be provided with ongoing training, as well as sufficient time and adequate resources to do the job. The compliance officer may utilize third-party service providers or consultants to help administer the compliance program or audit functions. However, the compliance officer should perform sufficient due diligence to verify that the provider is qualified, because ultimately the institution is accountable for compliance with consumer protection laws and regulations.
Compliance Program
A sound compliance program is essential to the efficient and successful operation of the institution, much as a business plan is. A compliance program includes the following components:
policies and procedures,
training,
monitoring, and
consumer complaint response.
A financial institution should generally establish a formal, written compliance program. In addition to being a planned and organized effort to guide the institution's compliance activities, a written program represents an essential source document that will serve as a training and reference tool for all employees. A well planned, implemented, and maintained compliance program will prevent or reduce regulatory violations, provide cost efficiencies, and is a sound business step.
It is expected that no two compliance programs will be the same, and that the formality of a program will be dictated by numerous considerations, including:
institution's size, number of branches, and organizational structure;
business strategy of the institution (e.g., community bank versus regional; retail versus wholesale bank);
types of products;
location of the institution - its main office and branches; and
other influences, such as whether the institution is involved in interstate or international banking.
The formality of the compliance program is not as important as its effectiveness. This is especially true for small institutions where the program may not be in writing but an effective monitoring system has been established that ensures overall compliance. However, during periods of expansion or staff turnover, a written compliance program becomes more important because individuals with the particular knowledge or experience may no longer be with the institution or available for contact.
Regardless of the degree of formality, all financial institutions are expected to manage their compliance programs proactively to ensure continuing compliance. Compliance efforts require an ongoing commitment from all levels of management and should be a part of an institution's daily business operations.
Policies and Procedures
Compliance policies and procedures generally should be described in a document and reviewed and updated as the financial institution's business and regulatory environment changes. Policies should be established that include goals and objectives and appropriate procedures for meeting those goals and objectives. Generally, the degree of detail or specificity of procedures will vary in accordance with the complexity of the issue or transactions addressed.
An institution's policies and procedures should provide personnel with all the information needed to perform a business transaction. This may include applicable regulation cites and definitions, sample forms with instructions, institution policy, and, where appropriate, directions for routing, reviewing, retaining, and destroying transaction documents. For example, loan application procedures should be established so that institution personnel consistently treat all applicants equitably and fairly. These procedures should incorporate and clearly convey to staff the regulatory requirements and the institution's lending policy, including the institution's nondiscriminatory lending criteria.
Compliance policies and procedures are the means to ensure consistent operating guidelines that support the institution in complying with applicable federal consumer protection laws and regulations. Also, these criteria will provide standards by which compliance officers and line managers may review business operations.
Training
Education of a financial institution's board of directors, management, and staff is essential to maintaining an effective compliance program. Line management and staff should receive specific, comprehensive training in the laws and regulations, and the internal policies and procedures, that directly affect their jobs.
The compliance officer should be responsible for compliance training and establish a regular training schedule for directors, management, and staff, as well as for third-party service providers. Training can be conducted in-house or through external training programs or seminars. Once personnel have been trained on a particular subject, a compliance officer should periodically assess employees on their knowledge and comprehension of the subject matter.
An effective compliance training program is frequently updated with current, complete, and accurate information on products and services and business operations of the institution, consumer protection laws and regulations, internal policies and procedures, and emerging issues in the public domain. For example, loan officers, as well as other front-line personnel regularly interacting with loan applicants, should be fully informed about the loan products and services offered by the institution and thoroughly knowledgeable about all aspects of the consumer credit protection laws and regulations that apply.
Monitoring
Monitoring is a proactive approach by the institution to identify procedural or training weaknesses in an effort to preclude regulatory violations. Institutions that include the compliance officer in the planning, development, and implementation of business propositions increase the likelihood that their compliance monitoring function will succeed.
An effective monitoring system includes regularly scheduled reviews of:
disclosures and calculations for various product offerings;
document filing and retention procedures;
posted notices, marketing literature, and advertising;
various state usury and consumer protection laws and regulations;
third-party service provider operations; and
internal compliance communication systems that provide updates and revisions of the applicable laws and regulations to management and staff.
Changes to regulations or changes in an institution's business operations, products, or services should trigger a review of established compliance procedures. Modifications that are necessary should be made expeditiously to minimize compliance risk, and applicable personnel in all affected operating units should be advised of the changes.
Monitoring also includes reviews at the transaction level during the normal, daily activities of employees in every operating unit of the institution. This might include, for example, verification of an annual percentage rate, or a second review of a loan application, before the transaction is completed. Monitoring at this level helps establish management and staff accountability and identifies potential problems in a timely manner.
Compliance officers should monitor employee performance to ensure that they are following an institution's established internal compliance policies and procedures. The frequency and volume of employee turnover at an institution should be factored into the schedule for reviews. Such reviews are especially critical after problems have been noted during past audits or examinations, regulations change, new products are introduced, mergers occur, or when additional branch locations are opened.
Consumer Complaint Response
An institution should be prepared to handle consumer complaints promptly. Procedures should be established for addressing complaints, and individuals or departments responsible for handling them should be designated and known to all institution personnel to expedite referrals.
Complaints may be indicative of a compliance weakness in a particular function or department. Therefore, a compliance officer should be aware of the complaints received and act to ensure a timely resolution. A compliance officer should determine the cause of the complaint and take action to improve the institution's business practices, as appropriate.
Compliance Audit
A compliance audit is an independent review of an institution's compliance with consumer protection laws and regulations and adherence to internal policies and procedures. The audit helps management ensure ongoing compliance and identify compliance risk conditions. It complements the institution's internal monitoring system. The board of directors of the institution should determine the scope of an audit and the frequency with which audits are conducted.
The scope and frequency of an audit should consider such factors as:
expertise and experience of various institution personnel;
organization and staffing of the compliance function;
volume of transactions;
complexity of products offered;
number and type of consumer complaints received;
number and type of branches;
acquisition or opening of additional branch(es);
size of the institution;
organizational structure of the institution;
outsourcing of functions to third-party service providers;
degree to which policies and procedures are defined and detailed in writing; and
magnitude/frequency of changes to any of the above.
An audit may be conducted once a year, or may be ongoing where all products and services, all applicable operations, and all departments and branches are addressed on a staggered basis. An audit may be performed "in-house" or may be contracted to an outside firm or individual, such as a consultant or accountant. A financial institution that outsources the audit should make certain that the auditor is well-versed in compliance, and that the audit program is based on current law and regulation, as well as comprehensive in scope. Generally, a strong compliance audit will incorporate vigorous transaction testing.
Regardless of whether audits are conducted by institution personnel or by a contractor, the audit findings should be reported directly to the board of directors or a committee of the board. A written compliance audit report should include:
scope of the audit (including departments, branches, and product types reviewed);
deficiencies or modifications identified;
number of transactions sampled by category of product type; and
descriptions of, or suggestions for, corrective actions and time frames for correction.
Board and senior management response to the audit report should be prompt. The compliance officer should receive a copy of all compliance audit reports, and act to address noted deficiencies and required changes to ensure full compliance with consumer protection laws and regulations. Management should also establish follow-up procedures to verify, at a later date, that the corrective actions were lasting and effective.