In a March Supervisory Letter, NCUA issued updated guidance on its consumer compliance risk indicators. Our field staff began using these updated indicators during their examinations starting on or after March 31.
The updated indicators build upon the set of indicators NCUA used previously and provide additional guidance for field staff in assigning the compliance risk-rating—one of the existing seven risk categories in the agency’s risk-focused examination program. These updates reflect changes in technology, business models and members’ banking habits since the list of compliance risk indicators was first developed in 2002. They also incorporate the principles of the Federal Financial Institutions Examination Council’s Uniform Interagency Consumer Compliance Rating System. As a result, the new indicators provide a more comprehensive, integrated and transparent framework for NCUA to use when evaluating a credit union’s ability to manage its risk of violations and non-compliance with applicable consumer financial protection laws and regulations.
What these changes do not do is create a new compliance rating, separate compliance with consumer financial protection regulations and laws from overall compliance, or impose any new or higher supervisory expectations for federally insured credit unions.
NCUA’s assessment of compliance risk encompasses all of the federal consumer financial protection laws and regulations NCUA enforces, as well as other relevant laws and regulations that govern the operation of credit unions, such as the Bank Secrecy Act, the Flood Disaster Protection Act, the SAFE Act and, more broadly, NCUA’s Rules and Regulations. Our field staff will continue to note their conclusions about a credit union’s compliance risk and management of that risk in the appropriate category, and these will be reflected in the management component of a credit union’s CAMEL rating and the overall composite CAMEL rating, as appropriate.
Our approach to examining a credit union’s compliance with applicable laws and regulations remains risk-focused with appropriate consideration given to a credit union’s size, complexity and risk profile. Field staff will use their professional judgment to focus on the areas of greatest potential risk.
In their reviews, field staff will focus primarily on the sufficiency of a credit union’s overall approach to managing compliance risk—also referred to as a compliance management system. As reflected in the updated indicators, compliance risk is managed appropriately by a credit union when its compliance management systems are proactive—that is, they promote self-identification and self-correction of any compliance deficiencies.
Our field staff’s evaluation also routinely includes specific or in-depth reviews of areas of special emphasis based on statutory requirements, changes to laws or regulations, broad trends or other institution-specific risk factors. The supervisory evaluation of compliance need not, and typically does not, include specific or in-depth evaluations of compliance with all applicable laws and regulations, or extensive transaction testing.
The updated compliance-risk framework has three broad categories. Each category has several criteria, which are summarized below. NCUA’s field staff assess the first two with consideration given to a credit union’s size, complexity and risk profile. In particular, field staff consider:
- Board and Management Oversight
  - Commitment to the credit union’s compliance management system;
  - Effectiveness of the change management processes;
  - Risk-management practices associated with products, services and activities; and
  - Self-identification efforts and corrective actions taken.
- Compliance Program
  - The effectiveness of a credit union’s compliance management system; and
  - Policies and procedures, training, monitoring and audit programs, and complaint resolution.
- Violations of Law and Consumer Harm (if applicable)
  - Pervasiveness of the violation;
  - Root cause of the violation;
  - Severity of the violation or any consumer harm; and
  - Duration of the violation.
Finally, in assigning a credit union’s level of compliance risk, our field staff consider the totality of the compliance risk indicators. Any single or small subset of the indicators is not necessarily determinative of the existence of lower or higher risk. An effective risk assessment is a composite of multiple factors. Depending on the circumstances, certain factors, such as the quality of the credit union’s overall approach to compliance management or the existence of pervasive or severe violations, may be weighted more heavily than others.