Updated Compliance Risk Indicators

Appendix A: Compliance Risk Indicators

Board and Management Oversight

Board and management oversight factors should be evaluated commensurate with the credit union’s size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.

Board and Management Oversight Indicators
Factor Low Moderate High

Oversight and Commitment

Low:

Board and management fully understand all aspects of compliance risk and exhibit a clear commitment to compliance. Commitment is communicated throughout the credit union. Board and management demonstrate strong commitment and oversight to the credit union’s compliance management system.

Significant compliance resources are provided, including systems, capital, and human resources. Staff is knowledgeable, empowered and held accountable for compliance with consumer laws and regulations.

Management conducts comprehensive and ongoing due diligence and oversight of third parties consistent with NCUA expectations to ensure that the credit union complies with consumer protection laws and regulations. Where appropriate, the credit union exercises strong oversight of third parties’ policies, procedures, internal controls and training to ensure consistent oversight of compliance responsibilities.

Moderate:

Board and management reasonably understand the key aspects of compliance risk. Commitment to compliance is reasonable and satisfactorily communicated. Board and management provide satisfactory oversight of the credit union’s compliance management system.

Compliance resources are adequate and staff is generally able to ensure the credit union is in compliance with consumer laws and regulations.

Management conducts adequate and ongoing due diligence and oversight of third parties to ensure that the credit union complies with consumer protection laws and regulations. They adequately oversee third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities.

High:

Board and management do not understand, or have chosen to ignore, key aspects of compliance risk. The importance of compliance is not emphasized or communicated throughout the organization. Management has not established or enforced accountability for compliance performance. Board and management oversight, resources, and attention to the credit union’s compliance management system are deficient or non-existent.

Compliance resources are inadequate or seriously deficient and are ineffective at ensuring the credit union’s compliance with consumer laws and regulations.

Management does not adequately conduct due diligence and oversight of third parties to ensure that the credit union complies with consumer protection laws and regulations, nor do they adequately oversee third parties’ policies, procedures, internal controls, and training to ensure appropriate oversight of compliance responsibilities.

Change Management

Low:

Management anticipates and responds promptly to changes in applicable laws and regulations, market conditions and products and services offered by evaluating the change and implementing responses across impacted lines of business.

Management conducts due diligence in advance of product changes, considers the life cycle of a product before implementing the change, and reviews the change after implementation to determine whether actions taken have achieved planned results.

Moderate:

Management responds timely and adequately to changes in applicable laws and regulations, market conditions, and products and services offered by evaluating the change and implementing responses across impacted lines of business.

Management evaluates product changes before and after implementing the change.

High:

Management does not respond adequately or timely or fails to respond to changes in applicable laws and regulations, market conditions, and products and services offered.

Comprehension, Identification and Management of Risk

Low:

The credit union has a strong control culture that has proven effective. Compliance management systems are sound and minimize the likelihood of excessive or serious future violations.

Management has a good understanding and effectively identifies compliance risks, including emerging risks, in the credit union’s products, services, and other activities.

Management effectively manages those risks, including through comprehensive self-assessments.

Moderate:

Compliance management systems are adequate to avoid significant or frequent violations or noncompliance.

Management understands and adequately identifies compliance risks, including emerging risks, in the credit union’s products, services, and other activities.

Management adequately manages those risks including through self-assessments.

High:

Compliance management systems are deficient, reflecting an inadequate commitment to risk management.

Management does not understand or identify compliance risks, including emerging risks, in the credit union’s products, services, and other activities.

Corrective Action and Self-Identification

Low:

Management proactively identifies issues and promptly responds to compliance risk management deficiencies and any violations of laws or regulations, including taking corrective action.

Moderate:

Management adequately responds to and corrects deficiencies and/or violations, including adequate corrective action, in the normal course of business.

High:

Management does not adequately respond to compliance deficiencies and violations including those related to corrective action, or those responses, including those relating to examination findings, are seriously deficient.

Compliance Program

Compliance Program factors should be evaluated commensurate with the credit union’s size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.

Compliance Program Indicators
Factor Low Moderate High

Policies and Procedures

Low:

Compliance policies and procedures and third-party relationship management programs are strong, comprehensive, and provide standards to effectively manage compliance risk in the products, services, and activities of the credit union.

Moderate:

Compliance policies and procedures and third-party relationship management programs are adequate to manage the compliance risk in the products, services, and activities of the credit union.

High:

Compliance policies and procedures and third-party relationship management programs are inadequate (or absent) at managing the compliance risk in the products, services and activities of the credit union.

Training

Low:

Compliance training is comprehensive, timely, and specifically tailored to the particular responsibilities of the staff receiving it, including those responsible for product development, marketing, and customer service.

The compliance training program is updated proactively in advance of the introduction of new products or new consumer protection laws and regulations to ensure that all staff are aware of compliance responsibilities before roll out.

Moderate:

Compliance training outlining staff responsibilities is adequate and provided timely to appropriate staff.

The compliance training program is updated to encompass new products and to comply with changes to consumer protection laws and regulations.

High:

Compliance training is not adequately comprehensive, timely, updated, or appropriately tailored to the particular responsibilities of the staff. Compliance training may be seriously deficient or absent.

Monitoring and/or Audit

Low:

Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are comprehensive, timely, and successful at identifying and measuring material compliance risk management throughout the credit union.

Programs are monitored proactively to identify procedural or training weaknesses to preclude regulatory violations. Program modifications are made expeditiously to minimize compliance risk.

Moderate:

Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems adequately address compliance risks throughout the credit union.

High:

Compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems are absent or do not adequately address risks involving products, services or other activities, including timing and scope.

Consumer Complaint Response

Low:

Processes and procedures for addressing consumer complaints are strong. Consumer complaint investigations and responses are prompt and thorough.

Management monitors consumer complaints to identify risks of potential consumer harm, program deficiencies, and customer service issues and takes appropriate action.

Moderate:

Processes and procedures for addressing consumer complaints are adequate. Consumer complaint investigations and responses are generally prompt and thorough.

Management adequately monitors consumer complaints and responds to issues identified.

High:

Processes and procedures for addressing consumer complaints are deficient, absent, or inadequate. Consumer complaint investigations and responses are not thorough or timely, or are deficient, or absent.

Management does not adequately monitor consumer complaints, monitoring is seriously deficient, or management exhibits a disregard for complaints or preventing consumer harm.

Violations of Law and Consumer Harm

Violations of Law and Consumer Harm Indicators
Factor Low Moderate High

Root Cause

Low:

Violations are the result of minor weaknesses, if any, in the compliance risk management system.

Moderate:

Violations are the result of modest weaknesses in the compliance risk management system.

High:

Violations are the result of material weaknesses, or serious or critical deficiencies in the compliance risk management system.

Severity

Low:

Type of consumer harm, if any, resulting from the violations would have minimal impact on consumers.

Moderate:

Type of consumer harm resulting from the violations would have limited impact on consumers.

High:

Type of consumer harm resulting from the violations would have considerable or serious impact on consumers.

Duration

Low:

Violations and resulting consumer harm, if any, occurred over a brief period of time.

Moderate:

Violations and resulting consumer harm, if any, occurred over a limited period of time.

High:

Violations and resulting consumer harm, if any, occurred over an extended period of time, or have been long-standing or repeated.

Pervasiveness

Low:

Violations and resulting consumer harm, if any, are isolated in number.

Moderate:

Violations and resulting consumer harm, if any, are limited in number.

High:

Violations and resulting consumer harm, if any, are numerous, or widespread in multiple products or services.

Last modified on 09/18/20