Compliance Management Systems and Compliance Risk

Overview

Credit unions manage their exposure to compliance risk through a comprehensive compliance program, often referred to as a compliance management system (CMS). The following components are essential to a comprehensive CMS:

  • Board of Directors and Senior Management Oversight
  • Policies and Procedures
  • Training
  • Monitoring and Corrective Action
  • Member Complaint Response
  • Compliance Audit

A credit union’s CMS should address all of its compliance responsibilities. The depth of detail for each component will vary based on a credit union’s size and complexity. Conclusions about the adequacy of a credit union’s CMS should be based on the effectiveness of the system as a whole.

In March 2017, the NCUA issued Supervisory Letter SL No. 17-01, which discusses the updated list of Compliance Risk Indicators that are a part of NCUA’s risk-focused examination program. It included an updated AIRES questionnaire for compliance risk. The guidance in the Supervisory Letter applies whenever field staff evaluate compliance risk in a federally insured credit union. 


Associated Risks

Compliance risk can occur when the credit union fails to implement a satisfactory compliance management system.

Reputation risk may increase when the credit union incurs fines and penalties or experiences decreased member confidence as a result of failure to comply with consumer compliance regulations.

Strategic risk occurs when the board of directors fails to perform necessary due diligence in developing a compliance management system.

Transaction risk can occur when there are operational or system problems that cause disclosures provided to members to be inaccurate or understated. 

Examination Objectives

Assess the credit union’s level of compliance risk and the effectiveness of the credit union’s CMS.

  • Determine whether board and management’s commitment to and oversight of compliance risk and CMS is appropriate for the size, complexity and risk profile of the credit union;
  • Assess management’s ability to anticipate consumer protection challenges and emerging risks and, where necessary, determine whether management responds appropriately and takes corrective action;
  • Determine the effectiveness of the credit union’s policies, procedures, third party management, training programs, review and monitoring mechanisms (including audits and internal control systems), and consumer complaint response process; and
  • When violations of law and/or consumer harm are identified, determine the root cause, severity, duration, and pervasiveness, and recommend corrective actions.

Examination Procedures

NCUA does not conduct separate consumer protection examinations, nor does it assign a separate Consumer Compliance Rating. These procedures are written to align with and augment the NCUA’s overall risk-focused examination approach. An effort has been made, where possible, not to restate examination procedures discussed in the CMS section of this Federal Consumer Financial Protection Guide.

  1. Consider the credit union’s market and field of membership, organizational structure — including the compliance management program and personnel roles and responsibilities — business strategy, business activities and products, risk tolerance, processes for controlling risk, systems, and other relevant information about the credit union, including any changes to the aforementioned areas.
  2. Identify the number and subject matter of consumer complaints involving the credit union since the preceding examination effective date. When warranted, review the underlying complaint documents and credit union response. If applicable, determine what additional on-site review steps are necessary to address any concerns identified. 
  3. Through the review of board and committee minutes, board and management reports, board policies, strategic planning documents, directives, and budgets, assess the appropriateness and effectiveness of the level of board and management oversight with regard to compliance risk, compliance management systems, and federal consumer protection laws and regulations.
  4. Interview credit union management and senior compliance personnel regarding compliance management systems and processes, including planning, resources devoted to compliance efforts, responses to changes in consumer protection laws and regulations, due diligence, complaint response process, and compliance reviews. Make an assessment of management’s commitment to and effectiveness of compliance management efforts and systems.
  5. Review available documentation, such as policies and procedures relating to consumer compliance and federal consumer protection laws and regulations, internal and external consumer compliance review reports, training records, and consumer complaints received by the credit union and related documentation. Make conclusions regarding the effectiveness, timeliness, and appropriateness of the credit union’s CMS.
  6. When violations or deficiencies are identified, determine their root cause, severity, duration, and pervasiveness. Make conclusions on whether the problem identified can be corrected during the normal course of business, the severity of the impact on consumers, the duration of the violation and, if the credit union self-identified the issue, whether it took corrective action immediately, and whether the violations and deficiencies were isolated in nature or widespread across the credit union.

CMS AND COMPLIANCE RISK CHECKLIST

Board and Management Oversight

Account Disclosures (§707.4)
Item Description YES NO N/A
1 Do the board and management effectively manage compliance risk, including providing adequate oversight and resources commensurate with the credit union’s size, complexity, and risk profile?      

Oversight and Commitment

Item Description YES NO N/A
1(a) Do the board of directors, supervisory committee, and management demonstrate commitment to and oversight of the credit union’s compliance management system?
1(b) Do the board and management provide compliance resources, including systems, capital, and personnel?  Is staff knowledgeable, empowered, and held accountable for compliance with laws and regulations?      
1(c) Does management ensure adequate and ongoing due diligence and oversight of third parties?      

Change Management

Item Description YES NO N/A
1(d) Does management anticipate and respond to changes in applicable laws and regulations, market conditions, and products and services offered by evaluating the change and implementing responses across impacted lines of business?

Comprehension, Identification, and Management of Risk

Item Description YES NO N/A
1(e) Does management understand and identify compliance risks, including emerging risks, in the credit union’s products, services, and other activities?      
1(f) Does management engage in managing risk, including through self-assessments?      

Corrective Action and Self-Identification

Item Description YES NO N/A
1(g) Does management identify issues and respond to compliance risk management deficiencies and any violations of laws or regulations, including providing remediation?

Compliance Program

Item Description YES NO N/A
2 Is the credit union’s compliance management program effective, and does it include policies, procedures, training, monitoring and audit programs, and complaint resolution commensurate with the credit union’s size, complexity, and risk profile?

Policies and Procedures

Item Description YES NO N/A
2(a) Are compliance policies, procedures and third-party relationship management programs adequate to manage the compliance risk in the credit union’s products, services and activities?      
2(b) Is compliance training outlining staff responsibilities appropriate and timely?      
2(c) Is the compliance-training program updated to encompass new products and services, internal policy changes, and to comply with changes to consumer protection laws and regulations?      

Monitoring and/or Audit

Item Description YES NO N/A
2(d) Are compliance monitoring practices, management information systems, compliance audit, and internal control systems in place to adequately identify and address compliance risks throughout the credit union?      

Consumer Complaint Response

Item Description YES NO N/A
2(e) Does the credit union have processes and procedures in place to address consumer complaints and investigations?  Are consumer complaint investigations and responses prompt and thorough?      
2(f) Does management monitor consumer complaints to identify risks of potential consumer harm, program deficiencies, and/or customer service issues?  If yes, does management take appropriate action?      

Violations of Law and Consumer Harm

Item Description YES NO N/A
3 During the examination, did you identify no violations or only minor violations that did not result in consumer harm and did not represent supervisory concern?  (This would include becoming aware of violations or identifying them through your reviews.)

Root Cause

Item Description YES NO N/A
3(a) Were the violations the result of minor weaknesses in the compliance management system?  If no, document and discuss the material or critical weaknesses in the compliance management system.      

Severity

Item Description YES NO N/A
3(b) Did the violations cause minimal supervisory concern or consumer impact?  If no, document and discuss the specific facts involved.      

Duration

Item Description YES NO N/A
3(c) Did the violation occur over a limited period of time?  If no, discuss the time frame and whether the violations were long-standing or whether they were repeated.      

Pervasiveness

Item Description YES NO N/A
3(d) Were the violations isolated, and did they result in little supervisory concern or consumer harm?  If no, discuss the number of violations or how widespread they were across multiple products or services.