QUESTION
I am our company’s Compliance Manager. We enjoy reading your weekly FAQs. In fact, we use them in our weekly sales and compliance meetings. Over the years, we have kept them together in a companywide folder for everyone to read.
This is the first time we’ve written to you. Our problem is that we need guidance in determining risk ratings for our risk assessments. We conduct internal risk assessments but are unsure how to arrange a risk rating. Each regulation is broken down into its major requirements in our risk assessment procedures. Each of these requirements is then assessed for its risk by determining if it is affected by any risk factors that present increased compliance risk.
The matrix we use is not broken down to the level of detail contained in the checklists, so we may need to refine our risk ratings further when they are entered into the checklists. For example, under Regulation Z, the matrix includes one item for section 1026.18, the content of disclosures. However, not all items in 1026.18 will carry the same risk level; the requirement that the disclosure contains the name of the creditor will carry a lower risk than the requirement that the annual percentage rate and finance charge be accurate.
What are the primary risk factors that we can use in our matrix? Also, how should we provide the risk ratings?
ANSWER
I reviewed the documents you sent me as specimens of your assessment matrix. There are many types of risk assessments and many areas of risk in a financial institution. A risk assessment should be designed to evaluate consistently the extent of risk to consumers arising from the activities of a particular entity and to identify the sources of that risk.
One way to conceptualize risk is to view it through the backdrop of risk to consumers; specifically, the potential for consumers to suffer economic loss or other legally-cognizable injuries due to a violation of Federal or state consumer financial law. To determine the risk to consumers, the risk assessment should consider the interaction of two broad sets of factors: (1) inherent risks in a particular line of business or the entity as a whole and (2) the quality of controls implemented by the entity to manage and mitigate those risks.
Let’s start with inherent risk. Inherent risk includes factors that increase the potential for unfair, deceptive, or abusive acts or practices, discrimination, or violations of other Federal consumer financial laws. It also includes factors that increase compliance management challenges and thereby increase the risk of various legal and regulatory violations.
Then there’s the quality of risk controls, which includes factors related to managing and mitigating specific inherent risks and the strength of an entity’s overall Compliance Management System (“CMS”).
The most affordable and quickest means to check the viability of your Compliance Management System is our CMS Tune-up, a mini-audit that reviews the CMS, provides recommendations, and issues a risk rating. I note that your company is already on our list to conduct a CMS Tune-up in August. I think this is a prudent decision. If others want more information about the CMS Tune-up, contact us HERE.
In my view, there are six factors to include in a risk assessment.
The six factors are penalties, litigation, examiner scrutiny, new areas, internal violations, and exam violations.
Let’s take a brief look at each of these factors.
Penalties
The regulatory agencies can impose additional penalties for violations of regulations, notwithstanding the general penalties they can impose as part of their broad enforcement powers. Most of these penalties are criminal and civil monetary penalties, but one exception is the Community Reinvestment Act, where the penalty for violation can involve the denial of bank applications for expansion, merger, and so forth; or the savings account/MMDA transaction limitations, where the penalty can involve the recalculation of reserve requirements. Within these areas, the penalties for noncompliance can be severe. The Bank Secrecy Act and Regulation O are two such areas. As another example, finance charge and annual percentage rate (APR) calculation violations under Regulation Z require mandatory reimbursement.
Litigation
There is often a significant risk of customer litigation. Within these areas, violations can lead to substantial risks of civil liability to customers. In many cases, the law provides for additional damages beyond those suffered by the customer, such as specific, additional monetary damages, attorneys’ fees, class action status, and so forth. For instance, violation of the right of rescission under Regulation Z can lead to customer litigation, resulting in the loss of the security interest and income from the loan.
Examiner Scrutiny
Numerous regulatory areas receive increased scrutiny during regulatory examinations. For example, BSA and Regulation O receive increased scrutiny during almost every examination. Also, compliance with flood insurance requirements is an area that is currently experiencing increased scrutiny by some agencies in some areas.
New Areas
There are relatively new compliance requirements. Also, there are areas in which the financial institution only recently introduced products that require compliance with a particular existing or new requirement. To assist you in identifying new compliance requirements, your matrix should include the effective date for any new regulations.
Internal Violations
These are areas where violations were found as a part of the financial institution’s own internal compliance monitoring.
Exam Violations
These are areas in which violations were found during a previous regulatory examination.
Let’s move on to the risk rating itself!
There are several ways in which a matrix can be used to help assess the risk involved. One simple method would be to place an “X” in the appropriate column for each compliance requirement listed in the rows, if that factor is present for that requirement. An “X” indicates that the requirement (or condition) requires more scrutiny than usual – the more “Xs” there are, the higher the risk.
Rather than using an “X”, another method would be to rank the risk using a number (1-3, for example, “1” being the lowest risk and “3” being the highest) to classify the risk in even more detail. The risk numbers in each row would then be added up to obtain an overall risk score for each compliance requirement – the higher the number, the higher the risk for that requirement. This method has the advantage of recognizing that some factors are “more equal” than others, and their existence merits much more attention than normal. A good example of this is the area of previous examination violations. Repeat violations must be avoided at all costs, which is why this factor merits increased attention. Using a numerical program, each area involving repeat violations would be assigned the highest degree of risk (i.e., a “3” using a 1-3 risk rating program).
A numerical risk rating also has the advantage of being able to vary the weight of each risk factor for each requirement. For instance, while all of Regulation Z is subject to litigation risk because of the civil liability provisions of Truth-in-Lending, some of the mandates of Regulation Z are more likely to be subject to litigation than others. For example, the right of rescission and the APR and finance charge disclosures are more likely to be the subject of litigation than the record retention requirements. Therefore, in this case, the right of rescission and the APR and finance charge requirements would be rated a “3,” while the record retention requirements would be rated a “1”.
The “Penalties” and “Litigation” risk columns in the matrix can be filled in with a check mark (“✓”) just to designate those compliance requirements where the law provides for specific additional penalties that may be assessed by regulators and additional damages that customers can recover in litigation. In addition, to help you identify those requirements that are new, the “New Area” risk column could be filled in with a “✓” for those regulations that are new or revised in the past year.
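To show how the two scoring methods above play out on a matrix, here is an added worked example (not part of the original column, and not a tool the author offers): the six factors are the matrix columns, each requirement is a row, the “X” method counts factors present, the numeric method sums 1-3 ratings with repeat exam violations always forced to 3, and the “New Area” column is checked from the requirement’s effective date. The sample rows, their ratings and the assessment date are constructed assumptions for illustration only.

```python
from datetime import date, timedelta

# The six risk factors from the column, in matrix column order.
FACTORS = ("penalties", "litigation", "examiner_scrutiny", "new_area",
           "internal_violations", "exam_violations")
ASSESSMENT_DATE = date(2025, 6, 1)  # assumed "as of" date for the example

def flag_new_area(row, as_of):
    """Check the 'New Area' column when the requirement's effective date
    (new or revised rule) falls within the past year of the assessment."""
    eff = row.get("effective_date")
    row["new_area"] = int(eff is not None and as_of - eff <= timedelta(days=365))
    return row["new_area"]

def x_score(row):
    """Simple method: one 'X' per factor present; more Xs, higher risk."""
    return sum(1 for f in FACTORS if row.get(f, 0))

def numeric_score(row):
    """Numeric method: each present factor is rated 1-3 and the row is summed.
    Repeat exam violations always carry the highest rating (3)."""
    total = 0
    for f in FACTORS:
        rating = int(row.get(f, 0))
        if not 0 <= rating <= 3:
            raise ValueError(f"{f}: rating {rating} is outside 0-3")
        if f == "exam_violations" and rating:
            rating = 3
        total += rating
    return total

def rank(matrix, scorer, as_of=ASSESSMENT_DATE):
    """Score every requirement row; return (requirement, score), highest risk first."""
    for row in matrix:
        flag_new_area(row, as_of)
    return sorted(((r["requirement"], scorer(r)) for r in matrix),
                  key=lambda t: t[1], reverse=True)

# Constructed sample rows; the ratings are assumptions for illustration only.
SAMPLE_MATRIX = [
    {"requirement": "Reg Z APR and finance charge accuracy",
     "penalties": 3, "litigation": 3, "examiner_scrutiny": 2, "internal_violations": 1},
    {"requirement": "Reg Z right of rescission",
     "litigation": 3, "examiner_scrutiny": 2, "exam_violations": 1},
    {"requirement": "Reg Z name of creditor in disclosure", "litigation": 1},
    {"requirement": "Reg Z record retention", "litigation": 1, "internal_violations": 1},
    {"requirement": "Hypothetical rule revised this year (constructed)",
     "litigation": 2, "effective_date": date(2025, 1, 15)},
]
```

Calling `rank(SAMPLE_MATRIX, numeric_score)` lists the APR/finance charge row (9) and the rescission row (8, because its single repeat exam violation is forced to 3) ahead of record retention (2) and the creditor-name disclosure (1), matching the ordering the column describes.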
Jonathan Foxx, Ph.D., MBA