Risk Assessment Theory and Practical


1 Risk Assessment Theory and Practical

Jim Bedsole, CRCM, CBA, CFSA, CAFP, SVP, Chief Compliance & Officer, BankSouth
Thomas Williams, CRCM, CCBIA, SVP, Senior Compliance Officer, United Bank

Georgia Bankers Association 2017 Compliance School

2 Assessment Theory

3 Why Assessment? Template? Top Down vs. Bottom Up

4 Terminology & Methodology Shared Ownership Framework

5 Assess Controls Avoid Mitigate Share Accept Weighting

6 Residual Traditional View Residual risk never exceeds Inherent risk Residual New Viewpoint Residual risk may exceed Inherent risk Board Review vs. Board Approval

7 Updates What Do You Do With It? Staffing Resource Acquisition and Allocation Policies, Procedures, Processes Monitoring/Auditing Training

8 Assessment Practical

9 OCC Community Bank Supervision Compliance Assessment

10 Compliance

Compliance risk is the risk to current or anticipated earnings or capital arising from violations of laws, rules, or regulations, or from nonconformance with prescribed practices, internal policies and procedures, or ethical standards. This risk exposes a bank to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can result in diminished reputation, reduced franchise or enterprise value, limited business opportunities, and lessened expansion potential. (Updated 5/06/2013)

Compliance risk is not limited to risk from failure to comply with consumer protection laws; it encompasses the risk of noncompliance with all laws and regulations, as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation (known as legal risk) from all aspects of banking, traditional and nontraditional. (Updated 5/06/2013)

Summary Conclusions

Quantity of compliance risk is: Low / Moderate / High
Quality of compliance risk management is: Strong / Satisfactory / Weak

Examiners should consider both the quantity of compliance risk and the quality of compliance risk management to derive the following conclusions:

Aggregate compliance risk is: Low / Moderate / High
Direction is expected to be: Decreasing / Stable / Increasing

11 Quantity of Compliance Indicators

Examiners should use the following indicators when assessing quantity of compliance risk.

Low: Violations or compliance program weaknesses are insignificant in number and issues or do not exist. No e-banking or the Web site is informational or non-transactional. All loans are originated in-house with no broker or third-party relationships. Limited/no marketing or advertising of products and services. Bank offers traditional mix of noncomplex lending, investment, and deposit products. Bank offers products and services to local market/service area. Financial institution competition within its marketplace is minimal. Volume of products and services offered is reasonable considering its financial strength and capability, and growth is stable. Bank has few offices, some automated teller machines and centralized operations. Volume of consumer complaints is minimal.

Moderate: Violations or compliance program weaknesses exist and represent technical issues with some reimbursement to consumers that are resolved in a timely manner. Bank is beginning e-banking and offers limited products and services. Low volume of consumer and business loans are originated by local brokers or other third parties. Limited marketing or advertising practices commensurate with strategic focus. Bank offers traditional investment and deposit products and a mix of traditional and complex lending products. Bank offers products and services to regional market/service area. Financial institution competition within its marketplace is considerable. Volume of products and services offered is increasing considering its financial strength and capability, and growth is steady. Bank has statewide branching and automated teller machine network with decentralized operations. Volume of consumer complaints is moderate.

High: Violations or compliance program weaknesses are significant in number, resulting in large consumer reimbursements or regulatory fines and penalties. Bank offers a wide array of e-banking products and services (e.g., account transfers, e-bill payments or accounts opened via the Internet). High volume of consumer or business loans is originated by multiple statewide or nationwide brokers or other third parties. Marketing and advertising of new products offered through multiple channels (branch network, Internet, direct mail, solicitations, etc.). Bank offers a broad array of traditional and complex lending, investment, and deposit products. Bank offers products and services to national market/service area. Financial institution competition within its marketplace is significant and may include large national and international companies. Volume of products and services offered is outpacing its financial strength and capability, and growth is unstable. Bank has regional or national branching and automated teller machine network with decentralized operations. Volume of consumer complaints is high.

12 Quality of Compliance Management Indicators

Examiners should use the following indicators when assessing the quality of compliance risk management.

Strong: Board has adopted compliance risk management policies that are consistent with business strategies and risk tolerance. Management fully understands all aspects of compliance risk; exhibits clear commitment to compliance. Commitment is communicated throughout the institution. Authority and accountability are clearly defined and enforced. Management anticipates and responds well to market, technological, or regulatory changes. Compliance considerations are incorporated into product/system development and modification processes, including changes made by service providers or vendors. Control systems effectively identify violations or compliance system weaknesses and corrective action is prompt and reasonable. Management provides effective resources/training programs to ensure compliance.

Satisfactory: Board has adopted compliance risk management policies that are generally consistent with business strategies and risk tolerance. Management reasonably understands the key aspects of compliance risk. Commitment to compliance is reasonable and satisfactorily communicated throughout the institution. Authority and accountability are defined, although some refinements may be needed. Management adequately responds to market, technological, or regulatory changes. Although compliance may not be formally considered when developing products and systems, issues are typically addressed before they are fully implemented. Control systems are adequate for identifying violations or compliance system weaknesses but not always in a timely manner. Management is usually responsive and corrective action is generally timely but not in all instances. Management provides adequate resources/training, given the complexity of products/operations.

Weak: Board has adopted compliance risk management policies that are inconsistent with business strategies and risk tolerance. Management does not understand or has chosen to ignore key aspects of compliance risk. Importance of compliance is not emphasized or communicated throughout the organization. Management has not established or enforced accountability. Management does not anticipate or take timely or appropriate actions in response to market, technological, or regulatory changes. Compliance considerations are not incorporated into product and system development. Control systems are ineffective in identifying violations and compliance system weaknesses. Management is unresponsive; corrective action is weak. Management has not provided adequate resources or training.

13 Quality of Compliance Management Indicators continued

Strong: Bank has a strong record of compliance. Considering the scope and complexity of its operations and structure, compliance risk management systems are sound and minimize the likelihood of significant or frequent violations or instances of noncompliance. Bank has strong record of acting on and monitoring consumer complaints.

Satisfactory: Bank has a satisfactory record of compliance. Considering scope and complexity of operations and structure, compliance risk management systems are adequate to avoid significant or frequent violations or instances of noncompliance. Bank has satisfactory record of acting on and monitoring consumer complaints.

Weak: Bank has unsatisfactory record of compliance. Considering scope and complexity of operations and structure, compliance risk management systems are deficient, reflecting inadequate commitment to risk management. Bank has a weak record of acting on and monitoring consumer complaints.

14 BSA/AML/OFAC Indicators

Appendix B: Other s

Quantity of BSA/AML/OFAC Indicators

Examiners should use the following indicators when assessing quantity of BSA/AML/OFAC risk.

Low: Stable, known customer base. No e-banking or Web site is informational or non-transactional. On the basis of information received from the BSA-reporting database, there are few or no large currency or structured transactions. Identified a few high-risk customers and businesses; these may include nonresident aliens, foreign individuals (including accounts with U.S. powers of attorney), and foreign commercial customers. (Updated 9/28/2012) No overseas branches and no foreign correspondent financial institution accounts. Bank does not engage in pouch activities, offer special-use accounts, or offer payable through accounts (PTA), or provide U.S. dollar draft services. (Updated 9/28/2012) Few international accounts or very low volume of currency activity in the accounts.

Moderate: Customer base increasing due to branching, merger, or acquisition. Bank is beginning e-banking and offers limited products and services. On the basis of information received from the BSA-reporting database, there is a moderate volume of large currency or structured transactions. Identified a moderate number of high-risk customers and businesses. Bank has overseas branches or a few foreign correspondent financial institution accounts, typically with financial institutions with adequate AML policies and procedures from low-risk countries, and minimal pouch activities, special-use accounts, payable through accounts (PTA), or U.S. dollar draft services. (Updated 9/28/2012) Moderate level of international accounts with unexplained currency activity.

High: Large and growing customer base in a wide and diverse geographic area. Bank offers a wide array of e-banking products and services (e.g., account transfers, e-bill payment, or accounts opened via the Internet). On the basis of information received from the BSA-reporting database, there is a significant volume of large currency or structured transactions. Identified a large number of high-risk customers and businesses. Bank has overseas branches or maintains a large number of foreign correspondent financial institution accounts with financial institutions with inadequate AML policies and procedures, particularly those located in high-risk jurisdictions, or offers substantial pouch activities, special-use accounts, payable through accounts (PTA), or U.S. dollar draft services. (Updated 9/28/2012) Large number of international accounts with unexplained currency activity.

15 Quantity of BSA/AML/OFAC Indicators continued

Low: Bank offers limited or no private banking services or trust and asset management products or services. Limited number of funds transfers for customers, noncustomers; limited third-party transactions, and no foreign funds transfers. No other types of international transactions, such as trade finance, cross border ACH, and management of sovereign debt. (Updated 9/28/2012) No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation. (Updated 9/28/2012) Bank is not in a High Intensity Drug Trafficking Area (HIDTA) or High Intensity Financial Crime Area (HIFCA). No fund transfers or account relationships involve HIDTAs or HIFCAs. No transactions with high-risk geographic locations. Low turnover of key personnel or frontline personnel (e.g., customer service representatives, tellers, or other branch personnel).

Moderate: Bank offers limited domestic private banking services or trust and asset management products or services over which the bank has investment discretion. Strategic plan may be to increase trust business. Moderate number of funds transfers. Few international funds transfers from personal or business accounts with typically low-risk countries. Limited other types of international transactions. (Updated 9/28/2012) A small number of recent actions (e.g., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the bank addressed the issues and is not at risk of similar violations in the future. (Updated 9/28/2012) Bank is in a High Intensity Drug Trafficking Area (HIDTA) or High Intensity Financial Crime Area (HIFCA). Bank has some fund transfers or account relationships that involve HIDTAs or HIFCAs. Minimal transactions with high-risk geographic locations. Low turnover of key personnel, but frontline personnel in branches may have changed.

High: Bank offers significant domestic and international private banking or trust and asset management products or services. Private banking or trust and asset management services are growing. Products offered include investment management services, and trust accounts are predominantly nondiscretionary versus where the bank has full investment discretion. Large number of noncustomer funds transfer transactions and payable upon proper identification (PUPID) transactions. Frequent funds from personal or business accounts to or from high-risk jurisdictions, and financial secrecy havens or jurisdictions. A high number of other types of international transactions. (Updated 9/28/2012) Multiple recent actions by OFAC, where the bank has not addressed the issues, thus leading to an increased risk of the bank undertaking similar violations in the future. (Updated 9/28/2012) Bank is in a High Intensity Drug Trafficking Area (HIDTA) and an HIFCA. Large number of fund transfers or account relationships involve HIDTAs or HIFCAs. Significant volume of transactions with high-risk geographic locations. High turnover, especially in key personnel positions.

16 Quality of BSA/AML/OFAC Management Indicators

Examiners should use the following indicators when assessing quality of BSA/AML/OFAC risk management.

Strong: Management fully understands the aspects of compliance risk and exhibits strong commitment to compliance. Compliance considerations are incorporated into all products and areas of the organization. When deficiencies are identified, management promptly implements meaningful corrective action. Authority and accountability for compliance are clearly defined and enforced, including designation of qualified BSA officer. Independent testing is in place and is effective. Board has approved a BSA compliance program that includes adequate policies, procedures, controls, and information systems. Training is appropriate, effective, covers applicable personnel, and necessary resources have been provided to ensure compliance.

Satisfactory: Management reasonably understands key aspects of compliance and commitment is generally clear and satisfactorily communicated. Compliance considerations are overlooked or are weak in one or two areas. Problems can be corrected in the normal course of business without significant investment of money or management attention. Management is responsive when deficiencies are identified. Authority and accountability are defined, but some refinements are needed. Qualified BSA officer has been designated. Overall, independent testing is in place and effective. However, some weaknesses are noted. Board has approved a BSA compliance program that addresses most policies, procedures, controls, and information systems but some weaknesses are noted. Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program.

Weak: Management does not understand or has chosen to ignore key aspects of compliance risk. Importance of compliance is not emphasized or communicated throughout the organization. Compliance considerations are not incorporated into numerous areas of the organization. Errors and weaknesses are not self-identified. Management may only respond when violations are cited. Authority and accountability for compliance has not been clearly established. No qualified BSA officer or an unqualified one may have been appointed. Role of BSA officer is unclear. Independent testing is not in place and/or is ineffective. Board may not have approved a BSA compliance program. Policies, procedures, controls, and information systems are significantly deficient. For example, there are substantial failures to file currency transaction reports and/or suspicious activity reports. Training is not consistent and does not cover important regulatory and risk areas.

17 Quality of BSA/AML/OFAC Management Indicators continued

Strong: Effective customer identification processes and account-opening procedures are in place. Management has identified and developed controls that are applied appropriately to high-risk areas, products, services, and customers of the bank. Compliance systems and controls quickly adapt to changes in various government lists (e.g., OFAC, Financial Crimes Enforcement Center [FinCEN], and Other Government Provided List). Compliance systems and controls effectively identify and appropriately report suspicious activity. Systems are commensurate with risk. Low volume of correspondence from IRS indicates that CTRs are accurate. Appropriate compliance controls and systems are implemented to identify compliance problems and assess performance.

Satisfactory: Customer identification processes and account-opening procedures are generally in place but not well applied to all high-risk areas. Management is aware of high-risk areas, products, services, and customers, but controls are not always appropriately applied to manage this risk. Compliance systems and controls are generally adequate and adapt to changes in various government lists (e.g., OFAC, Financial Crimes Enforcement Center [FinCEN], and Other Government Provided List). Compliance systems and controls generally identify suspicious activity. However, monitoring systems are not comprehensive or have some weaknesses. Volume of correspondence from IRS indicates some errors in CTR reporting. No shortcomings of significance are evident in compliance controls or systems. Probability of serious future violations or noncompliance is within acceptable tolerance.

Weak: Customer identification processes and account-opening procedures are absent or ineffective. Management is not fully aware of high-risk areas of the bank. Inadequate policies, procedures, and controls have resulted in instances of unreported suspicious activity, unreported large currency transactions, structured transactions, and/or substantive violations of law. Compliance systems and controls are inadequate to comply with and adapt to changes in various government lists (e.g., OFAC, Financial Crimes Enforcement Center [FinCEN], and Other Government Provided List). Compliance systems and controls are ineffective in identifying and reporting suspicious activity. Volume of correspondence from IRS indicates a substantive volume of CTR reporting errors. Likelihood of continued compliance violations or noncompliance is high because a corrective action program does not exist or extended time is needed to implement such a program.

18 Fair Lending Indicators

Quantity of Fair Lending (F/L) Indicators

Examiners should use the following indicators when assessing quantity of fair lending risk.

Low: Significant and explainable volume of consumer lending. Generic, non-complex products offered. Low number of policy exceptions/overrides. Lending policies allow little or no lender discretion in the loan decision process. Little or no disparities among approval/denial rates or pricing by prohibited basis groups. Low proportion of withdrawn/incomplete applications for prohibited basis groups. No conspicuous gaps in lending patterns. Centralized underwriting and makes own loans. No marketing practices or products that are targeted to any specific group or location. No F/L complaints or complaints to Departments of Justice (DOJ) or Housing and Urban Development (HUD) regarding discrimination or discouraged applications.

Moderate: Lower volume of consumer lending, but explainable. Limited number of complex products offered. Modest number of policy exceptions/overrides and may exceed guidelines. Lending policies allow some lender discretion in the loan decision process. Some disparities among approval/denial rates or pricing by prohibited basis groups. Moderate proportion of withdrawn/incomplete applications for prohibited basis groups. Explainable conspicuous gaps in lending patterns. Local brokers originate a low volume of loans. Limited marketing practices or products that are targeted to specific groups. Activity is commensurate with strategic focus. Limited number of F/L related complaints.

High: Low and unexplainable volume of consumer lending. (Bank could be discouraging applicants). Several complex products offered (e.g., subprime high-cost mortgages, etc.). High number of policy exceptions/overrides. Lending policies allow high level of lender discretion in the loan decision process. Substantive disparities among approval/denial rates or pricing by prohibited basis groups. Higher proportion of withdrawn/incomplete applications for prohibited basis groups. Unexplainable conspicuous gaps in lending. Decentralized underwriting and high volume of loans originated by multiple statewide or nationwide brokers. Marketing practices or products are targeted to specific groups or locations (e.g., advertising subprime or higher cost consumer loans in a language other than English). Numerous F/L related complaints.

19 Quantity of Fair Lending (F/L) Indicators continued

Low: No F/L lawsuits or claims regarding discrimination or discouraged applicants. No special compensation incentives for lenders.

Moderate: Community groups have raised F/L issues. Some potential lawsuits (e.g., allegations of predatory lending). Lenders do receive incentives for number of loans made, but activity is closely monitored.

High: Actual F/L lawsuits or claims. Investigations of fair lending complaints by DOJ or HUD. Lenders receive incentives for number of loans made without review.

20 Quality of Fair Lending Management Indicators

Examiners should use the following indicators when assessing quality of fair lending risk management.

Strong: Bank conducts an effective F/L risk assessment. Results are discussed with the board. Centralized decision making with ongoing monitoring for consistency. Bank adheres to well-defined underwriting standards and override procedures. Bank has an effective second review process in place. F/L considerations are incorporated into all areas of the bank (e.g., rollout of new products, advertising, changes in forms, disclosures, etc.). Policies and procedures are adequate. When deficiencies are identified, management promptly implements meaningful corrective action. Training to ensure consistent treatment is appropriate and effective. Necessary resources have been provided to ensure compliance. Experienced, well-trained, and knowledgeable staff. Bank is responsive and resolves complaints promptly when received.

Satisfactory: Bank conducts a F/L risk assessment but system is flawed. Centralized decision making but with limited monitoring. Staff generally adheres to underwriting standards and override procedures. Bank has implemented an informal second review process (e.g., inconsistent consideration of denied applications, exceptions, and/or overrides). F/L considerations sometimes overlooked and not incorporated into all areas of the bank. Management effects corrective action when identified. Policies and procedures are generally adequate but certain weaknesses are noted. Management is responsive when deficiencies are identified in the normal course of business or second review process. Training is conducted but is conducted infrequently or is not timely. Management might not provide adequate resources and employee turnover may be high. In general, complaints are promptly and adequately addressed.

Weak: Little or no monitoring of F/L compliance. Decentralized decision making without monitoring of discretionary pricing, overrides, or policy exceptions. No second review process. F/L considerations are not incorporated in numerous areas of the bank. Management does not effect corrective action. Policies and procedures are significantly flawed and do not provide sufficient guidance as to why business reasons or other factors are not discriminatory. Errors and deficiencies are not self-identified. Management may only respond when violations are cited. Training is sporadic and ineffective (as evidenced by inconsistent application of underwriting standards); high volume of withdrawn/incomplete applications may indicate bank is discouraging applicants. Management does not monitor or adequately and promptly address complaints.

21 Quality of Fair Lending Management Indicators - continued

Strong: Appropriate fair lending compliance controls and systems (e.g., quality control functions, compliance audits, and self-assessments) are implemented to identify compliance problems and assess performance. Clear and objective standards for referring applicants to subsidiaries or affiliates; classifying applicants as prime or subprime or deciding what alternative loan products should be offered.

Satisfactory: No significant shortcomings are evident in fair lending compliance controls or systems (e.g., compliance reviews, compliance audits, and self-assessments). Probability of serious future violation or noncompliance is within acceptable tolerance. Objective standards for referring applicants to subsidiaries or affiliates; classifying applicants as prime or subprime or deciding what alternative loan products should be offered.

Weak: Significant shortcomings are evident in fair lending compliance controls or systems (e.g., quality control functions, compliance reviews, compliance audits, and self-assessments). The probability of serious future violation or noncompliance is not within acceptable risk tolerances. Missing clear and objective standards for referring applicants to subsidiaries or affiliates; classifying applicants as prime or subprime or deciding what kinds of alternative loan products should be offered.

22 Consumer Lending Regulations Indicators

Quantity of Consumer Lending Regulations (FDPA/RESPA/TILA/HPA/HMDA) Indicators

Examiners should use the following indicators when assessing quantity of consumer lending regulations risk.

Low: Noncomplex and stable types of products offered (e.g., fixed-rate long-term mortgages, simple consumer loans). Consistent, high volume of loan originations with no recently identified violations of law/regulation indicating bank is accustomed to dealing with technical regulations. Experienced, knowledgeable staff in key lending control positions. May be indicated by low staff turnover or frequency of training. Stable software and processes with low errors in technical requirements (disclosures, notices, APRs, changes in indices, etc.). Electronic banking is not offered or is limited to account inquiries. Marketing activities are limited to local area, stable environment, centralized. Interest rate environment is stable. Few competitors.

Moderate: Limited number of complex loan products offered. Products change occasionally. Consistent high volume of loan originations with occasional technical violations noted. Experienced, knowledgeable staff in moderately critical lending control positions. Implementation of new software, or software conversions with some errors in technical requirements. Electronic banking is limited to non-transactional functions, and is informational only. Information includes triggering terms. No online loan applications permitted. Marketing activities are limited to standard products, decentralized channels (branches), and wider geographical area. Interest rate environment is changing but loan volume is manageable. Multiple competitors. May result in bank offering some loan products they are not experienced in handling.

High: Complex loan products offered (e.g., ARMs, HELOC, construction loans). Products change frequently. Low level or infrequent loan originations and/or frequent violations noted. Inexperienced or untrained staff in key or high volume critical lending control positions. High turnover or infrequent training may be an indicator. System conversions or software changes due to vendor changes or merger activity. Problems indicated by high level of errors in technical requirements. Loan applications and transactions accepted via the Internet, increasing the difficulty of delivering disclosures and making the bank more susceptible to fraud. Active marketing of new products offered through multiple channels (Internet, direct mail, solicitations, etc.). Interest rate environment is unstable, causing unmanageable loan volume. High level of competition causing increased loan volume, particularly in complex loan products they are not experienced in handling.

23 Quantity of Consumer Lending Regulations (FDPA/RESPA/TILA/HPA/HMDA) Indicators - continued

Low: Few or no consumer complaints are received. There is no obvious pattern as to regulation type when complaints are reviewed. No special flood hazard areas in lending area. (FDPA) No broker relationship or limited broker relationships with low amount of unearned fees either paid or received. (RESPA) Bank does not offer products or services that require expanded, detailed regulatory compliance such as: Credit cards (TILA); Home equity loans/lines (TILA); Consumer leases (Leasing); Escrow (RESPA, HPA); Private mortgage insurance (TILA, HPA); Required service providers (RESPA); Controlled business arrangements. Low number of consumer complaints received. No pattern as to type of complaint. Few or no substantive issues. Bank does not provide disclosures electronically. No loans subject to the Servicemembers Civil Relief Act and the Talent Amendment.

Moderate: Some consumer complaints are received. There is no obvious pattern as to regulation type. Lending area has few special flood hazard areas. Moderate use of broker and moderate amount of unearned fees either paid or received. Bank may offer some products or services that require expanded, detailed regulatory compliance such as: Credit cards (TILA); Home equity loans/lines (TILA); Consumer leases (Leasing); Escrow (RESPA, HPA); Private mortgage insurance (TILA, HPA); Required service providers (RESPA); Controlled business arrangements. Moderate number of consumer complaints received without a pattern as to compliance type. Moderate number of substantive issues. Bank provides electronic and paper disclosures. Staff is knowledgeable of E-Sign Act and there is effective consumer opt-in as required by the act. Some loans subject to the Servicemembers Civil Relief Act and the Talent Amendment.

High: Several consumer complaints are received and may represent a pattern. Lending area has numerous special flood hazard areas. Broker relationship coupled with high amount of unearned fee income either paid or received. Bank offers numerous products or services that require expanded, detailed regulatory compliance such as: Credit cards (TILA); Home equity loans/lines (TILA); Consumer leases (Leasing); Escrow (RESPA, HPA); Private mortgage insurance (TILA, HPA); Required service providers (RESPA); Controlled business arrangements. Several consumer complaints are received and may represent a pattern. Significant number of substantive issues. OCC Customer Assistance Group has notified the supervisory office. Bank only provides disclosures electronically. Staff has some knowledge of E-Sign Act. Effective consumer opt-in, as required by the act, is inconsistent. Significant number of loans subject to the Servicemembers Civil Relief Act and the Talent Amendment.

Quality of Consumer Lending Regulations (FDPA/RESPA/TILA/HPA/HMDA) Management Indicators

Examiners should use the following indicators when assessing quality of consumer lending regulations risk management.

Strong:
- Management fully understands all aspects of lending compliance risk and exhibits clear commitment to compliance. Commitment is communicated throughout affected areas of the institution.
- Authority and accountability for lending compliance are clearly defined and enforced.
- Management anticipates and responds well to changes of a market, technological or regulatory nature that affect lending regulations compliance.
- Lending compliance considerations are incorporated into products and system development processes, including changes made by outside service providers or vendors or affiliates.
- When lending compliance deficiencies are identified, management promptly implements meaningful corrective action.
- Appropriate lending compliance controls and systems (e.g., quality control functions, compliance audits, and self-assessments) are implemented to identify compliance problems and assess performance.

Satisfactory:
- Management reasonably understands the key aspects of lending compliance risk. Commitment to lending compliance is reasonable and satisfactorily communicated throughout affected areas of the institution.
- Authority and accountability for lending compliance are defined, although some refinements may be needed.
- Management adequately responds to changes of a market, technological or regulatory nature that affect lending regulations compliance.
- Lending compliance may not be formally considered when developing products and systems, and issues are typically addressed before they are fully implemented.
- Lending compliance problems can be corrected in the normal course of business without a significant investment of money or management attention. Management is responsive when lending deficiencies are identified.
- No shortcomings of significance are evident in lending compliance controls or systems (e.g., quality control functions, compliance reviews, compliance audits, and self-assessments). Probability of serious future violations or noncompliance is within acceptable tolerance.

Weak:
- Management does not understand or has chosen to ignore key aspects of lending compliance risk. Importance of lending compliance is not emphasized or communicated throughout affected areas of the institution.
- Management has not established or enforced accountability for lending compliance performance.
- Management does not anticipate or take timely or appropriate actions in response to changes of a market, technological or regulatory nature that affect lending regulations compliance.
- Lending compliance considerations are not incorporated into product and systems development.
- Lending compliance errors are often not detected internally, corrective action is often ineffective, or management is unresponsive.
- Likelihood of continued lending compliance violations or noncompliance is high because a corrective action program does not exist, or extended time is needed to implement such a program.

Quality of Consumer Lending Regulations (FDPA/RESPA/TILA/HPA/HMDA) Management Indicators - continued

Strong:
- Lending compliance training programs are effective, and the necessary resources have been provided to ensure compliance.
- Compliance risk management processes and information systems are sound, and the bank has a strong control culture that has proven effective for lending compliance.
- Effective control systems are in place to assure maintenance of flood insurance throughout the loan term. This includes mechanism to force place flood insurance if necessary. (FDPA)
- Control systems are effective to collect and accurately report all HMDA and CRA loans.
- HMDA or FHHLD System data are evaluated quarterly for trends and accuracy.

Satisfactory:
- Management provides adequate resources and training for compliance.
- Compliance risk management processes and information systems are adequate to avoid significant or frequent violations or noncompliance with lending regulations.
- Control systems are in place to detect the expiration of insurance but there is not a mechanism to provide for the timely force placement of insurance (gaps in insurance can occur).
- Control systems do not capture all loans or there are errors. Bank's internal control systems found data errors and corrected them.
- HMDA or FHHLD System data are not evaluated for trends but accuracy is assessed quarterly.

Weak:
- Management has not provided adequate resources or training for compliance with lending regulations.
- Compliance risk management processes and information systems are deficient in the lending regulations.
- Bank does not have effective system to maintain flood insurance.
- Control systems are not capturing all loans. Bank does not have a quality control system to detect errors.
- HMDA or FHHLD System data are not evaluated for trends nor reviewed for accuracy until prepared for submission to the FFIEC.

Consumer Deposit Regulations Indicators

Quantity of Consumer Deposit Regulations (Reg. D, Reg. DD, Reg. CC, Reg. E) Indicators

Examiners should use the following indicators when assessing quantity of consumer deposit regulations risk.

Low:
- Staff is experienced and knowledgeable regarding regulatory requirements that apply to their functions. Staff turnover is generally low.
- Noncomplex products are offered. Product types are stable. (Reg. D, Reg. DD, Reg. CC, Reg. E)
- Electronic banking is not offered or is limited to account inquiries. (Reg. D, Reg. DD)
- Marketing activities are limited to local area, stable environment, centralized. (Reg. DD)
- Interest rate environment is stable. (Reg. DD)
- Few competitors. (Reg. DD)
- Tested and proven software and processes are in use. Few if any errors regarding technical requirements (disclosures, notices, APYs, etc.) are noted. (Regs. DD, CC, D, E)

Moderate:
- Staff is generally experienced and knowledgeable regarding regulatory requirements that apply to their functions. Some turnover is identified.
- Limited number of complex products is offered. Product types change occasionally. (Reg. D, Reg. DD, Reg. CC, Reg. E)
- Electronic banking is limited to non-transactional functions and is informational only (which may trigger Reg. DD advertising requirements). No account opening permitted. (Reg. D, Reg. DD)
- Marketing activities are limited to standard products, decentralized channels (individual branches or lines of business). (Reg. DD)
- Interest rate environment is unstable but volume is manageable. (Reg. DD)
- Multiple competitors. May result in the bank developing more complex products. (Reg. DD)
- New software has been implemented, or software conversions have taken place. Some errors regarding technical requirements are noted. (Regs. DD, CC, D, E)

High:
- Staff is inexperienced or is not knowledgeable regarding regulatory requirements that apply to their functions. Turnover may be high.
- Several complex deposit products offered (e.g., index-powered CDs, tiered rate, stepped-rate). Product types change frequently. (Reg. D, Reg. DD, Reg. CC, Reg. E)
- Accounts can be opened via the Internet and transactions conducted (account-to-account transfers, electronic bill payment, etc.). (Reg. D, Reg. DD, Reg. CC, Reg. E)
- Active marketing of new products offered through multiple channels (Internet, direct mail, etc.). (Reg. DD)
- Interest rates are unstable. May result in rapid shift in demand for certain products (Reg. DD). May indicate a need for further disclosures to the consumer.
- High level of competition. May result in the bank offering premiums or bonuses for deposit products. (Reg. DD)
- System conversions or software changes have been implemented due to vendor changes, or merger activity. Numerous errors regarding technical requirements are noted. (Regs. DD, CC, D, E)

Quantity of Consumer Deposit Regulations (Reg. D, Reg. DD, Reg. CC, Reg. E) Indicators - continued

Low:
- Next day availability of deposits across the board. Few exception holds. (Reg. CC)
- Low number of consumer complaints received. No pattern as to type of complaint. Few or no substantive issues.
- Access devices are not offered or are limited to ATM cards. (Reg. E)
- Bank does not offer MMDA or NOW accounts. (Reg. D)
- Bank does not provide disclosures electronically.

Moderate:
- Case-by-case, new account and large deposit exceptions occur occasionally. Deposit holds are done infrequently. (Reg. CC)
- Moderate number of consumer complaints received without a pattern as to compliance type. Moderate number of substantive issues.
- Access devices such as ATM and debit cards are offered. Multiple channels may be available. (Reg. E)
- MMDA and/or NOW accounts may be offered as permitted by regulation. (Reg. D)
- Bank provides both electronic and paper disclosures. Staff is knowledgeable of E-Sign Act and there is effective consumer opt-in as required by the act.

High:
- Holds are placed frequently. (Reg. CC)
- Several consumer complaints are received and may represent a pattern. Significant number of substantive issues.
- Bank's ATM network may be extensive. Access devices such as ATM and debit cards are offered. Multiple channels may be available. (Reg. E)
- MMDA and/or NOW accounts are offered. NOW accounts may not be limited to consumers only. (Reg. D)
- Bank provides disclosures electronically only. Staff has some knowledge of the E-Sign Act. Effective consumer opt-in, as required by the act, is inconsistent.

Quality of Consumer Deposit Regulations (Reg. D, Reg. DD, Reg. CC, Reg. E) Management Indicators

Examiners should use the following indicators when assessing quality of consumer deposit regulations risk management.

Strong:
- Management fully understands all aspects of deposit compliance risk and exhibits clear commitment to compliance. Importance of deposit compliance is emphasized and communicated throughout the organization.
- Authority and accountability for deposit compliance is clearly defined and enforced.
- Management anticipates and responds well to changes of a market, technological, or regulatory nature that affect deposit regulations compliance.
- Deposit compliance considerations (APYs, periodic statements, deposit holds, MMDA withdrawals/transfers, etc.) are incorporated into products and system development and modification processes, including changes made by outside service providers or vendors. (Regs. DD, E, CC, D)
- When deposit compliance deficiencies are identified, management promptly implements meaningful corrective action. These include responding to customer complaints and resolving EFT errors.

Satisfactory:
- Management reasonably understands key aspects of deposit compliance risk. Commitment to deposit compliance is reasonable and satisfactorily communicated.
- Authority and accountability for deposit compliance is defined, although some refinements are needed.
- Management adequately responds to changes of a market, technological, or regulatory nature that affect deposit regulations compliance.
- Although deposit compliance may not be formally considered when developing products and systems, issues are typically addressed before they are fully implemented.
- Deposit compliance problems can be corrected in the normal course of business without a significant investment of money or management attention. Management is responsive when deposit deficiencies are identified.

Weak:
- Management does not understand key aspects of deposit compliance risk. Commitment to deposit compliance is not reasonable or satisfactorily communicated.
- Management has not established or enforced accountability for deposit compliance performance.
- Management does not anticipate or take timely or appropriate actions in response to changes of a market, technological, or regulatory nature that affect deposit regulations compliance.
- Deposit compliance considerations are not incorporated into product and systems development.
- Deposit compliance errors are often not detected internally, corrective action is often ineffective, or management is unresponsive.

Quality of Consumer Deposit Regulations (Reg. D, Reg. DD, Reg. CC, Reg. E) Management Indicators - continued

Strong:
- Appropriate deposit compliance controls and systems (e.g., quality control functions, compliance audits, self-assessments) are implemented to identify compliance problems and assess performance.
- Deposit compliance training programs are effective, and the necessary resources have been provided to ensure compliance.
- Compliance risk management processes and information systems are sound and the bank has a strong control culture that has proven effective for deposit compliance.

Satisfactory:
- No shortcomings of significance are evident in deposit compliance controls or systems (e.g., quality control functions, compliance reviews, compliance audits, and self-assessments). The probability of serious future violations or noncompliance is within acceptable tolerance.
- Management provides adequate resources and training given the complexity of products and operations for compliance with deposit regulations.
- Compliance risk management processes and information systems are adequate to avoid significant or frequent violations or noncompliance with deposit regulations.

Weak:
- Likelihood of continued deposit compliance violations or noncompliance is high because a corrective action program does not exist, or extended time is needed to implement such a program.
- Management has not provided adequate resources or training for compliance with deposit regulations.
- Compliance risk management processes and information systems are deficient in the deposit regulations.

Other Consumer Regulations Indicators

Quantity of Other Consumer Regulations Indicators (Privacy of Consumer Financial Information, Fair Credit Reporting Act, Right to Financial Privacy Act, Fair Debt Collection Practices Act, Children's On-Line Privacy Protection Act, Controlling the Assault of Non-Solicited Pornography and Marketing Act, Telephone Consumer Protection Act)

Examiners should use the following indicators when assessing quantity of other consumer regulations risk.

Low:
- Bank does not share customer information with affiliates and nonaffiliates outside of the regulatory exceptions contained in 12 CFR 40.13, .14, and .15. (Privacy)
- Bank does not disclose information to nonaffiliated third parties outside the statutory exceptions, and an opt-out election is therefore not necessary. (Privacy)
- Bank has no relationships with nonaffiliated entities. (Privacy)
- Bank does not report credit information on its customers other than to a consumer-reporting agency. (Fair Credit Reporting Act)
- Bank has not received requests from government agencies for information related to customers' financial records. (Right to Financial Privacy Act)

Moderate:
- Bank shares limited customer information with affiliates and nonaffiliates.
- Bank discloses information to nonaffiliated third parties outside the statutory exceptions. Consumers are provided a reasonably clear and conspicuous opt-out notice and a generally reasonable means to do so. Bank has devised a generally effective means to record, maintain, and effectuate opt-out election by consumers.
- Bank has relationships with a limited number of nonaffiliated entities.
- Bank provides credit information on its customers to their holding companies or affiliates as permitted by the law.
- Bank has received limited requests from government agencies for customers' financial records.

High:
- Bank actively shares customer information with affiliates and nonaffiliates.
- Bank discloses information to nonaffiliated third parties outside the statutory exceptions. Consumers are either not provided with an opt-out notice, or it is not clear and conspicuous. It is difficult for consumers to submit the notice. Bank either has not devised a means to record, maintain, and effectuate opt-out election by consumers, or it is not effective.
- Bank has relationships with a large number of nonaffiliated entities.
- Bank routinely provides credit information on its customers to other creditors or correspondents to market new products.
- Bank has received a significant number of requests from government agencies for customers' financial records.

Quantity of Other Consumer Regulations Indicators - continued

Low:
- Bank does not operate a Web site or online service directed to children younger than 13 or does not have actual knowledge that it is collecting or maintaining personal information from a child online. (COPPA)
- Bank does not market products or services via e-mail or telephone. (CAN-SPAM, TCPA)
- Bank does not regularly collect consumer debts for another person or institution or use any name other than its own when collecting consumer debts and is therefore not a debt collector. (Fair Debt Collection Practices Act)

Moderate:
- Bank's Web site may collect information from children younger than 13 but does not have an FTC-approved program.
- Bank may market products or services via e-mail or telephone, but its program does not meet all requirements of CAN-SPAM or TCPA.
- Bank occasionally acts as a debt collector.

High:
- Bank's Web site collects information from children younger than 13. Bank participates in an FTC-approved, self-regulatory program and independent review/audit has verified bank's compliance with the program.
- Bank markets products or services via e-mail or telephone. It does not have a process to review or ensure compliance with requirements of CAN-SPAM or TCPA.
- Bank frequently acts as a debt collector.

Quality of Other Consumer Regulations Management Indicators (Privacy of Consumer Financial Information, Fair Credit Reporting Act, Right to Financial Privacy Act, Fair Debt Collection Practices Act, Children's On-Line Privacy Protection Act, Controlling the Assault of Non-Solicited Pornography and Marketing Act, Telephone Consumer Protection Act)

Examiners should use the following indicators when assessing quality of other consumer regulations risk management.

Strong:
- Management has effective privacy and marketing policies that accurately reflect the operations of the bank. (Privacy, CAN-SPAM, TCPA)
- Bank has implemented a comprehensive, board-approved written information security program that complies with section 501(b) of GLBA. (Privacy)
- Compliance actively monitors to ensure that the bank does not report credit information on its customers other than to a consumer-reporting agency. (Fair Credit Reporting Act)
- Bank has an effective system to ensure that requests for information related to customer's financial records from government agencies are responded to appropriately. (Right to Financial Privacy Act)
- Training related to privacy and marketing laws and regulations is effective, and resources have been provided to ensure compliance.
- Authority and accountability for privacy and marketing compliance is clearly defined and enforced.

Satisfactory:
- Management has privacy and marketing policies that adequately reflect the operations of the bank.
- Bank has implemented an adequate, board-approved written information security program that generally complies with section 501(b) of GLBA but has some weaknesses.
- Compliance adequately monitors to ensure that the bank does not report credit information on its customers other than to a consumer-reporting agency.
- An adequate control system may not be fully implemented to ensure that requests for information from government agencies are responded to appropriately.
- Management provides adequate resources and training given the complexity of products and operations for compliance with privacy and marketing laws and regulations.
- Authority and accountability for privacy and marketing compliance are defined, although some refinements may be needed.

Weak:
- Management does not understand or has chosen to ignore key aspects of risk within the privacy regulation. Privacy and marketing policies are ineffective and do not accurately reflect the operations of the bank.
- Bank has not implemented a written information security program or does not adequately comply with section 501(b) of GLBA.
- Compliance does not monitor to ensure that the bank does not report credit information on its customers other than to a consumer-reporting agency.
- Bank does not have a control system in place to ensure that requests for information related to customer's financial records from government agencies are responded to appropriately.
- Management has not provided adequate resources or training for compliance with privacy and marketing laws and regulations.
- Management has not established or enforced accountability for privacy and marketing compliance performance.

Quality of Other Consumer Regulations Management Indicators - continued

Strong:
- Turnover of bank staff responsible for privacy-related compliance is minimal.
- Bank either has not received any consumer complaints or, if it has, the complaint resolution process is timely and complete.
- Appropriate compliance controls and systems (e.g., quality control functions, compliance audits, and self-assessments) are implemented to identify compliance problems and assess performance.

Satisfactory:
- Bank has experienced some turnover of bank staff responsible for privacy-related compliance, but management has quickly and effectively replaced them.
- Bank responds to consumer complaints in a generally timely and complete manner.
- No shortcomings of significance are evident in compliance controls or systems (e.g., quality control functions, compliance reviews, compliance audits, and self-assessments). Probability of serious future violations or noncompliance is within acceptable tolerance.

Weak:
- Turnover of bank staff responsible for privacy-related compliance has occurred. Replacement staff has not been found.
- Bank either does not respond to consumer complaints, or does so after an extended period of time. Responses are generally inadequate.
- Likelihood of continued compliance violations or noncompliance is high because a corrective action program does not exist, or extended time is needed to implement such a program.

XYZ Bank OCC Compliance Assessment

Bank Name:
Prepared By:
Date: January 2017

Compliance

Compliance risk is the risk to current or anticipated earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank's clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and an inability to enforce contracts.

Compliance risk is not limited solely to risk from failure to comply with consumer protection laws; it encompasses the risk of noncompliance with all laws and regulations, as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation (known as legal risk) from all aspects of banking, traditional and nontraditional.

Summary Conclusions:
The Quantity of Compliance Risks is: Low; Moderate X; High
The Quality of Compliance Management is: Strong X; Satisfactory; Weak
Aggregate from Compliance Activities is: Low; Moderate X; High
The Direction is expected to be: Decreasing; Stable; Increasing X

Narrative Summary Comments:
Overall compliance risk is moderate as a function of moderate quantity of risk and generally strong controls in place. We do expect compliance risk to be increasing, principally as a result of heavy regulatory focus and ongoing regulation changes. Specific areas of focus are the ongoing strengthening of the compliance program documentation, compliance audit activities, and additional strengthening of the compliance training program. We recently implemented Continuity Control RegAdvisor and RegControl programs to automate compliance control activities and provide significant documentation improvements.


XYZ Bank Compliance Assessment Articulated Risks

XYZ BANK COMPLIANCE RISK ASSESSMENT - December 2013

Rating scale: 1 - Low; 2 - Moderately Low; 3 - Moderate; 4 - Moderately High; 5 - High
Column groups: INHERENT RISKS (Quantity of); RISK MITIGATION & CONTROL (Quality of Management)
Columns: Regulation/Law | Exams | Business Units Affected | Legal | Regulatory | Reputation | Execution | Complexity | Prior Exceptions | Management Response | Policies & Procedures | Turnover or Growth | Training | Business Line Maturity | Audit Program | Aggregate | Direction of | Comments

Regulation/Law: HUD Reg X - Real Estate Settlement Procedures (RESPA)
Exams: Consumer Affairs
Business Units Affected: Consumer mortgages
Comments: Paying or receiving kickbacks is a felony; $10k fine plus 1 year federal prison; individual tolerance cures on loans where settlement fees are out of tolerance between early and final disclosures

Regulation/Law: Reg Z - Truth in Lending (TIL)
Exams: Consumer Affairs
Business Units Affected: Consumer purpose lending
Comments: Up to $2,000 in individual action; $500M or 1% of bank's net worth in class action plus damages, costs, atty fees. Costs incurred in rescission and reimbursement; most common enforcement action is up to a 2 year file search for other violations. Criminal Liability: $5,000 fine and/or 1 year in federal prison

Regulation/Law: Fair Lending/Reg B - Equal Credit Opportunity (ECOA) & Fair Housing (FHA)
Exams: Fair Lending
Business Units Affected: All lending and servicing, loan officers and lobby personnel
Comments: Fair Lending is a significant risk given the explosive growth in the mortgage divisions; Fair Lending Wiz is being implemented but not producing audit info yet; area was deemed high risk by FRB at CA exam Aug 2012; punitive damages to $10k individually, $500M class action; referral to DOJ; impact on CRA rating and branching ability; 6 month file scrub on denials; 24 month file scrub on Fair Lending violations

Regulation/Law: Reg AA: Unfair, Deceptive, and Abusive Acts & Practices (UDAAP); Reg N: Mortgage Acts and Practices - Advertising
Exams: Consumer Affairs
Business Units Affected: Primarily mortgage ads, UDAAP can affect all products and marketing efforts
Comments: Cross-pollination to Fair Lending exam; action under Section 8 of FDICIA including C&D order requiring actions be taken to remedy violations and CMPs

Regulation/Law: Home Owners Protection Act (HOPA)
Exams: Consumer Affairs
Business Units Affected: Mortgage loans requiring Private Mortgage Insurance
Comments: Correction of borrower's account to reflect date PMI should have terminated; return unearned PMI premiums to borrower

Regulation/Law: Reg C - Home Mortgage Disclosure Act (HMDA)
Exams: HMDA Data Verification
Business Units Affected: All mortgage lending
Comments: HMDA risk is part of the explosive growth in mortgage. Additional fields are slated to be added via Dodd-Frank. Unknown impact of D-F on risk tolerance before a scrub. Too many unknowns for risk to be considered stable; punitive damages to $10k individually, $500M class action plus actual damages; impact on compliance exam rating

Regulation/Law: Fair Credit Reporting (FCRA)/ Fair & Accurate Credit Transactions Act (FACTA)
Exams: Consumer Affairs
Business Units Affected: Lending
Comments: Obtaining credit reports under false pretenses or without a permissible purpose can be fined up to $1,000; punitive damages assessed in court

Regulation/Law: Reg CC - Expedited Funds Availability
Exams: Consumer Affairs
Business Units Affected: Frontline, Operations
Comments: rating includes fraudulent cashiers check in Taos; CMPs to $1k in individual action; up to $500M in class action plus actual damages

Regulation/Law: Bank Secrecy Act (BSA)/ Anti-Money Laundering (AML)/ USA PATRIOT Act
Exams: Safety and Soundness
Business Units Affected: All, especially frontline
Comments: Explosive growth in mortgage; no material turnover in core bank; some turnover in BSA staff; penalties include Civil and Criminal penalties, public enforcement actions, and loss of charter

Regulation/Law: Servicemembers Civil Relief Act (SCRA)
Exams: Consumer Affairs
Business Units Affected: Loan servicing, loans to military
Comments: Private cause of action with relief including damages, injunctions, attorney's fees; newspaper/website comments carry high reputation risk

Regulation/Law: Flood Disaster Protection Act
Exams: Consumer Affairs
Business Units Affected: Loans secured by improved RE
Comments: $2,000 per violation under Biggert Waters Reform Act; referral to DOJ or FEMA; enforcement actions are public

Regulation/Law: CAN-SPAM Act
Exams: Consumer Affairs
Business Units Affected: E-mail marketing
Comments: Each separate e-mail in violation of the CAN-SPAM Act is subject to penalties of up to $16,000 per

Regulation/Law: Office of Foreign Assets Control (OFAC)
Exams: Safety and Soundness
Business Units Affected: New accounts, new loans, transaction processing
Comments: OFAC is managed with software in all areas of bank and mortgage; automatically flagged suspect hits; no actual hits to date; CMP range $250k or twice the amount of the underlying transaction to $1,075 million per occurrence; criminal penalties of years with fines of $50k-$10 million; publication of violators

Regulation/Law: Reg P - Privacy of Consumer Financial Information; Right to Financial Privacy (RFPA); Gramm-Leach-Bliley Act (GLBA); Information Security
Exams: All
Business Units Affected: All
Comments: Disclosures are automated; annual mailing has been timely since beginning; model form used for mailings; CMPs to $1 million or 1% of bank's assets; loss of insured status; criminal penalties to $1 million and up to 5 years federal prison

Regulation/Law: Reg BB: Community Reinvestment Act (CRA)
Exams: CRA
Business Units Affected: Lending
Comments: Limits placed on branch expansion; bank rating is public information; cross-pollination to Fair Lending Exam

Regulation/Law: Secure and Fair Mortgage Enforcement (SAFE Act - CFPB Reg G)
Exams: Safety and Soundness
Business Units Affected: Mortgage loans
Comments: Loans without NMLS number not saleable on secondary market; regulatory enforcement can include C&D proceedings, monetary penalties against bank, employees, and directors under 12 USC 1818(b)

Regulation/Law: Electronic Signatures in Global and National Commerce (E-SIGN Act)
Exams: ebanking
Business Units Affected: Electronic disclosures, statements, signatures
Comments: The legal effectiveness, validity, or enforceability of any contract executed by a consumer shall not be denied solely because of the failure to obtain electronic consent or confirmation of consent by that consumer in accordance with paragraph (1)(C)(ii).

Regulation/Law: Reg E - Electronic Funds Transfer
Exams: Consumer Affairs
Business Units Affected: Consumer deposit accts, debit cards, ACH, overdrafts
Comments: Punitive damages to $1k individually or $500M in class action; criminal penalty of $5k plus 1 year federal prison for failure to comply

Regulation/Law: Reg O - Credit to Insiders
Exams: Safety and Soundness
Business Units Affected: All insider loans and personal deposit accounts
Comments: Punitive to $1k per day; individual penalties against the insider; additional penalties under FIRREA; can include federal prison

45 INHERENT RISKS Quantity of 1 - Low; 2 - Moderately Low; 3- Moderate; 4 - Moderately High; 5 - High XYZ BANK COMPLIANCE RISK ASSESSMENT - December 2013 RISK MITIGATION & CONTROL Quality of Management Regulation/ Law Exams Business Units Affected Legal Regulatory Reputation Execution Complexity Prior Exceptions Management Response Policies & Procedures Turnover Training or Growth Business Line Maturity Audit Program Aggregate Direction of Comments Reg DD - Truth in Savings (TIS) Consumer Affairs Consumer deposit accounts, new accounts Software maintains consistency of disclosures; no private cause of action; administrative sanctions available to the Fed Reg D - Reserve Requirements Safety and Soundness; Accounting; Consumer Deposit Ops Affairs Penalty includes retroactive calculation and funding of reserve requirements; CMP based on severity of violation Reg GG - Internet Gambling Safety and Soundness New commercial deposit accounts Penalties apply to the gambling enterprise; bank risk is being cited for noncompliance Reg M - Consumer Leasing Consumer Affairs None - do not engage in consumer leasing N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A Fill in if bank begins to engage in the activity of consumer leasing Average Rating by Factor Program risk is moderate and increasing based on personnel change, growth in mortgage. Dodd-Frank is considered High /Impact Unknown 44 Page 7 of 12

46 OVERALL RISK HEAT MAP - DECEMBER
[Chart. Labels and values as extracted: Business Line Maturity 3.8; Turnover or Growth; Regulatory 3.0; Legal; Complexity; Reputation Risk; Training 2.2; Prior Exceptions; Policies & Procedures; Execution; Management Response 1.9; Audit Program]

47 Safety & Soundness - December
[Chart. Labels and values as extracted:]
Bank Secrecy Act/Anti-Money Laundering 2.7
Office of Foreign Assets Control 2.4
Reg P - RFPA; GLBA; Info Sec
Reg O - Credit to Insiders 1.4
Reg D - Reserve Requirements 1.2

Deposit Ops Compliance - December
[Chart. Labels as extracted:]
Reg CC - Expedited Funds Availability
Reg E - Electronic Funds Transfer

48 Reg DD - Truth in Savings 1.3
Reg GG - Internet Gambling 1.0

Lending Compliance - December
[Chart. Labels and values as extracted:]
HUD Reg X - RESPA 4.5
Reg Z - Truth in Lending 4.3
Fair Lending: Reg B & Fair Housing
Reg AA: UDAAP
Home Owners Protection Act 3.2
Reg C - HMDA
FCRA & FACTA 2.8
Servicemembers Civil Relief Act
Flood Disaster Protection
CAN-SPAM Act 2.5
Reg BB: CRA 2.3
SAFE Act - (CFPB Reg G)
E-SIGN Act

49 COMPLIANCE ARTICULATED RISK CRITERIA

Rating levels: Low - 1; Moderately Low - 2; Moderate - 3; Moderately High - 4; High - 5

Factor: Legal (Level of Penalty/Litigation)
Low - 1: The regulation does not contain provisions for additional penalties or litigation.
Moderately Low - 2: The regulation contains penalty provisions on an individual, per item basis not to exceed $5k
Moderate - 3: The regulation contains significant monetary penalty provisions, including individual, per item basis equal to or exceeding $5k and additional penalties against bank
Moderately High - 4: The regulation contains provisions for significant monetary penalties and/or the regulatory agencies can include a retroactive file scrub, or other retroactive action.
High - 5: The regulation contains provisions for material additional penalties or litigation. Errors may result in class action lawsuits, civil money penalties, impact on branching activities, C&D

Factor: Regulatory
Low - 1: No exceptions were noted in the most recent exam and internal audit AND exam scrutiny appears to be based on internal audit findings
Moderately Low - 2: Only minor exceptions have been noted in recent audit/exam; exceptions were isolated and technical; exam scrutiny appears to be based on internal audit findings
Moderate - 3: Examiner scrutiny or attention is expected; based on previous 2 exams; any exceptions noted were isolated and technical
Moderately High - 4: Examiner scrutiny or attention is above average, based on regulatory environment, change in the bank's product mix, or issues noted in the most recent exam.
High - 5: Examiner scrutiny or attention is significantly above average, based on regulatory environment, change in the bank's product mix, or material issues noted in the most recent exam (supervisory action or required reimbursements).

Factor: Reputation
Low - 1: Regulation is virtually invisible to the public
Moderately Low - 2: Regulation has one-time impact on the consumer and historically has not been the subject of consumer complaints
Moderate - 3: The regulation is visible to the public but violations aren't likely to be seen outside of an exam report OR consumer complaints that have been received internally have been successfully handled internally
Moderately High - 4: Has been the subject of 1-5 consumer complaints received through the agencies OR violations likely to be visible in the CRA Public Evaluation Report
High - 5: Failure to comply with the regulation is likely to result in negative publicity OR has been the subject of >5 consumer complaints received through the agencies OR a violation may result in a referral to HUD or the DOJ

Factor: Execution
Low - 1: Regulation has been substantially the same for some time; audits show procedures and internal controls are working
Moderately Low - 2: Regulation has had changes in the past 2 years; changes have been successfully implemented based on audits and most recent exam
Moderate - 3: Regulation has undergone some recent changes and will require a moderate number of procedural changes or audit reports show moderate issues with performance
Moderately High - 4: Regulation has undergone some recent changes and will require a significant number of new procedures or audit reports show significant issues with performance
High - 5: Regulation is new and will require a new policy and new procedures

Factor: Complexity
Low - 1: Regulation is relatively straightforward, easy to understand, and easy to monitor.
Moderately Low - 2: Regulation requires routine monitoring which is done regularly within the business unit and audited at least annually
Moderate - 3: Regulation requires routine monitoring which is done regularly within the business unit and audited at least twice annually
Moderately High - 4: Regulation requires routine monitoring which is done regularly within the business unit and audited monthly
High - 5: Regulation is highly technical or complex, requires specialized knowledge, has had multiple changes in last 2 years, and/or is difficult to monitor.

Factor: Prior Exceptions
Low - 1: No exceptions in internal or external audits or exams in the last year
Moderately Low - 2: Minor exceptions in internal or external audits in the last year; isolated and technical, not resulting in monetary reimbursement
Moderate - 3: Past exceptions in internal or external audits or exams have been minor to moderate in nature and have been repeated. Minor monetary reimbursements have been made in the last 6 months
Moderately High - 4: Significant exceptions have been cited but not repeated. AND/OR Moderate monetary reimbursements have been made in the last 12 months.
High - 5: Significant violations have been repeated OR Moderate exceptions have been frequently repeated for some time. AND/OR significant monetary reimbursements have been made or any level of reimbursements have been made frequently in the last 6 months

50 Factors: Management Response; Policies/Procedures; Training; Turnover/Growth; Business Line Maturity; Audit Program

Factor: Management Response
Low - 1: Management has responded to exceptions with corrective action quickly, thoroughly, and effectively.
Moderately Low - 2: Management has responded to exceptions with corrective action quickly, thoroughly, but corrective action has had only moderate success.
Moderate - 3: Responses have been somewhat delayed or incomplete. Corrective action has had moderate success.
Moderately High - 4: Responses have been somewhat delayed or incomplete. Corrective action has been marginally successful.
High - 5: Responses have been significantly delayed, incomplete, and/or corrective action has been nonexistent or ineffective.

Factor: Policies/Procedures
Low - 1: Policy is in place (if required). Procedures fully address compliance risks and reflect actual practices. Policy has been reviewed within the last 12 months
Moderately Low - 2: Policy is in place (if required). Procedures fully address compliance risks and reflect actual practices. Policy has been reviewed within the last months
Moderate - 3: Policy is in place (if required). Procedures address compliance risks but are somewhat out of date. Policy has been reviewed in the last months.
Moderately High - 4: Policy (if required) has not been reviewed for over 24 months AND/OR Procedures are in place, but out of date
High - 5: A necessary policy is not in place. AND/OR Procedures are nonexistent, incomplete, not reflective of actual practices OR have been implemented in the last 6 months.

Factor: Training
Low - 1: Training is effective and has taken place within the last year and for new hires. Training addresses the regulation and the bank's procedures. Very few affected personnel have not taken training.
Moderately Low - 2: Training has taken place within the last year and for new hires. Training addresses the regulation, but does not cover bank procedures (computer-based training)
Moderate - 3: Training is adequate with most staff participating, but may be somewhat incomplete (i.e., it does not cover bank procedures) OR has not taken place within the last year or for new hires.
Moderately High - 4: Training is provided, but audit results AND/OR management responses indicate that additional training is needed
High - 5: Training is nonexistent or ineffective, has low participation, and/or has not taken place within the last 18 months.

Factor: Turnover/Growth
Low - 1: Key personnel have remained substantially the same.
Moderately Low - 2: There has been some shifting of roles and/or some new hires to accommodate growth, but most key personnel are still involved.
Moderate - 3: There has been moderate shifting of roles and/or some new hires, but most key personnel are still involved.
Moderately High - 4: There has been significant turnover or growth in positions holding responsibility for key aspects of the regulation
High - 5: There has been complete turnover in positions holding responsibility for key aspects of the regulation or multiple management positions are new

Factor: Business Line Maturity
Low - 1: The business areas to which the regulation applies have been substantially the same for some time.
Moderately Low - 2: The business areas to which the regulation applies have experienced less than 10% growth.
Moderate - 3: Some business areas have grown more complex OR some new products or activities have been developed during the past year OR business areas to which the regulation applies have experienced 10-25% growth.
Moderately High - 4: Some business areas have grown more complex OR some new products or activities have been developed during the past year OR business areas to which the regulation applies have experienced 25-50% growth.
High - 5: A key business area is considerably new to the bank or multiple areas have grown significantly more complex OR business areas to which the regulation applies have experienced over 50% growth.

Factor: Audit Program
Low - 1: The regulation is effectively monitored with an Outstanding rating on the last audit. The last audit was within the last 6 months to 1 year.
Moderately Low - 2: The regulation is effectively monitored with an Satisfactory rating on the last audit. The last audit was within the last year.
Moderate - 3: The last audit was within the last year to 18 months. There may be new areas of regulation which have not been audited.
Moderately High - 4: The regulation is not effectively compliant with Needs Improvement rating on the last audit. The last audit was within the last year.
High - 5: The regulation has not been audited for at least 18 months or is not on the internal or external audit schedule.

51 XYZ Bank BSA/AML/OFAC Assessment Methodology

62 XYZ Bank BSA/AML/OFAC Assessment Template

63 [INSERT BANK NAME] BSA/AML/OFAC Assessment
Updated: Month, Year
EXHIBIT A

Definition
Likelihood = What are the chances of a negative event or how prevalent is the type for customer, or how much volume occurs with the service, etc.
Impact = How is the institution affected by negative occurrences, and what is the effect on resources of the institution in ensuring AML Compliance

Rating Score
0 = Not Present
1 = L = Low, Likelihood, or Impact
2 = M = Medium, Likelihood, or Impact
3 = H = High, Likelihood, or Impact

Columns: Category; Item #; Issue; Likelihood; Impact; Quantity of Rating; Mitigation Considerations; Quality of Management; Aggregate/Residual; Direction of; Future Strategies; Comments

Category: Customers

Is the customer base stable? What level of risk does the customer population pose? How much is known about the customers?
Customers that are nonbank financial institutions such as money services businesses, casinos, broker-dealers in securities and precious metals dealers. This includes institutions which offer prepaid access devices of any type including gift certificates at certain amounts.
Does the bank serve senior foreign political figures (PEP's)?
Nonresident alien (NRA) and accounts for foreign individuals present added risk factors
Cash-intensive business customers such as convenience stores, restaurants, bars, vending machine operators and parking garage operators, and privately owned ATM operators present elevated risk for a bank.
Charities and nongovernmental organizations can present elevated risk
Number of high risk customers, which may include SAR suspects or customers with a large amount of high risk transactions, relative to the size of the general customer population
Foreign financial institution customers present increased risk.
Private Banking customers and associated programs present elevated risk
International accounts which are subsidiaries of international corporations or other entities can be high risk entities.
Other customers who pose a high risk for money laundering including broker/dealers, insurance companies, large trust customers and custodial customers
Third Party Payment processors can pose high risk because of lack of knowledge of purpose of the funds and the customers of the customer

Customer Ranking 1 Count of issues considered, not inclusive of 0 categories in Residual Average Category

Category: Products & Services

Cashier's Checks, Traveler's checks and money order sales poses significant money laundering risk for various types of money laundering risks, especially where a bank offers these products to non account holders.
Currency transaction activity increases money laundering risk as the amount of currency increases
ACH transfer activity. ACH transfers are not immune to money laundering especially when the originator is not your customer.

64 Category: Products & Services (items as extracted; some item numbers were lost)

02.4 Domestic wire transfer activity - Higher volumes of wire transfers even on the domestic side can elevate the risk
02.5 International wire transfers
02.6 International PUPID's
02.7 Private Banking programs present elevated risk
Foreign Correspondent Banking Services elevate risk due to lack of knowledge of foreign customer base
Domestic Remote Deposit Capture
Money laundering vulnerability in checking account products
Money laundering vulnerability in savings account products
Money laundering vulnerability in certificate of deposit account products
Prepaid cards including gift cards or other prepaid products present a very large risk for money laundering.
Remotely created checks both domestic and especially international are both a high risk for money laundering and embezzlement
Credit card products. The bank offers a small number of credit card accounts and almost all are offered only to customers of other products
e-banking - Account opening online or by telephone - The anonymity of e-banking presents better opportunities for those who are perpetrating fraud or money laundering.
Loan products - An institution must ensure that the use and source of funds is legitimate and loans are not secured by cash or securities or other marketable collateral in a significant proportion of the accounts
International trade finance products are a very high risk vehicle for money laundering
Non-deposit investment products present unique money laundering risk
Safe deposit boxes can pose risk especially with customers who act in conjunction with cash activity on deposit products
Money transmission services for non-account holding customers
Change Orders involve exchanging currency for different denominations. Such exchanges may pose a higher degree of risk.

Products and Services Ranking 2 Count of issues considered, not inclusive of 0 categories in Residual Average Category

Category: Geographical

03.1 Institutions with branches in High Intensity Financial Crime Areas ("HIFCA") are likely to have high risk customers
Institutions with branches in High Intensity Drug Trafficking Areas ("HIDTA") are likely to have high risk customers.
Review other geographic factors that may impact money laundering risk from the customer base
Off shore financial centers can present very high money laundering risk
Exposure to customers who are involved with countries subject to OFAC Sanctions greatly increases money laundering risk in addition to OFAC violation risk
Exposure to customers who are involved with countries subject to terrorism warnings from the Secretary of State, part of a Primary Money Laundering Concern of FinCEN, identified as high risk by FATF, or high risk based on the bank's own experience greatly increases money laundering risk in addition to OFAC violation risk.

Geographical Ranking 3 Count of issues considered, not inclusive of 0 categories in Residual Average Category

65 Category: Operational

Operation of the Customer Identification Program effectively detects potential fraudulent or suspicious situations.
Are personnel sufficiently experienced and trained? Is there high turnover, preventing consistent application of knowledge and experience
Management has a good understanding of BSA and associated risk and they are fully committed to a strong BSA Compliance program
Training of all staff at appropriate levels is required to operate an effective AML Program
Are there significant risks associated with Currency Transaction Reporting requirements? What is the CTR volume? Are the CTR controls satisfactory
Does the bank have an effective Suspicious Activity Reporting system and can the bank demonstrate effective decision making processes with regard to SAR's.
Are government list scanning requirements including 314a requirements met with effective controls?

Operational Ranking 4 Count of issues considered, not inclusive of 0 categories in Residual Average Category

Category: OFAC

05.1 Is the customer base well-known and in a local environment. The less stable, the greater the OFAC risk
Are there overseas branches or foreign correspondent accounts?
05.3 What level of e-banking activity does the bank offer?
05.4 What level of wire transfers does the bank, especially international wires
Does the bank offer trade finance products or engage in a high volume of international ACH transactions
05.6 Has the bank had any history of OFAC matches or negative findings by OFAC with regard to sanctions violations

OFAC Ranking 5 Count of issues considered, not inclusive of 0 categories in Residual Average Category

Overall
Columns: Category; Weight; Score; Rating
Rows: 1 Customers; Products and Services; Geographical; Operational; Total BSA/AML; Total OFAC

66 XYZ Bank UDAAP Assessment Methodology

67 UDAAP Assessment Methodology

General Information

policy for Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) requires completion of a comprehensive enterprise-wide UDAAP risk assessment. Management recognizes that a well-developed risk assessment will assist staff in identifying the organization's UDAAP risk profile and developing appropriate risk mitigation processes and practices to help manage those risks. The assessment will provide a comprehensive analysis of the UDAAP risks in a concise and organized format and will incorporate all business units.

There have been long-standing expectations for banks to not engage in Unfair or Deceptive Acts or Practices (UDAP). The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act or DFA) created a new federal agency assigned responsibility for consumer protection in financial transactions, the Consumer Finance Protection Bureau (CFPB). In conjunction with the creation of the CFPB, the Dodd-Frank Act also added an additional prohibition, that of acts or practices that would be deemed to be abusive of consumers.

The focus of UDAAP risk assessment is specifically on risks to consumers of harm resulting from acts or practices that would be considered to be unfair, deceptive, or abusive. While such practices could also create risk to the organization (such as through litigation, fines, or penalties), the primary focus of this risk assessment is oriented toward assessing risk to consumers.

With these changes stemming from DFA, there is an increasing regulatory focus on UDAAP and an increasing expectation that financial institutions engage in processes to identify and appropriately control risks of harm to consumers from UDAAP. Because this is an evolving area, there is not a significant amount of industry guidance available from which to build appropriate risk assessments.

The methodology adopted by for completion of the UDAAP Assessment has been developed from a number of sources including other institution risk assessment processes, trade association resources, regulatory guidance, and industry publications. The methodology, like UDAAP itself, is fairly subjective as it is often difficult to apply specific quantification methods to an assessment in this arena. The purpose of this methodology will be to describe the process and specific factors that are to be considered in making the subjective ratings incorporated into this risk assessment. Over time, it is expected that this methodology will continue to evolve as additional UDAAP guidance, enforcement actions, and additional information become available to financial institutions.

Upon completion of the risk assessment, the results are to be used to drive appropriate compliance monitoring, testing, and audit activities as well as identify any control gaps that should be addressed and strengthened. The UDAAP risk assessment results will also roll up into the comprehensive Compliance Assessment process for DFC.

Methodology

The methodology adopted by for the UDAAP Assessment utilizes a matrix approach to collect information on various inherent risk factors (quantity of risk) and risk controls and mitigations (quality of risk management). These are then used to identify any risk gaps that exist and to form an

69 Delivery Channels

The final component of the Retail Footprint risk factor is the delivery channels used by the institution for its products and services. These delivery channels can create unintended product variations or customer segmentation. Delivery channels that change by geography, channels that generate business outside of the bank's general market area, and channels that employ new technology can all lead to increased risk in this component.

Strategic Direction

The bank's strategic direction can influence UDAAP risk levels through marketing strategy, new product and service development, advertisements and solicitations, and pricing and profitability. Assessment of this factor will take all four of these components into account.

Marketing Strategy

To avoid UDAAP risk, marketing and advertising campaigns must be clear and easy to understand. The consumer should be able to know what is being offered and what it costs. Banks must know if their marketing reflects all consumers in their market area. The risk assessment should document the extent that these issues are addressed.

New Product and Service Development

A bank's new products and services should be consistent with its overall strategic goals, provide value to intended consumers, and be well thought out to avoid any unintended consequences.

Advertisements and Solicitations

A bank's advertisements, enticements, and solicitations represent another aspect of its strategic direction. Those materials should be informative and reflect what consumers actually tend to receive. Use of pre-screened solicitations must follow strict regulatory parameters.

Pricing and Profitability

Regulators will evaluate whether the bank's products and services cost too much, whether they make their money from fee-based products or take advantage of less financially savvy consumers through complex or abusive pricing models. As a final aspect of strategic direction, assessment of how pricing is set and how it compares to peer banks is appropriate.

Operations

A third factor to consider in inherent risk is Operations. Bank operations will influence its consumer protection in three categories: General Operations, Role of Third Parties, and Compliance with Traditional Regulations.

General Operations

Regulators expect banks to have an effective enterprise-wide consumer protection function. Banks will want to consider operational issues as part of that such as compensation practices, employee turnover, and other similar factors, including requirement of mandatory arbitration clauses in account agreements.

Role of Third Parties

Under UDAAP, banks can be culpable for the actions of the third party vendors that they use. The greater the number of third parties, the higher the level of associated risk. UDAAP risk

UDAAP Assessment Methodology 3 of 6 March

72 mitigation and controls likely will not completely address every risk issue identified. This is not necessarily a problem, but the risk gaps should be identified, evaluated for appropriate actions and prioritized. The board's risk appetite should be a factor in making this assessment. On the summary table, list each gap identified, the level of risk concern (high, moderate, low), any observations about the risk gap, management's action plan for resolution, and documentation of follow-up efforts. At the conclusion, document the overall strength of risk controls and mitigation inclusive of risk gaps and mitigation efforts (strong, adequate, weak). Summarize the results in the Summary table.

UDAAP Direction

Looking forward, an assessment should be made as to whether the overall UDAAP risk level will be increasing, decreasing or remain stable over the next 12 to 18 months and what changes may impact the level of residual risk for the bank. Factors such as national or local economic events, proposed changes to products, policies, or procedures, new regulatory requirements, staff turnover, and the bank's strategic direction can impact the forward looking direction of risk. Conclusions should be documented in the Summary table.

Subsequent Activities

Once all factors have been assessed and rated, overall conclusions should be documented in the risk summary table. The conclusions of the risk assessment should then be used to determine the scope and frequency of compliance testing associated with the identified UDAAP controls. Follow up must also be completed to ensure completion of management action plans responsive to risk gaps identified. A risk assessment narrative should be prepared to accompany the Summary and Analysis portions of the assessment. The results of the risk assessment should be shared with executive management and the board of directors. The risk assessment should be further updated at least annually.

73 XYZ Bank UDAAP Assessment Template

74 Source #1 RETAIL FOOTPRINT (4 sub factors)

R1.1 Customer Demographics (Yes/No; Comments)

Does the bank's business or marketing plan target less financially savvy customers or are there a significant percentage of these customers in its market and / or CRA assessment area?
    Elderly
    Students
    Military
    Immigrants or other Customers who speak English as a second language
    Consumers with poor credit
    Consumers living in LMI areas
    Others that could be considered less financially savvy
Does the bank regularly review its customer demographics?
Has the bank's retail footprint changed recently? Has that had an impact on the customer base that it serves?
Has the bank's customer demographics shifted in line with changes in census data?
Do the bank's strategic growth plans reflect community growth and demographic trends?

R1.2 Product and Service Offerings (Yes/No; Comments)

Does the Bank offer any of the following products?
    Credit Card Add On Products
    Secured / Subprime Credit Cards
    Subprime or High Cost Mortgages
    Non Traditional Mortgages (allow negative amortization)
    Gift Cards
    Fee Based Overdraft Protection Plans
    Payday, Deposit Advance or Tax Refund Anticipation Loans
    Payroll cards
    Reverse Mortgages
    Other new and non traditional banking products or services
Do products or services penetrate geographic or consumer markets differently?
Can consumers apply for a specific product or service and end up with a different product or service than that requested?

R1.3 Complexity of Products and Services (Yes/No; Comments)

Does the bank offer inexpensive basic checking and savings products?
Does the bank's product mix include any that are complex in nature?
Does any bank product require customers to jump through complex or non transparent hoops to obtain a benefit?
Do traditional bank products or services have non typical features or requirements?
Is pricing structured or products bundled in a way that makes it difficult for consumers to understand?

R1.4 Delivery Channels (Yes/No; Comments)

How does the bank distribute its products?
    Internal Channels
    Third Parties
    Subsidiaries or Loan Production Offices
    Any which generate business outside its retail footprint?
Is the bank utilizing any new delivery channels?
Do marketing efforts differ by delivery channel or geographic area?
Do product and service terms vary by delivery channel?

75 Are special prices, products or services offered in some markets and not others?

Source #2: Strategic Direction (4 sub factors)

R2.1 Marketing Strategy (Yes/No; Comments)

Have marketing and advertising media varied recently?
Does the bank utilize social network channels to communicate products to customers and potential customers?
Do marketing and advertising materials vary to promote special or limited time offers?
Is the level of marketing and advertising tailored or targeted to address market competition?
Is scripting for telephone sales representatives used?
Do the bank's advertising patterns or practices include all customer demographics?

R2.2 New Product and Service Development (Yes/No; Comments)

Has the bank introduced any new products or fee based services recently?
Do community groups in the bank's retail footprint express concern about any of the products and services offered or not offered?
Is there pressure to provide any products or services to stay abreast of competition?
Is the bank at the forefront in developing new and non traditional products and services within its market place?
Does the local economy and competition impact willingness to experiment with new products and services?

R2.3 Advertisements and Solicitations (Yes/No; Comments)

Do advertisements provide customers with all the information needed to make an informed decision about the product in a clear, transparent and accurate manner?
Are customers reasonably able to obtain the products and services, including interest rates, amounts of credit or rewards, as represented?
Does the bank market using a language other than English? Does it continue to provide customers with relevant disclosures and subsequent correspondence in the same language?
Are advertisements in print, audio, or visual media consistent with advertisements and product descriptions provided on the bank's web site?
Does the bank use prescreened or pre approved solicitations?

R2.4 Pricing & Profitability (Yes/No; Comments)

Do all new products and services provide customers with a benefit that will exceed their costs?
Is pricing reasonable in relation to costs and risk?
Does profitability depend on penalty fees?
Is fee income from product and services sales a significant portion of net income?
Do the board and senior management push specific product or service offerings because of significant fee income?
Is fee income significantly higher than at peer banks?
Are product and service volumes exceeding management expectations?
Is there an undue percentage of bank capital invested in loan/deposit products that have been associated with abusive, unfair, or deceptive acts or practices?
Does the bank track products to ensure customers are utilizing what they have paid for? If they are not using a product, are fees refunded?

76 Source #3: Operations (3 sub factors)

R3.1 General Operations (Yes/No; Comments)

Does the bank have decentralized or outsourced operations?
Does the bank have an effective enterprise wide consumer protection compliance function?
Does the bank use scoring systems in any aspect of offering and maintaining customer product and service accounts?
Are mandatory arbitration clauses required in product terms?
Does the bank have a high rate of employee turnover in key areas such as marketing, underwriting or delivery?
Does the bank incent staff by sales volume, interest rates or other methods which could encourage steering to specific product offerings or other unfair practices?

R3.2 Role of Third Parties (Broker, Dealer, Vendor) (Yes/No; Comments)

Does the bank use any brokers or dealers?
Are staff or customer complaints about third party conduct, including chargeback rates, frequent or voluminous?
Does the bank use third party marketers/advertisers to develop marketing/advertising programs or scripts for any products or services?
Does the bank use third party processors?
Has the bank's use of third party vendors changed recently?

R3.3 Compliance with Traditional Regulations (Yes/No; Comments)

Has the bank had recent violations of traditional lending regulations?
Has the bank had recent violations of traditional deposit regulations?
Does the bank protect customer information from hackers and follow the Right to Financial Privacy Act?
Does the bank inform customers when fraud detection is noted?

Source #4: UDAAP Environment (2 Sub factors)

R4.1 External Supervisory Focus (Yes/No; Comments)

Are regulator publications emphasizing consumer issues that impact the bank directly?
Have bank products and service types been the focus of news coverage?
Has the bank been subject to any enforcement actions or been investigated by a regulatory or law enforcement agency for violations of consumer protection laws or regulations?
Have any peer banks been subject to enforcement actions or investigated by a regulatory or law enforcement agency for violations of consumer protection laws or regulations related to products the bank offers?
Has anything material changed recently in consumer protection regulations or UDAAP standards or related state law? If so, did the bank have adequate time to implement and do all affected personnel understand the new requirements?
Has the bank's regulator recently communicated any information requests for specific bank data or related to specific activities?

R4.2 Internal Consumer Complaints (Yes/No; Comments)

Is there any pending litigation regarding any of the bank's product or service offerings?
Is there litigation activity concerning products or services the bank offers?

- Is the level of bank, third party, and operating subsidiary consumer complaints considered high?
- Are there specific areas or specific customer demographics within the bank's retail footprint with higher levels of consumer complaints than other areas?
- Is the level of complaints as a percentage of product or service volume considered high?
- Can any bank employee handle and resolve consumer complaints on their own initiative?

Control Set I: Compliance Management Program (2 sub factors)

C1.1 Board of Directors and Senior Management Oversight [Yes/No | Comments]

- Has the Board adopted clear consumer protection policies and operating procedures appropriate for the size and complexity of the bank's operations?
- Does the board foster a strong consumer protection compliance culture with clear and demonstrated compliance expectations and bank fairness objectives for the bank and third party vendors it uses?
- Do business line staff and managers understand that they own their unit's consumer protection and harm to consumers risks and are responsible for managing them?
- Does senior management incorporate bank enterprise-wide consumer protection risk and performance reports in their business decisions and ongoing corporate strategies?
- Does the bank have appropriate communication or reporting across board, senior management, business lines and compliance groups to enable each to perform their roles and be accountable for their performance?
- Does the bank write specific consumer protection compliance and harm to consumers requirements into job descriptions of line management and staff, and is the compliance unit consulted to obtain feedback when performance reviews are done or before bonuses or other compensation are paid?
- Does management respond promptly to consumer protection and UDAAP examination findings?
- Are root causes determined for any weaknesses or violations found and are appropriate program changes implemented?
- Has senior management communicated the importance of compliance and commitment to consumer fairness throughout the organization?
- Do the Board and Senior Management receive regular and ongoing reports of consumer compliance adherence including compliance audits?
- Does the Board or a Board committee follow up on significant consumer protection issues?
- Does management have a process in place to anticipate changes in the market, consumer needs or regulatory requirements?
- Has the Board appointed an appropriately qualified and experienced chief compliance officer to manage its compliance and consumer protection program? (In smaller or less complex entities where staffing is limited, a full-time compliance officer may not be necessary.)
- Has the Board appointed staff and allocated resources to the compliance function commensurate with the size and complexity of its operations and practices, the Federal consumer financial laws and regulations to which the entity is subject, and necessary to avoid potential consumer harm associated with violations of such laws and regulations?

- Has Senior Management addressed consumer compliance issues and associated risks of harm to consumers throughout product development, marketing, and account administration, and through the entity's handling of consumer complaints and inquiries?
- Does the Board require audit coverage of compliance matters and review the results of periodic compliance audits?
- Does the Board review annually the consumer protection and UDAAP risk management program effectiveness?
- Does the Board incorporate consumer protection and UDAAP requirements in its strategic planning process?

C1.2 Compliance Program (5 elements)

C1.2.1 Compliance Management [Yes/No | Comments]

- Does the Compliance Department have sufficient authority to carry out its mission, including monitoring, testing and performing self-assessments?
- Is Compliance sufficiently independent of the business lines?
- Does the compliance officer have direct access to the Board or to any governance units or committees?
- Are all employees held responsible for compliance and harm to consumers?
- Is the compliance program tailored to the size and complexity of the institution and consistent with adopted Board policies related to compliance?
- Does the program promptly address potential consumer protection or UDAAP issues?
- Does the program ensure corrective action for all identified system weaknesses and violations reported?
- Are telephone and advertising scripts developed with compliance staff involvement and periodically monitored?
- Does the bank have processes for assimilating legislative and regulatory changes, and new compliance hot topics being emphasized by regulatory agencies that affect its operations?

C1.2.2 Policies and Procedures [Yes/No | Comments]

- Regarding consumer protection policies, guidelines or standards:
  - Are they clear and objectively determined?
  - Are they easy to incorporate into daily employee tasks?
  - Do they guide employee discretion clearly and objectively including for referrals to other products or lending channels?
  - Are they maintained to remain current?
  - Are they amended when exceptions become the norm?
  - Have there been any recent changes?
  - Are changes clearly communicated to all appropriate personnel?
  - Do they incorporate applicable regulatory guidance?
  - Are they designed to detect and prevent violations and other harm to consumers?
- Do policies and procedures cover processes for development and implementation of new consumer financial products, services, or other activities, distribution channels, and strategies to determine the degree of compliance function participation?
- Are there well-defined standards that can be applied to each consumer product, service or activity?
- Are there well-defined parameters for bank staff regarding exceptions to offering products, services, or activities?
- Do customer files have complete documentation showing the application and transaction history covering loan or deposit products or services requested and provided to the consumer?

C1.2.3 Training [Yes/No | Comments]

- Does the bank offer the compliance officer and other bank compliance staff training opportunities to stay current with changing regulatory requirements and industry compliance challenges?
- Does the compliance officer or other compliance staff participate in compliance working groups with other local bank compliance officers or with state association compliance efforts?
- Does the bank have a regular, ongoing documented compliance training program that covers all staff to ensure all Federal rules are followed?
- Are training courses developed for specific staff audiences and include compliance with bank policies and procedures?
- Does the bank use review tests to certify that staff acquired the compliance knowledge necessary to perform their job?
- Does bank staff involved in product and service development and delivery activities have consumer protection and UDAAP knowledge appropriate to their responsibilities?
- Are all employees trained to take customer complaints seriously?
- Is there a formal new hire training program that includes existing employees with new roles?

C1.2.4 Monitoring, Testing and Corrective Action [Yes/No | Comments]

- Does the compliance function sample transactions of relevant product types and decision centers, including sales, processing, underwriting, collections, and servicing to ensure that policies are being followed on a day-to-day basis?
- Are the following monitored and tracked:
  - Product, service and servicing activity volume and solutions by customer demographics?
  - Consumer acceptance rates for loan solicitations or pre-screened offers?
  - Policy or procedural exceptions?
  - Call center volume?
  - Recorded telemarketer calls for consistency with product features and compliance with bank policy and regulatory requirements?
  - Advertising reviews?
  - Customer satisfaction with products?
- Does the bank manage servicing activities in an adequate control environment, including policies and procedures, quality assurance, ongoing monitoring, training, automation and management oversight, billing, call handling, automated dialers, payoffs, lien releases and payment processing?
- Does the bank conduct UDAAP mystery shopping?

C1.2.5 Compliance Audit [Yes/No | Comments]

- Is the compliance audit work performed consistent with the established audit plan and scope?
- Are the frequency and depth of audit coverage and review appropriate for the size and complexity of the bank and the nature and extent of its activities?
- Is employee practice in complying with consumer protection compliance consistent with bank policies and procedures and regulatory requirements?
- Do compliance auditors determine the root causes for operational weaknesses, violations of law, or other deficiencies?
- Does management take corrective action to follow up on any identified weaknesses or violations of laws and regulations?

- Does the bank track recommended and corrective actions and perform follow-up reviews to ensure appropriate changes have been implemented?
- Does the compliance audit scope include a review of potential UDAAP?
- Does audit assess UDAAP compliance throughout the product or service life cycle?

Control Set II: UDAAP Specific Controls (6 sub factors)

C2.1 Advertisements and Solicitations [Yes/No | Comments]

Does the compliance program support the following marketing controls?

- Bank policy ensures that all marketing materials will be consumer friendly
- Messages are in no way misleading
- All pertinent and asterisked information is in a location where customers can easily locate it
- Any specific offer dates within which a product or service is available are specifically and clearly noted
- For pre-approved offers at a specific rate or at a specific cost, the bank guarantees that customers will get that rate or cost if they apply
- A significant majority of consumers who accept solicitations for rates "up to" or "as low as" actually obtain the product or service advertised
- The bank can substantiate all claims made, especially in regard to fees
- If customers must affirmatively act to cancel a service following any free trial period to avoid being billed for it, the bank explains how to do that both at sign up and as the trial period is ending
- Customers may close accounts that have been guaranteed without incurring any fees or penalties
- Ads do not contain any word play (e.g., "no annual fees" have instead monthly fees or credit life insurance)
- If the bank offers products and services such as insurance, travel services, credit protection and consumer report update services with a credit product, it is clear whether they are optional or required
- All marketing pictures are reflective of what customers can expect
- All bank testimonials or endorsements are genuine
- Any TV or radio advertisement disclosures are placed in a way that customers can reasonably understand all of them
- Contact information is always provided so customers can reach someone if they have questions or complaints
- The bank immediately stops solicitations when a customer requests it
- The bank can actually deliver all the features of its products and services
- The bank tracks advertising and monitors to ensure it is not just in media serving specific customer demographics and ensures that advertisements reflect a diversity of consumers
- All persons who review marketing materials also review complaints to ensure they understand the customer's point of view

C2.2 Disclosures [Yes/No | Comments]

Does the compliance program support the following disclosure controls?

- Bank policy ensures that disclosures are clearly written and provide customers with the information they need, regardless of whether it is required by regulation

- All disclosures clearly and accurately describe terms, benefits and material limitations such as limits on interest rates, expiration dates, prerequisites, and cancellation requirements, both affirmatively and by lack of omission
- All fees, penalties, and other charges are disclosed transparently
- All disclosures are worded in a way that customers can understand (i.e., without jargon and legalese and written at an 8th grade level or below)
- The bank periodically reviews all disclosures to ensure they are current, clear and transparent
- Complicated disclosures draw attention to key terms, including limitations and conditions
- Disclosures clearly explain when product or service terms may be changed
- Customers are informed before any less favorable rate takes effect

C2.3 Customer Service [Yes/No | Comments]

- Procedures articulate bank expectations on providing consistent and good consumer assistance in daily banking activities
- The bank ensures customers do obtain the specific product or service that they have requested rather than a more expensive alternative
- The bank has friendly, consistent and knowledgeable staff that can talk to customers in a way they can understand
- When counter-offering a customer request, the bank clearly, prominently and accurately explains the difference between the requested product and the offered product
- Employees are required to obtain clear and affirmative assent before enrolling customers in a new product or service

C2.4 Vendor Management [Yes/No | Comments]

- There are policies in place to ensure customers are treated fairly by all vendors and brokers
- All third party contracts and agreements incorporate consumer protection compliance, employee training, and audit reporting to compliance
- Compensation arrangements or performance evaluation criteria do not create incentives to treat customers unfairly
- All vendors are vetted to ensure they are legitimate and that their products are useful and of value before offering them to customers
- There is a formal re-approval and risk assessment process to consider third party performance over the past period (year, quarter, etc.) to ensure that on an overall basis the relationship with the bank and its customers is satisfactory
- Regulatory agency guidelines are considered in managing third party relationships
- The bank approves all marketing or advertising scripts developed and used by third parties for its products and services
- Third parties do not use the bank's name in their advertisements without an express agreement
- Vendors do not use the bank's name or supposed bank letterhead without receiving consent
- The bank offers or provides compliance training to third party vendors it uses or the third party otherwise provides compliance training to their staff
- Third parties have a process to receive complaints and it is clear to customers how and who to contact if they have a question or problem
- Weaknesses in third party operations are corrected promptly
- Bank policy is to discontinue using a third party if the third party is treating customers unfairly

- The bank performs periodic compliance reviews of third party vendors that it uses to provide or service products or services on its behalf
- The bank monitors third party compliance with state or federal consumer protection and UDAAP laws and regulations, and its policies or procedures
- The bank tracks chargeback rates for its vendors and escalates concerns to senior management when that rate exceeds a certain percentage

C2.5 Consumer Complaint Response [Yes/No | Comments]

- The bank has a process to respond to consumer complaints in a timely manner and determine whether consumer complaints raise potential UDAAP concerns
- Customer concerns or questions about their experiences with bank products, services, activities, or customer service are recorded and evaluated by management for UDAAP red flags
- Consumer complaints and inquiries are defined and differentiated and staff is knowledgeable of the differences. Are they handled differently?
- Complaint staff has the ability to escalate issues of concern to management apart from normal complaint monitoring and reporting processes. These efforts are documented and reviewed for resolution
- UDAAP complaints and outcomes are tracked to ensure that bank staff is adhering to bank policies and procedures, following regulatory requirements and treating customers consistent with bank customer service standards
- Complaints are assessed for the following:
  - Information that may result in changes to products, services, marketing activities, policies, procedures or customer service standards to reduce issues
  - Regulatory concerns that could result in violations of law or regulations such as discouraging applicants, discriminatory practices, unfair and deceptive acts and practices or abusive or predatory practices
- Consumer response feedback programs are shared with managers so they can correct staff mistakes
- Management monitors complaints for response back to the customer and provides appropriate resolution as possible
- Social media is monitored for consumer statements regarding the bank, subsidiaries and third party vendors
- Remedies are implemented to resolve consumer complaint root causes
- Processes for customer appeals are readily available, consistently provided and clearly explained
- Complaints and inquiries are categorized by type
- There are enough employees responding to complaints so that customers will receive a timely response
- There is a policy to ensure that complaints will be escalated to the appropriate management level
- Similar complaints or inquiries are aggregated to see if there are systemic problems or the potential for violating the law

C2.6 Customer Friendly Features

C2.6.1 Does the compliance program support the following loan product controls? [Yes/No | Comments]

Application Processing
- Loan applications are straightforward, easy to understand and request only personal and creditworthiness information relevant to the credit product
- If it will cost customers to apply for a loan, those fees are clearly disclosed before the application process

- The following loan features are fully explained to customers:
  - Negative amortization
  - Balloon payments
  - All loan costs

Underwriting
- All requests for information are clear
- Customers receive clear communication through the process so that they know what to expect
- Customers receive clear and uncontradictory information about closing costs
- Underwriting relies on ability to repay rather than collateral value
- Bank employees work consistently with all customers who have a low credit score or problems identified in their credit bureau that can be explained
- Marginal applicants that could be approved receive the same treatment as other more qualified applicants

Closing
- Customers receive all disclosure documentation in advance of their closing date
- Bank employees are available to answer any questions a customer may have

Servicing
- Payments are promptly posted
- The bank reports good payment history to the credit bureau, including for both joint applicants
- The bank explains how it applies monthly payments and any fees or penalties
- It is simple and clear for customers to determine their account balance

Collections
- Nothing the bank does could be perceived as harassing
- Collections practices are clearly spelled out such that customers will be treated objectively and consistently

Payoffs
- It is simple and clear to obtain a payoff amount

Credit Cards
- The amount of usable credit customers can expect is clearly spelled out
- Fees and charges are low enough that customers have available credit on their cards
- Available credit is verified before any convenience checks are mailed
- Customers can rely on the "please pay by" date to make timely payments
- The bank clearly explains what will happen if customers pay the minimum amount or less than the minimum amount

Secured Credit Cards
- When customers obtain a secured credit card, they have access to the majority of their credit line
- The bank's secured card program provides customers with an opportunity to graduate to a higher credit line and, eventually, to an unsecured card through incremental credit line increases when they repay the card
- Secured credit card interest rate is reasonable based on risk parameters of the program
- The bank avoids marketing with terms like "refundable account holds"

Mortgages
- If refinances are a large part of the bank's portfolio, the customers are receiving a benefit

- Lending personnel regularly explain how to reduce the interest rate with points
- If no closing costs are advertised, then no closing costs are charged

Credit Card Add-on Products
- If there is an upfront fee for this product, then the benefits and downsides of the product are explained before the fee is charged
- It is clear to customers whether this product is included with the card or required to obtain one
- If customers must pay in advance for credit insurance, any unearned amounts are returned to the customer

Payday Loans
- The bank sets limits to prevent customers from getting into a cycle of debt
- Customers may cancel payday loan transactions within one day
- The bank can explain all the costs and fees associated with this product before selling it and provides customers with a way to compare the fees with other similar products

Tax Refund Loan
- The product is marketed as a loan rather than as an advance of a tax refund
- All costs are explained before a sale of this product

Deposit Advance Loans
- The product is marketed in a manner that is not deceptive
- All costs are explained before a sale of this product
- Regulatory guidance is considered in the design and deployment of this product

C2.6.2 Does the compliance program support the following deposit product controls?

Account Opening
- Deposit products are explained in a simple and straightforward manner
- The costs of each product are explained clearly and in a way that customers can reasonably compare products
- All fees and penalties are clearly explained before they could be charged

Account Servicing
- Deposits are promptly posted
- Customer requests for information or research are promptly handled
- It is simple and clear for customers to determine their account balance

Account Maintenance
- All fees and penalties that apply in customer periodic statements are clearly labeled
- Customer account changes are promptly applied

Account Closing
- It is simple and clear to close a deposit account

Collections
- Nothing the bank does could be perceived as harassing
- Collections practices are clearly spelled out such that customers will be treated objectively and consistently

Overdrafts
- More than one overdraft product is available
- The bank is clear about when it will charge fees and when it will pay overdrafts

- The bank is clear about what it guarantees with regard to overdrafts
- The bank clearly and neutrally explains the consequences of opting in to overdraft protection including what transactions will be covered
- The bank clearly informs customers when terms are changing
- The bank does not advertise an account as "free" if there could be overdraft charges

Gift Cards
- The bank is clear about any charges before a customer obtains a gift card including any monthly maintenance, dormancy or usage fee
- The bank explains what will happen if a card is lost or stolen and who to call if this happens
- The bank explains what can happen if the card is used at gas stations, hotels, restaurants, or other locations that may seek payment authorization
- The bank explains when it may or may not authorize payments on a gift card
- The bank explains how customers can redeem de minimis balances
- Customers understand how to obtain balance information

Payroll Cards
- The bank explains the risks of this product before customers obtain it
- The bank clearly explains any costs for accessing funds
- It is clear that there is no deposit insurance associated with this product
- It is clear what happens if the holder of the funds declares bankruptcy

UDAAP Summary

UDAAP Inherent Profile (Quantity of ) [Sources | Rating | Observations]

R1 Retail Footprint
- R1.1 Customer Demographics
- R1.2 Products & Services Offerings
- R1.3 Complexity of Products & Services
- R1.4 Delivery Channels
- Retail Footprint Conclusion:

R2 Strategic Direction
- R2.1 Marketing Strategy
- R2.2 New Products & Services
- R2.3 Advertisements
- R2.4 Pricing & Profitability
- Strategic Direction Conclusion:

R3 Operations
- R3.1 General
- R3.2 Third Parties
- R3.3 Traditional Compliance
- Operations Conclusions:

R4 UDAAP Environment
- R4.1 Supervisory Focus
- R4.2 Customer Complaints
- UDAAP Environment Conclusion:

Overall Inherent Rating: High/Moderate/Low
Comments: Insert Comments

Quality of UDAAP Management ( Mitigation and Controls) [Rating | Observations]

C1 Compliance Management Program (General Controls)
- C1.1 Board & Senior Management Oversight

- C1.2 Compliance Program
  - C1.2.1 Compliance Mgmt
  - C1.2.2 Policies & Procedures
  - C1.2.3 Training
  - C1.2.4 Monitoring, Testing & Correction
  - C1.2.5 Compliance Audit
- Compliance Management Program Conclusion:

C2 UDAAP Controls
- C2.1 Marketing
- C2.2 Disclosures
- C2.3 Customer Service
- C2.4 Vendor Management
- C2.5 Complaint Response
- C2.6 Customer Friendly Features
  - C2.6.1 Customer Friendly Features Loans
    - Application Processing
    - Underwriting
    - Closing
    - Servicing
    - Collections
    - Payoffs
    - Credit Cards
    - Secured Credit Cards
    - Mortgages
    - Credit Card Add Ons
    - Payday Loans
    - Tax Refund Loans
    - Deposit Advance Loans
    - Loan Features Conclusion:
  - C2.6.2 Customer Friendly Features Deposits
    - Account Opening
    - Account Maintenance
    - Account Servicing
    - Account Closing
    - Collections
    - Overdrafts
    - Gift Cards
    - Payroll Cards
    - Deposit Features Conclusion:
- UDAAP Controls Conclusion:

Overall Control Strength Rating: Strong/Adequate/Weak
Comments: Insert Comments

Controls & Mitigation
Consumer Residual

Consumer Gaps Identified

- Gap 1: Level of Concern | Observations | Action Plan | Follow Up
- Gap 2: Level of Concern | Observations | Action Plan | Follow Up
- Gap 3: Level of Concern | Observations | Action Plan | Follow Up
- Gap 4: Level of Concern | Observations | Action Plan | Follow Up

Level of Controls & Mitigation (Strong, Adequate, or Weak): Strong/Adequate/Weak
Comments: Insert Comments

Summary Rating
- Inherent Rating (Quantity of )
- Controls & Mitigation (Quality of Mgmt)
- Aggregate
- Direction (Increasing, Stable, Decreasing)
- Date of Last Directional Change

Jim Bedsole, CRCM, CBA, CFSA, CAFP
Senior Vice President, Chief Compliance & Officer
BankSouth
Direct: (706) Cell: (706) Fax: (706)
P.O. Box Lake Oconee Parkway Greensboro, Georgia

Thomas Williams, CRCM, CCBIA
Senior Vice President, Senior Compliance Manager
United Bank
Direct: (770) Cell: (678) Fax: (770)
South Hill Street Griffin, Georgia 30224


More information

The Compliance Challenges of Credit Union Collections. Collections and Compliance?

The Compliance Challenges of Credit Union Collections. Collections and Compliance? The Compliance Challenges of Credit Union Collections Presented by Maria Peyton NSWC Federal Credit Union Collections and Compliance? Yes! It is about more than just collecting a debt Collectors must be

More information

LENDING: KEY EXAMINER TRENDS

LENDING: KEY EXAMINER TRENDS LENDING: KEY EXAMINER TRENDS 2015 Temenos USA, Inc. All rights reserved. Leah M. Hamilton Chief Compliance Officer, TriComply Services WHAT YOU WILL LEARN TRID Compliance Reprieve Common issues Regulation

More information

Identity Theft Prevention Program Lake Forest College Revision 1.0

Identity Theft Prevention Program Lake Forest College Revision 1.0 Identity Theft Prevention Program Lake Forest College Revision 1.0 This document supersedes all previous identity theft prevention program documents. Approved and Adopted by: The Board of Directors Date:

More information

Consumer Financial Protection by Federal Agencies

Consumer Financial Protection by Federal Agencies Consumer Financial Protection by Federal Agencies Mark Jickling Specialist in Financial Economics October 14, 2009 Congressional Research Service CRS Report for Congress Prepared for Members and Committees

More information

Assessing Credit Risk

Assessing Credit Risk Assessing Credit Risk Objectives Discuss the following: Inherent Risk Quality of Risk Management Residual or Composite Risk Risk Trend 2 Inherent Risk Define the risk Identify sources of risk Quantify

More information

Compliance Challenges in a Changing Economic Environment

Compliance Challenges in a Changing Economic Environment Compliance Challenges in a Changing Economic Environment Call the Fed Audio Conference December 10, 2008 The following presentation contains the views and opinions of the speakers and his or her interpretation

More information

The CFPB s Priorities in Rulemaking, Supervision, and Enforcement

The CFPB s Priorities in Rulemaking, Supervision, and Enforcement The CFPB s Priorities in Rulemaking, Supervision, and Enforcement July 21, 2016 Scott M. Pearson Ballard Spahr LLP 424.204.4323 pearsons@ballardspahr.com John D. Socknat Ballard Spahr LLP 202.661.2253

More information

BSA/AML ENFORCEMENT. See 12 U.S.C (2000).

BSA/AML ENFORCEMENT. See 12 U.S.C (2000). MONEY LAUNDERING AND CRIMINAL PROSECUTIONS OF BANKS: A FOCUS OF BANK ENFORCEMENT ACTIVITY IN RECENT YEARS By Thomas P. Vartanian and Dominic A. Labitzky * Bank Secrecy Act and Anti-Money Laundering (BSA/AML)

More information

BSA/AML Excellence and the Role of Governance NEW JERSEY BANKERS ASSOCIATION ANNUAL CONFERENCE MAY 2017

BSA/AML Excellence and the Role of Governance NEW JERSEY BANKERS ASSOCIATION ANNUAL CONFERENCE MAY 2017 BSA/AML Excellence and the Role of Governance NEW JERSEY BANKERS ASSOCIATION ANNUAL CONFERENCE MAY 2017 Your Presenters Asaad Faquir, MBA, MBS Director, RSK Compliance Solutions, LLC Salvatore Zerilli,

More information

To learn about navigation and other features of this e-learning course, click Help. Click Next to continue to the next page.

To learn about navigation and other features of this e-learning course, click Help. Click Next to continue to the next page. Welcome to Fair Lending Practices Extending credit is a cornerstone of banking. Because of the need society has for lending and credit, Congress has passed a number of acts ensuring that banks distribute

More information

Fair Lending Risk Management

Fair Lending Risk Management Presented by: Martin (Marty) Mitchell, CRCM Managing Director, ProBank Austin Robert J. (Bob) Mullenbach, CRCM Managing Director, Compliance Division Deputy, ProBank Austin Fair Lending Laws ECOA Prohibits

More information

Federal Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Oversight

Federal Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Oversight Federal Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Oversight Brief Overview of BSA/AML Requirements and Regulatory Expectations Enforcement Authority Recent Consent Orders / Deferred Prosecution

More information

Fair & Responsible Lending in the Regulatory Crosshairs

Fair & Responsible Lending in the Regulatory Crosshairs Fair & Responsible Lending in the Regulatory Crosshairs Legal Counsel to the Financial Services Industry Minnesota Banking Law Institute April 5, 2013 Andrea K. Mitchell Partner Lori J. Sommerfield Counsel

More information

ABA Frontline Compliance Course Descriptions

ABA Frontline Compliance Course Descriptions ABA Frontline Compliance Course Descriptions Active Aggressor for Employees (35 minutes) New May 2017 Provides indicators of potential active shooters to prevent incidents. Explores the run, hide, or fight

More information

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK IN THE MATTER OF: ) ) ) Number 2018-03 UBS Financial Services Inc. ) Weehawken, NJ ) ASSESSMENT OF CIVIL MONEY PENALTY

More information

Anti-Money Laundering and Terrorist Financing Prevention Compliance Program Creation Guide

Anti-Money Laundering and Terrorist Financing Prevention Compliance Program Creation Guide Anti-Money Laundering and Terrorist Financing Prevention Compliance Program Creation Guide Compliance Program Creation Guide January 2015 1 Compliance Program Creation Guide January 2015 2 Insert Business

More information

Managing Third Party Risk in the ACH Network

Managing Third Party Risk in the ACH Network Managing Third Party Risk in the ACH Network Tony DaSilva, AAP, CISA Senior Examiner Federal Reserve Bank of Atlanta Paul A. Carrubba Partner Adams and Reese LLP Disclaimer THE VIEWS AND OPINIONS EXPRESSED

More information

2017 WEBINAR SCHEDULE Affordable training, when and where you choose

2017 WEBINAR SCHEDULE Affordable training, when and where you choose 2017 WEBINAR SCHEDULE Affordable training, when and where you choose With engaging, hot-topic webinars from your Association, you get all of the benefits of a classroom, without the time and hassle of

More information

Register. Regulatory Compliance. Regulatory Compliance. Lending Compliance

Register. Regulatory Compliance. Regulatory Compliance. Lending Compliance Regulatory Compliance Regulatory Compliance Register Lending Compliance In today s rapidly evolving economy, lenders must have expert knowledge of the latest federal regulation changes that determine banks,

More information

Developments in Anti-Money Laundering Regulation for Investment Advisers and Funding Portals. May 2016

Developments in Anti-Money Laundering Regulation for Investment Advisers and Funding Portals. May 2016 Developments in Anti-Money Laundering Regulation for Investment Advisers and Funding Portals May 2016 John L. Sullivan Washington, D.C. jlsullivan@wsgr.com Michael Chiswick-Patterson Washington, D.C. mchiswickpatterson@wsgr.com

More information

FREQUENTLY ASKED QUESTIONS ABOUT THE NEW HMDA DATA. General Background

FREQUENTLY ASKED QUESTIONS ABOUT THE NEW HMDA DATA. General Background Federal Reserve Bank of New York Statistics Function March 31, 2005 FREQUENTLY ASKED QUESTIONS ABOUT THE NEW HMDA DATA General Background 1. What is the Home Mortgage Disclosure Act (HMDA)? HMDA, enacted

More information

HOW THE CALDWELL QC PLAN MEETS HUD REQUIREMENTS

HOW THE CALDWELL QC PLAN MEETS HUD REQUIREMENTS Q-5 How the Caldwell QC Plan Meets HUD Requirements HOW THE CALDWELL QC PLAN MEETS HUD REQUIREMENTS Every FHA-approved mortgage lender, including loan correspondents, must implement a written quality control

More information

CFPB Supervision and Examination Process

CFPB Supervision and Examination Process Overview Statutory Background Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the Act) 1 established the Consumer Financial Protection Bureau (CFPB) and authorizes it

More information

Managing Fair and Responsible Lending Challenges and Risks

Managing Fair and Responsible Lending Challenges and Risks Managing Fair and Responsible Lending Challenges and Risks NYBA Technology, Compliance and Risk Management Forum White Plains, NY May 13, 2015 Legal Counsel to the Financial Services Industry Presented

More information

BSA/AML & OFAC Volunteer Compliance Training. Agenda

BSA/AML & OFAC Volunteer Compliance Training. Agenda Ideas + Solutions = Success BSA/AML & OFAC Volunteer Compliance Training Ideas + Solutions = Success Presented by Dorie Fitchett HCUL Regulatory Officer May 17, 2018 Agenda 1. Bank Secrecy Act 2. Office

More information

Fair Lending Issues and Hot Topics

Fair Lending Issues and Hot Topics Fair Lending Issues and Hot Topics Outlook Live Webinar November 2, 2011 Non-Discrimination Working Group of the Financial Fraud Enforcement Task Force Visit us at www.consumercomplianceoutlook.org informational

More information

Audit Planning PRESENTED BY: MICHAEL L. FORTMAN, CPA SENIOR MANAGER BROK A. LAHRMAN, CPA SENIOR MANAGER

Audit Planning PRESENTED BY: MICHAEL L. FORTMAN, CPA SENIOR MANAGER BROK A. LAHRMAN, CPA SENIOR MANAGER Audit Planning PRESENTED BY: MICHAEL L. FORTMAN, CPA SENIOR MANAGER BROK A. LAHRMAN, CPA SENIOR MANAGER INTRODUCTIONS Michael L. Fortman, CPA Senior Manager Indianapolis, Indiana Brok A. Lahrman, CPA Senior

More information

National Association of Federal Credit Unions Fair Lending Training (Part II)

National Association of Federal Credit Unions Fair Lending Training (Part II) National Association of Federal Credit Unions Fair Lending Training (Part II) April 23, 2014 Jeremiah S. Buckley, Partner Lori J. Sommerfield, Counsel Order of Presentation Key Players in Fair Lending

More information

ANTI-MONEY LAUNDERING IN

ANTI-MONEY LAUNDERING IN ANTI-MONEY LAUNDERING IN THE ACQUIRING INDUSTRY Presented by Laura H. Goldzung, CAMS, CCFE, CFCF, CCRP AML Audit Services, LLC March 8, 2016 AGENDA AML Regulatory Overview OFAC Regulatory Overview AML

More information

New RESPA Rule FAQs. (New items are in bold)

New RESPA Rule FAQs. (New items are in bold) New RESPA Rule FAQs (New items are in bold) General 1) Q: When does the new RESPA Rule take effect? A: The November 2008 RESPA Rule was effective January 16, 2009. Implementation of the provisions are

More information

Intention of Presentation

Intention of Presentation Intention of Presentation This is intended to be a high level presentation and not to get into the detail of each individual area. More of an overview. If there are questions or you would like to go over

More information

Identifying, Assessing and Mitigating Potential Redlining Risk

Identifying, Assessing and Mitigating Potential Redlining Risk Identifying, Assessing and Mitigating Potential Redlining Risk Objectives Understanding Potential Redlining Risk Understanding the Reasonable Expected Market Area (REMA) vs CRA Assessment Area Understanding

More information

ACFE and ACAMS South Florida Chapter 2015 AML/Fraud Conference

ACFE and ACAMS South Florida Chapter 2015 AML/Fraud Conference ACFE and ACAMS South Florida Chapter 2015 AML/Fraud Conference Marc Benson Director, Global Investigations & Compliance Navigant Consulting Inc. Salvatore LaScala Managing Director, Global Investigations

More information

ANNEX B Illustrative U.S. Bank Regulatory Driven Board or Board Committee Review and Approval Items

ANNEX B Illustrative U.S. Bank Regulatory Driven Board or Board Committee Review and Approval Items ANNEX B Illustrative U.S. Bank Regulatory Driven Board or Board Committee Review and Approval Items May 2016 ANNEX B Illustrative U.S. Bank Regulatory Driven Board or Board Committee Review and Approval

More information

BSA Excellence: Officer Training

BSA Excellence: Officer Training Welcome to BSA Excellence: Officer Training 1 Compliance Outsourcing Partnership Solutions The Karen I. Martino Group COPS A Partner Only Firm Specializing in: BSA Independent Third Party Audits Compliance

More information

Anti-Money Laundering. How to set up a strong Compliance Program

Anti-Money Laundering. How to set up a strong Compliance Program Anti-Money Laundering How to set up a strong Compliance Program Importance of AML Protection Financial institutions face a growing number of threats from criminals that seek to misuse the U.S. financial

More information

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK ZIONS FIRST NATIONAL BANK SAL T LAKE CITY, UTAH Under the authority of the Bank Secrecy Act ("BSA") and regulations

More information

Payday Lending Provision 2007 Defense Authorization Bill

Payday Lending Provision 2007 Defense Authorization Bill Payday Lending Provision 2007 Defense Authorization Bill Overview H.R. 5122, the John Warner National Defense Authorization Act for Fiscal Year 2007, includes a provision (Subtitle F, Section 670) originally

More information

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Objectives and Key Requirements of this Prudential Standard Effective risk management is fundamental to the prudent management

More information

PowerPoint Presentation INCLUDING COMPLIANCE IN THE BANK S RISK PROGRAM

PowerPoint Presentation INCLUDING COMPLIANCE IN THE BANK S RISK PROGRAM PowerPoint Presentation INCLUDING COMPLIANCE IN THE BANK S RISK PROGRAM Chuck Lewis Vice President, Compliance Services Missouri Bankers Association Jefferson City, Missouri clewis@mobankers.com 573-301-1884

More information

Reduce cost and streamline lending processes through pre-closing automation

Reduce cost and streamline lending processes through pre-closing automation Reduce cost and streamline lending processes through pre-closing automation find problems early validate data boost accuracy save money Catching potential compliance violations before you fund a loan saves

More information

CRA Basics and the Exam Process

CRA Basics and the Exam Process CRA Basics and the Exam Process Objectives Upon completion of the CRA overview, you should understand: l Purpose of the CRA l Terms and definitions under the CRA regulation including bank exam types l

More information

FAIR LENDING POLICY I. INTRODUCTION A. OVERVIEW

FAIR LENDING POLICY I. INTRODUCTION A. OVERVIEW FAIR LENDING POLICY I. INTRODUCTION A. OVERVIEW The purpose of this Fair Lending Policy ( Policy ) is to implement consumer protection mechanisms that ensure compliance with all applicable federal and

More information

ABA Compliance School - Intermediate

ABA Compliance School - Intermediate ABA Compliance School - Intermediate March 14 16, 2018 Grand Hyatt Denver Denver, Colorado COURSE CATALOG aba.com 1-800-BANKERS October 2014 Session Emory Conference Center and Hotel Atlanta, GA aba.com

More information

Board of Governors of the Federal Reserve System; Truth in Lending

Board of Governors of the Federal Reserve System; Truth in Lending Board of Governors of the Federal Reserve System; Truth in Lending ABA Contact: Bob Davis (202) 663-5588 rdavis@aba.com Joe Pigg (202) 663-5480 jpigg@aba.com Rod Alba (202) 663-5592 ralba@aba.com Krista

More information

Residential Real Estate Lending. Key Highlights of Residential Compliance Regulations and Common Problem Areas

Residential Real Estate Lending. Key Highlights of Residential Compliance Regulations and Common Problem Areas Residential Real Estate Lending Key Highlights of Residential Compliance Regulations and Common Problem Areas 2 Agenda Key Considerations in Assessing Risk for Residential Real Estate (RRE) Lending Overview

More information

Bank Secrecy Act & Anti-Money Laundering for Directors. Mike Lee Director of Regulatory Advocacy

Bank Secrecy Act & Anti-Money Laundering for Directors. Mike Lee Director of Regulatory Advocacy Bank Secrecy Act & Anti-Money Laundering for Directors Mike Lee Director of Regulatory Advocacy michael.lee@lscu.coop Legal Disclaimer: Information provided in this presentation, including all materials,

More information

Fathom Wealth Management Advisors Ltd Risk Management Disclosures Year Ended 31 December 2016

Fathom Wealth Management Advisors Ltd Risk Management Disclosures Year Ended 31 December 2016 Fathom Wealth Management Advisors Ltd Risk Management Disclosures Year Ended 31 December 2016 According to Directives DI144-2014-14 and DI144-2014-15 of the Cyprus Securities & Exchange Commission for

More information

Large Bank Supervision

Large Bank Supervision EP-CBS O Comptroller of the Currency Administrator of National Banks Large Bank Supervision Comptroller s Handbook January 2010 EP Bank Supervision and Examination Process Large Bank Supervision Table

More information

Notice of Material Event Reporting Pitfalls for FHA Mortgagees. Michelle Rogers, Melissa Klimkiewicz & Kate Contario June 2016

Notice of Material Event Reporting Pitfalls for FHA Mortgagees. Michelle Rogers, Melissa Klimkiewicz & Kate Contario June 2016 Notice of Material Event Reporting Pitfalls for FHA Mortgagees Michelle Rogers, Melissa Klimkiewicz & Kate Contario June 2016 Notice of Material Event Reporting Pitfalls for FHA Mortgagees With sighs of

More information

Fair Lending Compliance Basics: Class is in Session!

Fair Lending Compliance Basics: Class is in Session! Fair Lending Compliance Basics: Class is in Session! How to Control Fair Lending Risk and Identify Redlining Risk Meet Your Teacher Kimberly Boatwright, CRCM, CAMS Director of Compliance TRUPOINT Partners

More information

Examination Procedures

Examination Procedures After completing the risk assessment and examination scoping, examiners should use these procedures, in conjunction with the compliance management system Exam Date: Exam ID No. Prepared By: Reviewer: Docket

More information

Consumer Compliance Hot Topics

Consumer Compliance Hot Topics Consumer Compliance Hot Topics Agenda Regulatory Timeline: Issued in 2014 On the Horizon for 2015 Areas of Supervisory Focus: Fair Lending Unfair or Deceptive Acts or Practices (UDAP) Flood Vendor Management

More information

Bank Secrecy Act Examination Procedures. Sections 313, 314, and 319(b) of the USA PATRIOT Act (31 CFR , , , 103.

Bank Secrecy Act Examination Procedures. Sections 313, 314, and 319(b) of the USA PATRIOT Act (31 CFR , , , 103. Bank Secrecy Act Examination Procedures Sections 313, 314, and 319(b) of the USA PATRIOT Act (31 CFR 103.100, 103.110, 103.177, 103.185) Table of Contents Correspondent Accounts for Foreign Shell Banks

More information

CUNA PROFESSIONAL DEVELOPMENT ONLINE

CUNA PROFESSIONAL DEVELOPMENT ONLINE CUNA PROFESSIONAL DEVELOPMENT ONLINE CONTENT LIST cuna.org/cpdonline Accounting, Budgeting, & Finance Accounting Basics Asset-Liability Management for Executives Financial Management Made Easy I: Financial

More information

As has been widely reported, early last

As has been widely reported, early last Volume 23, Number 5 February 2007 Subprime Lending Lessons from the Ameriquest Settlement Joseph E. Mayk Joseph E. Mayk is of counsel in the consumer financial services/retail banking practice group of

More information

How to Ace Your CFPB Exam

How to Ace Your CFPB Exam How to Ace Your CFPB Exam May 25, 2016 Moderator Alan S. Kaplinsky Practice Leader Consumer Financial Services 215.864.8544 kaplinsky@ballardspahr.com Panelists Richard J. Andreano, Jr. Practice Leader

More information

CFPB Supervision and Examination Process

CFPB Supervision and Examination Process Background Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the Act) 1 established the Consumer Financial Protection Bureau (CFPB) and authorizes it to supervise certain

More information

VIII 6.1. VIII. Privacy FCRA. Fair Credit Reporting Act 1. Introduction. Structure and Overview of Examination Modules.

VIII 6.1. VIII. Privacy FCRA. Fair Credit Reporting Act 1. Introduction. Structure and Overview of Examination Modules. Fair Credit Reporting Act 1 Introduction The Fair Credit Reporting Act (FCRA) (15 USC 1681-1681u) became effective on April 25, 1971. The FCRA is a part of a group of acts contained in the Federal Consumer

More information

Page 1 of 20 Advanced Search Search FDIC... Su Home Deposit Insurance Consumer Protection Industry Analysis Regulations & Examinations Asset Sales News & Events About FDIC Home > Regulation & Examinations

More information

Important Compliance Dates December 2017

Important Compliance Dates December 2017 Ongoing NIST Framework for Improving Critical Infrastructure Cybersecurity June 9, 2017 DoL 29 CFR Part 541 The National Institute of Standards and Technology released a voluntary framework for use to

More information

MBBA-NH & MAMP. Compliance Conference. April 19, 2017

MBBA-NH & MAMP. Compliance Conference. April 19, 2017 MBBA-NH & MAMP Compliance Conference April 19, 2017 Agenda HMDA Overview Readiness Steps HMDA Expansion Fields 2 New HMDA Rule Summary Changes to Home Mortgage Disclosure: Regulation C Types of institutions

More information

CONSUMER COMPLIANCE UPDATE. David Wright, Field Supervisor

CONSUMER COMPLIANCE UPDATE. David Wright, Field Supervisor CONSUMER COMPLIANCE UPDATE David Wright, Field Supervisor AGENDA Introduction Consumer Harm Making compliance examinations more effective and efficient Compliance Emerging Issues Updated FFIEC Compliance

More information

Regulatory Compliance Update

Regulatory Compliance Update Regulatory Compliance Update ACUIA Region 6 Conference Presented By: Kristie Kenney Hoover, NCCO Internal Audit Manager, Doeren Mayhew Florida Michigan North Carolina Texas Insight. Oversight. Foresight.

More information

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK

UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY FINANCIAL CRIMES ENFORCEMENT NETWORK IN THE MATTER OF: ) ) ) ) Number 2017-04 Lone Star National Bank ) Pharr, Texas ) ASSESSMENT OF CIVIL MONEY PENALTY

More information

Setting Policies at the Board Level Agenda

Setting Policies at the Board Level Agenda Setting Policies at the Board Level Agenda What is a Policy? Guidance Policies vs. Procedures Writing Policies Resources Required Policies 1 What is a Policy? A definite course or method of action selected

More information

Consigned Items and Other Customer Services

Consigned Items and Other Customer Services Comptroller s Handbook O-CI Safety and Soundness Capital Adequacy (C) Asset Quality (A) Management (M) Earnings (E) Liquidity (L) Sensitivity to Market Risk (S) Other Activities (O) Consigned Items and

More information

C O M P L I A N C E T R A I N I N G S I M P L I F I E D

C O M P L I A N C E T R A I N I N G S I M P L I F I E D C O M P L I A N C E T R A I N I N G S I M P L I F I E D TABLE OF CONTENTS OUR NEW COURSE CATALOG simplifies assigning training and aligns with new bank regulations. 7 11 14 17 34 43 52 59 HUMAN RESOURCES

More information

Advertising Compliance

Advertising Compliance Advertising Compliance John Zasada Principal 218 790 1086 1 1 Credit Union Compliance Practice Review websites and social media for compliance before CU release Ongoing Regulatory Compliance Assistance

More information

Anti-Money Laundering and Terrorist Financing Prevention Compliance Program Creation Guide

Anti-Money Laundering and Terrorist Financing Prevention Compliance Program Creation Guide Anti-Money Laundering and Terrorist Financing Prevention Compliance Program Creation Guide Insert Business Name Here Date of Adoption of this Anti-Money Laundering Program ANTI-MONEY LAUNDERING AND TERRORIST

More information

An Eye on the Bureau An Update from CFPB Monitor

An Eye on the Bureau An Update from CFPB Monitor An Eye on the Bureau An Update from CFPB Monitor The CFPB Is Coming! The CFPB Is Coming! COHEAO Annual Conference January 28, 2013 NCHER Knowledge Symposium November 7, 2012 John L. Culhane, Jr., Partner

More information

TokenLot, LLC BSA Officer TokenLot, LLC Board of Directors

TokenLot, LLC BSA Officer TokenLot, LLC Board of Directors Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Program APPROVED BY TokenLot, LLC BSA Officer TokenLot, LLC Board of Directors TokenLot, LLC BSA/AML Program 2017 1 TABLE OF CONTENTS 1. Bank Secrecy

More information

NACHA Third-Party Sender Certification Program Criteria

NACHA Third-Party Sender Certification Program Criteria INTRODUCTION These Third-Party Sender Certification Program Criteria set forth the subject matter areas that will be reviewed by NACHA in order to determine whether an applicant ( Applicant ) satisfies

More information

CSI S QUARTERLY COMPLIANCE UPDATE

CSI S QUARTERLY COMPLIANCE UPDATE CSI S QUARTERLY COMPLIANCE UPDATE March 26, 2015 WEBINAR INFORMATION Submit a question at any time Use Q&A window Webinar is being recorded Join us for a tweet-along @CSIsolutions 2 TODAY S PRESENTER KEITH

More information

April 3, By electronic delivery to:

April 3, By electronic delivery to: Nessa Feddis Senior Vice President & Deputy Chief Counsel for Consumer Protection and Payments Center for Regulatory Compliance Government Relations Regulatory & Trust Affairs 202 663 5433 nfeddis@aba.com

More information

Bank Secrecy Act for Directors

Bank Secrecy Act for Directors Bank Secrecy Act for Directors Agenda What is the Bank Secrecy Act? How to have a successful BSA Compliance Program? OFAC responsibilities. Penalties for non-compliance. 2 What is the Bank Secrecy Act?

More information

SAMPLE. 1 Bank Secrecy Act / Anti-Money Laundering. 2 E-Sign Act / Electronic Funds Transfer Act

SAMPLE. 1 Bank Secrecy Act / Anti-Money Laundering. 2 E-Sign Act / Electronic Funds Transfer Act 1 Bank Secrecy Act / Anti-Money Laundering Summary 1 1 Purpose and History of the BSA 1 1 General Requirements of the BSA/AML Compliance Program 1 3 Money Laundering Defined 1 4 BSA / AML Violations 1

More information

Market Research for Business and Public Policy Decisions in Consumer Lending

Market Research for Business and Public Policy Decisions in Consumer Lending Market Research for Business and Public Policy Decisions in Consumer Lending History has shown that market research and self-assessment methods are powerful tools for uncovering problems and improving

More information

CU PolicyPro Alphabetical Policy Listing

CU PolicyPro Alphabetical Policy Listing A 3160 2235 7332 2222 2215 3000 6120 8110 2210 3105 2216 2214 2212 2210 2213 11003 2610 2612 2611 1000 11005 9430 11016 5100 5110 7615 9500 Abandoned Property (Unclaimed Property) Abusive Member (Member

More information

GUIDELINES ON AGENT BANKING FOR BANKS AND FINANCIAL INSTITUTIONS,

GUIDELINES ON AGENT BANKING FOR BANKS AND FINANCIAL INSTITUTIONS, GUIDELINES ON AGENT BANKING FOR BANKS AND FINANCIAL INSTITUTIONS, 2017 BANK OF TANZANIA ARRANGEMENT OF GUIDELINES 1. Part I: Preliminary 2. Part II: Objectives 3. Part III: Approval Process and Permissible

More information