Compliance Risk Assessments Chicago Region Banker Workshop Series

Compliance Risk Assessments 2016 Chicago Region Banker Workshop Series

Statement During the onsite portion of a compliance examination, examiners review adherence to all consumer protection-related regulations. 2

During the onsite portion of a compliance examination, examiners review adherence to all consumer-related regulations. A. Myth B. Fact 0% 0% Myth Fact 3

Response Myth: The exam focus is on areas where the risk of consumer harm is elevated and not on areas where risk is limited and well controlled by a strong compliance management system. 4

Statement An institution s failure to comply with consumer protection, CRA, or fair lending laws and regulations might affect the application of an FDIC-supervised institution seeking to engage in new or expanded business activities. 5

Failure to comply with consumer protection, CRA, or fair lending laws might affect the application of an FDIC-supervised institution. A. Myth B. Fact 0% 0% Myth Fact 6

Response Fact: Compliance with consumer protection laws is one of the items we consider when reviewing an application. 7

Statement Community banks are exiting the residential mortgage business. 8

Community banks are exiting the residential mortgage business. A. Myth B. Fact 0% 0% Myth Fact 9

Response Myth: HMDA data indicates the rules did not have much impact on mortgage lending in 2014. Call Report data shows growth in residential mortgage lending. However, various banker surveys and outreach feedback suggest some institutions are exiting this business. 10

Objectives Incorporate Compliance into Planning Develop Risk Assessment Identify Inherent Risk Mitigate Risk of Consumer Harm Evaluate Residual Risk Prepare for a Risk-Based Examination 11

Agenda Session 1 Introduction to Risk Assessments: Identifying and Assessing Risk Components of a Risk Assessment Exercise 1 Session 2 Beginning with Questions Exercise 2 Examination Process 12

Introduction to Risk Assessments Why Risk Assessments Matter

Definitions Consumer Harm: is an actual or potential injury or loss to a consumer, whether such injury or loss is economically quantifiable (e.g., overcharge) or non-quantifiable (e.g., discouragement) 14

Definitions Inherent Risk: Risk that exists before the application of controls Mitigating Factors: Controls in place to limit inherent risks Residual Risk: Balance that remains after considering the inherent risks and the mitigating factors that reduce risk 15

Incorporating Compliance Strategic Planning Identifying Compliance Risks Establishing and Communicating the Board s Risk Tolerance 16

Risk Assessment Benefits Formalizes and Documents Acceptable Risk Tolerance Set by the Board Applicable Regulation(s) or Guidance Current Compliance Program Resource Allocation 17

Building a Framework No one-size-fits-all Possible organizational models Regardless of format, all focus on: Inherent Risk Mitigating Factors Residual Risk 18

Organizational Models Risk Factor Regulation(s) Inherent Risk Mitigating Factors Residual Risk Product, Service, or Market What regulation(s) apply? Identify and rate inherent risk: Low Moderate High Identify and rate strength of mitigating factors: Strong Adequate Weak Determine level of residual risk: 1- Low 2 3 - Moderate 4 5 High Regulation Risk Factor Inherent Risk Mitigating Factors Residual Risk Regulation What product(s), service(s), or market(s) apply? Identify and rate inherent risks: Low Moderate High Identify and rate strength of mitigating factors: Strong Adequate Weak Determine level of residual risk: 1- Low 2 3 - Moderate 4 5 High 19

Organizational Model Examples Risk Factor Regulation(s) Inherent Risk Mitigating Factors Residual Risk Temporary-topermanent Construction Loans 1) Truth in Lending (Reg Z) 2) Real Estate Settlement Procedures (RESPA) 1) Incorrectly calculate loan payment / APR 2) Complete LE and CD incorrectly 1) Automated loan platform system updated 2) External audit of loans 1) Users not trained how to input data 2) Scope of audit not properly defined Regulation Risk Factor Inherent Risk Mitigating Factors Residual Risk Regulation CC (deposit account holds) 1) Checking Accounts 2) ATM/Debit Cards 3) Overdraft LOC 1) Deposits held too long no access to funds 2) Hold notice not provided could cause overdraft 1) Automated teller software used to place holds. 2) Tellers have written policies. 3) Head teller reviews all holds daily. 1) Computers could be off-line. 2) New teller not aware of policies. 3) Head Teller out sick. 11

3-Tiered Risk Assessment Product Focused Three-Tier Risk Assessment Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) Low Moderate High Mitigating Factors Weak Adequate Strong Residual Risk Inherent Risk: Low, Moderate, or High Mitigating Factors: Weak, Adequate, or Strong 21

Risk Assessment Framework Inherent Risk Consumer Harm Mitigating Factors: Compliance Management System: Board and Management Oversight Compliance Program Policies / Procedures Training Monitoring Consumer Complaint Response Audit Residual Risk 22

Inherent Risks Bank A For the last three months, Bank A has been offering a high APY checking account if certain criteria are met. A third party was used to develop this product. Product Qualifications: Must make 2 deposits Make 10 debit card transactions Use 2 teller checks per statement cycle. Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) Mitigating Factors Residual Risk 23

Inherent Risks Bank B Bank B: Has offered the product in-house for 5 years. Eligibility requirements: Have monthly direct deposit. Have 5 debits transactions post each calendar month. No consumer complaints regarding this product. Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) Mitigating Factors Residual Risk 25

Mitigating Factors Bank A Due diligence performed Core system specs tested Training provided Policies/procedures in place Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) High Mitigating Factors???? Residual Risk 27

Mitigating Factors Bank A Bank counsel review of account disclosures APY testing no issues Included in last audit no issues Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) High Mitigating Factors Strong Residual Risk 28

Mitigating Factors Bank B Mitigating Factors are limited: Training was administered, but it was 5 years ago. The bank has a system to monitor for complaints. Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) Moderate Mitigating Factors Weak Residual Risk 29

Residual Risk Bank A Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) High Bank B Product Regulation(s) Inherent Risk High APY Checking Reg. DD Reg. E Reg. CC (& more) Moderate Mitigating Factors Strong Mitigating Factors Weak Residual Risk Moderate Residual Risk Moderate 30

Questions? 31

Exercise 1 Entering a New Market

Introduction of ABC Bank ABC Bank is a wholly owned subsidiary of ABC Bancorp, Inc., a one bank holding company with assets totaling $198 million, serving the Cabot Cove area of Anystate. Founded in 1909, ABC Bank is a small community bank known for exceptional service and delicious cookies in the lobby. Cabot Cove County is a rural county located adjacent to the growing Neverland Metropolitan Statistical Area (MSA). As a well-run, well capitalized institution, the bank is looking forward to a period of growth. The Board is considering expanding the bank s market area and entering a more densely populated area in Neverland County. Additionally, the Board wants to offer a new checking account with add-on benefits and points to attract new deposits. The Board will be considering these plans during the upcoming Strategic Planning Meeting. 33

Table Question Why would ABC Bank perform a risk assessment for these two plans? 34

Risk Assessment Walk Through Read exercise in Tab 4 of Binder: Entering into a new market. 35

Risk Assessment Exercise ABC Bank Board decided to enter into a new market Goal: Incorporate compliance into this decision. Entering into Neverland MSA Objective: grow the bank Unknown: Buying, merging, building 36

Risk Assessment Structure Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the product, service or market What applies? Low Moderate High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Mitigating Factors Weak Adequate Strong Mitigating Factors Residual Risk 1-Low 2-3-Moderate 4-5-High Residual Risk Moving into a new market 37

Walking Through Inherent Risk Factors Evaluate What We Know: Metropolitan Statistical Area (MSA) Home Mortgage Disclosure Act (HMDA) Demographic Differences Low- and Moderate-Income Census Tracts (CRA) Census Tracts with Majority-Minority Populations (Fair Lending) 38

Risk Assessment Structure (cont.) Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the product, service or market What applies? Low Moderate High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Mitigating Factors Weak Adequate Strong Mitigating Factors Residual Risk 1-Low 2-3-Moderate 4-5-High Residual Risk Moving into a new market HMDA CRA Fair Lending 39

Definitions Inherent Risk: Risk that exists before the application of controls. Mitigating Factors: Controls in place to limit inherent risks. Residual Risk: Balance that remains after considering the inherent risks and the mitigating factors that reduce risk. 40

Rate the Inherent Risk Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the product, service or market What applies? Low Moderate High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Mitigating Factors Weak Adequate Strong Mitigating Factors Residual Risk 1-Low 2-3-Moderate 4-5-High Residual Risk Moving into a new market HMDA CRA Fair Lending 41

Home Mortgage Disclosure Act HMDA: Applicable to Mortgage Lenders in MSAs A Disclosure Law that Relies Upon Public Scrutiny: Used by: Government Officials Public Examiners Banks Requires Collection, Review, and Submission of Data What if the reported data isn t correct? Impact Fair Lending and CRA Evaluations 42

Community Reinvestment Act Community Reinvestment Act (CRA) Requires bank to Identify an Assessment Area Identify Assessment Area Credit Needs: Low- or moderate-income borrowers or geographies Small businesses or Small farms Small Bank CRA Loan to Deposit Ratio Assessment Area Concentration Borrower Distribution (income/revenue) Geographic Distribution Response to written complaints 43

Community Reinvestment Act Existing Assessment Area Proposed addition 44

Fair Lending Modifications Collections OREO/REO Servicing / Post Closing Pre- Application Advertising & Market Selection Channels Responding to Inquiry Approval Criteria Pricing Terms and Conditions Underwriting / Closing Application Level of Assistance Use of Third Parties Initial Terms and Conditions 45

Fair Lending Advertising / Market Selection Existing Market Proposed Addition 46

Rate the Inherent Risk 1. Low 2. Moderate 3. High 0% 0% 0% 48 1. 2. 3.

Rate the Mitigating Factors Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the product, service or market What applies? Low Moderate High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Mitigating Factors Weak Adequate Strong Mitigating Factors Residual Risk 1-Low 2-3-Moderate 4-5-High Residual Risk Moving into a new market HMDA CRA Fair Lending HIGH 50

Mitigating Factors - HMDA Board and Management Oversight Mary is in charge of Loan Operations and is known for her accuracy. Policies/Procedures Existing policies and procedures for lending areas are effective. Training Adequate training is provided for all other lending areas. Mary s new assistant was hired from a HMDA reporting bank. Monitoring Existing monitoring procedures occur after loans are originated. Mary reviews a monthly report of errors. Complaints No complaints have been received. Audit Loan Operations has not had significant audit findings. 51

Mitigating Factors - CRA Board and Management Oversight John is the bank s CRA Officer. He s also a loan officer. Policies/Procedures Training The bank does not have a formal CRA policy, although elements may be found in the bank closing and loan policies. Loan Operations geocodes loans after loans are originated. Computer based, covers elements of CRA and is required annually. Monitoring The bank has historically had a Satisfactory rating for the last 30 years. The program is pretty much on autopilot according to John. Complaints Audit No complaints have been received. No audits have been completed because it has been deemed low risk. 52

Mitigating Factors Fair Lending (Marketing Risk) Board and Management Oversight Jim, is an experienced Compliance Officer and oversees Fair Lending. Policies/Procedures The Loan Policy generally addresses prohibited bases. There are no procedures for marketing. Training Computer based training covers elements of Fair Lending annually. Monitoring Jim reviews the bank s limited advertisements. No monitoring of market area demographics. Complaints No complaints have been received. Audit No fair lending audit is completed. 53

Rate the Mitigating Factors 1. Weak 2. Adequate 3. Strong 0% 0% 0% 55 1. 2. 3.

Rate the Residual Risk Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the product, service or market What applies? Low Moderate High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Mitigating Factors Weak Adequate Strong Mitigating Factors Residual Risk 1-Low 2-3-Moderate 4-5-High Residual Risk Moving into a new market HMDA CRA Fair Lending HIGH WEAK 57

Rate the Residual Risk 1. 1 (Low) 2. 2 3. 3 (Moderate) 4. 4 5. 5 (High) 0% 0% 0% 0% 0% 58 1. 2. 3. 4. 5.

How would you proceed? 1. I would not proceed with entering into a new market. 2. Proceed after adding controls or mitigating factors to reduce risk. 0% 0% 60 1. 2.

Residual Risk What additional controls or mitigating factors need to be added to lower residual high risk? 61

Current Mitigating Factors Identified by Risk Assessment The bank currently has: Experienced Compliance Officer and Loan Operations Staff Effective policies and procedures for most loan-related areas Adequate training in most lending areas Post-origination loan monitoring Monthly review of monitoring exceptions Audits of most loan areas with few findings 62

Current Mitigating Factors Identified by Risk Assessment The bank currently does not have: A formal CRA policy or other plans; program runs on auto pilot An audit or monitoring of CRA performance Procedures for marketing or advertising Monitoring of advertisements Fair Lending audit or monitoring 63

Possible Mitigating Factors Will usually include: Enhancing a component of the Compliance Management System: Board and Management Oversight Compliance Program Policies/Procedures Training Monitoring Consumer Complaint Response Audit 64

Session 1 Take-Away Compliance should be considered during strategic planning. Conducting a risk assessment early in the process is a value-added endeavor. Risk assessments should identify inherent risks and assess the ability of mitigating factors to maintain residual risk within the Board s risk tolerance. 65

Compliance Risk Assessments Session 2

Statement If the FDIC has reason to believe that a pattern or practice of fair lending violations have occurred at an institution, the FDIC has no discretion about whether or not the issue should be referred to the Department of Justice. 67

The FDIC has no discretion to refer a fair lending issue to the Department of Justice. A. Myth B. Fact 0% 0% Myth Fact 68

Response Fact: FDIC is required by statute to refer pattern or practice violations to DOJ. 69

Statement FDIC frequently cites UDAAP violations. 70

FDIC frequently cites UDAAP violations. A. Myth B. Fact 0% 0% Myth Fact 71

Response Myth: UDAAP Violations are rare; however, consumer harm can be significant. In 2015, less than 1% of all exam reports nationally contained a UDAAP citation. In 2015, restitution orders required that institutions pay consumers approximately $99.6 million in refunds, primarily for UDAAP practices. 72

Statement The FDIC only imposes Civil Money Penalties for flood insurance. 73

The FDIC only imposes Civil Money Penalties for flood insurance. A. Myth B. Fact 0% 0% Myth Fact 74

Response Myth: The FDIC can impose a Civil Money Penalty for any violation of law, or unsafe and unsound banking practices. 75

Objectives Incorporate Compliance into Planning Develop Risk Assessment Identify Inherent Risk Mitigate Risk of Consumer Harm Evaluate Residual Risk Prepare for a Risk Based Examination 76

Agenda Session 1 Introduction to Risk Assessments: Identifying and Assessing Risk Components of a Risk Assessment Exercise 1 Session 2 Beginning with Questions Exercise 2 Examination Process 77

Beginning with Questions

Beginning with Questions What could create consumer harm? Types of consumer harm: Significant monetary loss Barriers to customers in obtaining product/service benefits Barriers to asserting rights under consumer protection laws or regulations Interruptions in the ability to deliver products or services 80

Questions (cont.) What operational areas may be affected? Backroom operations Third-Party relationships Customer-facing interactions Systems and software Disclosures / supplies Personnel resources Other bank departments (training, audit, marketing, sales) 81

Residual Risk Questions After identifying inherent risk ask: Are current mitigating factors sufficient to keep residual risk at an acceptable level? What changes need to be made to CMS? How / who will manage the mitigating factors? At the end of the day: Will the cost of adding mitigating factors be worth moving forward with the change? 82

Exercise 2 New Product

ABC Bank ABC Bank is a wholly owned subsidiary of ABC Bancorp, Inc., a one bank holding company with assets totaling $198 million, serving the Cabot Cove area of Anystate. Founded in 1909, ABC Bank is a small community bank serving Cabot Cove County known for exceptional service and delicious cookies in the lobby. Cabot Cove County is a rural county located adjacent to the growing Neverland Metropolitan Statistical area. As a well-run, well capitalized institution, the bank is looking forward to a period of growth. The Board is considering expanding the bank s market area and entering a more densely populated area in Neverland County. Additionally, the Board wants to offer a new checking account with add-on benefits and points to attract new deposits. The Board will be considering these plans during the upcoming Strategic Planning Meeting. 84

Exercise 2 Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the Product, Service, or Market What applies? Low Moderate High Mitigating Factors Strong Adequate Weak Residual Risk 1 - Low 2 3 - Moderate 4 5 High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Mitigating Factors Residual Risk Firefly Deposit Product Truth in Savings UDAP Regulation E Other: 85

Exercise 2 Exercise 2: New Deposit Product Located in Binder under Tab 4 86

Exercise 2 Goal: Conduct a product-based risk assessment of Firefly Group Discussion: Identify some of the inherent risks that are apparent in the exercise 87

Exercise 2 Debrief Inherent Risk Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the Product, Service, or Market What applies? Low Moderate High Exercise 2 Risk Assessment Risk Factor Regulation(s) Inherent Risk Firefly Deposit Product Truth in Savings UDAP Regulation E Other: Mitigating Factors Strong Adequate Weak Mitigating Factors Residual Risk 1 - Low 2 3 - Moderate 4 5 High Residual Risk 88

Inherent Risk Factors Complicated requirements to obtain rewards and add-on benefits Complaints regarding how product features are applied, advertised and disclosed UDAP risk Relatively new third-party Third-party subcontracts with other third-parties 89

Rate the Inherent Risk 1. Low 2. Moderate 3. High 0% 0% 0% 90 1. 2. 3.

Exercise 2 Debrief Inherent Risk Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the Product, Service, or Market What applies? Low Moderate High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Firefly Deposit Product Truth in Savings UDAP Regulation E Other: High Mitigating Factors Strong Adequate Weak Mitigating Factors Residual Risk 1 - Low 2 3 - Moderate 4 5 High Residual Risk 91

Mitigating Factors Some due diligence performed Contacted other banks Searched for complaints Implementation plan includes plans for training Implementation guide will be available to staff to answer customer FAQs Third-Party offers support for set-up and implementation 92

Rate the Mitigating Factors 1. Weak 2. Adequate 3. Strong 0% 0% 0% 93 1. 2. 3.

Exercise 2 Debrief Mitigating Factors Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the Product, Service, or Market What applies? Low Moderate High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Firefly Deposit Product Truth in Savings UDAP Regulation E Other: High Mitigating Factors Strong Adequate Weak Mitigating Factors Weak Residual Risk 1 - Low 2 3 - Moderate 4 5 High Residual Risk 94

Rate the Residual Risk 1. 1 (Low) 2. 2 3. 3 (Moderate) 4. 4 5. 5 (High) 0% 0% 0% 0% 0% 95 1. 2. 3. 4. 5.

Exercise 2 Debrief Residual Risk Illustrative Risk Assessment Risk Factor Regulation(s) Inherent Risk Identify the Product, Service, or Market What applies? Low Moderate High Mitigating Factors Strong Adequate Weak Residual Risk 1 - Low 2 3 - Moderate 4 5 High Exercise 1 Risk Assessment Risk Factor Regulation(s) Inherent Risk Firefly Deposit Product Truth in Savings UDAP Regulation E Other: Mitigating Factors Residual Risk High Weak 4 96

Exercise 2 Now What? Assume the level of residual risk was outside the acceptable tolerance for your Board. What are your options? 97

Questions? 98

Risk-Focused Compliance Examinations Overview

Examination Process Pre-Exam 1: Information Gathering and Initial Scoping Pre-Exam Interview Understand Bank Operations Discuss changes, current strategies and future plans Begin to identify Inherent Risks Tailor the Compliance Information and Document Request (CIDR) 100

Examination Process (cont.) Pre-Exam 2: Thorough Exam Scoping Review operation-related CIDR items to complete the process of identifying Inherent Risk Review CMS-related CIDR items to make a preliminary determination of ability of the CMS to appropriately Mitigate risk Identify the products, services or markets where Residual Risk may still exist - = Inherent Risk Mitigating Factors Residual Risk 101

Examination Process (cont.) On-Site Exam: Assessment of Performance Review of products, service, and markets where pre-exam activities indicate Residual Risk exists 102

Final Take-Aways Conducting a risk assessment early in the process is a value-added endeavor. Risk assessments should consider: Inherent Risk, Mitigating Factors, and Residual Risk. Asking some big picture questions regarding plans will help you begin the process of developing a risk assessment. The FDIC also uses a risk-focused approach to compliance examinations. 103

Questions? 104